89 Comments
I (almost) use Safe Mode to disinfect malware. Do the criminals know about this?
The FBI trojan locks both Safe and Normal...
Yeah..(edited)
JCitizen Updated - 15th Dec
If you're careless enough to run as administrator, or if you don't lock the hidden administrator down. I do that for all my clients. Of course on anything higher than Home versions, that Administrator is disabled; but I still give it a password before disabling it, on all versions.

(edited) - I've had malware try to log into this hidden account while I'm surfing on my honeypot PC - even as a limited user they can attempt to do this.
The best way to stay safe from these and other threats is to only surf the internet by way of a live Linux CD coupled with persistent settings on a dedicated memory stick. Puppy Linux is my live distro of choice. No purveyor of malware can drop a nasty payload to my CD, neither to my hard drive because it's not mounted. Another way is to have a mirror image of one's hard drive on an external drive. There are plenty of freeware programs which, by way of a live CD, can overwrite a corrupted drive with one's mirror image. I live a totally safe online life. Nuff said?
100 percent safe is a goal, I have been around long enough to realize it is just a goal, never attainable.
Some manufactured CDs/DVDs have rootkits [especially SONY].
Some have been found to have malware and trojans.
Don't share USBs or other disk drives etc. with friends for the same reason.
True - but....
JCitizen Updated - 15th Dec
As long as you're sure your PC that you are burning it on is clean, and you do a hash key checksum on the file, that is pretty minimal. I actually buy my discs from On-Disc.com for a nominal S&H fee. This helps fund the open source community, and ensures your disc is clean.
Having dealt with police agencies on the IT side, I can guarantee you they aren't going to post any kind of warning on your computer! First you're likely to know of it is when they show up with handcuffs.
me too
wizardjr 16th Nov
I visited a site not on the 'safe' list of my browser and got hit with this crap. There are online aids and how-to's for cleaning this off your machine. I was running AVG and Threatfire at the time and it still loaded and executed. I believe the package was delivered in a flash movie but could have come from the web page that embedded the flash. Either way I was lucky I had other boxes to search the net for solutions.

IMAO, I think when these people are found they should be summarily executed - but slowly. Their screams of agony would be music to the ears of millions of victims around the world.
We have MSIE 9 at the FHC and the safe list Microsoft has there often gives useless false negatives, to such an extent that we, like many others, ignore it as it just gets in the way telling us our own in-house sites aren't safe because they no longer pay the MS Danegeld for certification. The sites aren't on the Firefox alert list, or any other I can check.
On my husband's computer when he visited a dicey site (cough) by signing in as another user and deleting his profile. It was gone.
The first time I saw the exact image posted across somebody's screen, I knew it was trouble. Problem was I had Malwarebytes installed on the PC and couldn't get to it.
I recently had to clear one of these ransomware horrors from a friend's computer.
What a clever piece of work it was - this newer version even activated his camera and placed a mug-shot of him in the middle of the locked screen! You could NOT just start up in normal safe mode, only Safe Mode with Command Prompt. From there I was able to upload a heap of anti-virus, malware and trojan killer software tools from a USB [used about 20 different ones]. It took a few days to remove the actual infection, as it gets into the ports, the browsers, and even the boot sectors of the HDD. After I got the computer back to functioning, I was then able to do a Restore from about a week prior to the attack, then ran a registry cleaner to clean out a load of dross.

About 5 years ago I had an experience with an exceptionally nasty trojan which even passworded the hard drive - lucky I did have a bootable recovery CD which just happened to have a hard drive bootup password remover app - the passcode that virus placed on the drive was over 40 characters long [ERD was not able to access the HDD until I was able to remove the password].
That particular virus was an exceptionally difficult beast to get rid of, as it actually infected ALL the restore points in the recovery as well as nearly every executable file on the computer!
How people still fall for this nonsense is beyond me. Install your MSE, run with limited access, Firefox instead of IE and you should be good to go. We rarely get any malware attacks in the office and when we do it is users farting around. Surf at home on your own time! When your machine gets blown up, it's legit ransomware time. (geek squad)
I run IE8 to 9 on my honeypot lab, and on a fully updated Windows machine, I'm always surprised on how many even zero day threats are stopped by the various protections included in Internet Explorer - it has become a hassle to test security software now, because 85% of either the file or sites are blocked by one or the other processes/filters of the IE browser.

