OT - Mass File Corruption - Help !!!!
mcerd1 - 19/2/14 at 10:11 AM

Got a major issue that's just developed at work - nearly an entire drive's worth of data seems to have been corrupted in the last hour
that's nearly 90 thousand excel, word, pdf and autocad files that are now just full of gibberish
only picture files actually seem to work.....

this only affects the one drive at the moment - but it's on the same physical disk as 2 other drives which appear to be working perfectly...


any ideas ?

[Edited on 19/2/2014 by mcerd1]


ironside - 19/2/14 at 10:24 AM

Are any of your users infected with the CryptoLocker virus?


McLannahan - 19/2/14 at 10:25 AM

Do you have shadow copies/previous versions enabled? (Assuming this is a Windows box that is...)


mcerd1 - 19/2/14 at 10:44 AM

quote:
Originally posted by ironside
Are any of your users infected with the CryptoLocker virus?


don't think so - and we aren't getting any ransom demands


mcerd1 - 19/2/14 at 10:45 AM

quote:
Originally posted by McLannahan
Do you have shadow copies/previous versions enabled? (Assuming this is a Windows box that is...)


we do have off line backups - but that would mean losing 2 - 3 days worth of work for all of us


McLannahan - 19/2/14 at 10:59 AM

quote:
Originally posted by mcerd1
quote:
Originally posted by McLannahan
Do you have shadow copies/previous versions enabled? (Assuming this is a Windows box that is...)


we do have off line backups - but that would mean losing 2 - 3 days worth of work for all of us


Shadow copies/previous versions is not the same as backups - it's a snapshot of the selected shared drive taken at scheduled points throughout the day/night. It's certainly not an alternative to a good backup but ideal for a situation like this....If it's enabled of course!

Is it worth manually running another backup now of the existing healthy files?


mcerd1 - 19/2/14 at 11:04 AM

quote:
Originally posted by McLannahan
Shadow copies/previous versions is not the same as backups - it's a snapshot of the selected shared drive taken at scheduled points throughout the day/night. It's certainly not an alternative to a good backup but ideal for a situation like this....If it's enabled of course!

it's not enabled, but I doubt it would help much anyway...

we're talking about 90,100 files


iank - 19/2/14 at 11:43 AM

quote:
Originally posted by mcerd1
quote:
Originally posted by ironside
Are any of your users infected with the CryptoLocker virus?


don't think so - and we aren't getting any ransom demands


Surely only the infected user would be getting the ransom demands, and they might, ahem, be keeping their head down!
Virus scan of every computer on the network would be my first step. But it looks like the backups are the only way to get back information (might want to ask the IT dept why they aren't doing nightly backups of key server drives).

If it were a hardware problem you'd expect the filesystem to be completely gone rather than individually corrupted files so it's most likely a software topic.


jeffw - 19/2/14 at 12:39 PM

I'd lay money this is Cryptolocker


scudderfish - 19/2/14 at 12:45 PM

If you haven't already, pull the network cable out.


mcerd1 - 19/2/14 at 12:56 PM

quote:
Originally posted by iank
Surely only the infected user would be getting the ransom demands, and they might, ahem, be keeping their head down!
Virus scan of every computer on the network would be my first step.


well looks like you guys were right

turns out it's one of the guys in the workshop
(I assume the drive in question was mapped on his machine - luckily my own files aren't on that one....)

so I think we'll be going back to Friday's back-up

[Edited on 19/2/2014 by mcerd1]


mookaloid - 19/2/14 at 01:49 PM

Very scary stuff

Do you know how much they were asking for?


mcerd1 - 19/2/14 at 03:17 PM

quote:
Originally posted by mookaloid
Very scary stuff

Do you know how much they were asking for?

no idea - but google it and you'll get some scary stats about the amount of cash they may have got from other folk....



our IT support company (well known national company staffed by monkeys) have apparently isolated it and are replacing the affected files with the ones on the backup - mind you I don't trust them as far as I could throw them, they've already screwed up a couple of other programs today while 'fixing' the virus issue (no idea why the boss won't go elsewhere...)



[Edited on 19/2/2014 by mcerd1]


Ben_Copeland - 19/2/14 at 03:24 PM

quote:
Originally posted by mcerd1




our IT support company (well known national company staffed by monkeys) have apparently isolated it and are replacing the affected files with the ones on the backup - mind you I don't trust them as far as I could throw them, they've already screwed up a couple of other programs today while 'fixing' the virus issue (no idea why the boss won't go elsewhere...)



[Edited on 19/2/2014 by mcerd1]


Because they are all the same... ours is anyway !


mookaloid - 19/2/14 at 03:27 PM

quote:
Originally posted by mcerd1
quote:
Originally posted by mookaloid
Very scary stuff

Do you know how much they were asking for?

no idea - but google it and you'll get some scary stats about the amount of cash they may have got from other folk....



our IT support company (well known national company staffed by monkeys) have apparently isolated it and are replacing the affected files with the ones on the backup - mind you I don't trust them as far as I could throw them, they've already screwed up a couple of other programs today while 'fixing' the virus issue (no idea why the boss won't go elsewhere...)


Oh I did google it - that's why it's so scary. It could completely kill a small business which isn't prepared for that sort of thing - either you pay out a fortune to the criminals or you pay out to IT support to get it fixed - either way it's a worry

Hope you get sorted.


mcerd1 - 19/2/14 at 03:29 PM

quote:
Originally posted by Ben_Copeland
Because they are all the same... ours is anyway !

ours have a reputation of being one of the worst of the worst

we were with a smaller company that could at least fix things properly - but they got bought over a few years ago and for some unknown reason we've stayed with them.....


iank - 19/2/14 at 03:48 PM

quote:
Originally posted by mcerd1
quote:
Originally posted by Ben_Copeland
Because they are all the same... ours is anyway !

ours have a reputation of being one of the worst of the worst

we were with a smaller company that could at least fix things properly - but they got bought over a few years ago and for some unknown reason we've stayed with them.....



britishtrident - 19/2/14 at 05:00 PM

In my area a lot of the lawyers and accountants offices have been getting hit with virus laden emails mostly claiming to come from either government departments including Scottish Courts, HMCRC or respectable companies such as SAGE, TNT or a bank (are banks still considered respectable !).
The emails aren't getting hits in the sbl-xbl.spamhaus.org blacklist but can be flagged because they are routed from Russia, Liberia, and Brazil. The sparsely worded email with the attachment is worded in a way that would arouse suspicion in anybody who deals with these organisations.


mcerd1 - 20/2/14 at 03:36 PM

well the monkeys are still at work - so far they've had 2 failed attempts to fix it (i.e. copy the file off the back up) and that's taken them at least 8 of our working hours....

this really is just a big copy / paste job - how can they get that wrong

[Edited on 20/2/2014 by mcerd1]


daveb666 - 20/2/14 at 04:02 PM

Regardless of whether your boss will switch IT companies - surely it has to be worth spending a few hundred quid on a daily, on-site backup so you no longer need to rely on outside sources?


britishtrident - 20/2/14 at 04:16 PM

quote:
Originally posted by mcerd1
well the monkeys are still at work - so far they've had 2 failed attempts to fix it (i.e. copy the file off the back up) and that's taken them at least 8 of our working hours....

this really is just a big copy / paste job - how can they get that wrong

[Edited on 20/2/2014 by mcerd1]


It depends when the last full back up was done, normally a back up set consists of a full back up and incremental back ups and normally just the data is backed up not the OS.
The problem is when trying to get the system as near up to date as possible you can copy the malware straight back on.
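

Added example (not part of any post in the thread): a triage script for the situation discussed above, where Excel, Word, PDF and AutoCAD files on a share turned to gibberish. It flags files whose leading bytes no longer match the signature expected for their extension, so a restore can target only those files; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Leading bytes expected for the file types named in the thread.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls container
ZIP = b"PK\x03\x04"                          # .docx / .xlsx are ZIP archives
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (ZIP,), ".xlsx": (ZIP,),
    ".doc": (OLE,), ".xls": (OLE,),
    ".dwg": (b"AC10",),                      # AutoCAD R13 and later
}

def classify(path):
    """Return 'ok', 'suspect' or 'unknown' for a single file."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return "unknown"                     # no signature on record
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return "unknown"                     # unreadable: check by hand
    # An empty or overwritten file fails the prefix test.
    return "ok" if head.startswith(expected) else "suspect"

def triage(root):
    """Walk root and return sorted relative paths of suspect files."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "suspect":
                suspects.append(os.path.relpath(full, root))
    return sorted(suspects)

def build_sample_tree(root):
    """Constructed sample share: intact files plus two overwritten ones."""
    samples = {
        "quotes/q1.pdf": b"%PDF-1.4\n",
        "quotes/q2.pdf": b"\x8f\x12\xa0\x03\x77\x5c\x01\xee",
        "drawings/frame.dwg": b"AC1018\x00\x00",
        "drawings/bracket.xlsx": b"\x01\xfe\x99\x10\x22\x33\x44\x55",
        "photos/site.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(triage(tmp)))
```

Files with extensions not in the table are reported as unknown rather than clean, so they still need a separate check.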