The FBI locked your computer? Watch out for new spins on ransomware

The FBI locks your computer. Can they do that? Or is it fake? How does one know? Michael Kassner asks an expert for help with the latest forms of ransomware.

My ability to predict the future is dismal at best, so I figured I was sounding the death knell for ransomware when I apprehensively made this claim in my post, "Ransomware: Extortion via the Internet":

Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.

Well, in irony Shakespeare would love, it seems I'm wrong, and my prediction is coming true.

Ransomware?

For those not familiar with ransomware, the post referenced above describes it, but since it was written in 2010, it is now woefully out of date. Ransomware has come a long way since then. Here's the current Wikipedia definition:

Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed.

Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

What I meant by "coming a long way" is the increased deviousness of the ransomware developers. From 2009 through 2010, ransomware primarily encrypted data files, preventing users from accessing them. That didn't work very well; computers were still operational, allowing users to seek and destroy the malware.

So, the bad guys decided to lock the computer -- still no go; users opted to rebuild. Next step, have ransomware pretend to be an antivirus product asking to remove insidious malware. Nope, didn't fool enough people.

The bad guys decided to go back to locking the screen, but with a twist. They planted a pornographic image on the frozen screen hoping to shame the user into sending money. This approach was successful, particularly if the computer happened to be at work.

The current flavor du jour is trying to scare the user by planting a screen similar to the one shown above (courtesy of Symantec). Time will tell the effectiveness of this newest approach.

Payment methods

How the bad guys were paid was a weak link. Using SMS or phone-based payment offered some chance of following the money trail and a chance to collar the crooks. So the ransomware community was ecstatic when prepaid electronic payment systems such as MoneyPak came into play. That type of service pretty much eliminated any chance of finding who was behind the scam.

Avoid ransomware

I've been asked to comment on how to avoid ransomware. Oddly enough there is nothing special required. Ransomware is the payload. How it gets installed on the computer is up to the developer and the malware distribution network hired by the developer. Yep, middlemen have made themselves invaluable even in the digital underground.

There already exists a humongous amount of information on how to protect one's computer from malware. I've used millions of electrons discussing it myself. So, I'd like to use this week's allotment for a better purpose. Not much is written on what to do if your computer is held hostage. And that's where I'd like to focus.

To that end, I contacted my friend and award-winning security pundit Brian Krebs. I can't think of anyone who has a better handle on ransomware and what to do when confronted with it.

Kassner: Brian, ransomware like the kind using the screen above looks quite convincing. What separates ransomware from other malware?

Krebs: Ransomware quite simply is malicious software that tries to extort money from victims by holding their computers and/or personal files hostage until payment is made.

Kassner: I've read your essays about the current best-seller ransomware, Reveton (Ransomlock). Please describe what one would encounter if their computer were infected with Reveton.

Krebs: The portion of the attack that's visible to the victim starts with a message that takes over the screen and disables key press combinations that would normally minimize windows, including Ctrl-Alt-Del. The message usually spoofs the victim's national law enforcement authority (if the victim is at a US Internet address it will show a warning made to look like it was issued by the FBI), warning that the user's computer has pirated software/movies (or in some cases child pornography) and that this is a violation of the law punishable by jail time.

The message states that users can avoid this trouble if they choose to pay a fine, which is usually a few hundred dollars. The victims are instructed to pay for a Ukash or MoneyPak voucher -- essentially a prepaid card -- and to transmit the code that allows one to redeem the funds on that voucher.

Kassner: There is significant information explaining how to avoid ransomware. But not much on what to do if a person is caught by ransomware. What advice would you give someone in the grip of ransomware?

Krebs: The trick is not to panic. The attackers want to frighten victims into paying right away, but that's almost always the wrong choice. I have seen some ransomware attacks fail when the computer is simply rebooted. Most ransomware malware, however, won't be affected by this, and may even then create a user account on the system and then hide or remove all other accounts, forcing the victim to log in using the newly created, hijacked account. Some ransomware even disables safe mode and other fallback and rescue options.

Unplugging the system and restarting should be a first step. Download some removal tools to a removable drive or CD-ROM from another computer (Malwarebytes is a good one to start with). Scanning with some tools available on specialized "Live CDs" such as distributions from Dr. Web or Kaspersky specially made for removing ransomware is another option. Frankly, just searching online for tips on removing ransomware produces some fairly exhaustive tutorials on how to regain access to your system.

Kassner: Brian, you're always one of the first to raise the alarm when a new chunk of malware appears. What do you see as the next step in ransomware?

Krebs: More threats that actually encrypt files with strong encryption. Strangely, with many of the ransomware attacks, the user's files are not encrypted. But I would expect this to change, and we will see file-encrypting ransomware attacks become far more common. What's more, there is nothing to stop the crooks from scanning for removable and network drives to encrypt as well, which could present major nightmares for businesses.

And there's no guarantee even a business that pays the ransom will get their files back. There was a terrifying story in September about an Australian company that had all of its files encrypted by ransomware, and their business ground to a halt. They ended up paying the ransom, but the thieves simply took the money and vanished, leaving the victim firm with files they couldn't use.
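The interview above lists several things a screen locker does to a Windows PC: it creates a hijacked account and hides the real ones, disables Safe Mode, and swallows the Ctrl-Alt-Del key combinations. The following read-only PowerShell triage script is an added example (not from the article and not Brian's code) that checks a recovered machine for exactly those symptoms, plus the Winlogon Shell/Userinit values, which are standard persistence points to inspect and are my own addition beyond what the interview mentions. It assumes an elevated prompt on Windows 10 or later (PowerShell 5.1 for Get-LocalUser) and changes nothing on the system.

```powershell
# Added example, not from the article: read-only triage for a Windows PC that
# showed a lock-screen ransomware message. Run in an elevated PowerShell
# (Windows 10+/PowerShell 5.1 assumed for Get-LocalUser). Reports only.

function Invoke-LockerTriage {
    $findings = @()

    # 1. Accounts hidden from the Welcome screen. A value of 0 under
    #    SpecialAccounts\UserList hides that account name at logon, which is
    #    how a planted account can become the only one the victim sees.
    $hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $hideKey) {
        $item = Get-Item $hideKey
        foreach ($name in $item.GetValueNames()) {
            if ($item.GetValue($name) -eq 0) {
                $findings += "Account hidden from logon screen: $name"
            }
        }
    }

    # 2. Enabled local accounts, so an unexpected new one stands out.
    foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
        $findings += "Enabled local account: $($u.Name) (last logon: $($u.LastLogon))"
    }

    # 3. Safe Mode depends on these two keys; if either is gone, Safe Mode
    #    (and Safe Mode with Networking) will not boot.
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub")) {
            $findings += "SafeBoot\$sub key missing: Safe Mode ($sub) will not boot"
        }
    }

    # 4. Policies that remove Task Manager and the other Ctrl-Alt-Del options,
    #    which is how a locker keeps its window on top.
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        if (Test-Path $pol) {
            $p = Get-ItemProperty -Path $pol
            foreach ($n in 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword') {
                if ($p.$n -eq 1) { $findings += "$hive policy set: $n = 1" }
            }
        }
    }

    # 5. Winlogon Shell/Userinit: standard persistence points. Assumption: the
    #    expected values below are the stock Windows defaults.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$($wl.Shell)' (expected explorer.exe)"
    }
    if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        $findings += "Winlogon Userinit is '$($wl.Userinit)' (expected C:\Windows\system32\userinit.exe,)"
    }

    return $findings
}

Invoke-LockerTriage | ForEach-Object { Write-Output $_ }
```

The "enabled local account" lines are informational; compare them against the accounts you expect on that machine rather than treating every entry as a finding.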

Final thoughts

There you have it. Ransomware works and is an effective moneymaker for the digital underground. So don't expect it to go away any time soon. Fortunately, ransomware is not forcing us to do anything other than what's required to protect ourselves from other types of malware.

Some more irony -- the cost of getting caught by ransomware might be the incentive needed to get more people to secure their computers.

I would like to thank Brian for his diligence in spreading the word about ransomware.

90 comments
magnum sharp is

What if a picture of you was taken and the locked screen said it will be added to the investigation??

cadams

What Windows vulnerability does the malware take advantage of? Where did the malware come from? A website? A download from a website? A compromised link? Are there any specific actions that can be done to prevent this?

wyattharris

Just serviced another PC with MoneyPak, only now it doesn't just show the lock picture, static or a webcam pic but an actual instance of child porn! Despicable. This time they aren't asking for $200 but instead it's $4.95 and a subscription service. I fear that with the lowered price more people may actually bite on this one. Safe mode used to work but now both safe mode and 'command prompt only' are being locked. I found "Kaspersky's Windows Unlocker" (easy to find) software which works well so far. It can be loaded on a CD or thumb drive. One thing I'm concerned about. This actually put an instance of child porn on the PC. I cleaned it and have my records of the service call. Is there anything else I should do on my client's behalf? I know there are practices the local university goes through in such a case but I don't know the specifics.

drp6149

About a month ago I got hit with the FBI ransom malware. I turned off the computer immediately and used my laptop to research what to do -- one suggestion was to do a safe mode boot and run the antivirus, but when I tried it, it immediately went back to the ransom screen from safe mode -- I tried several other suggestions that didn't work. Then I found one that did: if you get hit with it, immediately shut down the computer and note the time, then boot to command prompt only, go to C:\Program files\Prefetch, run dir and notice the time stamp on the files, delete the one or more that have a time stamp of the time you were hit, then exit the command prompt, reboot to safe mode and run your antivirus. I ran Avast, then Malwarebytes and then AML Registry Cleaner and I had a clean desktop. I also went back to the command prompt and ran sfc /scannow and it fixed 18 corrupted files. It ran pretty well after that, but a couple of installed programs kept freezing up, so I finally reinstalled a hard drive image made about 6 months ago.

yooper

I set up a limited account on my Win7 machine and if there are sites such as crazy pic of the day, etc., I use it for that purpose. Sure enough, a classic ransomware trojan downloaded and locked me out. All I did was totally delete the account, being that it was a throwaway account to begin with, problem solved. Now, I just use my Linux box to do the same and chuckle a bit thinking how the virus must be confused being that there's no C:\ drive.

RobertMoore12

I have a friend that got this virus and even a format and reload did not get rid of it. I have flashed the BIOS and formatted and reloaded but it keeps coming back. Next step is to Zero the drive and then rebuild. He had no files on it anyway after the first time. It has come back 3 times on this computer.

Dyalect

How people still fall for this nonsense is beyond me. Install your MSE, run with limited access, Firefox instead of IE and you should be good to go. We rarely get any malware attacks in the office and when we do it is users farting around. Surf at home on your own time! When your machine gets blown up, it's legit ransomware time. (geek squad)

trog7

I recently had to clear one of these ransomware horrors from a friend's computer. What a clever piece of work it was - this newer version even activated his camera and placed a mug-shot of him in the middle of the locked screen! You could NOT just start up in normal safe mode, only Safe Mode with Command Prompt. From there I was able to upload a heap of anti-virus, malware and trojan killer software tools from a USB [used about 20 different ones]. It took a few days to remove the actual infection, as it gets into the ports, the browsers, and even the boot sectors of the HDD. After I got the computer back to functioning, I was then able to do a Restore from about a week prior to the attack, then ran a registry cleaner to clean out a load of dross. About 5 years ago I had an experience with an exceptionally nasty trojan which even passworded the hard drive - lucky I did have a bootable recovery CD which just happened to have a hard drive bootup password remover app - the passcode that virus placed on the drive was over 40 characters long [ERD was not able to access the HDD until I was able to remove the password]. That particular virus was an exceptionally difficult beast to get rid of, as it actually infected ALL the restore points in the recovery as well as nearly every executable file on the computer!

donaldfiander

The first time I saw the exact image posted across somebody's screen, I knew it was trouble. Problem was I had Malwarebytes installed on the PC and couldn't get to it.

AmishCake

On my husband's computer when he visited a dicey site (cough) by signing in as another user and deleting his profile. It was gone.

wizardjr

I visited a site not on the 'safe' list of my browser and got hit with this crap. There are online aids and how-to's for cleaning this off your machine. I was running AVG and Threatfire at the time and it still loaded and executed. I believe the package was delivered in a flash movie but could have come from the web page that embedded the flash. Either way I was lucky I had other boxes to search the net for solutions. IMAO, I think when these people are found they should be summarily executed - but slowly. Their screams of agony would be music to the ears of millions of victims around the world.

cybershooters

Having dealt with police agencies on the IT side, I can guarantee you they aren't going to post any kind of warning on your computer! First you're likely to know of it is when they show up with handcuffs.

petrus.1928

The best way to stay safe from these and other threats is to only surf the internet by way of a live Linux CD coupled with persistent settings on a dedicated memory stick. Puppy Linux is my live distro of choice. No purveyor of malware can drop a nasty payload to my CD, nor to my hard drive because it's not mounted. Another way is to have a mirror image of one's hard drive on an external drive. There are plenty of freeware programs which, by way of a live CD, can overwrite a corrupted drive with one's mirror image. I live a totally safe online life. Nuff said?

tom_housden2k8

I (almost) use Safe Mode to disinfect malware. Do the criminals know about this?

fixmypcmike

Restarting the PC in safe mode (with or without networking), going to C:\Users\(UserName)\AppData\Local\Temp and deleting as many files as the computer will let you. Then, type "msconfig" in the "Run" box under the start menu. Click the "startup" tab and unselect everything that's checked in the check boxes. Afterwards, run your virus software (if it'll run in safe mode). Don't forget to run Malwarebytes after normally restarting.

SgtPappy

I really hate to say this but I don't feel one bit sorry for anyone who falls for this crap and pays the money. After all the stuff you hear about in the news about things like this happening you would think people would finally get it. It makes me lose confidence in the human race.

Michael Kassner

I would not have enough space to list all of the possible options available to the bad guys. It is not the attack vector that is important. What is important is how one responds to the malware. That is what I was trying to get across.

JCitizen

Thanks for bringing that out Wyatt - that is a worry for my clients!! Yuk! X-( It seems IT techs will have to be part lawyer too! :O

JCitizen

You run as administrator all the time? For the future, burn an ISO of Kaspersky's Rescue Disk 10. It will automatically update and write the new files to your hard drive; so no worries about it becoming obsolete. This is a bootable disk, so it runs in the Pre-Post Environment (PE), before the bug can gain control. Run it in graphical mode. There's a video on RM (Remove Malware) dot com if you want some preliminary tips on running this venerable utility. It is pretty simple and easy to remember once you see the steps. This is not my web site, I am not a shill - this is all free - I just hate malware intensely, and will do anything to help folks with their PC security problems.

JCitizen

There was probably no damage at all, just do a forced shutdown, and run CCleaner in safe mode - this only works if the attack happened on a limited account of course. I believe Piriform now has a paid version of CCleaner that will clean all the accounts on a Windows PC. Haven't looked at it yet, though. In that case, my theory is that you could boot to the admin account in normal mode and run that version of CCleaner from there. If any of your vulnerable applications or the operating system were not fully updated, all bets are off on that, though.

JCitizen

Like a SATA drive, be sure and use the factory diagnostic disk - it will ignore sectors/clusters marked damaged by the malware, and zero fill them anyway. Also don't forget to flash the firmware on the drive controllers if they have one. (HDD/DVD) I don't know why, but I haven't had much luck with Darik's Boot and Nuke. Of course I always try Kaspersky's or Avast's rescue DVD first.

Deadly Ernest

Happens if you load a copy of Linux or Unix on it instead?

JCitizen

I run IE8 to 9 on my honeypot lab, and on a fully updated Windows machine, I'm always surprised at how many even zero-day threats are stopped by the various protections included in Internet Explorer - it has become a hassle to test security software now, because 85% of either the files or sites are blocked by one or the other processes/filters of the IE browser. In fact I found a tip on Remove Malware(dot)com that suggested using junk email accounts full of spam for loading more effective threats!

Deadly Ernest

We have MSIE 9 at the FHC and the safe list Microsoft has there often gives useless false negatives, to such an extent that we, like many others, ignore it as it just gets in the way telling us our own in-house sites aren't safe because they no longer pay the MS Danegeld for certification. The sites aren't on the Firefox alert list, or any other I can check.

Michael Kassner

100 percent safe is a goal; I have been around long enough to realize it is just a goal, never attainable.

merelyjim

The FBI trojan locks both Safe and Normal...

JCitizen

Maybe someone can explain why running as a restricted user would let this trojan take over. My clients know better than to click on anything like this or even smelling like a fake alert. Most of them would do a force shutdown, and reboot to safemode and run CCleaner - VOILA! No more scamware! Somebody tell me I'm wrong?!

merelyjim

Can't post link here, but just google it. Makes a bootable flash-drive or CD with MS Security Essentials on it (or close enough)... Takes about 20 minutes for the Quick Scan. Run Malwarebytes to get rid of the rest.

Deadly Ernest

site, yet - note the yet as I'm sure I'll get a case like that soon.

trog7

The most recent version - you CAN'T just start in safe mode. You can only use Safe Mode with Command Prompt, then use Windows Key + E to open Explorer, then plug in a USB with some "stand alone" and portable antivirus, anti-malware and trojan killers - copy them all to the HDD and try to run them from there. Your installed antivirus will be useless until this gremlin is killed. I just had to remove one of these nasties about 6 weeks ago from a friend's computer - had to battle it for a couple of days - not a simple fly-swatter job. Deleting certain folders and/or files can also be locked out as you may find your ADMIN privileges are revoked - you may be able to install IOBits Windows Unlocker ... MajorGeeks site is a good resource to locate a load of tools and virus killers etc.

wyattharris

Here's the current situation. I was actually intercepted before cleaning the virus and told by the company's legal counsel to isolate the hard drive (remove it) and send it to them. I am not a lawyer so I may not fully understand what he was telling me but apparently there is a safe harbor period in which an incident needs to be reported. I'm still waiting for further instructions from the local authorities and I'll relay that once I'm told what to do. Tip: Before powering up the PC I unplugged the network connection. In this instance of the virus, it did not load and I had full control of the PC. I needed to verify that it was indeed infected so I plugged the network back in and within a minute the virus loaded and locked the screen. You may be able to try that if it's being stubborn.

pgit

It's failed to completely load for me lately. Are you getting a delay on seeking a floppy drive? I try the nofd option and it still looks for one, then fails.

trog7

Some manufactured CDs/DVDs have rootkits [especially SONY]. Some have been found to have malware and trojans. Don't share USBs or other disk drives etc. with friends for the same reason.

JCitizen

If you're careless enough to run as administrator, or if you don't lock the hidden administrator down. I do that for all my clients. Of course on anything higher than Home versions, that Administrator is disabled; but I still give it a password before disabling it, on all versions. (edited) - I've had malware try to log into this hidden account while I'm surfing on my honeypot PC - even as a limited user they can attempt to do this.

trog7

You don't necessarily need to visit disreputable sites only to get these infections. Many web pages may get hacked, and can simply radiate an attachment as you land on them! Facebook and some of the other social networks can also get hacked, and of course the P2P downloaders are a good source of unfriendlies at times. A good protective help is to install PeerBlock, as it monitors all the open ports ... - In case you don't realise, when you connect to the internet you actually have 65,000 ports open, and most of us will only use about 5 or 6 of these commonly for browsing and email - the rest are sitting there with an open window to the world!

wyattharris

Update on this issue. I haven't responded until now because it took a very long time to get a definitive answer. Even then, I can't say much because I've been told not to. All I will say is that law enforcement is not ignorant of this virus. It's sort of a "no-harm" "no-foul" situation. There is a responsibility on our end to document everything but beyond that talk to your local authorities or a lawyer, I can't give any specific advice. Sorry about that.

JCitizen

I have the freedom to tell my clients you either do it my way or the highway. I just won't support them if they refuse to do the minimum in security, and then wonder why they have to call for help all the time. Fortunately, simply locking down the Windows system and using the built-in features of computing security go a long way in protecting them as it is. That is my bare minimum if they want me to continue to support them. I only have one client left that still won't listen to me, but she's over 70 years old and indigent, so I still string along and make the best of it. Fortunately she is slowly taking my advice one baby step at a time.

pgit

I wish I could operate under a single policy on such matters. I try, but I have had a few folks balk at the thought of opening up their systems to any 3rd parties, 'authorities' included. Somewhere along the line I started telling clients that if they didn't follow my recommendations then they were de facto absolving me of any liability. They all accept that without batting an eye; businesses themselves play hardball with the idea of liability/responsibility. I should have included a hold harmless from day one, e.g. my liability ends when... (don't follow my recommendations, don't contract me to do all the work I propose etc.)

JCitizen

So ANY incident no matter how small was immediately reported to the local manager for that area, and the police. You can never go wrong instantly reporting anything like this to the authorities. I can at least attest to that in my former organization.

pgit

Man, I would be totally incapable of putting that thing back on the network. I've seen too many network aware viri and such that didn't take very long to discover other machines and begin working them over. There's some work I'd just rather not do. Cleaning up malware tops that list.

pgit

I hadn't thought of the SATA implications. Something to look into next time it fails. I'm with you on saving disks. I inherited a ton of "dead" drives in the 3-25GB range that have been clicking away in smoothwalls for years now.

JCitizen

The problem seems to be that the only method available for SATA drives is just not effective - despite re-flashing the firmware on the drive controller. The manufacturer's diagnostic program is better at taking control of the drive geometry and nuking all sectors that are marked as bad, as they actually have to have damage for the program to ignore them. This defeats the malware's obfuscation technique - that's my theory, and I'm sticking to it! :) I've had so much success in using this that it is hard to believe anything else is possible. I don't know how many drives I've saved that folks had written off, and were ready to throw in the trash. One of my clients, whose drive's SMART and diagnostics reported imminent failure (fixed), is still in use today after three years of operation - malware free, I might add, as they listen to me now on security practices and solutions. Sorry it took so long to answer - it seems TR is having alert problems, and I just now got mine.

JCitizen

As long as you're sure the PC that you are burning it on is clean, and you do a hash checksum on the file, that is pretty minimal. I actually buy my discs from On-Disc.com for a nominal S&H fee. This helps fund the open source community, and ensures your disc is clean.