In fact I found a tip on Remove Malware(dot)com that suggested using junk email accounts full of spam for loading more effective threats!
I have a friend that got this virus and even a format and reload did not get rid of it. I have flashed the BIOS and formatted and reloaded but it keeps coming back. Next step is to Zero the drive and then rebuild. He had no files on it anyway after the first time. It has come back 3 times on this computer.
happens if you load a copy of Linux or Unix on it instead?
like a SATA drive, be sure and use the factory diagnostic disk - it will ignore sector/clusters marked damaged by the malware, and zero fill them anyway. Also don't forget to flash the firmware on the drive controllers if they have one. (HDD/DVD) I don't know why, but I haven't had much luck with Darik's Boot and Nuke.

Of course I always try Kaspersky's or Avast's rescue DVD first.
Darik's
pgit 5th Dec
It's failed to completely load for me lately. Are you getting a delay on seeking a floppy drive? I try the nofd option and it still looks for one, then fails.
The problem seems to be that the only method available for SATA drives is just not effective - despite re-flashing the firmware on the drive controller. The manufacturer's diagnostic program is better at taking control of the drive geometry and nuking all sectors that are marked as bad, as they actually have to have damage for the program to ignore them. This defeats the malware's obfuscation technique - That's my theory, and I'm sticking to it!

I've had so much success in using this, that it is hard to believe anything else is possible. I don't know how many drives I've saved that folks had written off, and were ready to throw in the trash. One of my clients, whose drive's SMART and diagnostic reported imminent failure (fixed), is still in use today after three years of operation - malware free, I might add, as they listen to me now on security practices and solutions.

Sorry it took so long to answer - it seems TR is having alert problems, and I just now got mine.
interesting
pgit 6th Dec
I hadn't thought of the SATA implications. Something to look into next time it fails.

I'm with you on saving disks. I inherited a ton of "dead" drives in the 3-25GB range that have been clicking away in smoothwalls for years now.
I set up a limited account on my Win7 machine and if there's sites such as crazy pic of the day, etc., I use it for that purpose. Sure enough, a classic ransomware trojan downloaded and locked me out. All I did was totally delete the account, being that it was a throw-away account to begin with; problem solved. Now, I just use my Linux box to do the same and chuckle a bit thinking how the virus must be confused being that there's no C:/ drive.
there was probably no damage at all, just do a forced shutdown, and run CCleaner in safe-mode - this only works if the attack happened on a limited account of course. I believe Piriform now has a paid version of CCleaner that will clean all the accounts on a Windows PC. Haven't looked at it yet, though.

In that case, my theory is that you could boot to the admin account in normal mode and run that version of CCleaner from there. If any of your vulnerable applications or the operating system were not fully updated, all bets are off on that, though.
About a month ago I got hit with the FBI Ransom Malware. I turned off the computer immediately and used my laptop to research what to do -- one suggestion was do a safe mode boot and run the antivirus - but when I tried it immediately went back to the ransom screen from safe mode -- I tried several other suggestions that didn't work. Then I found one that did, and if you get hit with it, immediately shut down the computer and note the time, then boot to command prompt only -- go to C:\Program files\Prefetch and run dir and notice the time stamp on the files; delete the one or more that has a time stamp of the time you were hit and then exit the command prompt and do a reboot to safe mode and run your antivirus -- I ran Avast, then Malwarebytes and then AML Registry Cleaner and I had a clean desktop. I also went back to the Command Prompt and ran sfc /scannow and it fixed 18 corrupted files. It ran pretty good after that but a couple of installed programs kept freezing up so I finally reinstalled a hard drive image made about 6 months ago.
You run as administrator all the time? For the future, burn an ISO of Kaspersky's Rescue Disc 10. It will automatically update and write the new files to your hard drive; so no worries about it becoming obsolete. This is a bootable disk, so it runs in the Pre-Post Environment (PE), before the bug can gain control. Run it in graphical mode. There's a video on RM (Remove Malware) dot com if you want some preliminary tips on running this venerable utility. It is pretty simple and easy to remember once you see the steps. This is not my web site, I am not a shill - this is all free - I just hate malware intensely, and will do anything to help folks with their PC security problems.
Nasty new twist
wyattharris@... Updated - 17th Dec
Just serviced another PC with MoneyPad, only now it doesn't just show the lock picture, static or a webcam pic but an actual instance of child porn! Despicable. This time they aren't asking for $200 but instead it's $4.95 and a subscription service. I fear that with the lowered price more people may actually bite on this one.

