Malware Anyone ever run into ransomware or cryptowall?

PICURN

Member
Sorry that my very first post is a plaintive cry for help! Don't know how it got in. Have spent days trying to get rid of it. Think we have finally done it. Has anybody dealt with this before?
 

Josie

Has No Life - Lives on TB
Yep, got it a couple of years ago, too. I was looking at a fleece vest on the LL Bean website and suddenly an "announcement" was plastered on my screen telling me that the FBI had flagged my computer as one that was viewing and downloading kiddie porn. They were being dispatched to my house to confiscate my computer and arrest me. BUT I could avoid all of this if I would pay the fine now! All I had to do was march my little self down to Walgreens and purchase a Green Dot prepaid card for something like $100. Come back and load the code from the back onto this website and my computer would be released! It would have been kind of funny if it wasn't such a pain in the butt to try and get my computer working again without the FBI informing me that they were on the way to get me! A little digging led me to find out that most of this ransomware originates in Russia and that even if I had paid the "fine", they most likely would have come back at a later date for more.
 

PICURN

Member
Apparently I got the new version that came out in April. Lucky me! It encrypts your files and then for a fee they will give you the decryption key to unlock your files. Well, they can enjoy all those crochet and quilt patterns! After 4 days of searching and reading (my DD is a saint) I found a simple solution: running a free antimalware program with the computer in safe mode. Ta-da, the computer is back up to speed and all the weird stuff has stopped. The scary part is I have no clue how I got it. I don't open zip files, don't open emails from anyone I don't recognize and generally don't do that much.
 

CGTech

Has No Life - Lives on TB
It was likely a 'drive-by' attack via the web: you load or get redirected to a web site that has the malicious code buried in it. Best choice is to make sure your browser is up to date with patches, up-to-date A/V, etc.
 

Heliobas Disciple

TB Fanatic
If you use Mozilla Firefox there are a bunch of add-ons you should be using to stop scripts: NoScript, Ghostery, Adblock Plus and Flashblock are a few good ones. You can do a search on TB for discussions about them and you'll get a lot of tips.

HD
 

Heliobas Disciple

TB Fanatic
I guess this is a good thread to post this on too; I am going to post it tonight on MAIN as well. This is now a problem for Android PHONES.

http://thehackernews.com/
(fair use applies)

Koler Android Ransomware Learns to Spread via SMS
Saturday, October 25, 2014
Mohit Kumar

Users of the Android operating system are warned of a new variant of the Android malware Koler that spreads itself via text message and holds the victim's infected mobile phone hostage until a ransom is paid.

Researchers observed the Koler Android ransomware Trojan for the first time in May, when the Trojan was distributed through certain pornographic websites under the guise of legitimate apps. It locks the victim's mobile screen and then demands money from users with fake notifications from law enforcement agencies accusing them of viewing and storing child pornography.

ANDROID SMS WORM

Recently, researchers from mobile security firm AdaptiveMobile have discovered a new variant of the rare piece of mobile malware – named Worm.Koler – that allows the malware to spread via text message spam and attempts to trick users into opening a shortened bit.ly URL, turning Koler into an SMS worm.

Once the device is infected by the Koler variant, it will first send an SMS message to all contacts in the device's address book with a text stating, "Someone made a profile named -[the contact's name]- and he uploaded some of your photos! is that you?" followed by a Bitly link, according to the security firm.

When a victim clicks on the Bitly link, he or she is redirected to a Dropbox page with a download link for a 'PhotoViewer' app that, if installed, will push a ransom screen that pops up incessantly on the user's screen. The ransom message reads that the device has been locked because of illicit content and users must pay $300 via MoneyPak to 'wave the accusations.'

"The device appears to be completely locked down with the screen on the phone blocked, so the user won't be able to close the window, or deactivate the malware through the app manager," reads the blog post. "The victim is forced to buy a voucher as instructed on the blocking page, and send the voucher code to a malware author."

INFECTION SPREADING RAPIDLY

Worm.Koler is capable of displaying localized ransomware messages to users from at least 30 countries, including the U.S., where three quarters of the latest Koler variant infections were seen by the firm; a smaller number of infections were also being detected in parts of the Middle East.

"Due to the Worm.Koler's SMS distribution mechanism, we are seeing a rapid spread of infected devices since the 19th of October, which we believe to be the original outbreak date," the blog post states. "During this short period, we have detected several hundred phones that exhibit signs of infection, across multiple US carriers. In addition to this, other mobile operators worldwide—predominantly in the Middle East, have been affected by this malware."

HOW TO PROTECT YOURSELF

If users suspect they are infected by the malware, they should never authorize any payment, as it won't guarantee the unlocking of the device and will further encourage cyber criminals to carry out such ransomware practices again and again.

Koler does not encrypt files, according to the security firm, so it is easy for users to eliminate the threat from their infected devices by following two simple steps:

1. Reboot your phone in "Safe Mode".

2. Remove the 'PhotoViewer' app using the standard Android app uninstallation tool.


In order to protect yourself from such threats in future, the best practice is to have the "Unknown Sources" option turned off in your Android device's security settings menu. Turning off this option won't let users install applications from unknown sources, only from the official Google Play store.
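Added example, not code from the quoted article, from AdaptiveMobile or from anyone in this thread: the article describes two things an SMS worm like Worm.Koler does that are visible from the message-log side (a carrier, an MDM, or a phone's own SMS export). First, every message follows one lure template with the contact's name dropped in between hyphens and a shortened link at the end. Second, one handset sends that template to its whole address book in a burst. The Python below checks both over a log. The log schema (ts, sender, recipient, body), the sample messages, the fake bit.ly link and the shortener list beyond bit.ly are all constructed assumptions for the example, not data from the article.

```python
"""Detect Koler-style SMS-worm behaviour in a message log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# bit.ly is the shortener the article names; the others are common
# shorteners added here as an assumption.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Lure template quoted in the article, with the contact's name between hyphens.
LURE_RE = re.compile(
    r"someone made a profile named\s*-\s*(?P<name>[^-]+?)\s*-\s*"
    r"and he uploaded some of your photos",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)/\S*", re.IGNORECASE)


def short_link_hosts(text):
    """Shortener hostnames found in text (empty set if none)."""
    return {h.lower() for h in URL_RE.findall(text) if h.lower() in SHORTENER_HOSTS}


def is_koler_lure(text, recipient_name=None):
    """True if text matches the lure template and carries a shortener link.

    With recipient_name given, the name inside the hyphens must also match,
    since the worm fills in the contact's own name.
    """
    m = LURE_RE.search(text)
    if not m or not short_link_hosts(text):
        return False
    if recipient_name is None:
        return True
    return m.group("name").strip().lower() == recipient_name.strip().lower()


def normalize_template(text):
    """Collapse per-recipient variation (name, link) so identical blasts compare equal."""
    t = LURE_RE.sub("<LURE>", text)
    t = URL_RE.sub("<URL>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def detect_fanout(messages, min_recipients=5, window_seconds=600):
    """Flag senders pushing one template to >= min_recipients distinct
    recipients within window_seconds.

    Returns {sender: {"recipients": n, "koler_lure": bool}}. Fan-out alone
    is noisy (group texts look the same), so the lure flag is reported
    alongside for the caller to combine.
    """
    groups = defaultdict(list)  # (sender, template) -> [(ts, recipient, body)]
    for m in messages:
        groups[(m["sender"], normalize_template(m["body"]))].append(
            (datetime.fromisoformat(m["ts"]), m["recipient"], m["body"])
        )
    flagged = {}
    for (sender, _template), events in groups.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            recipients = {r for _, r, _ in window}
            if len(recipients) >= min_recipients:
                prev = flagged.get(sender)
                if prev is None or len(recipients) > prev["recipients"]:
                    flagged[sender] = {
                        "recipients": len(recipients),
                        "koler_lure": any(is_koler_lure(b) for _, _, b in window),
                    }
    return flagged


def lure_text(name):
    # Constructed lure following the template quoted in the article; fake link.
    return (f"Someone made a profile named -{name}- and he uploaded some of "
            f"your photos! is that you? http://bit.ly/xxxxxxx")


# Constructed sample log: one infected handset blasting six contacts, one
# legitimate group text (fan-out, no lure), and one lone forwarded lure.
SAMPLE_LOG = (
    [{"ts": f"2014-10-20T09:00:{5 * i:02d}", "sender": "+15550100001",
      "recipient": f"+1555010001{i}", "body": lure_text(name)}
     for i, name in enumerate(["Josie", "Mark", "Dana", "Lee", "Pat", "Sam"])]
    + [{"ts": f"2014-10-20T18:30:{i:02d}", "sender": "+15550100002",
        "recipient": f"+1555010002{i}",
        "body": "Happy birthday Mom! Party at 6, bring the quilt :)"}
       for i in range(5)]
    + [{"ts": "2014-10-20T12:00:00", "sender": "+15550100003",
        "recipient": "+15550100030", "body": lure_text("Chris")}]
)

if __name__ == "__main__":
    for sender, info in sorted(detect_fanout(SAMPLE_LOG).items()):
        print(sender, info)
```

On the sample log the infected handset comes back with six recipients and the lure flag set, the birthday group text comes back with five recipients and no lure, and the single forwarded lure is not flagged at all. That is the point of reporting the two signals separately: fan-out by itself catches every group text, and the lure by itself misses a variant with a reworded message, so an alert worth paging on is the combination.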
 

PICURN

Member
Thanks HD for the info... I am not very tech-savvy so this gives me some ideas of where to look and what to look for. Luckily this has been the first real problem we have ever had, but once is enough!
 

Heliobas Disciple

TB Fanatic
First - what browser are you using? If you're using Internet Explorer you should probably start by downloading Mozilla Firefox (google that to find where to download it from). Once you're on Firefox, or if you already are on Firefox, come back and I'll show you how to get the add-ons. It's really easy!

HD
 

Heliobas Disciple

TB Fanatic
Good!

Look for Tools on the top toolbar. The second choice on the list is Add-ons. When you click on that you'll see a list on the left; click on Get Add-ons.

The ones you definitely want to get are NoScript, Ghostery and Adblock Plus 2.6.5. Add those to start and get used to working with them.

Other ones I use are BetterPrivacy and Flashblock. I really like them; you decide if you need them!

After you install them, let me know here and I'll give you some tips on using them.
HD
 

PICURN

Member
Hi HD, I'm PICURN's DD; she asked me to pinch hit for her. I'm marginally better at this computer stuff. :P

I've got the add-ons you mentioned installed in Firefox; not too used to how they work yet but working on that.

The thing I'm wondering right now is if something deeper is wrong with the computer. After I apparently got rid of the cryptowall - ran malware in safe mode with networking, as most fix-it articles I found said to do - it was fine for a while, but then we started having problems. Weird pop-ups, Java kept trying to install, Flash Player detour pages. It's built up to where just about every day I have to rerun malware. Then things will work fine for a while, or the rest of the day, but then it starts up again. There are odd little things like security settings not allowing downloads, even though we never set them to be that way. That caused a lot of trouble in the beginning when I was trying to update malware and adaware before I figured out it was cryptowall.

In the middle of this, Dad started a system restore when he ran into the same things, but it froze. We left it for about two hours, then forced the computer off. Didn't know what else to do since it wasn't going anywhere. The computer wouldn't come back on for a while, but after a few tries of 'repair computer' in the boot menu option it finally came back up, said the restore had failed and seems to have been working no differently than before.

Today we kept getting pop-ups from some kind of fake Flash Player update. It wouldn't allow us to click out of it; we had to force off the computer. Then it came back and did stuff like opening lots of tabs; it had five pop-ups all in a row and every time I shut one down another one opened. After that, we apparently got hit with the rango/Sirius win 7 antivirus 2014 scam. Again, no one had been on any suspicious sites and I'd run malware multiple times. After looking up this latest one, I did the safe-mode routine again. I haven't done anything more than that yet, though the article said this one also damages registry keys? They just say to download certain things to fix it, and at this point I'm just paranoid about anything downloaded. The site was PCRisk.com. So far this evening I haven't had to do anything else, finally.

We just seem to have problem after problem on this computer now. I'm starting to wonder if cryptowall managed to damage or leave open something that's letting other stuff in, or if the failed restore screwed something up. Or if all the stuff we're doing will even work, since it doesn't seem to be so far. I've never had to constantly fix/clear stuff out like this, and it's only on this one computer. I've had no problems on mine; I have the same protections and frequent some of the same sites.
 

Heliobas Disciple

TB Fanatic
It sounds like you still have a virus. Is the operating system XP? Or 7 or 8? We once got a virus on a laptop running XP and the laptop was never right after that. I even had it wiped clean and started over, and that only lasted a few weeks. And we did very little with it other than mail and a little surfing. It was just ruined. I used to call it the laptop from hell, I'd get so frustrated.

It may be time to break down and take the computer to a pro shop and let them look at it. Most of them around here charge around $70. If nothing else they may be able to save the files you want off that computer before wiping it clean for you.

Meanwhile - put the new Mozilla knowledge to good use on your other computers. An ounce of prevention that can stop this from happening to anyone else.

HD
 

PICURN

Member
Thanks HD for all your advice. We have Windows 7. Can totally relate to the computer from hell; have felt that the lowest level in Dante's Inferno is being trapped with a computer that can't be fixed! Doesn't even sound like doing a factory reset would help. There is something to be said for pencil and paper. Thanks again for your help!
 