I asked about the source of the infection. After all, there’s little point in decrypting the files if the malware is still active. It may end up re-encrypting the files, putting him back to square one. But in their haste to stop the infection, they turned off most of the computers and hadn’t yet determined which one was doing the encrypting. I advised him to bring in a professional forensics malware specialist at this point, which he agreed to. In this situation, you want to be 100% sure the infection is contained before you start restoring anything.
I figure that, given the amount of time required to encrypt so many files, the malware must have been active for over a day. It probably started doing its nasty work in the late afternoon the day before, and everyone went home without noticing that files were being gobbled up. Hopefully, the decryption process will take less than a day. In the meantime, the forensics team can eliminate the infection. If it were me, I would probably throw away all the end-user computers and buy new ones!
I also advised my colleague to block macro-enabled Word (and Excel and PowerPoint) documents from being delivered in email, and I would advise you to do this as well. I have never seen anybody send a legitimate Office document containing a macro from outside a company. Sure, they might be used internally occasionally, but I think the odds of such documents that originate from outside being work-related are nil. And trust me, you don’t want to get Locky.
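As an added example (not the column's own code), the following Python shows what a mail-gateway filter implementing that advice would have to check. It flags Office attachments two ways: by the extensions Office reserves for macro-enabled files, and by opening any zip-based (OOXML) attachment and looking for the `vbaProject.bin` part, which catches a macro document renamed to `.docx`. The hook into a real gateway (Milter, Exchange transport rule, etc.) is assumed and not shown; the sample message and its attachments are constructed inline.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Office reserves for macro-enabled documents.
MACRO_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
    ".pptm", ".potm", ".ppsm", ".ppam", ".sldm",
}
# OOXML documents are zip archives; VBA code lives in a vbaProject.bin part.
VBA_PART = "vbaproject.bin"


def extension_of(filename):
    name = (filename or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def contains_vba_project(data):
    """True if a zip-based Office file carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(VBA_PART) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a reason string if the attachment should be blocked, else None.

    Limitation: legacy binary formats (.doc/.xls/.ppt) are OLE files, not zips,
    and need an OLE parser (e.g. olefile) to detect embedded macros.
    """
    ext = extension_of(filename)
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled extension %s" % ext
    # Inspect zip content regardless of the claimed extension, so a renamed
    # .docm that now ends in .docx is still caught.
    if data[:2] == b"PK" and contains_vba_project(data):
        return "OOXML archive contains vbaProject.bin"
    return None


def find_macro_attachments(raw_message):
    """Parse an RFC 5322 message and list attachments that carry macros."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason:
            flagged.append((name, reason))
    return flagged


# --- constructed sample data below; none of it comes from a real mailbox ---

def build_ooxml(with_vba):
    """Build a minimal OOXML-shaped zip, optionally with a VBA part stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed stand-in, not real VBA")
    return buf.getvalue()


def build_sample_message():
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see attached.")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="agenda.docx")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # Same macro-bearing archive, renamed to look like a plain .docx.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="renamed.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_macro_attachments(build_sample_message()):
        print("BLOCK %s: %s" % (name, reason))
```

Run against the constructed message, the filter blocks `invoice.docm` and `renamed.docx` and lets the plain `agenda.docx` and the PDF through. In a deployment the extension list is the cheap first pass; the zip inspection is what makes the rule hard to bypass by renaming.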