Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Fell victim to ransomware, allowed person into computer

Fell victim to ransomware, allowed person into computer

post #1 of 8
Thread Starter 
My neighbor is the perfect victim because she got ransomware on her computer and then actually called the number and let the person into her computer and was in the process of negotiating a price with them to fix it because she thought it was legit.

So she called me in a panic and I told her to hang up her other phone and unplug her computer. And she argued with me, saying "The guy said if I do that he won't be able to fix it." So I had to explain to her how these things work, but I'm certain she still doesn't get it. Now I have to see what I can do to fix her computer now that someone has had access to it. I assume I'm going to have to reinstall Windows, but that might not be an option because she has a bunch of photos on her computer. I am not going to put any of her files onto my external HDD because I don't want any malware to get to my HDD.

I don't know what they did to her computer and honestly I don't know what to do here. I installed Avast and the paid version of Malwarebytes onto her computer but that obviously didn't do anything. Their entire family downloads all sorts of things online and that's probably where the malware came from.

I'm going to disconnect her modem and then try getting rid of any malware with Avast and Malwarebytes. I have Malware Chameleon on my flash drive.
Edited by Thready - 1/22/16 at 8:11am
post #2 of 8
Quote:
Originally Posted by Thready View Post (post #1 above, quoted in full)

Usually in the cases of ransomware, they are simply trying to get you to call in and either provide personal information, payment, or both, while they simply get rid of the annoying but benign JavaScript popup. That said, it is honestly impossible to know if they had the customer download anything dangerous without extensive testing and monitoring, especially if a cursory glance reveals nothing new installed and no new services running. Anti-malware and scans may or may not detect anything. If you or she have concerns about this, I recommend manually backing up select data, wiping her HDD/SSD, reinstalling whatever OS she is using, and putting her data back on. That is much easier and faster than trying to look for a needle in a haystack that may or may not be there.
post #3 of 8
If it's the ransomware which encrypts all the hard drive content.. it's gonna be hard..
post #4 of 8
Thread Starter 
Quote:
Originally Posted by OC'ing Noob View Post (post #2 above, quoted in full)

I have a feeling that I'm going to have to end up backing things up and reinstalling. It's going to be tough because she's so needy and she's a panic stricken mess right now. I'm going to start with a ransomware removal tool I just downloaded and if that fixes it I'm just going to call it a day.
post #5 of 8
Quote:
Originally Posted by ignsvn View Post

If it's the ransomware which encrypts all the hard drive content.. it's gonna be hard..

Doesn't sound like it was really that kind of encrypted-documents-folder "ransomware"... which would be practically impossible to recover from w/o calling them back. I guess she doesn't run backups then.

Without evidence some data has been encrypted or something malicious has been installed, I'd suspect a JavaScript popup scam with no real harm done.

Tools to check/repair OS corruption that might help.
https://msdn.microsoft.com/en-us/library/hh825265.aspx

%windir%\system32\Dism.exe /Online /Cleanup-Image /CheckHealth
%windir%\system32\Dism.exe /Online /Cleanup-Image /ScanHealth
%windir%\system32\Dism.exe /Online /Cleanup-Image /RestoreHealth
post #6 of 8
Quote:
Originally Posted by michael-ocn View Post (post #5 above, quoted in full)

If it's just a JS popup scam, then it's much better. Still tedious to clean up, but at least your files are safe.
post #7 of 8
Your best bet is to know where she got the malware from, because that could provide a bit of information as to how prevalent the malware is. Antiviruses are only capable up to a certain point; after that point it becomes up to the zero-day protection of the software to detect the threat, however this can be evaded by malware.

If the encryption of files has already taken place, it's pretty rare that any antivirus will be able to fix it. The only way you could decrypt the files is by calling the support and paying the ransom (may or may not work), and I DON'T recommend doing so.

You could also find out what variant the malware is, or is called, and if it is prevalent enough it's possible there could be a decryption tool.
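The question running through posts #3, #5 and #7, whether anything was actually encrypted and, if so, which extension and ransom note the encryptor left behind, can be answered from a read-only copy of her files before deciding between a cleanup and a wipe. The script below is an added example, not code from anyone in this thread. It walks a folder tree, calls a file "encrypted-looking" when it has no recognised magic number and near-maximal byte entropy (compressed formats such as JPEG, PNG and ZIP are also high-entropy, which is why the magic check has to veto the call), tallies the unusual extensions those files carry, and looks for small text/HTML files containing ransom-note vocabulary. The sample tree, the `.locked` extension and the note text are constructed for the demo; the 7.5 bits/byte threshold, the magic-number table and the note word list are assumptions you should tune. Run it against the drive mounted from a clean OS, not from inside the suspect Windows install.

```python
"""Read-only triage of a folder tree for evidence that files were encrypted.
Heuristics (assumptions of this added example, not from the thread): ciphertext
is near-uniform bytes (entropy close to 8 bits/byte) with no known magic number;
crypto-ransomware usually renames files, so the extension the high-entropy files
share is the one to search on; ransom notes are small text files talking about
decrypting, paying or keys."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

MAGIC = {  # signatures of intact formats that are legitimately high-entropy
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"GIF8": "gif",
}
NOTE_WORDS = ("decrypt", "bitcoin", "ransom", "your files", "private key", "payment")
COMMON_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls",
              ".xlsx", ".txt", ".mp3", ".mp4", ".zip"}
HEAD_BYTES = 64 * 1024       # enough to judge entropy without reading whole files
ENTROPY_THRESHOLD = 7.5      # bits/byte; assumption, tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> dict:
    """Label one file as encrypted-looking and/or as a ransom note."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    magic = next((name for sig, name in MAGIC.items() if head.startswith(sig)), None)
    entropy = shannon_entropy(head)
    # known container formats are excluded; files under 256 bytes are too short to judge
    looks_encrypted = magic is None and len(head) >= 256 and entropy > ENTROPY_THRESHOLD
    is_note = False
    if path.suffix.lower() in {".txt", ".html", ".htm", ".hta"} and len(head) < 16 * 1024:
        text = head.decode("utf-8", errors="ignore").lower()
        is_note = sum(word in text for word in NOTE_WORDS) >= 2
    return {"path": path, "entropy": round(entropy, 2), "magic": magic,
            "looks_encrypted": looks_encrypted, "is_note": is_note}


def triage_tree(root) -> dict:
    """Summarise a tree: which files look encrypted, what extension they share, any notes."""
    root = Path(root)
    results = [classify_file(p) for p in root.rglob("*") if p.is_file()]
    encrypted = [r for r in results if r["looks_encrypted"]]
    notes = [r for r in results if r["is_note"]]
    odd_ext = Counter(r["path"].suffix.lower() for r in encrypted
                      if r["path"].suffix.lower() not in COMMON_EXT)
    share = len(encrypted) / len(results) if results else 0.0
    if notes or share >= 0.5:
        verdict = "files encrypted"
    elif encrypted:
        verdict = "some high-entropy files, inspect manually"
    else:
        verdict = "no evidence of encryption"
    return {"total": len(results),
            "encrypted": sorted(r["path"].relative_to(root).as_posix() for r in encrypted),
            "notes": sorted(r["path"].relative_to(root).as_posix() for r in notes),
            "odd_extensions": odd_ext.most_common(3),
            "verdict": verdict}


def build_sample(root) -> Path:
    """Constructed sample tree (synthetic data, not files from a real victim)."""
    root = Path(root)
    pics = root / "Pictures"
    pics.mkdir(parents=True, exist_ok=True)
    # intact JPEG: genuine magic number followed by low-entropy filler
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    (root / "notes.txt").write_text("grocery list: milk, eggs, bread\n" * 20)
    # ciphertext stand-in: a deterministic SHA-256 chain, statistically random
    cipher = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
    (pics / "birthday.jpg.locked").write_bytes(cipher)
    (pics / "HOW_TO_DECRYPT.txt").write_text(
        "All your files have been encrypted. To decrypt them you must send a bitcoin payment.\n")
    return root


def demo() -> dict:
    """Build the sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the verdict is "no evidence of encryption" and nothing but a browser pop-up was seen, the files are almost certainly intact and the remaining question is what the remote session installed. If it reports a shared odd extension and a note, those two strings are what to search for when looking up the variant and whether a public decryptor exists.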
post #8 of 8
What sort of ransomware did you get?

If it was a syskey infection (looks like the picture below), then it will be very difficult to boot up the PC, but the files themselves are fine. Syskey is actually a Windows 'feature'. There exist a few syskey removers, usually taking the form of Linux on USB flash drives.


If it was a full hard drive encryption, you are SOL.
If it was a selection of files that were encrypted, you are SOL. May look like the picture below.


If it is some other sort of ransom, feel free to share what it was.

As far as being paranoid that somehow the infection will spread from the hard drive to another if plugged into a different computer, computer viruses don't work like biological viruses. A computer virus only has a shot of spreading if it's actually run. The virus usually runs when the infected operating system starts up, then the virus puts up a number of self-protections, such as hiding itself, creating multiple copies, automatically spawning new instances if one is forced to end, etc. But if you just boot up a clean OS, then connect the infected hard drive like an external hard drive, nothing on the infected drive is run. It just sits there. You're free to search for any pictures or documents that are important, but I would not -run- (open any programs) anything from it if you can help it. Once you've saved what you want, you're free to nuke it with a format and reinstall.
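Post #8's point, that a drive mounted under a clean OS can be searched without anything on it running, also covers the check post #2 asks for: what was newly installed or set to start automatically while the scammer had the remote session. The script below is an added example, not the poster's code. It reads three autostart locations from a mounted Windows volume: the scheduled task definitions (XML files under Windows\System32\Tasks, stored on disk as UTF-16 with a byte-order mark), the all-users and per-user Startup folders, and program directories modified after a cut-off time, and it flags tasks that launch a script host or point into a user-writable directory. The mount layout, the `Neighbor` user, the `Updater` task and the `RemoteHelper` directory are constructed sample data, and the suspicious-path heuristics are assumptions to review by hand. The Run keys live inside the registry hives (SOFTWARE, NTUSER.DAT) and are not parsed here; on a clean Windows box, `reg load` will mount those hives so the Run values can be read the same way.

```python
"""Offline autostart triage of a Windows volume mounted under a clean OS.
Only reads the drive; nothing on it runs. Checks scheduled task XML under
Windows/System32/Tasks (UTF-16 with BOM on real systems), the Startup folders,
and program directories newer than a cut-off. Run keys live in registry hives
(SOFTWARE, NTUSER.DAT) and are not parsed here."""
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristics (assumptions): a script host, or a path in a user-writable
# directory, is worth a human look.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\", "\\downloads\\")
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "cmd.exe")
TASKS_REL = Path("Windows/System32/Tasks")
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")

def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def load_task_xml(path: Path) -> ET.Element:
    """Decode UTF-16 task files and drop the <?xml?> declaration before parsing,
    so ElementTree never sees a text/declaration encoding mismatch."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        raw = raw.decode("utf-16").encode("utf-8")
    return ET.fromstring(re.sub(rb"^\s*<\?xml[^>]*\?>", b"", raw))

def is_suspicious(command_line: str) -> bool:
    line = command_line.lower()
    return any(d in line for d in SUSPICIOUS_DIRS) or any(h in line for h in SCRIPT_HOSTS)

def _user_dirs(mount: Path) -> list:
    users = mount / "Users"
    return [u for u in users.iterdir() if u.is_dir()] if users.is_dir() else []

def scheduled_tasks(mount: Path) -> list:
    """Every Exec action in every task file, with its triggers and a suspicion flag."""
    found, tasks_dir = [], mount / TASKS_REL
    for task_file in sorted(p for p in tasks_dir.rglob("*") if p.is_file()):
        try:
            root = load_task_xml(task_file)
        except ET.ParseError:
            continue  # not a task definition; worth noting if you see many of these
        triggers = [_local(t.tag) for n in root.iter() if _local(n.tag) == "Triggers" for t in n]
        for exec_el in (e for e in root.iter() if _local(e.tag) == "Exec"):
            fields = {_local(ch.tag): (ch.text or "") for ch in exec_el}
            cmd, args = fields.get("Command", ""), fields.get("Arguments", "")
            found.append({"task": task_file.relative_to(tasks_dir).as_posix(), "command": cmd,
                          "arguments": args, "triggers": triggers,
                          "suspicious": is_suspicious(cmd + " " + args)})
    return found

def startup_entries(mount: Path) -> list:
    """Contents of the all-users and each user's Startup folder."""
    dirs = [mount / "ProgramData" / STARTUP_REL] + [u / "AppData/Roaming" / STARTUP_REL for u in _user_dirs(mount)]
    return sorted(p.relative_to(mount).as_posix() for d in dirs if d.is_dir() for p in d.iterdir())

def new_program_dirs(mount: Path, since_epoch: float) -> list:
    """Program directories modified after since_epoch, per-user installs included."""
    roots = [mount / "Program Files", mount / "Program Files (x86)"]
    roots += [u / "AppData/Local/Programs" for u in _user_dirs(mount)]
    return sorted(d.relative_to(mount).as_posix() for r in roots if r.is_dir()
                  for d in r.iterdir() if d.is_dir() and d.stat().st_mtime >= since_epoch)

def build_sample(mount) -> Path:
    """Constructed stand-in for a mounted victim drive; every name and task here is synthetic."""
    mount = Path(mount)
    tpl = ('<?xml version="1.0" encoding="UTF-16"?>'
           '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
           '<Triggers><{trig}/></Triggers><Actions><Exec><Command>{cmd}</Command>'
           '<Arguments>{args}</Arguments></Exec></Actions></Task>')
    tasks = mount / TASKS_REL
    (tasks / "Microsoft/Windows/Defrag").mkdir(parents=True)
    # an ordinary vendor task, written UTF-16 like the real files
    (tasks / "Microsoft/Windows/Defrag/ScheduledDefrag").write_text(tpl.format(
        trig="CalendarTrigger", cmd="%windir%\\system32\\defrag.exe", args="-c -h -o"), encoding="utf-16")
    # the shape a planted task tends to take: logon trigger, script host, user-writable script
    (tasks / "Updater").write_text(tpl.format(
        trig="LogonTrigger", cmd="C:\\Windows\\System32\\wscript.exe",
        args="C:\\Users\\Neighbor\\AppData\\Roaming\\upd.vbs"), encoding="utf-16")
    startup = mount / "Users/Neighbor/AppData/Roaming" / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "helper.lnk").write_bytes(b"L\x00\x00\x00")  # stub shortcut
    (mount / "Users/Neighbor/AppData/Local/Programs/RemoteHelper").mkdir(parents=True)
    old = mount / "Program Files/Common Files"
    old.mkdir(parents=True)
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))  # backdate: a pre-existing directory
    return mount

def demo() -> dict:
    """Build the sample in a temporary directory and run all three checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        mount = build_sample(tmp)
        return {"tasks": scheduled_tasks(mount), "startup": startup_entries(mount),
                "new_programs": new_program_dirs(mount, time.time() - 86400)}

if __name__ == "__main__":
    print(demo())
```

Point it at the mount point of the victim's drive (for example `scheduled_tasks(Path("/mnt/victim"))`) and set the cut-off to shortly before the scam call. Anything flagged is a lead, not a verdict: vendor tasks also use script hosts, so compare each flagged command against what the machine looked like before, or against a known-clean install of the same Windows version.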