Hey Michael, I'm planning on giving a "Malware: What is it and how to remove it" presentation for our company. I just added the same screen shots on ransomware (from a different source) today. I think one of the key things is to have good backups; then, if worst comes to worst, you can restore and be back up in operation.
Just as long as you get rid of the malware. Not sure if you looked at the Symantec report. It is full of decent information.
Windows SteadyState runs on WinXP and is free. I don't know if it runs on Win7/8. One can also use DeepFreeze. I mean these will defeat all viruses and malware, and I have often wondered how these products did not cripple the AV industry and render them almost irrelevant. It seems like they were never widely adopted. But that is the prevention side of it. And then to defeat the infected, one could possibly use ERD Commander. Many years ago I contemplated creating a network which could not be infected. It seemed possible, but at the time the features and resources did not exist. Today one company has already built one part. I am shocked and amazed and disappointed that it was not my company. That it was even possible was a joke with my friends. And part of it involved creating a complete mirrored virtual network. Users would work on the virtual network, with something like DeepFreeze and IDS/IPS, and then only secure scanned files could be saved to the physical network. There are a few more pieces to it, but too much to detail here. I hope if someone beats me to the whole deal, they will invite me to work for the company :)
I am old enough not to use words like "all" or "never". Right now there is enough low-hanging fruit for the bad guys. So "why bother with those putting up defenses" is more accurate, I am afraid.
The government can be darned serious about things, but no way would they use exclamation marks like you see in the graphics.
In fact the whole premise is wrong. You broke a law but they'll let you pick up where you left off by paying 200 bucks? Not likely. They also wouldn't lock your computer, they'd pay you a visit, and confiscate the machine as evidence.
Not that a victim would think of any of that when faced with such a situation. The best we can do is try to make everyone aware of this vector and to take a deep breath and think rationally in the event they're faced with something like this.
Alternately, Michael could just post an article predicting the end of all malware, and an enveloping outbreak of world peace while we're at it.
Your powers of observation serve you well. I wish my predictive powers were as good.
There's always a typo or something like that in these messages that show them to be fake, but people like us who notice them wouldn't be stupid enough to be taken in by them in the first place.
If someone with some common sense read the message above, he/she should notice the indistinctness. Regardless of what name is given to such an app, treat it just like any other malware or virus. In other words, keep your machine secure following the necessary standard.
Unless I missed the point, to me as a 'dumb' end user, it IS just another piece of malware that I am stopping from getting into my computer by keeping my computer up to date, using a proper antivirus app, not clicking on an email link just 'cause it says so :P... etc.
I do not wish to repeat the list of recommended methods to stay safe online (discussed by security pundits around the world), but you get the point...
If you look at the Symantec report:
"This particular variant charges $200. Over a period of approximately one month of activity, from September to early October, 68,000 unique infected IP addresses were identified connecting to the C&C server."
68,000 times $200 is not bad, and that was just one month, and one server.
It got by my Norton antivirus software, so don't be so dismissive of those attacked in this way.
And people say human beings are no longer subject to natural selection. It's just been moved up to intellectual selection.
In my last article about computer viruses and biological viruses, how life forms evolved was an interesting topic of discussion.
be an issue as the user accounts should all be on the server, not the individual PC. Get hit at work, call IT and move to a vacant desk to log on and go back to work - that's if it gets through the gateway.
Read the link that Brian mentioned in his comment. And the newer versions are looking for network and external drives.
only connected for the short time it takes to do the backup, not permanently connected. Any system on the network can be damaged either via a virus or power in various circumstances; that's why backup copies are kept on unconnected systems or drives or tapes etc.
Yet, it would not take much for the malware to remain silent until an external drive is attached -- then activate.
helps to follow the backup rule of "back up each day to a different tape and keep the last week of backups"; that way you only lose one day's work, maybe two if it hides out.
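The backup posts above (keep the drive attached only while the backup runs; rotate tapes daily and keep a week; the malware may wait for the external drive and hide for a day or two) all come down to one question once the lock screen appears: which backup is still clean. Added example in Python, not code from any commenter; the dates and the "detected on" day are constructed. It keeps the weekly rotation and picks the newest backup older than the malware's possible dwell time, returning None when the rotation is shorter than that dwell, which is the case where the "keep a week" rule silently stops protecting you.

```python
"""Backup rotation bookkeeping for the "one tape per day, keep the last week"
rule, extended with the case raised above: ransomware that stays silent for a
day or two, so the newest backups may already carry it.
Added example, not from the thread; the dates are constructed."""
from datetime import date, timedelta

SAMPLE_DETECTED = date(2012, 10, 10)   # constructed: day the lock screen appeared


def sample_backups():
    """Constructed: one backup per day for 1-10 October 2012."""
    return [date(2012, 10, 1) + timedelta(days=i) for i in range(10)]


def retained(backup_dates, keep_days=7, today=None):
    """Backups a daily rotation still holds: today and the keep_days-1 days before."""
    today = today or max(backup_dates)
    cutoff = today - timedelta(days=keep_days - 1)
    return sorted(d for d in backup_dates if cutoff <= d <= today)


def choose_restore_point(backup_dates, detected_on, dwell_days=0):
    """Newest backup taken before the malware could have been on the machine.

    dwell_days is how long the infection may have sat silent before it was
    noticed; every backup inside that window is treated as tainted (it may hold
    the dormant payload or files it already touched). Returns None when nothing
    in the rotation predates the window, i.e. the rotation is too short.
    """
    earliest_possible_infection = detected_on - timedelta(days=dwell_days)
    clean = [d for d in backup_dates if d < earliest_possible_infection]
    return max(clean) if clean else None


def work_lost_days(restore_point, detected_on):
    """Days of work that have to be redone after restoring from restore_point."""
    return (detected_on - restore_point).days


if __name__ == "__main__":
    rotation = retained(sample_backups(), keep_days=7)
    for dwell in (0, 1, 2, 8):
        rp = choose_restore_point(rotation, SAMPLE_DETECTED, dwell)
        if rp is None:
            print(f"hid {dwell} day(s): no clean backup left in a 7-day rotation")
        else:
            lost = work_lost_days(rp, SAMPLE_DETECTED)
            print(f"hid {dwell} day(s): restore {rp}, redo {lost} day(s) of work")
```

With a seven-tape rotation the script reports one lost day for a locker that fires immediately, two or three for one that hid for a day or two, and no usable backup at all for one that hid longer than a week; if that last case matters to you, the fix is a longer rotation (a weekly or monthly set kept off the network), not a faster scanner.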
The real problem is that you are diligent and a vast majority of users just want to do their thing and not be bothered by all this silly stuff.
You suggest user profiles shouldn't be on the computer; that is not a good solution.
Roaming profiles cause more problems than they are worth. I guess you have had minimum exposure to this
managed through an appropriate server, thus it didn't matter what system you were at within the organisation you could log on and do your work. To have every possible user within a section having a logon ID on each computer in the section would require up to 20 to 30 accounts on 20 to 30 systems, not a smart way to do business. And it's all behind the secured gateway, heck most didn't have Internet access as it wasn't needed to do day to day work.
I've worked on facilities where we had over a thousand people working on over a thousand systems in about thirty buildings on the land we used. By having us all log in via the server we could use any computer in any of the buildings.
Most places where I've worked the term 'roaming profile' had been reserved for logging in via a VPN from out in the Internet somewhere. Such access was extremely limited as very few needed access to the corporate network from outside the corporate facilities. This did make running the gateways a lot easier.
At home, on my system, where my son and I are the only ones who use it, it's easy for us each to have our own account.
Most places I've worked on had the VPN connections handled through the gateway/router/switch so Users only had to manually connect when they're out of office.
Though VPNs are more secure because they're encrypted, hackers will find a way to defeat that encryption, like they say, when you build better security, you make a better hacker.
AD is nice as a convenience, but shouldn't be implemented just out of a concern for security. I've seen Malware infect a user's profile so it got transferred to each and every computer they logged in with.
For some smaller business networks (10 nodes) I don't see the value in forcing my clients to buy an expensive server capable of AD.
sit at the one desk and the one computer, no matter what, so a server isn't needed anyway.
I have worked in some high security locations where there is NO gateway as there is NO Internet access at all, no Wi-Fi, and no laptops or portable devices allowed into the facility. Only the one computer has anti-virus, the one at the security gate used to check all software or electronic data storage items being brought into or leaving the facility. Once a month they conduct a full sweep and check of the whole building and AV check all systems. The only finds they had were in the first year, before they instituted the no-storage-in-or-out-without-checking rule.
It all just shows you need to massage the security to suit the work environment.
the FBI can't touch us, their laws don't apply outside the USA.
It's kinda like those emails I keep getting telling me about my UPS package - the only UPS around here is an Uninterrupted Power Supply - and I didn't order one.
The bad guys alter the ransomware to reflect the country they are working in -- Australia for example:
https://www.staysmartonline.gov.au/alert_service/advisories/cert_australia_warns_of_ransomware_campaign_targeting_australian_organisations
justify my standard procedure of disabling that on all my client's systems. If they EVER need to give MS remote access, they can get me out to turn it on for them and I won't charge for it. In all the years I've been doing this I've not had a client need to use it.
think what the enemy can do and then do what you can to negate those options, you may not stop them all, but you do limit what their options are.
Was so wildly successful in AU.
I know I got several people calling me telling me that some friends of mine had told them that my computers were infected, yada yada yada, and when pushed they simply hung up and ran for cover.
The Feds here claimed that about 50% of all Australians had got a call like this and the vast majority were willing to pay the money, let the caller remote in and infect their Windows computers, and still think that they had been saved.
Col
and keep them on the phone for ages as they try to understand what I'm saying in reply. My son loves stirring them with Japanese.
I've started using these calls as stress relief. Abuse them roundly then hang up. Makes me feel better.
I initially thought I was being a bit harsh, but they're ringing me at my home and lying to me in order to steal from me, so now I have no qualms.
It has NOTHING to do with any government department or country's police!
It preys on your IP address, and modifies the screen pictures to suit the country codes.
FBI or CIA in the US. - and also State specific police logos have been seen.
Scotland Yard for the UK,
Gendarmerie Central for France.
Australian Federal Police in Australia ..., and so on
This is NOT specific to just USA!
READ the text don't skim the titles!
Your computer becomes completely LOCKED.
You can't do any recovery until the Virus is removed.
Look up UKASH Ransomware virus or Trojan .
These scumbags have got smart - they demand anything from $100 to over $200 [or the equivalent in whichever country's currency] to be sent to a UKASH link which can be cashed at any ATM which allows UKASH numbers - almost untraceable --- BUT you still do not get your computer unlocked, you've just thrown the money away, and possibly given your email and banking details to the crooks!
idiots who the FBI have no jurisdiction over will still think this is valid, despite being outside the USA
This made the rounds at one company I do work for. About 3 people got it and it was cleaned fairly easily. Fortunately, each user realized right away that it was bogus and came running to me. I mean really, child pornography and you think the FBI would just send out a $200 citation?
Anyway, the version I encountered had this little box that was all static with a caption reading "Photo of the person in question." The funny thing is that if you have an active webcam setup it would take control and snap a picture of whoever was sitting there. So we had this great mugshot of one girl with a deer-in-the-headlights look. Of course everyone in the office hassled her that day.
I have not heard about using the computer's web cam until you mentioned it.
That one is so common and been around for so long I thought that everyone knew about it.
It really helps the Nasties scare the end users if they think that there is a photo of them being collected.
Col
Just encountered this little gem for the first time today. I eat viruses for breakfast so it was little more than an annoyance, however, I followed up with a visit to fbi.gov which directed me to ic3. Their advice: "If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.
It is suggested that you:
File a complaint at www.IC3.gov.
Seek out a local computer expert to assist with removing the malware."
Seriously? This has been circulating and infecting for over two years and this is the best the FBI has to offer? I shudder to think that these are the people we trust to protect us.
that the FBI has to work under (US Constitution), what do you expect from them? Do you want them to have blanket access to every ISP's database so they can track your every move? Since a lot of malware relies on zombie computers distributing the infection world wide, what is the FBI going to do? Are they supposed to go to Russia or China and arrest the 17 year old programmer responsible for writing the code? I think the foreign country would have something to say about that. The key here is people need to stop clicking on every link they get in an email, stop using P2P networks, don't send out Holiday e-cards, and when something bad does happen, call their friendly IT guy.
I guess I shouldn't complain too much after all, it is job security...;). Click away all you zombies!
One scheme which wasn't discussed was one in which the hard drive is said to be locked. When looking into the problem, I found that drives could be locked with a password to "protect" the system if it was stolen. This was a Dell computer from memory, and the recovery files were overwritten, resulting in this message that your drive is locked. I googled for information on this and found a program that would "unlock" it for me, and it cost $15 for a 120 GB drive. I declined to be blackmailed, and was lucky enough to have a full backup and installed another drive. The system's owner insisted on using Incredimail on this computer, much against my advice, and this was the source of her mail spam, of which 25% was spam. The filter she paid for didn't help her much. It came from the same crowd who are suspected of funneling spam her way after stripping the addresses from her Incredimail program. Even after advising her of the problem she insisted on using her old email address. I spent an incredible 4 weeks on and off before I finally cracked and told her to go away. The drive is still locked and I would appreciate some help with this.
that's how I read all my mail, even the Gmail and Ymail accounts - it gives me a local trainable filter system as well.
I really hate to say this but I don't feel one bit sorry for anyone who falls for this crap and pays the money. After all the stuff you hear about in the news about things like this happening, you would think people would finally get it. It makes me lose confidence in the human race.
Restarting the PC in safe mode (with or without networking), going to
C:\Users\(UserName)\AppData\Local\Temp
and deleting as many files as the computer will let you.
Then, type "msconfig" in the "Run" box under the start menu. Click the "Startup" tab and unselect everything that's checked in the check boxes. Afterwards, run your virus software (if it'll run in safe mode). Don't forget to run Malwarebytes after normally restarting.
the most recent version - you CAN'T just start in safe mode. You can only use safe mode with command prompt, then use Windows Key + E to open explorer, then plug in a USB with some "stand alone" and Portable antivirus, and Anti malware and Trojan killers - copy them all to the HDD and try to run them from there.
Your installed Antivirus will be useless until this gremlin is killed.
I just had to remove one of these nasties about 6 weeks ago from a friends computer - had to battle it for a couple of days - not a simple fly-swatter job.
Deleting certain folders and or files can also be locked out as you may find your ADMIN privileges are revoked - you may be able to install IOBits Windows Unlocker ...
MajorGeeks site is a good resource to locate a load of tools and virus killers etc..
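The two clean-up posts above (empty AppData\Local\Temp and untick everything on the msconfig Startup tab; or boot to safe mode with command prompt and run portable scanners off a USB stick) both come down to finding what the locker registered to relaunch itself. Added example, not code from any commenter: a Python script that reads a `reg export` dump of the Run/RunOnce keys and flags entries launching from a Temp directory, sitting directly in an AppData root, using a Windows system binary's name outside the Windows directory, or pointing at a file without a program extension. The .reg text is a constructed sample, not from any real machine; on a real box export the keys and open the file with encoding='utf-16', since `reg export` writes UTF-16.

```python
r"""Audit Windows Run/RunOnce autostart entries from a 'reg export' dump.
Added example, not from the thread. SAMPLE_REG is constructed. On a real machine:
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
and feed audit(open('run.reg', encoding='utf-16').read())."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\Users\\alice\\AppData\\Local\\Temp\\ctfmon.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\skype.dat\""
"Teams"="C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe --system-initiated"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mse"="%TEMP%\\mse_removal.exe /quiet"
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; .reg escapes backslashes as \\ and quotes as \"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# first token of the command: a quoted path, or an unquoted one up to its extension
EXE_TOKEN = re.compile(
    r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|dll|dat|tmp|bin)\b))',
    re.IGNORECASE)

SCRATCH_DIRS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\', '\\users\\public\\',
                '\\temp\\', '\\tmp\\', '%temp%', '%tmp%')
PROGRAM_EXTS = ('.exe', '.com', '.scr', '.bat', '.cmd', '.vbs', '.js')
# names that belong under \Windows and nowhere else
SYSTEM_NAMES = {'ctfmon.exe', 'svchost.exe', 'explorer.exe', 'csrss.exe',
                'lsass.exe', 'winlogon.exe', 'rundll32.exe'}


def unescape(value):
    # undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg(text):
    """Yield (key, value_name, command) for every string value in the dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip().lstrip('\ufeff')   # drop a UTF-16 BOM if one leaked through
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_of(command):
    """Strip arguments and quotes, leaving the path that actually gets launched."""
    m = EXE_TOKEN.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def suspicious_reasons(exe_path):
    """Heuristics for a locker's self-start entry; an empty list means nothing odd."""
    p = exe_path.lower().replace('/', '\\')
    parent, _, name = p.rpartition('\\')
    reasons = []
    hit = next((d for d in SCRATCH_DIRS if d in p), None)
    if hit:
        reasons.append('launches from scratch directory ' + hit.strip('\\'))
    if parent.endswith(('\\appdata\\roaming', '\\appdata\\local')):
        reasons.append('sits directly in an AppData root, not a vendor subfolder')
    if name in SYSTEM_NAMES and '\\windows\\' not in parent + '\\':
        reasons.append('system binary name outside the Windows directory')
    if not name.endswith(PROGRAM_EXTS):
        reasons.append('non-program extension .' + name.rpartition('.')[2])
    return reasons


def audit(reg_text):
    """Return the autostart entries worth a second look, in file order."""
    findings = []
    for key, name, command in parse_reg(reg_text):
        exe = executable_of(command)
        reasons = suspicious_reasons(exe)
        if reasons:
            findings.append({'key': key, 'value': name, 'exe': exe, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_REG):
        print(f"{f['key']}\\{f['value']}: {f['exe']}")
        for r in f['reasons']:
            print('    -', r)
```

On the constructed sample it flags the Temp-resident `ctfmon.exe` (a system binary name in the wrong place), the `.dat` file sitting loose in AppData\Roaming, and the RunOnce entry under %TEMP%, while leaving the vendor-folder OneDrive and Program Files entries alone. Run it from the portable-tools USB stick against the exported keys before unticking things blindly, so you know which entry to delete and which file in Temp is the one that matters.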
site, yet - note the yet as I'm sure I'll get a case like that soon.
You don't necessarily need to visit disreputable sites only to get these infections.
Many web pages may get hacked, and can simply radiate an attachment as you land on them!
Facebook and some of the other social networks can also get hacked, and of course the P2P downloaders are a good source of unfriendlies at times.
A good protective help is to install PeerBlock, as it monitors all the open ports ...
- In case you don't realise, when you connect to the internet you actually have 65,000 ports open, and most of us will only use about 5 or 6 of these commonly for browsing and email - the rest are sitting there with an open window to the world!
Can't post link here, but just google it.
Makes a bootable flash-drive or CD with MS Security Essentials on it (or close enough)... Takes about 20 minutes for the Quick Scan. Run Malwarebytes to get rid of the rest.
Maybe someone can explain why running as a restricted user would let this trojan take over. My clients know better than to click on anything like this or even smelling like a fake alert. Most of them would do a force shutdown, and reboot to safemode and run CCleaner - VOILA! No more scamware!
Somebody tell me I'm wrong?!