Anatolios
Highest Rated Comments
Anatolios, 23 karma
A company I did some work for got hit by the new version of CryptoWall recently,
CryptoWall is a notoriously nasty "computer virus" that makes your files inaccessible, and demands payment in exchange for returning your files.
via someone's PA opening a dodgy Word document.
PA = Personal Assistant
Word = Microsoft Word
The malware
malware is a more general term for what you would commonly think of as a computer virus. Any software that is malicious.
encrypted a bunch of her files (renamed them to blah.doc.ecc)
"made a bunch of her files inaccessible using a particular technique"
and then went to work on their entire SAN,
SAN = Storage Area Network, basically a shared hard drive connected to the network rather than directly to the computer.
which was accessible from the victim laptop. AV caught it 8 hours later
AV = Antivirus
(new sig in the latest definitions),
sig = signature; Antivirus works by looking for known bad files. It does this by comparing files to short mathematical descriptions (signatures) of known bad files. It's like checking to see if a book is a particular book by checking if a particular sentence is in that book instead of by comparing the entire book.
by which time it'd encrypted a few hundred thousand documents.
You'd think this sounds dire, but one of their sysadmin guys shrugged it off like it was nothing. CryptoWall keeps a log of all the file names it has encrypted,
The virus keeps track of all the files it had made inaccessible
so he wrote a PowerShell script
"He wrote a simple program"
to go through and revert all the files to their previous shadow copies and they were back up and running after an hour. No ransom paid, all files restored.
"to go through and restore the files on that list from backup without paying the ransom"
They now have heuristics on the SAN to catch these operations in real-time.
They now have some kind of process that looks for this type of behavior in real time instead of just waiting for someone else to find the bad files and tell everyone.
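The restore the sysadmin describes, as an added example that is not the commenter's script and not anything from the original post: it reads a list of encrypted paths and copies each file back from the newest Volume Shadow Copy taken before the infection. Everything about the input is an assumption made for the example: that the log is a plain text file with one full path per line, that the encrypted copy is the original name plus a ".ecc" suffix (the rename the comment mentions), and that the script runs elevated on the Windows file server that owns the volume, where a pre-infection snapshot still exists. The parameter names and the mount point are made up for the example.

```powershell
<#
  Added example, not the commenter's code. Assumptions (hypothetical):
    - $LogPath is a text file with one full path per line,
      e.g. D:\Shares\Finance\budget.xlsx.ecc
    - encrypted file = original name + $Suffix
    - runs elevated on the server that owns the volume, and a shadow
      copy created before $InfectionTime exists on that volume
#>
param(
    [Parameter(Mandatory)] [string]   $LogPath,
    [Parameter(Mandatory)] [datetime] $InfectionTime,   # use a snapshot older than this
    [string] $Suffix = '.ecc',
    [string] $MountPoint = 'C:\shadow_restore',          # hypothetical symlink location
    [switch] $RemoveEncrypted,                           # delete the .ecc copies after restore
    [switch] $WhatIf
)

$ErrorActionPreference = 'Stop'

# Group listed files by drive letter so one snapshot is mounted per volume.
$targets = Get-Content -LiteralPath $LogPath |
    Where-Object { $_ -and $_.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase) } |
    Group-Object { [IO.Path]::GetPathRoot($_) }

foreach ($group in $targets) {
    $driveRoot = $group.Name                                   # e.g. "D:\"
    $volume = Get-CimInstance Win32_Volume |
        Where-Object { $_.DriveLetter -and ($_.DriveLetter + '\') -eq $driveRoot }
    if (-not $volume) { Write-Warning "No local volume for $driveRoot"; continue }

    # Newest snapshot taken BEFORE the infection. Later snapshots already
    # contain the encrypted files, so they are useless for recovery.
    $snap = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID -and $_.InstallDate -lt $InfectionTime } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $snap) { Write-Warning "No pre-infection shadow copy for $driveRoot"; continue }

    # Expose the snapshot's device object as a directory symlink so normal
    # file cmdlets can read it. The trailing backslash on the target is required.
    if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
    cmd /c mklink /d "$MountPoint" "$($snap.DeviceObject)\" | Out-Null

    try {
        foreach ($encrypted in $group.Group) {
            $original = $encrypted.Substring(0, $encrypted.Length - $Suffix.Length)
            $relative = $original.Substring($driveRoot.Length)   # path without "D:\"
            $source   = Join-Path $MountPoint $relative
            if (-not (Test-Path -LiteralPath $source)) {
                Write-Warning "Not present in snapshot: $original"; continue
            }
            if ($WhatIf) {
                "Would restore $original from snapshot of $($snap.InstallDate)"; continue
            }
            Copy-Item -LiteralPath $source -Destination $original -Force
            if ($RemoveEncrypted) { Remove-Item -LiteralPath $encrypted -Force }
        }
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents.
        cmd /c rmdir "$MountPoint" | Out-Null
    }
}
```

Run it with -WhatIf first to confirm the chosen snapshot actually predates the encryption and that the listed paths resolve inside it, and keep the .ecc copies (leave -RemoveEncrypted off) until the restored files have been spot-checked. Trusting the malware's own log is a shortcut; a sweep with Get-ChildItem -Recurse -Filter "*$Suffix" over the share would catch files the log omits.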
Anatolios, 3 karma
Knowing what you know now, is there anything you would have done differently to prepare for the long term aftereffects of the storm? Is there anything that would help in restoring the community?
Anatolios, 488 karma
Keep it as a war-chest in case they refile in the proper jurisdiction.