CTB-locker and avast

Hello there,

A bit of a problem today as one of our users clicked on a zip file in an attachment and got CTB locker. It encrypted the files on his computer and also on the network through all the mapped network drives.

We have avast server edition and avast pro on the workstation.
Shouldn’t this virus have been stopped by avast?

We got most of our data back, because we have backups. But one of our users put a lot of professional images in a folder without backups. Any way to get our data back except paying for the key? We have around 500 images to recover.

Regards,

PS: also, it seems this malware got installed after the user clicked on the attachment only. From what I know, you have to execute something to get a virus, and there he only opened the zip if I understand right. Am I missing something? Can I prevent this type of file from arriving on our mailboxes? It must be something specific, as it is some kind of zip executable. If it is something specific, I should be able to exclude it.
I don’t think one of our clients will need to send us something like that.

Hello,
do you have the original email with the malicious attachment? If yes, can you send it to us for analysis?

Regards,
Milos

Sorry, I have a print screen but the original email was deleted everywhere to be certain that it doesn’t appear again.

Shouldn't this virus have been stopped by avast?
No security program has 100% detection or zero false positives. Bad guys release new malware versions every day.

do you use a mail client, or webmail? … if a mail client, try accessing the account from the web to see if the mail is still there?

Hello,
hmmm, that’s a pity. I think that the file had a double extension (.zip.exe) and hiding of known extensions was enabled. So the “.exe” part was hidden and the user only saw a .zip, and/or the executable file might have had the icon of a zip archive or folder, so the user thought it was a zip archive/folder and ran the .exe directly. But such attachments should be blocked by Avast because it’s an executable from email, and I also guess the file should have low prevalence in our FileRep (cloud based detections), so it should warn the user before running or run the file in DeepScreen. What version of Avast do you have? Do you have “Reputation services” and “DeepScreen” enabled?

Milos
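As an added illustration of the double-extension trick described in the reply above (example code written for this page, not from Avast or from anyone in the thread), the Python routine below shows how “Hide extensions for known file types” renders an attachment name and flags names whose real, last extension is executable while the visible part ends in an archive or document extension. The extension lists and the sample attachment names are constructed for the example.

```python
# Extensions Windows runs on double-click (constructed subset for the example)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf"}
# Extensions a user expects to be a harmless container or document
BENIGN_LOOKING_EXTS = {"zip", "rar", "7z", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer/Outlook shows it when 'Hide extensions for known
    file types' is on: only the final, registered extension is hidden."""
    if not hide_known_ext:
        return filename
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS:
        return stem
    return filename


def is_deceptive(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the
    user sees ends in an archive/document extension,
    e.g. 'photos.zip.exe' is displayed as 'photos.zip'."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, shown_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_LOOKING_EXTS


def triage(filenames):
    """(filename, name as displayed, flagged) for a batch of attachment names."""
    return [(f, displayed_name(f), is_deceptive(f)) for f in filenames]


# Constructed sample attachment names, not taken from any real mail
ATTACHMENTS = [
    "invoice_2015.zip.exe",
    "holiday_photos.zip",
    "report.pdf.scr",
    "setup.exe",
]

if __name__ == "__main__":
    for name, shown, flagged in triage(ATTACHMENTS):
        print(f"{name:24} shown as {shown:20} {'BLOCK' if flagged else 'ok'}")
```

The same check belongs at the mail gateway rather than on the desktop, since the user never sees the real extension once hiding is on.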

We are using exchange and outlook on the workstations.
I know that no security program detects things 100%, but I saw in an article on CTB locker that avast recognizes the program as a virus. I guess they made a new one.
We have mxlabs which filters our mail externally. Then we have avast on the server and avast on the workstations… I guess I thought this kind of file didn’t get through 3 layers of protection. Anyway, I asked my users to be more careful.

Deepscreen and reputation service are activated on every workstation. I know deepscreen works because I’ve seen it analyze our in-house applications quite a few times. This application is never launched on the computer that had the problem, so I’ve never seen the deepscreen popup on that particular workstation. But deepscreen is activated in avast.