I've had to experience the "joys" of what is being called "Ransomware" twice now on client PC's. Allow me to give you a little info, and some tips if you happen to come across this frustration-inducing malware.
Windows computers - especially those with poor virus protection, and out-of-date Windows Updates - are particularly vulnerable to being hijacked. It appears that the software comes in through an exploit of an Internet Explorer flaw with ActiveX.
The first time I saw one of these, it masqueraded as an "FBI notification". It claimed that the FBI had monitored the client viewing illegal content, and had "locked" their computer until they paid a fine. The fine was to be $200 paid via a specific pre-paid credit card available at a local retail outlet. The more recent one acted as if it was an anti-virus program, claiming that all executable functions of the computer - especially those that would disable/remove it - were infected, and made incapable of running. This one offered to remove the "virus" for about $100.
Here's how they work: Your computer is taken hostage, and not allowed to run properly, in some cases not at all. You are informed that you must pay X amount of money in order to have access back. If you pay, the ransomware will remove itself from your computer, freeing it up, and going away, possibly as if it had never been there before. It is possible that some residuals may remain to attempt to fleece you for something else down the line. In the end, you are out money, bad guys (often in another country) have your money, and your computer is no safer.
The first infection, I was able to point out to the client that he did right by mentioning it. The notice was obviously false, as what he was purported to have engaged in is not handled by the FBI. However, Law Enforcement of the appropriate branch would have visited with a search warrant, confiscated the evidence, and any fines would have been imposed by a judge & jury. The malware he had contracted was particularly clever, in that it studies the IP address of the infected computer, and recommends retail outlets where one can obtain the preferred card to pay the "fine".
The more recent one, was compiled on top of four other viruses. While I effectively used Norton to remove the other viruses, I learned that the computer was still infected. In this case, the client had the XP Defender, in its most recent incarnation. While many of these can be removed through startup in Safe Mode, I found that in this case, Safe Mode was ineffective. XP Defender would also run, in safe mode. It would render programs like Task Manager, MS Config, Regedit and the command prompt inoperable there, as well. As neither Norton nor Avast would see this on external, nor run as a primary drive, it became more of a frustration.
Both cases, a very simple solution worked. At the moment, I am hesitant to write what that solution is, but I am willing to share it via email. No, this is not a trade secret. However, it's better to not give the bad guys the answer outright. Please use the Contact Form on the website if you would like to know the simple workaround for these ransomware infestations.
Never pay some scumbag cybercriminal to "unlock" an infected computer!
No comments:
Post a Comment