We were infected by the new CryptoLockerDefense trojan today.
http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month
Three things saved us:
1. Early detection -- A user came across an encrypted file on a network share and let us know immediately. We estimate the time between infection and whacking the infected machine off the network to be about two hours.
2. Limited permissions -- The infected machine had access to only two of the mapped network drives stored on our file server. We have about 20. The others were not affected.
3. Backups -- We have backups from last night of the two affected mapped network drives.
Special thanks to Spicehead DarthVal for helping us determine which machine was infected, and with other things.
Our file server is a Buffalo NAS, and I made a mistake during this ordeal. I couldn't access the web interface. So I was panicking that somehow it was infected, or at the very least, overloaded because of all of the file writing it was doing. So I yanked it off the network, and yanked its power cord. I was going to set it up at my desk for emergency surgery... but soon after I plugged it all back in and discovered that I couldn't access the web interface because I was using Chrome. Firefox worked just fine.
I have about 300 GB of data to restore from backups, and I'm using Robocopy. But, it could be a LOT worse. We make and sell rubber parts for classic cars. Our call center had only negligible interruptions in operations, and shipping and production were unaffected. Only our tooling and design department had a significant interruption, because we had determined early on that the infected machine was in that department, and we pulled their switch from the network. They were out for about 90 minutes.
I have yet to determine why it was missed by both MSE and our Sonicwall, but that's after I restore all this data and have a chance to reflect.