TECH Hit with "ransomeware" - Is there a fix?

Mountain Man

Senior Member

Well my week started out pretty crappy. Tuesday evening I got hit with an attack of ransomware. They encrypted almost all of my files in My Documents, including a couple thousand pictures. They want $700 for the "key"; this Thursday that will go to $1400.
To answer the question I know will be asked: not backed up (I know, I know, please save the lectures).
I am double firewalled and run a good anti-virus (up until now it has caught everything) plus Windows Defender. I also scan for malware.
I suspect it's from Russia, but China is also on my short list (not that that means anything).
I ran Spyhunter and it got rid of some of the problems but not the encryption.
If anyone knows of a solution, I would really like to hear it.
Note to add: My research shows that any OS is vulnerable, not just Windows.
Any help would be greatly appreciated.
 

Woolly

Veteran Member
Thank you, this looks like an excellent start. I didn't mention the offending sites and sources so that I could get a broader response.
You hit a couple of them on the head.
Again thank you.


M.M., please give us an update on your experience with decrypting your files.

Thanks in advance.

Woolly
 

Ragnarok

On and On, South of Heaven
If you can get malwarebytes to run, it helps sometimes... Or doing a system restore, that worked for me once.

Whenever you get one of those pop-ups saying "Are you sure you want to leave this site?" DO NOT click on any buttons saying "yes" or "leave page"... That will enable the program. Just do a hard reset (turn off the power without clicking on anything).

Also, DO NOT pay the money. They will not send you a key... It is a scam.

Odds are, you may have just lost everything but you don't have to lose your savings on top of it all.
 

Mark Armstrong

Veteran Member
...To answer the question I know will be ask; Not backed up (I know, I know, please save the lectures...

Since you don't want to hear it, I'll address this to others who might be reading this thread.

USB drives are not very expensive. Any file worth keeping is worth saving on at least two different drives. If a file is only saved once, and on just one drive, I consider it to be only a temporary save.
 

the watcher

Inactive
Thank you, this looks like an excellent start. I didn't mention the offending sites and sources so that I could get a broader response.
You hit a couple of them on the head.
Again thank you.

No worries. Keep us apprised if you do successfully decrypt this, and good luck. Lol, I once got the explorer.exe virus, what a fun time to get rid of that one lol. For the novices, explorer.exe is a main Windows file to get Windows running, and what it also pulls from to run Explorer, file search, on and on.
 

zeker

Has No Life - Lives on TB
Ty for this. I have always been unable to make a restore point; it just wouldn't complete the task.

This last site enabled me to.
 

Millwright

Knuckle Dragger
Maine police departments pay hackers to unlock computer system
http://www.pressherald.com/2015/04/10/police-departments-pay-hackers-to-unlock-computer-system/


OR

(animated GIF: "like a boss" shooting a computer with a shotgun)
 

Dosadi

Brown Coat
Search for Bleepingcomputer.com

Something like this

Ransomware Bleepingcomputer.com would probably work

Look for reference to "HITMANPRO", which is a locker removal tool. (Also search for locker remover and ransomware remover tools.)

What you need then is at least a 32 gig USB drive (it will be formatted, so make sure it has no important files on it).

Eventually you will be led to make a "bootable USB drive" which also contains HitmanPro (or other software enabled) and bypasses the normal boot stuff and uses the USB.

When you get to your win login screen after following the directions, you will see the locker again.

In a minute or so the hitmanpro will pop up. (Choose just run one time as it will be free that way)

It will run, and hopefully detect the locker and offer the remove option.

Once you click remove, select reboot and it should reboot normally with the locker off.

While it may not be gone, you should be prepared to grab and move all your important files to an external USB drive. (A terabyte external is about 70 bucks at Wally World.)

Once you have everything important, you can download and run malwarebytes and ccleaner and probably get away with just importing your important stuff back in.

To be truly sure, I would suggest using restore disks and letting them format and reinstall factory settings for Windows. Run the updates, and install the various programs you want, including anti-virus and anti-malware. (Make backups to the external drive of important downloads of such programs also.)

Make a new restore point.

Consider getting something such as Norton Ghost and making an image of your system before using it. Then with regular backups, you can always use the boot USB to allow yourself to restore the Ghost image, which is a snapshot of exactly what was on your computer when you made it. Might want to make new images about once a month.

****

I have had to deal with lockers in the past, and if I could get my hands on the folk doing it I'd probably pop their head like a giant zit. I truly despise such folk.

I tried to offer the simplest options. To manually search and delete the files is an option, but last time I did that I was almost 12 hours rebuilding the system. Total pain in the rear end.

Of course I'll suggest best practices / back up / make images / etc. But we all get got sooner or later if we aren't very lucky or only go to a few places on the web.

My youngest son says before he would pay ransomware he would buy a new computer for less at Wally World and take a shotgun to the offending machine, or give it to a techy person to see what he could do with it.

Good luck, and if you can let us know how it works out.

Sorry I can't make it simple. These are true pains.

Funniest one was one that wanted to be paid in bitcoin, but I'll spare you that adventure.

D.
 

Mountain Man

Senior Member
No worries. Keep us apprised if you do successfully decrypt this, and good luck. Lol, I once got the explorer.exe virus, what a fun time to get rid of that one lol. For the novices, explorer.exe is a main Windows file to get Windows running, and what it also pulls from to run Explorer, file search, on and on.

Most of those refer to Crypto Locker. I'm dealing with Crypto Wall 3.0. One of the links mentions that their solution might not work on several different types of encryption, and Crypto Wall 3.0 was one of them.

Again, thank you and everyone else trying to get my files restored. (Restore point didn't work.) Wife found a 5Tbyte external drive for $125, I think I will get one. My 150 Gig just isn't big enough.
 

bev

Has No Life - Lives on TB
Good luck!

Is this something that could affect my mini iPad? I had heard that the iOS isn't prone to these things. But if that's not the case, is there some anti-ransomware program I can use to prevent getting it? Thanks in advance.
 

Dennis Olson

Chief Curmudgeon
I apologize in advance for what I'm about to say.

You:

- Didn't have adequate protection in your PC

- Ran your PC with an Admin level user rather than a User-level user, as is recommended by every geek in the world

- Surfed dangerous sites OR opened attachments in an unknown email OR clicked a link in an email that you shouldn't have

- Didn't back up your critical files


Sorry man, but you got exactly what you deserved. No sympathy from me. Stupid should hurt. Sorry to be so harsh, but dude...
 

Dennis Olson

Chief Curmudgeon
Good luck!

Is this something that could affect my mini iPad? I had heard that the iOS isn't prone to these things. But if that's not the case, is there some anti-ransomware program I can use to prevent getting it? Thanks in advance.



If an iOS device is not jailbroken, it is nearly impossible to infect them.
 

Dennis Olson

Chief Curmudgeon
Also, ransoms are not a scam. If they didn't unlock your files, people wouldn't pay. The goal is to get people to pay. So if you pay, they WILL unlock your files.


But regardless, I assume you learned something from this...
 

Mark Armstrong

Veteran Member
I apologize in advance for what I'm about to say.

You:

- Didn't have adequate protection in your PC

- Ran your PC with an Admin level user rather than a User-level user, as is recommended by every geek in the world

- Surfed dangerous sites OR opened attachments in an unknown email OR clicked a link in an email that you shouldn't have

- Didn't back up your critical files


Sorry man, but you got exactly what you deserved. No sympathy from me. Stupid should hurt. Sorry to be so harsh, but dude...

And setting up a user-level account that does not have admin privileges is quick and easy to do. For Windows 7, open the Control Panel, go to User Accounts, click on Add or remove user accounts, and select "Create a new account." Make the new account a "Standard account." Come up with a name and different password for that new account, and use it as your web-surfing account.

In the future, when starting up your computer, you will have to choose which account you want to use for that session, and use the appropriate password. If you want to use the other account, you can "Switch user" without having to shut down the computer.

The new account will have its own desktop, so you might have to reinstall some things for that desktop, and things saved to the drive in the computer might be accessible only from the account you were using when you did the save. But you will be saving data files to an external USB drive in the future anyway, right? And those things saved on the external drive will be easily accessible whatever user account you are using.
 

Mountain Man

Senior Member
I apologize in advance for what I'm about to say.

You:

- Didn't have adequate protection in your PC
Figured double firewall, good anti-virus, Malwarebytes, Windows Defender

- Ran your PC with an Admin level user rather than a User-level user, as is recommended by every geek in the world
Ran user-level user and no, going back in as admin didn't help.

- Surfed dangerous sites OR opened attachments in an unknown email OR clicked a link in an email that you shouldn't have
I have never done any of these (well, TB2K :) )

- Didn't back up your critical files
Guilty as charged


Sorry man, but you got exactly what you deserved. No sympathy from me. Stupid should hurt. Sorry to be so harsh, but dude...

No one deserves this, no matter their technical level, no one. I didn't ask for sympathy. I am far from stupid, a bit naïve, but not stupid.
 

Dennis Olson

Chief Curmudgeon
You did something. Malware doesn't just mysteriously appear on your computer from the fourth dimension.
 

LoupGarou

Ancient Fuzzball
...
- Didn't have adequate protection in your PC
...

Actually, some of the newest variants of this "build" the ransomware executable in memory, using either Java or Flash, so the majority of AV systems won't detect them till they do a memory scan. Most of the AV systems check files on the drives as they are written via a hook in the OS, or similar means. The latest batch of ransomware, as well as some of the latest viruses, trojans, and rootkits, have figured out that if they assemble the executables from various bitstreams, the virus scanners won't detect them till it is too late. Once they get a chance to run, and start nailing files, they sometimes put a copy of themselves on the drive to catch the victim on a reboot.

These are going to be a lot harder to catch before they start doing their damage.

Back up your data.

Be careful of what you click on websites, and especially emails with attachments.

Keep the power cord close to you to pull if needed, and the server's power as well if at work.

Keep at least two bootable CDs/DVDs around (once burnt, they can't be tampered with like a bootable USB drive). I would suggest SystemRescueCD.

If at work, and you are the admin, let EVERYBODY know of this threat, and tell them that IF they see something fishy to IMMEDIATELY call you and yank power to their PC.

Look for Unlock.jpg, Unlock.png, and Unlock.htm or Unlock.html across your file server storage as well as ALL of your user directories. It is the first file that gets written and it has the information needed to start figuring out what is nailing you.

Loup
 

Sacajawea

Has No Life - Lives on TB
Thanks for the info, Loup.

Those files are something we can all go look for and may not know we've picked up.
 

Josie

Has No Life - Lives on TB
Also, ransoms are not a scam. If they didn't unlock your files, people wouldn't pay. The goal is to get people to pay. So if you pay, they WILL unlock your files.


But regardless, I assume you learned something from this...

Actually, when I was doing research when this happened to me, I found that if the ransom is paid the computer may be temporarily unlocked but whatever the bad guys used to hijack your computer is not removed. Many times, they come back at a later date and demand more ransom to unlock the computer again...and so on.
 

LoupGarou

Ancient Fuzzball
More files the different versions like to use:
HELP_DECRYPT.HTML
HELP_DECRYPT.TXT
HELP_DECRYPT.PNG
HELP_DECRYPT.URL

Loup
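To put Loup's two file lists (the Unlock.* note in his earlier post and the HELP_DECRYPT.* names above) to practical use, here is an added example, my own Python and not code from the thread, that walks a file share and user directories, reports every ransom-note file it finds, and says which one was written first so a responder knows where the infection started. The directory layout, filenames under it and timestamps are constructed sample data.

```python
"""Ransom-note sweep: find the note files named in the thread across a file
share and user directories, and report which one was dropped first."""
import os
import tempfile
import time

# Note filenames from the thread; matching is case-insensitive.
RANSOM_NOTE_NAMES = {
    "unlock.jpg", "unlock.png", "unlock.htm", "unlock.html",
    "help_decrypt.html", "help_decrypt.txt", "help_decrypt.png", "help_decrypt.url",
}


def find_ransom_notes(roots):
    """Walk each root directory; return [(path, mtime)] for matching
    filenames, oldest first (the oldest note marks the first-hit location)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in RANSOM_NOTE_NAMES:
                    full = os.path.join(dirpath, name)
                    try:
                        hits.append((full, os.path.getmtime(full)))
                    except OSError:
                        continue  # vanished or unreadable; keep scanning
    hits.sort(key=lambda h: h[1])
    return hits


def summarize(hits):
    """Condense hits into a count, the affected directories and the earliest note."""
    dirs = sorted({os.path.dirname(p) for p, _ in hits})
    return {"count": len(hits), "affected_dirs": dirs,
            "earliest": hits[0][0] if hits else None}


def build_sample_tree(base):
    """Constructed sample (not real evidence): a share and two user folders.
    Note mtimes are staggered so the share's note is the oldest."""
    now = time.time()
    layout = [
        ("share/finance", "HELP_DECRYPT.TXT", now - 600),
        ("share/finance", "HELP_DECRYPT.HTML", now - 590),
        ("users/alice/Documents", "Unlock.html", now - 300),
        ("users/bob/Documents", "report.docx", now - 100),  # ordinary file, no match
    ]
    for rel, name, mtime in layout:
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return base


def demo():
    """Build the sample tree in a temp dir, sweep it, and return paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        roots = [os.path.join(tmp, "share"), os.path.join(tmp, "users")]
        summary = summarize(find_ransom_notes(roots))
        summary["affected_dirs"] = [os.path.relpath(d, tmp) for d in summary["affected_dirs"]]
        summary["earliest"] = os.path.relpath(summary["earliest"], tmp)
        return summary


if __name__ == "__main__":
    print(demo())
```

On a real sweep, pass the share root and the user-profile root to find_ransom_notes and treat the earliest note's directory as the first place to pull from the network.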
 

Pinecone

Has No Life - Lives on TB
Dennis,
I have to disagree with you here. If I leave my front door unlocked while I'm in the back yard of my rural property with the dogs, does it make it alright for someone to come in and steal stuff? Seems like the same to me. Theft is theft. Locks only keep honest people honest anyway.

Mark, thanks for putting into layman's terms how to set up the user system. That I understand. Question: If I am on the internet user side, can I still cut and paste a document from the other user without compromising the entire computer to this despicable ransomware? I'll have to play around and figure out how that will work. Thanks in advance for your help.

It used to be that you got a paper manual with your computer. If I needed help, I could browse through it to find out what I needed, but it seems so much more difficult with the help button they now have instead of a manual. I am not computer literate. Just like cars, I want to drive them, not repair them. I know when a vehicle needs repair, but I don't have the skills to do anything but very, very basic stuff.

Dennis, do you repair your vehicles as well as your computers? We all have our talents. You run a great website. Mountain Man has his own skill set. Mark's explanation made it clear what you were referring to as changing users. Thanks for your help, everyone.
 

Mountain Man

Senior Member
You did something. Malware doesn't just mysteriously appear on your computer from the fourth dimension.

Apologies in advance:

Read my previous post, everything I wrote is fact. I know what I did, now I am trying to find out what to do about it. Just about everyone's response has been an attempt to find a solution. Noise is what I don't need.
 

LoupGarou

Ancient Fuzzball
Actually, when I was doing research when this happened to me, I found that if the ransom is paid the computer may be temporarily unlocked but whatever the bad guys used to hijack your computer is not removed. Many times, they come back at a later date and demand more ransom to unlock the computer again...and so on.

Yes, they are all trojans and LOVE to also pull in rootkits to fully get control of your system. You have to do your homework and make SURE that you get all the pieces out of your system.

I would STRONGLY suggest to everybody that holds their PCs near and dear to their hearts to do a FULL IMAGE backup of your system and all its drives NOW, while you are clean. Without it, bringing it back from the dead, or at least from massively infected states, is hard work. A full image, plus nightly data backups and shadow copies, are the way to go. Also keep in mind that all of these do NOT encrypt the original file, but instead make a new version of the file that is encrypted and delete the old one. So, if you have a quick kill of the power and a good system rescue CD to help with the cleanup, a lot of times you can undelete the unencrypted files back from the disk. The longer it goes on, the harder it is to undelete them.

Loup
 

Dennis Olson

Chief Curmudgeon
Good advice indeed Loup. Anything I want kept is not only on multiple flash drives, but also in the Cloud.
 

Mark Armstrong

Veteran Member
...Question: If I am on the internet user side, can I still cut and paste a document from the other user without compromising the entire computer to this despicable ransomware?...

Safest way to save things off the internet that I'm aware of is to do screen captures. That way, you are just saving the image that's on your screen, and not whatever code might be hidden within the images or text. Of course it will mean retyping a text document, if you want an editable document. But when dealing with the unknown, a little inconvenience is sometimes necessary.

To do a screen capture, press the "Print Screen" button. (On the laptop I'm using at the moment, it is abbreviated "PrtSc.") That puts an image of whatever is on your screen into the temporary clipboard memory.

Then open up a graphics editing program, create a new document, and paste what's on the clipboard into the document. From there, crop the image, and save as a jpg (or if you prefer, a png or whatever).

I generally use GIMP to edit screen captures, but Microsoft's built-in Paint will suffice.
 

Last Resort

Veteran Member
Do a hard shutdown, restart in safe mode without network, then do System Restore to the last (oldest) save date. You may lose some files. Restart in safe mode with networking, run Malwarebytes.

Then set up non-admin accounts on your computer and invest in Carbonite.
 

Ragnarok

On and On, South of Heaven
Actually, when I was doing research when this happened to me, I found that if the ransom is paid the computer may be temporarily unlocked but whatever the bad guys used to hijack your computer is not removed. Many times, they come back at a later date and demand more ransom to unlock the computer again...and so on.

Exactly...

Do a hard shutdown, restart in safe mode without network, then do System Restore to the last (oldest) save date. You may lose some files. Restart in safe mode with networking, run Malwarebytes.

Then set up non-admin accounts on your computer and invest in Carbonite.

This worked for me when I had a ransomware infection... At least long enough for me to get my files off the drive... About three days later, the ransomware came back and the computer was toast.
 

Mark Armstrong

Veteran Member
...Question: If I am on the internet user side, can I still cut and paste a document from the other user without compromising the entire computer to this despicable ransomware?...

A safe way of copying editable text without getting any unwanted hidden code is to copy from the page source. To get to that in Firefox, go to the "Tools" menu item, and scroll down to "Web Developer." From there, go down to "Page Source," and open that.

Within all the multicolored gobbledygook you see there, there should be some blocks of text that are the text you want--the text you actually see on the screen when that html code is rendered as a page.

Should be safe to highlight and copy the non-code blocks of text you find within that mess.

And as an added bonus, you might learn a little html code.

And as yet another bonus, you might be able to discern if there is anything hidden there that shouldn't be there, or if there are links on the page that direct you to a site or file other than what the link says it is directing you to.
 

Neargone

Contributing Member
Do a hard shutdown, restart in safe mode without network, then do System Restore to the last (oldest) save date. You may lose some files. Restart in safe mode with networking, run Malwarebytes.

Then set up non-admin accounts on your computer and invest in Carbonite.

Yes, starting in Safe Mode was the only way for me to do a restore when this happened to me. Mountain Man, if you haven't tried a restore from Safe Mode, give it a chance. While the computer is booting up, repeatedly press the F8 key until the menu comes up. Choose "Safe Mode With Networking".

Good Luck
 

Pinecone

Has No Life - Lives on TB
Thanks, Mark. It is still quite a bit to digest, but I will print it out and play with it.
Pinecone
 

ItsJustMe

Quiet Lurker
I fix computers and consult with businesses for a living. Over the past 2+ years I have seen dozens of Cryptolocker ransom infected computers. The earlier ones were easier to fix as you could use Shadow Volume Copies to restore the documents.

The current version of Cryptolocker ransomware is impossible to decrypt without the key. It also turns off SVC and deletes those files, so you will not be able to restore your files from previous copies.

If you do not have a backup of your data, you will have to pay the ransom for the key. Otherwise you are screwed. Sorry, that's just how it is.
 

Vector

Veteran Member
I fix computers and consult with businesses for a living. Over the past 2+ years I have seen dozens of Cryptolocker ransom infected computers. The earlier ones were easier to fix as you could use Shadow Volume Copies to restore the documents.

The current version of Cryptolocker ransomware is impossible to decrypt without the key. It also turns off SVC and deletes those files, so you will not be able to restore your files from previous copies.

If you do not have a backup of your data, you will have to pay the ransom for the key. Otherwise you are screwed. Sorry, that's just how it is.

I hope that one day soon the authorities catch one of these jokers. They are the height of cowardly arrogance and upon apprehension should be dealt with swiftly, harshly and publicly.

The death penalty sounds reasonable to me.
 

Mountain Man

Senior Member
Thanks all, lots of good info and ideas. Some I have already tried with no success. As I stated earlier this is not Cryptolocker (I wish it was). This one is Crypto Wall 3.0 (evidently 2.0 was too easy to get around). Loup, the HELP files you listed are the ones that are on my computer. After doing more research this afternoon, I have found that without the key that they want to sell you, there is nothing that will restore all of your files. They wipe out almost all of your previous versions.

I still have a couple of days to use some of what I found here and do more research. I will let everyone know the outcome.

Again, thank all of you for your thoughts and suggestions.
 

Dennis Olson

Chief Curmudgeon
I hope that one day soon the authorities catch one of these jokers. They are the height of cowardly arrogance and upon apprehension should be dealt with swiftly, harshly and publicly.

The death penalty sounds reasonable to me.


You think the Efff Beee Eyyye is going to go over to Bosnia or Nigeria and arrest someone? Because it's for damn sure they're not in the U.S.
 

Bob1313

Membership Revoked
this trash doesn't encrypt anything, only putting a file in the boot commands

Bingo! Google search whatever ransomware threat it is and there's guaranteed to be a way to remove it and restore your system. Might take some time, you may have to do it more than once, but I've run across these several times on clients' PCs and have yet to ever fail to get rid of it with minimal to no effect on the PC.

Almost every one is the result of an email attachment. If you're even remotely suspicious of any email, err on the side of caution and don't open it. The White House got hacked as a result of a phishing email. Just security up and pay attention to the little things.

Also open a Gmail account for cloud storage; it's multiple free GBs. Also Amazon Prime members are eligible for a pretty good free cloud storage deal as well.
 

the watcher

Inactive
Other options not mentioned. Build a USB flash drive with Ubuntu on it. Boot to USB (Ubuntu) and browse the drive, running Ubuntu in live mode (in the RAM). Since the Windows drive never boots, it allows you to get into it.

Second option, take the drive to a computer shop, explain to them what happened and see if they'll slave it to one of their machines. I have slaved Windows drives into a Linux machine tons of times and I just browse at will. One drive had 97 viri on it. Have to love P2P crap. I retrieved what they wanted and wiped it.

Third option, get one of the free data recovery programs; they require you to make a boot disc or USB drive (on another Windows machine). Then boot to one of them, and browse the HD. There is hope. I keep boot discs around, from Hiren's Boot CD to assorted Linux live versions. I even still have a Knoppix and Linspire live CD lol. AND have used them to retrieve data from HDs.

The top 23 free data recovery tools
http://www.gfi.com/blog/the-top-23-free-data-recovery-tools/
 