Safe mode used to work but now both safe mode and 'command prompt only' are being locked. I found "Kaspersky's Windows Unlocker" (easy to find) software which works good so far. It can be loaded on a CD or thumb drive.

One thing I'm concerned about. This actually put an instance of child porn on the PC. I cleaned it and have my records of the service call. Is there anything else I should do on my client's behalf? I know there are practices the local university goes through in such a case but I don't know the specifics.
Puke!***
JCitizen Updated - 18th Dec
Thanks for bringing that out Wyatt - that is a worry for my clients!! Yuk!

It seems IT techs will have to be part lawyer too!
Here's the current situation. I was actually intercepted before cleaning the virus and told by the company's legal counsel to isolate the hard drive (remove it) and send it to them. I am not a lawyer so I may not fully understand what he was telling me but apparently there is a safe harbor period in which an incident needs to be reported. I'm still waiting for further instructions from the local authorities and I'll relay that once I'm told what to do.

Tip: Before powering up the PC I unplugged the network connection. In this instance of the virus, it did not load and I had full control of the PC. I needed to verify that it was indeed infected so I plugged the network back in and within a minute the virus loaded and locked the screen. You may be able to try that if it's being stubborn.
brave!
pgit 19th Dec
Man, I would be totally incapable of putting that thing back on the network. I've seen too many network aware viri and such that didn't take very long to discover other machines and begin working them over.

There's some work I'd just rather not do. Cleaning up malware tops that list.
so ANY incident no matter how small was immediately reported to the local Manager for that area, and the police. You can never go wrong instantly reporting any thing like this to the authorities. I can at least attest to that in my former organization.
I wish I could operate under a single policy on such matters. I try, but I have had a few folks balk at the thought of opening up their systems to any 3rd parties, 'authorities' included.

Somewhere along the line I started telling clients that if they didn't follow my recommendations then they were de facto absolving me of any liability. They all accept that without batting an eye, businesses themselves play hardball with the idea of liability/responsibility.

I should have included a hold harmless from day one, eg my liability ends when... (don't follow my recommendations, don't contract me to do all the work I propose etc)
I have the freedom to tell my clients you either do it my way or the highway. I just won't support them if they refuse to do the minimum in security, and then wonder why they have to call for help all the time. Fortunately, simply locking down the Windows system and using the built-in features of computing security go a long way in protecting them as it is. That is my bare minimum if they want me to continue to support them. I only have one client left that still won't listen to me, but she's over 70 years old and indigent, so I still string along and make the best of it. Fortunately she is slowly taking my advice one baby step at a time.
Update on this issue. I haven't responded until now because it took a very long time to get a definitive answer. Even then, I can't say much because I've been told not to. All I will say is that Law Enforcement is not ignorant of this virus. It's sort of a "no-harm" "no-foul" situation. There is a responsibility on our end to document everything but beyond that talk to your local authorities or a lawyer; I can't give any specific advice. Sorry about that.
What Windows vulnerability does the malware take advantage of?
Where did the malware come from? A website? A download from a website? A compromised link?
Are there any specific actions that can be done to prevent this?
I would not have enough space to list all of the possible options available to the bad guys. It is not the attack vector that is important. What is important is how one responds to the malware. That is what I was trying to get across.