Hey Michael, I'm planning on giving a "Malware: What is it and how to remove it" presentation for our company. I just added the same screen shots on ransomware (from a different source) today. I think one of the key things is to have good backups; then, worst comes to worst, you can restore and be back up in operation.
Just as long as you get rid of the malware. Not sure if you looked at the Symantec report. It is full of decent information.
Windows SteadyState runs on WinXP and is free. I don't know if it runs on Win7/8. One can also use DeepFreeze. I mean these will defeat all viruses and malware, and I have often wondered how these products did not cripple the AV industry and render them almost irrelevant. It seems like they were never widely adopted. But that is the prevention side of it. And then to defeat the infected, one could possibly use ERD Commander. Many years ago I contemplated creating a network which could not be infected. It seemed possible, but at the time the features and resources did not exist. Today one company has already built one part. I am shocked and amazed and disappointed that it was not my company. That it was even possible was a joke with my friends. And part of it involved creating a complete mirrored virtual network. Users would work on the virtual network, with something like DeepFreeze and IDS/IPS, and then only secure scanned files could be saved to the physical network. There are a few more pieces to it, but too much to detail here. I hope if someone beats me to the whole deal, they will invite me to work for the company :)
I am old enough to not use words like "all" or "never". Right now there is enough low-hanging fruit for the bad guys. So "why bother with those putting up defenses" is more accurate, I am afraid.
The government can be darned serious about things, but no way would they use exclamation marks like you see in the graphics.
In fact the whole premise is wrong. You broke a law but they'll let you pick up where you left off by paying 200 bucks? Not likely. They also wouldn't lock your computer, they'd pay you a visit, and confiscate the machine as evidence.
Not that a victim would think of any of that when faced with such a situation. The best we can do is try to make everyone aware of this vector and to take a deep breath and think rationally in the event they're faced with something like this.
Alternately, Michael could just post an article predicting the end to all malware, and an enveloping breakout of world peace while we're at it.
Your powers of observation serve you well. I wish my predictive powers were as good.
There's always a typo or something like that in these messages that show them to be fake, but people like us who notice them wouldn't be stupid enough to be taken in by them in the first place.
If someone with some common sense read the message above, he/she should notice the indistinctness. Regardless of what name is given to such an app, treat it just like any other malware or virus. In other words, keep your machine secure following the necessary standard.
Unless I missed the point, to me as a 'dumb' end user, it IS just another malware that I am stopping from getting into my computer by keeping my computer up-to-date, using a proper antivirus app, not clicking on an email link just because it says so :P.... etc...
I do not wish to repeat the list of recommended methods to stay safe online (discussed by security pundits around the world), but you get the point...
If you look at the Symantec report:
"This particular variant charges $200. Over a period of approximately one month of activity, from September to early October, 68,000 unique infected IP addresses were identified connecting to the C&C server."
68,000 times $200 is not bad, and that was just one month, and one server.
It got by my Norton antivirus software, so don't be so dismissive of those attacked in this way.
And people say human beings are no longer subject to natural selection. It's just been moved up to intellectual selection.
In my last article about computer viruses and biological viruses, how life forms evolved was an interesting topic of discussion.
be an issue as the user accounts should all be on the server, not the individual PC. Get hit at work, call IT and move to a vacant desk to log on and go back to work - that's if it gets through the gateway.
Read the link that Brian mentioned in his comment. And the newer versions are looking for network and external drives.
only connected for the short time it takes to do the backup, not permanently connected. Any system on the network can be damaged either via a virus or power in various circumstances; that's why backup copies are kept on unconnected systems or drives or tapes etc.
Yet, it would not take much for the malware to remain silent until an external drive is attached -- then activate.
helps to follow the backup rules of "back up each day to a different tape and keep the last week of backups"; that way you only lose one day's work, maybe two if it hides out.
The real problem is that you are diligent and a vast majority of users just want to do their thing and not be bothered by all this silly stuff.
You suggest user profiles shouldn't be on the computer; that is not a good solution.
Roaming profiles cause more problems than they are worth. I guess you have had minimum exposure to this.
managed through an appropriate server, thus it didn't matter what system you were at within the organisation you could log on and do your work. To have every possible user within a section having a logon ID on each computer in the section would require up to 20 to 30 accounts on 20 to 30 systems, not a smart way to do business. And it's all behind the secured gateway, heck most didn't have Internet access as it wasn't needed to do day to day work.
I've worked on facilities where we had over a thousand people working on over a thousand systems in about thirty buildings on the land we used. By having us all log in via the server we could use any computer in any of the buildings.
Most places where I've worked the term 'roaming profile' had been reserved for logging in via a VPN from out in the Internet somewhere. Such access was extremely limited as very few needed access to the corporate network from outside the corporate facilities. This did make running the gateways a lot easier.
At home on my system, where I and my son are the only ones to use it, it's easy for us each to have our own account.
Most places I've worked on had the VPN connections handled through the gateway/router/switch, so users only had to manually connect when they're out of office.
Though VPNs are more secure because they're encrypted, hackers will find a way to defeat that encryption; like they say, when you build better security, you make a better hacker.
AD is nice as a convenience, but shouldn't be implemented just out of a concern for security. I've seen malware infect a user's profile so it got transferred to each and every computer they logged in with.
For some smaller business networks (10 nodes) I don't see the value in forcing my clients to buy an expensive server capable of AD.
sit at the one desk and the one computer, no matter what, so a server isn't needed anyway.
I have worked in some high security locations where there is NO gateway as there is NO Internet access at all, no wi-fi and no laptops or portable devices allowed into the facility. Only the one computer has anti-virus, the one at the security gate used to check all software or electronic data storage items being brought into or leaving the facility. Once a month they conduct a full sweep and check of the whole building and AV check all systems. The only finds they had were in the first year, before they instituted the no storage in or out without checking rule.
It all just shows you need to massage the security to suit the work environment.
the FBI can't touch us, their laws don't apply outside the USA.
It's kinda like those emails I keep getting telling me about my UPS package - the only UPS around here is an Uninterruptible Power Supply - and I didn't order one.
The bad guys alter the ransomware to reflect the country they are working in -- Australia for example:
https://www.staysmartonline.gov.au/alert_service/advisories/cert_australia_warns_of_ransomware_campaign_targeting_australian_organisations
justify my standard procedure of disabling that on all my client's systems. If they EVER need to give MS remote access, they can get me out to turn it on for them and I won't charge for it. In all the years I've been doing this I've not had a client need to use it.
think what the enemy can do and then do what you can to negate those options, you may not stop them all, but you do limit what their options are.
Was so wildly successful in AU.
I know I got several people calling me telling me that some friends of mine had told them that my computers were infected, yada yada yada, and when pushed they simply hung up and ran for cover.
The Feds here claimed that about 50% of all Australians had got a call like this and the vast majority were willing to pay the money, let the caller remote in and infect their Windows computers, and still think that they had been saved.
Col
and keep them on the phone for ages as they try to understand what I'm saying in reply. My son loves stirring them with Japanese.
I've started using these calls as stress relief. Abuse them roundly then hang up. Makes me feel better.
I initially thought I was being a bit harsh, but they're ringing me at my home and lying to me in order to steal from me, so now I have no qualms.
It has NOTHING to do with any government department or countries' police !
It preys on your IP address, and modifies the screen pictures to suit the country codes.
FBI or CIA in the US - and also state-specific police logos have been seen.
Scotland Yard for the UK,
Gendarmeri Central for France,
Australian Federal Police in Australia..., and so on.
This is NOT specific to just the USA!
READ the text, don't skim the titles!
Your computer becomes completely LOCKED.
You can't do any recovery until the virus is removed.
Look up UKASH ransomware virus or Trojan.
These scumbags have got smart - they demand anything from $100 to over $200 [or equivalent in whichever country's currency] to be sent to a UKASH link which can be cashed at any ATM which allows UKASH numbers - almost untraceable --- BUT you still do not get your computer unlocked, you've just thrown the money away, and possibly given your email and banking details to the crooks!
idiots who the FBI have no jurisdiction over will still think this is valid, despite being outside the USA
This made the rounds at one company I do work for. About 3 people got it and it was cleaned fairly easily. Fortunately, each user realized right away that it was bogus and came running to me. I mean really, child pornography and you think the FBI would just send out a $200 citation?
Anyway, the version I encountered had this little box that was all static with a caption reading "Photo of the person in question." The funny thing is that if you have an active webcam setup it would take control and snap a picture of whoever was sitting there. So we had this great mugshot of one girl with a deer-in-the-headlights look. Of course everyone in the office hassled her that day.
I have not heard about using the computer's web cam until you mentioned it.
That one is so common and been around for so long I thought that everyone knew about it.
It really helps the Nasties scare the end users if they think that there is a photo of them being collected.
Col
Just encountered this little gem for the first time today. I eat viruses for breakfast so it was little more than an annoyance, however, I followed up with a visit to fbi.gov which directed me to ic3. Their advice: "If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.
It is suggested that you:
File a complaint at www.IC3.gov.
Seek out a local computer expert to assist with removing the malware."
Seriously? This has been circulating and infecting for over two years and this is the best the FBI has to offer? I shudder to think that these are the people we trust to protect us.
that the FBI has to work under (US Constitution), what do you expect from them? Do you want them to have blanket access to every ISP's database so they can track your every move? Since a lot of malware relies on zombie computers distributing the infection world wide, what is the FBI going to do? Are they supposed to go to Russia or China and arrest the 17 year old programmer responsible for writing the code? I think the foreign country would have something to say about that. The key here is people need to stop clicking on every link they get in an email, stop using P2P networks, don't send out Holiday e-cards and when something bad does happen to call their friendly IT guy.
I guess I shouldn't complain too much after all, it is job security...;). Click away all you zombies!
One scheme which wasn't discussed was one in which the hard drive is said to be locked. When looking into the problem, I found that drives could be locked with a password to "protect" the system if it was stolen. This was a Dell computer from memory, and the recovery files were overwritten, resulting in this message that your drive is locked. I googled for information on this and found a program that would "unlock" it for me and it cost $15 for a 120 GB drive. I declined to be blackmailed, and was lucky enough to have a full backup and installed another drive. The system's owner insisted on using Incredimail on this computer, much against my advice, and this was the source of her mail spam, of which 25% was spam. The filter she paid for didn't help her much. It came from the same crowd who are suspected of funneling spam her way after stripping the addresses from her Incredimail program. Even after advising her of the problem she insisted on using her old email address. I spent an incredible 4 weeks on and off before I finally cracked and told her to go away. The drive is still locked and I would appreciate some help with this.
that's how I read all my mail, even the Gmail and Ymail accounts - it gives me a local trainable filter system as well.
I really hate to say this but I don't feel one bit sorry for anyone who falls for this crap and pays the money. After all the stuff you hear about in the news about things like this happening you would think people would finally get it. It makes me lose confidence in the human race.
Restarting the PC in safe mode (with or without networking), going to
C:\Users\(UserName)\AppData\Local\Temp
and deleting as many files as the computer will let you.
Then, type "msconfig" in the "Run" box under the start menu. Click the "startup" tab and unselect everything that's checked in the check boxes. Afterwards, run your virus software (if it'll run in safe mode). Don't forget to run Malwarebytes after normally restarting.
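The msconfig step above is a manual review of Windows autostart locations. As an added example (not from this thread or any product mentioned in it), the PowerShell script below lists the Run/RunOnce registry keys and the Startup folders that msconfig's Startup tab draws from, and flags any entry that launches from a Temp or AppData path, which is where the lock-screen malware discussed here drops itself. It is read-only, assumes PowerShell 3.0 or later in an elevated session (normal boot or Safe Mode with Command Prompt), and the path pattern is a heuristic chosen for this example, not a published indicator.

```powershell
# Added example: enumerate autostart entries and flag ones launching from Temp/AppData.
# Nothing is deleted; the output is a review list for the cleanup the thread describes.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: the all-users folder plus every profile under C:\Users.
$startupFolders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupFolders += Get-ChildItem -Path "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# Heuristic (chosen for this example): legitimate startup entries rarely run from these
# user-writable locations; ransomware droppers frequently do. -imatch is case-insensitive.
$suspiciousPathPattern = '\\(AppData\\Local\\Temp|Temp|AppData\\Roaming|Users\\Public|ProgramData)\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js)|%temp%|%appdata%'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    return [bool]($Command -imatch $suspiciousPathPattern)
}

function Get-AutostartEntries {
    $findings = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }
            $findings += [pscustomobject]@{
                Location   = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = Test-SuspiciousCommand ([string]$p.Value)
            }
        }
    }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
            $target = $item.FullName
            # Resolve .lnk shortcuts so the real launched binary is what gets checked.
            if ($item.Extension -ieq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $findings += [pscustomobject]@{
                Location   = $folder
                Name       = $item.Name
                Command    = $target
                Suspicious = Test-SuspiciousCommand $target
            }
        }
    }

    return $findings
}

# Suspicious entries sort to the top for review before anything is disabled or deleted.
Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Entries flagged here are candidates for the msconfig/Temp cleanup the post describes, not proof of infection; legitimate updaters sometimes live under AppData\Roaming too.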
the most recent version - you CAN'T just start in safe mode. You can only use safe mode with command prompt, then use Windows Key + E to open explorer, then plug in a USB with some "stand alone" and Portable antivirus, and Anti malware and Trojan killers - copy them all to the HDD and try to run them from there.
Your installed Antivirus will be useless until this gremlin is killed.
I just had to remove one of these nasties about 6 weeks ago from a friend's computer - had to battle it for a couple of days - not a simple fly-swatter job.
Deleting certain folders and or files can also be locked out as you may find your ADMIN privileges are revoked - you may be able to install IOBits Windows Unlocker ...
MajorGeeks site is a good resource to locate a load of tools and virus killers etc..
site, yet - note the yet as I'm sure I'll get a case like that soon.
You don't necessarily need to visit disreputable sites only to get these infections.
Many web pages may get hacked, and can simply radiate an attachment as you land on them!
Facebook and some of the other social networks can also get hacked, and of course the P2P downloaders are a good source of unfriendlies at times.
A good protective help is to install PeerBlock, as it monitors all the open ports...
- In case you don't realise, when you connect to the internet you actually have 65,000 ports open, and most of us will only use about 5 or 6 of these commonly for browsing and email - the rest are sitting there with an Open Window to the World!
Can't post link here, but just google it.
Makes a bootable flash-drive or CD with MS Security Essentials on it (or close enough)... Takes about 20 minutes for the Quick Scan. Run Malwarebytes to get rid of the rest.
Maybe someone can explain why running as a restricted user would let this trojan take over. My clients know better than to click on anything like this or even smelling like a fake alert. Most of them would do a force shutdown, and reboot to safemode and run CCleaner - VOILA! No more scamware!
Somebody tell me I'm wrong?!
If you're careless enough to run as administrator, or if you don't lock the hidden administrator down. I do that for all my clients. Of course on anything higher than Home versions, that Administrator is disabled; but I still give it a password before disabling it, on all versions.
(edited) - I've had malware try to log into this hidden account while I'm surfing on my honeypot PC - even as a limited user they can attempt to do this.
The best way to stay safe from these and other threats is to only surf the internet by way of a live Linux CD coupled with persistent settings on a dedicated memory stick. Puppy Linux is my live distro of choice. No purveyor of malware can drop a nasty payload to my CD, neither to my hard drive because it's not mounted. Another way is to have a mirror image of one's hard drive on an external drive. There are plenty of freeware programs which, by way of a live CD, can overwrite a corrupted drive with one's mirror image. I live a totally safe online life. Nuff said?
100 percent safe is a goal, I have been around long enough to realize it is just a goal, never attainable.
Some manufactured CDs/DVDs have rootkits [especially Sony].
Some have been found to have malware and trojans.
Don't share USBs or other disk drives etc. with friends for the same reason.
As long as you're sure your PC that you are burning it on is clean, and you do a hash key checksum on the file, that is pretty minimal. I actually buy my discs from On-Disc.com for a nominal S&H fee. This helps fund the open source community, and ensures your disc is clean.
Having dealt with police agencies on the IT side, I can guarantee you they aren't going to post any kind of warning on your computer! First you're likely to know of it is when they show up with handcuffs.
I visited a site not on the 'safe' list of my browser and got hit with this crap. There are online aids and how-to's for cleaning this off your machine. I was running AVG and Threatfire at the time and it still loaded and executed. I believe the package was delivered in a flash movie but could have come from the web page that embedded the flash. Either way I was lucky I had other boxes to search the net for solutions.
IMAO, I think when these people are found they should be summarily executed - but slowly. Their screams of agony would be music to the ears of millions of victims around the world.
we have MSIE 9 at the FHC and the safe list Microsoft has there often gives useless false negatives, to such an extent that we, like many others, ignore it as it just gets in the way telling us our own in-house sites aren't safe because they no longer pay the MS Danegeld for certification. The sites aren't on the Firefox alert list, or any other I can check.
On my husband's computer when he visited a dicey site (cough) by signing in as another user and deleting his profile. It was gone.
The first time I saw the exact image posted across somebody's screen, I knew it was trouble. Problem was I had Malwarebytes installed on the PC and couldn't get to it.
I recently had to clear one of these ransomware horrors from a friend's computer.
What a clever piece of work it was - this newer version even activated his camera and placed a mug-shot of him in the middle of the locked screen! You could NOT just start up in normal safe mode, only Safe Mode with Command Prompt. From there I was able to upload a heap of anti-virus, malware and trojan killer software tools from a USB [used about 20 different ones]. It took a few days to remove the actual infection, as it gets into the ports, the browsers, and even the boot sectors of the HDD. After I got the computer back to functioning, I was then able to do a Restore from about a week prior to the attack, then ran a registry cleaner to clean out a load of dross.
About 5 years ago I had an experience with an exceptionally nasty trojan which even passworded the hard drive - lucky I did have a bootable recovery CD which just happened to have a hard drive bootup password remover app - the passcode that virus placed on the drive was over 40 characters long [ERD was not able to access the HDD until I was able to remove the password].
That particular virus was an exceptionally difficult beast to get rid of, as it actually infected ALL the restore points in the recovery as well as nearly every executable file on the computer!
How people still fall for this nonsense is beyond me. Install your MSE, run with limited access, Firefox instead of IE and you should be good to go. We rarely get any malware attacks in the office and when we do it is users farting around. Surf at home on your own time! When your machine gets blown up, it's legit ransomware time. (geek squad)
I run IE8 to 9 on my honeypot lab, and on a fully updated Windows machine, I'm always surprised on how many even zero day threats are stopped by the various protections included in Internet Explorer - it has become a hassle to test security software now, because 85% of either the file or sites are blocked by one or the other processes/filters of the IE browser.
In fact I found a tip on Remove Malware(dot)com that suggested using junk email accounts full of spam for loading more effective threats!
I have a friend that got this virus and even a format and reload did not get rid of it. I have flashed the BIOS and formatted and reloaded but it keeps coming back. Next step is to Zero the drive and then rebuild. He had no files on it anyway after the first time. It has come back 3 times on this computer.
happens if you load a copy of Linux or Unix on it instead?
like a SATA drive, be sure and use the factory diagnostic disk - it will ignore sector/clusters marked damaged by the malware, and zero fill them anyway. Also don't forget to flash the firmware on the drive controllers if they have one. (HDD/DVD) I don't know why, but I haven't had much luck with Darik's boot and nuke.
Of course I always try Kaspersky's or Avast's rescue DVD first.
It's failed to completely load for me lately. Are you getting a delay on seeking a floppy drive? I try the nofd option and it still looks for one, then fails.
The problem seems to be, that the only method available for SATA drives is just not effective - despite re-flashing the firmware on the drive controller. The manufacturer's diagnostic program is better at taking control of the drive geometry and nuking all sectors that are marked as bad, as they actually have to have damage for the program to ignore them. This defeats the malware's obfuscation technique - That's my theory, and I'm sticking to it! 
I've had so much success in using this, that it is hard to believe anything else is possible. I don't know how many drives I've saved that folks had written off, and were ready to throw in the trash. One of my clients, whose drive's SMART and diagnostic reported imminent failure (fixed), is still in use today after three years of operation - malware free, I might add, as they listen to me now on security practices and solutions.
Sorry it took so long to answer - it seems TR is having alert problems, and I just now got mine.
I hadn't thought of the SATA implications. Something to look into next time it fails.
I'm with you on saving disks. I inherited a ton of "dead" drives in the 3-25GB range that have been clicking away in smoothwalls for years now.
I set up a limited account on my Win7 machine and if there's sites such as crazy pic of the day, etc. I use it for that purpose. Sure enough, a classic ransomware trojan downloaded and locked me out. All I did was totally delete the account, being that it was a throw away account to begin with, problem solved. Now, I just use my Linux box to do the same and chuckle a bit thinking how the virus must be confused being that there's no C:/ drive.
there was probably no damage at all, just do a forced shutdown, and run CCleaner in safe-mode - this only works if the attack happened on a limited account of course. I believe Piriform now has a paid version of CCleaner that will clean all the accounts on a Windows PC. Haven't looked at it yet, though.
In that case, my theory is that you could boot to the admin account in normal mode and run that version of CCleaner from there. If any of your vulnerable applications or the operating system were not fully updated, all bets are off on that, though.
about a month ago I got hit with the FBI Ransom Malware. I turned off the computer immediately and used my laptop to research what to do -- one suggestion was do a safe mode boot and run the antivirus - but when I tried it immediately went back to the ransom screen from safe mode -- I tried several other suggestions that didn't work. Then I found one that did, and if you get hit with it: immediately shut down the computer and note the time, then boot to command prompt only -- go to C:\Program files\Prefetch and run dir and notice the time stamp on the files, delete the one or more that has a time stamp of the time you were hit, and then exit the command prompt and do a reboot to safe mode and run your antivirus -- I ran Avast, then Malwarebytes and then AML Registry Cleaner and I had a clean desktop. I also went back to the Command Prompt and ran sfc /scannow and it fixed 18 corrupted files. It ran pretty good after that but a couple of installed programs kept freezing up so I finally reinstalled a hard drive image made about 6 months ago.
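The Prefetch step in the post above is really a timeline lookup: find which executables were first run at the moment the lock screen appeared. Here is a small triage script for that lookup, written as an added example for this thread (it is not from the poster or from any product mentioned here). It only lists and returns the matching entries so they can be copied aside as evidence and checked against a known-good list before anyone deletes anything; it assumes Prefetch lives at the standard C:\Windows\Prefetch location, and the file names and timestamps in the demo are constructed stand-ins, not real Prefetch files.

```python
"""Prefetch timeline triage (added example, not from the thread).

Lists Prefetch entries whose modification time falls inside a window
around the incident time, newest first. Read-only: nothing is deleted.
The standard location (assumption, see lead-in) is C:\\Windows\\Prefetch.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

DEFAULT_PREFETCH_DIR = Path(r"C:\Windows\Prefetch")  # assumed standard location


def prefetch_entries_near(prefetch_dir, incident_time, window=timedelta(minutes=5)):
    """Return [(file_name, mtime), ...] for *.pf files modified within
    +/- window of incident_time, newest first. Metadata only, no deletion."""
    hits = []
    for entry in Path(prefetch_dir).glob("*.pf"):
        mtime = datetime.fromtimestamp(entry.stat().st_mtime)
        if abs(mtime - incident_time) <= window:
            hits.append((entry.name, mtime))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def build_sample_prefetch(root):
    """Constructed sample directory: three familiar programs run earlier in
    the day plus one unfamiliar executable stamped seconds after the
    (constructed) incident time. Names and hash suffixes are made up."""
    incident = datetime(2013, 3, 1, 14, 32, 0)
    samples = {
        "NOTEPAD.EXE-D8414F97.pf": incident - timedelta(hours=3),
        "FIREFOX.EXE-28641590.pf": incident - timedelta(minutes=40),
        "SVCHOST.EXE-135A0A3C.pf": incident - timedelta(hours=6),
        "GJKSD8A.EXE-1B2C3D4E.pf": incident + timedelta(seconds=20),
    }
    for name, stamp in samples.items():
        path = Path(root) / name
        path.write_bytes(b"SCCA" + b"\x00" * 16)  # placeholder bytes, not a real .pf
        ts = stamp.timestamp()
        os.utime(path, (ts, ts))  # set atime and mtime to the constructed stamp
    return incident


def demo(window_minutes=5):
    """Build the constructed sample and return the names that land inside
    the window around the incident time (newest first)."""
    with tempfile.TemporaryDirectory() as tmp:
        incident = build_sample_prefetch(tmp)
        hits = prefetch_entries_near(tmp, incident, timedelta(minutes=window_minutes))
        return [name for name, _ in hits]


if __name__ == "__main__":
    # Against a real machine you would call prefetch_entries_near(
    #     DEFAULT_PREFETCH_DIR, datetime(YYYY, M, D, HH, MM)) from a clean boot.
    for name in demo():
        print(name)
```

With the default five-minute window the only hit is the unfamiliar GJKSD8A.EXE entry; widening the window to an hour also pulls in the Firefox run from forty minutes earlier, which is the kind of entry that explains how the dropper arrived rather than what it was. Keep the returned list with the service notes, since the post further down shows why a record of what was found matters later.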
you run as administrator all the time? For the future, burn an ISO of Kaspersky's Rescue Disc 10. It will automatically update and write the new files to your hard drive; so no worries about it becoming obsolete. This is a bootable disk, so it runs in the Pre-Post Environment(PE), before the bug can gain control. Run it in graphical mode. There's a video on RM (Remove Malware) dot com if you want some preliminary tips on running this venerable utility. It is pretty simple and easy to remember once you see the steps. This is not my web site, I am not a shill - this is all free - I just hate malware intensely, and will do anything to help folks with their PC security problems.
Just serviced another PC with MoneyPad, only now it doesn't just show the lock picture, static or a webcam pic but an actual instance of child porn! Despicable. This time they aren't asking for $200 but instead it's $4.95 and a subscription service. I fear that with the lowered price more people may actually bite on this one.
Safe mode used to work but now both safe mode and 'command prompt only' are being locked. I found "Kaspersky's Windows Unlocker" (easy to find) software which works good so far. It can be loaded on a CD or thumb drive.
One thing I'm concerned about. This actually put an instance of child porn on the PC. I cleaned it and have my records of the service call. Is there anything else I should do on my clients behalf? I know there are practices the local university goes through in such a case but I don't know the specifics.
Thanks for bringing that out Wyatt - that is a worry for my clients!! Yuk! 
It seems IT techs will have to be part lawyer too!
Here's the current situation. I was actually intercepted before cleaning the virus and told by the company's legal counsel to isolate the hard drive (remove it) and send it to them. I am not a lawyer so I may not fully understand what he was telling me, but apparently there is a safe harbor period in which an incident needs to be reported. I'm still waiting for further instructions from the local authorities and I'll relay that once I'm told what to do.
Tip: Before powering up the PC I unplugged the network connection. In this instance of the virus, it did not load and I had full control of the PC. I needed to verify that it was indeed infected so I plugged the network back in and within a minute the virus loaded and locked the screen. You may be able to try that if it's being stubborn.
Man, I would be totally incapable of putting that thing back on the network. I've seen too many network aware viri and such that didn't take very long to discover other machines and begin working them over.
There's some work I'd just rather not do. Cleaning up malware tops that list.
so ANY incident no matter how small was immediately reported to the local Manager for that area, and the police. You can never go wrong instantly reporting any thing like this to the authorities. I can at least attest to that in my former organization.
I wish I could operate under a single policy on such matters. I try, but I have had a few folks balk at the thought of opening up their systems to any 3rd parties, 'authorities' included.
Somewhere along the line I started telling clients that if they didn't follow my recommendations then they were de facto absolving me of any liability. They all accept that without batting an eye, businesses themselves play hardball with the idea of liability/responsibility.
I should have included a hold harmless from day one, e.g. my liability ends when... (don't follow my recommendations, don't contract me to do all the work I propose, etc.)
I have the freedom to tell my clients you either do it my way or the highway. I just won't support them if they refuse to do the minimum in security, and then wonder why they have to call for help all the time. Fortunately, simply locking down the Windows system and using the built in features of computing security go a long way in protecting them as it is. That is my bare minimum if they want me to continue to support them. I only have one client left that still won't listen to me, but she's over 70 years old and indigent, so I still string along and make the best of it. Fortunately she is slowly taking my advice one baby step at a time.
Update on this issue. I haven't responded until now because it took a very long time to get a definitive answer. Even then, I can't say much because I've been told not to. All I will say is that Law Enforcement is not ignorant of this virus. It's sort of a "no-harm" "no-foul" situation. There is a responsibility on our end to document everything, but beyond that talk to your local authorities or a lawyer, I can't give any specific advice. Sorry about that.
What Windows vulnerability does the malware take advantage of?
Where did the malware come from? A website? A download from a website? A compromised link?
Are there any specific actions that can be done to prevent this?
I would not have enough space to list all of the possible options available to the bad guys. It is not the attack vector that is important. What is important is how one responds to the malware. That is what I was trying to get across.