I just booked a visit for tomorrow to a small operation that has a PC infected with a ransomware/CryptoLocker infection. The machine was infected over 2 months ago. The environment it is in is completely unknown regarding network or number/age/OS of machines. Based on the location size I would guess a workgroup with no more than 4 or 5 PCs.
Since this is my first call for this type of problem, I am unsure of how to proceed. Google searches result in everything but a framework to follow in troubleshooting and recovery of the issue.
What I have discovered so far is to:
- Safe Mode
- Identify the "brand" of the infection, I am assuming by way of the message that appears on screen.
- Grab the Bitcoin wallet address and filelist.
- Check for a restore point prior to the infection - there is little hope of that in this case. If available, restore to...
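Added example (not part of the question or any answer): a Python triage helper for the "identify the brand" and "grab the wallet address and file list" items above. It finds note files dropped into many folders, pulls Bitcoin addresses out of them, and builds the list of files carrying the extension the encryptor appended. The folder tree, note text, `.locked` extension and wallet string are all constructed placeholders.

```python
import collections, re, tempfile
from pathlib import Path

# Loose shapes for legacy (1.../3...) and bech32 (bc1...) addresses; a hit is a lead
# to record and look up, not proof of who controls the wallet.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

def find_ransom_notes(root, min_dirs=3):
    """A note dropped into every folder shows up as one filename in many directories."""
    by_name = collections.defaultdict(list)
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".txt", ".html", ".hta"):
            by_name[p.name].append(p)
    return {n: ps for n, ps in by_name.items() if len({p.parent for p in ps}) >= min_dirs}

def extract_btc_addresses(paths):
    """Wallet addresses quoted in the notes, deduplicated for the report."""
    found = set()
    for p in paths:
        found.update(BTC_RE.findall(Path(p).read_text(encoding="utf-8", errors="replace")))
    return sorted(found)

def encrypted_file_list(root, note_names):
    """Encryptors usually append one extension: report the most common non-note one."""
    by_ext = collections.defaultdict(list)
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name not in note_names:
            by_ext[p.suffix.lower()].append(str(p))
    ext, paths = max(by_ext.items(), key=lambda kv: len(kv[1]))
    return ext, sorted(paths)

def triage(root):
    """Notes found, wallets quoted in them, and the suspected encrypted-file list."""
    notes = find_ransom_notes(root)
    ext, files = encrypted_file_list(root, set(notes))
    wallets = extract_btc_addresses([p for ps in notes.values() for p in ps])
    return {"notes": sorted(notes), "wallets": wallets, "extension": ext, "files": files}

def build_sample_tree():
    """Constructed victim folder: placeholder note text, extension and wallet string."""
    root = Path(tempfile.mkdtemp())
    note = "Your files are encrypted. Pay 1 BTC to 1TriageTestWaLLetPLacehoLderABCDE\n"
    for d in ("Documents", "Documents/Invoices", "Pictures"):
        (root / d).mkdir(parents=True)
        (root / d / "HOW_TO_DECRYPT.txt").write_text(note)
        for name in ("report.docx.locked", "budget.xlsx.locked"):
            (root / d / name).touch()
    (root / "readme.txt").write_text("ordinary text, not a note\n")  # single copy
    return str(root)
```

Run it against a read-only mount or an image of the disk so the evidence stays unchanged; the note name and wallet it reports are what you search on to identify the family.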