
Hit by Ransomware


Islander


Last week, I got a popup telling me that my Ad-Aware program had an urgent security update that had to be installed right away.

I checked the certificate and it looked right, so I clicked for the download.

Within a minute or so, a big official-looking popup appeared, telling me my files have been encrypted using an RSA 2048 something, and they have the key to decrypt them. I should click on the link in the big popup to see how to pay.

There were none of the usual spelling or grammar mistakes you'd see in a scam. It looked official and even polite.

I checked and found I couldn't access any of my documents and about 2/3 of my photos.

I shut down the computer and did some research on my smartphone. That's how I'm typing this.

There was no good news. The decryption key is so long that it's not feasible to try to crack it. The crooks usually want to be paid in bitcoin, and the price increases with every missed deadline.

I started the machine the next day, but it was still the same, so I shut it down. I have not clicked onto any of the "how to pay" links. The computer has now been shut down for six days, and I don't want to start it until I have some idea how to solve this.

It seems that even if you do pay, you may hear nothing from the scammers.

Have any of you encountered this kind of malware, and do you know of any solutions that will restore my computer? I should mention that the malware seems to have deleted my Restore Points, so System Restore is unavailable.

I'm running Windows 7. I hope someone has some good news or useful ideas.


My roommate a couple years back did have this.

We didn't figure out a way to recover the files, but we did figure out how to stop the software from running and encrypting more, and remove it from the computer. It takes some troubleshooting to do, and you have to be safe when editing the registry to do so. I haven't seen or heard anything about unlocking the encryption, though.


My computer has a RAID comprised of two drives set up as mirror units, so each is exactly the same. The idea was that if one drive crashed, the second one would be fine, and I wouldn't need to do any backups.

However, that's no protection against malware. I do run antivirus programs, but they didn't flag this, maybe because it was impersonating one of them.

I did buy an external drive years ago, but only used it a couple of times, and that was likely with the XP computer I had before this Win7 machine.


I hate it for you and hope you get this resolved quickly and don't lose your data. Once you get through this, and to everyone out there that doesn't have a complete backup in place, please do a little research and get one in place. I personally use Acronis and Vice Versa, and it has saved my *** on more than one occasion, including a couple of weeks ago. If you are not savvy enough to get something solid in place, there are people out there that can help you. My I.T. guy is 300+ miles away from me and handles all of my business and personal computers and never has to come on site.

Good Luck


My new strategy for desktop computer is to only have the system disk online. All data and software with any value of any kind, like my 12,000 photographs, are stored on a portable disk which is NEVER EVER connected to the PC when it is online. To work on those files, I close the Internet connection, and physically connect the "Value Disk" to the PC. When done, disconnect. 


As far as I know, you have to have an off-site backup to have everything protected. There will likely be some files that are OK. The problem is dragging the good files to a decent drive without bringing the funk with it. Get rid of the process before trying to move files. We will all have off-site protection with 15-minute reads in the future; it's just coming to that.


It's called CryptoLocker, and the only options are to restore from backup (if you have one) or pay the ransom, which is in the form of bitcoin and converts to about $700 USD.

 

It's nasty stuff, and we've encountered it a half dozen times with our customers. Every time, they've opted to pay the unlock fee.

Edited by Thaddeus Smith

Your customers must be high rollers to fork out that kind of dough.

JJK


This is what I do on a daily work-related trip... Don't always believe what you are seeing....

Do this first...

Enter Safe Mode while booting:

  1. If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you'll need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.

  2. Find your files (pictures, documents, whatever) and copy some of them to a jump drive.

  3. Take that jump drive and plug it into another known good working Windows 7 PC. If you can open those files on this other PC, then no encryption has taken place.

  4. If the above #3 is true, copy all the files to the jump drive so you can copy and paste them back after a complete wipe and reload of the screwed-up PC... Sometimes it is faster and better to do a wipe and reload of the OS... Been down this road many, many times.

  5. If #3 is not true, then just perform the complete wipe and reload.

Edited by Steve_S
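The "open it on another PC" test in the post above can be done more systematically. The script below is an added example for this thread, not Steve_S's code or anything posted here: run it on the known-good machine against the tree copied to the jump drive (never plug that drive back into the infected PC). It checks whether each file still starts with the magic bytes its extension implies, and for extensions it has no signature for, whether the byte distribution is near-random, which is what ciphertext looks like. The signature table holds well-known values; the 7.5 bits/byte entropy cut-off and the sample files are assumptions constructed for the example.

```python
"""Triage files copied off a suspect PC (added example, not from the thread).

Two checks per file:
  1. header check: does the file still begin with the magic bytes its
     extension implies? Encryption overwrites the header.
  2. entropy check: is the byte distribution near-random? Ciphertext sits
     close to 8 bits/byte; plain text sits far below it.
"""
import hashlib
import math
import os
from collections import Counter

# Well-known file signatures, keyed by extension.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".pdf":  [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],  # Office 2007+ documents are ZIP containers
    ".xlsx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off for "looks encrypted"
HEADER_BYTES = 65536     # judging the first 64 KiB is enough for a large file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'intact', 'suspect' or 'unknown' for one file's leading bytes."""
    ext = os.path.splitext(name)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is not None:
        if any(data.startswith(sig) for sig in signatures):
            return "intact"   # header survived; only proves the first bytes are untouched
        return "suspect"      # known type but header gone: overwritten, most likely encrypted
    # No signature for this extension, so entropy is only a hint:
    # compressed media (mp3, mp4, ...) is legitimately near-random too.
    if len(data) >= 256 and shannon_entropy(data[:HEADER_BYTES]) >= ENTROPY_THRESHOLD:
        return "suspect"
    return "unknown"


def scan_tree(root: str) -> dict:
    """Walk a copied directory tree and return {path: verdict}."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                verdicts[path] = classify(fn, fh.read(HEADER_BYTES))
    return verdicts


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain (constructed)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample files standing in for the contents of the jump drive.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,       # intact JPEG header
    "notes.txt":   b"Meeting notes: test the backups.\n" * 20,  # plain text, low entropy
    "report.pdf":  _pseudo_random(4096),                        # PDF overwritten by ciphertext
    "unknown.dat": _pseudo_random(4096),                        # no signature, random bytes
}


def triage_samples() -> dict:
    """Classify the constructed samples; same result shape as scan_tree()."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{verdict:8} {name}")
```

Point `scan_tree()` at the root of the copied files and sort the output by verdict. Anything marked "intact" is worth keeping before the wipe and reload; "suspect" with a known extension is the clearest sign the file was overwritten; "suspect" on an unknown extension needs a manual look, since a video or archive will trip the entropy check on its own.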

This stuff is nasty. Anything attached to the infected computer gets encrypted - thumb drives, external usb drives, even mapped network drives on a NAS, etc. So you can imagine how crippling this becomes in an enterprise environment where users all share data on a centralized server.

 

Likewise, for home users it's the type of data that gets ransomed which ensures prompt payment: large picture collections, music, movies, documents, etc.

