Q, don't make this look too light, you can remove the programme but there is likely to be two and as you get rid of one the second automatically duplicates the file. 

The file extensions that lock your files cannot as I understand be removed so you cannot access those.  I am waiting to hear of answers from my Brother who works in computer security.

I would advise backing up your data to a separate device and making sure you unplug that from the computer.  Friends have had their backup device corrupted too as it's connected for auto backup.

So far it seems they come from bogus emails, we know one was from Nationwide and as the forum discusses Nationwide quite a lot I thought it best to alert the forum.

 

Link to comment
Share on other sites

[quote user="Théière"]

Q, don't make this look too light, you can remove the programme but there is likely to be two and as you get rid of one the second automatically duplicates the file. 

The file extensions that lock your files cannot as I understand be removed so you cannot access those.  I am waiting to hear of answers from my Brother who works in computer security.

I would advise backing up your data to a separate device and making sure you unplug that from the computer.  Friends have had their backup device corrupted too as it's connected for auto backup.

So far it seems they come from bogus emails, we know one was from Nationwide and as the forum discusses Nationwide quite a lot I thought it best to alert the forum.

[/quote]

I am not making light of it but it is not the end of the world however you do need access to another computer and I recommend you use the CD version as it can be a lot of mucking around making a bootable USB stick and some older computers will not boot from them.

 The first time I came across this I did a lot of research and spent hours and hours trying to get rid of it because as you say it can copy back. Things like booting in safe mode etc just do not work.

Eventually I found the fix on the Microsoft website which I tried and it worked first time and was very simple to implement. The 'trick', as they say, is you need to boot from an external device such as CD or USB stick which should also be loaded with the software they recommend. I have now removed it from around six or seven laptops and PCs and can vouch 100% for the Microsoft removal tools. These are updated at regular intervals as different variations of the malware appear. The physical work takes about 10 minutes but the complete scan it carries out can take a few hours depending on the size of your disk.

I should add that it does not always infect via an email, at least two have been infected by visiting what appeared to be a genuine website.

Link to comment
Share on other sites

Theiere,

I get bogus emails from people using the names of people I know to get me to look at them. I think they get the names from Facebook. I looked at the first one and it turned out to be an ad for weight loss. Fortunately, no harm was done and now I report them as spam. They are usually from Yahoo.

David

Link to comment
Share on other sites

Quillan, I think you have misunderstood the issue that Teapot is raising. It is not the ransomware of old but the new cryptolocker virus. You can clean your PC of this new virus but that is the least of your worries. I have not yet read of a way to un-encrypt infected files. Unless you have a clean backup you have big problems. This is a very serious threat.

Link to comment
Share on other sites

Yes I know and it is the same method (same program) as recommended by Microsoft.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Crilock.A

However, because this threat can lock your screen, you might not be able to download or run antivirus or antimalware software. If that happens, you will need to use the free tool, Windows Defender Offline:

The following articles may help if you're having trouble getting the tool to work:

Once removed I would recommend Microsoft Security Essentials is installed or, if you prefer, Kaspersky AV software, both of which can identify and remove it if you download it again.

Personally I use Mailwasher Pro which will pick it up on your mail server before it gets as far as your PC/Laptop. 

You get somewhere between 80 and 100 hours before the 'payload' of the virus really ramps up but you should have caught it by then and your data loss should be minimal but then of course you have a backup to revert to. All our computers (data) is backed up every night.

 

Link to comment
Share on other sites

Sorry Q but you're still missing the point. Anyone can find out how to remove the virus, that's the easy bit. But no-one can un-encrypt your locked files without the key. For most people it's the lost data which has value not an infected hard drive. This is what makes this series of viruses so nasty.

Telling folks they can remove it is fine but it's like making an insurance claim after a lifetime of photos have gone up in flames. People need to believe there is no solution to this to take it seriously.

Link to comment
Share on other sites

[quote user="Quillan"]

 All our computers (data) is backed up every night.

[/quote]

Yes, so was my friend's and guess what, that's all encrypted now as well.  This is a whole new ball game that is serious.

http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdf

Link to comment
Share on other sites

Firstly, backups cannot encrypt themselves once removed from the computer; they would have been encrypted before it was backed up.

Secondly, you should be doing incremental backups and not a full one every time. If possible you should work on a three month cycle. Yes I know it can cost but then as people have already said "what price do you put on your data", in most cases it is invaluable.

This 'virus' can only encrypt data on mapped drives, that’s the HDD and CD/DVD drive in your computer and a NAS that is connected via mapped drives. Most NAS devices do not connect via mapped drives although some people do feel the need to connect to them that way, you should be using UNC connections. You can access the UNC path via Network Places (Windows XP) or Network (Windows Vista and 7). This ‘virus’ cannot cross a UNC path.

If you don’t have a NAS you may find the following of interest.

Windows Vista Backup

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/windows-backup-in-vista/0e82cfda-c9dc-4b5f-af00-4d1bde8a3240

Windows 7 Backup

http://windows.microsoft.com/en-us/windows7/back-up-your-files

Windows 8 (and 8.1) Backup

Sadly Backup was lost but a new system was created called File History

http://windows.microsoft.com/en-gb/windows-8/set-drive-file-history

Of course if you have had this ‘virus’ and it has caused the loss of valuable data then I sympathise and unfortunately if you have not made proper backups that go back months then there is no way to get that data back.

Good AV “active” software that is up to date with its virus definitions should stop the ‘virus’ from entering your system.

For us Brits there are a load of emails being sent particularly aimed at Lloyds Bank users because of their c*ckups with moving people across to TSB that contain this virus. I normally get around five a day with at least two that contain this ‘virus’. As I said they never get to me because Mailwasher Pro sees them on the server before they are ever uploaded. They are also aimed at my business accounts and not my personal account. Mind you I have never had an account at either Lloyds or TSB so they are wasted on me. However Mrs Q has her client accounts with Lloyds and she has been moved to TSB but she knows never to download or open a Lloyds bank email if it does not have her name in the email.

 

 

 

Link to comment
Share on other sites
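
The post above draws a line between backup targets attached as drive letters (internal, USB or mapped network drives) and those reached only by UNC path. As an added example that is not part of the thread, this PowerShell function reports whether a given backup destination is currently reachable through a drive letter; the function name `Test-BackupTargetExposure`, the sample paths and the sample disk list are hypothetical.

```powershell
# Added example, not from the thread. Function name and sample data are hypothetical.
# Reports whether a backup destination can be reached through a drive letter right now.
function Test-BackupTargetExposure {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        # Defaults to the live system; pass constructed objects to try it offline.
        [object[]] $Disks = (Get-CimInstance -ClassName Win32_LogicalDisk)
    )
    # Win32_LogicalDisk.DriveType values of interest.
    $typeNames = @{ 2 = 'Removable'; 3 = 'Local'; 4 = 'Mapped network'; 5 = 'Optical' }
    # True when $path equals $root or sits below it (avoids matching \\nas\backup2).
    $under = {
        param($path, $root)
        $path -ieq $root -or
            $path.StartsWith($root.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
    }
    foreach ($disk in $Disks) {
        # DeviceID is the letter ("Z:"); ProviderName is the UNC share behind a mapped drive.
        $hit = (& $under $BackupPath $disk.DeviceID) -or
               ($disk.ProviderName -and (& $under $BackupPath $disk.ProviderName))
        if ($hit) {
            return [pscustomobject]@{
                BackupPath        = $BackupPath
                DriveLetter       = $disk.DeviceID
                DriveType         = $typeNames[[int]$disk.DriveType]
                ReachableByLetter = $true
            }
        }
    }
    [pscustomobject]@{
        BackupPath = $BackupPath; DriveLetter = $null; DriveType = $null; ReachableByLetter = $false
    }
}

# Constructed sample: one internal disk, one USB disk, one NAS share mapped as Z:
$sample = @(
    [pscustomobject]@{ DeviceID = 'C:'; DriveType = 3; ProviderName = $null },
    [pscustomobject]@{ DeviceID = 'E:'; DriveType = 2; ProviderName = $null },
    [pscustomobject]@{ DeviceID = 'Z:'; DriveType = 4; ProviderName = '\\nas\backup' }
)
Test-BackupTargetExposure -BackupPath 'E:\Backups'        -Disks $sample   # USB disk left plugged in
Test-BackupTargetExposure -BackupPath '\\nas\backup\pc1'  -Disks $sample   # UNC path that is also mapped
Test-BackupTargetExposure -BackupPath '\\nas\archive\pc1' -Disks $sample   # not attached to any letter
```

Omit `-Disks` to check the machine the script runs on. A result of `ReachableByLetter = $false` only says no drive letter points at the target at that moment.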

T,

Everybody is an expert on everything on every forum I have ever used even though I have never heard of them elsewhere. Microsoft is always backing things up on my computer and I have no idea why or what they are doing. I just let them get on with it.

David

Link to comment
Share on other sites

I agree. A lot are just scaremongering warnings but this one bothers me. After reading the thread I had 2 emails from banks that I deal with as they now send notification of statements and other info.

Even though I have spam protection etc I am becoming more cautious about opening that sort of email eg  "You called at our bank recently How Did We Perform".

A thought I had was to open such like emails on a Tab computer so as to try to avoid infection into my laptop files thus avoiding the problem.

Although I suspect a rogue app on a Tab could steal passwords, I don't know what other damage could be done?  Perhaps someone knowledgeable on this technology could advise if this would work. Also, do Tabs need virus protection?

 

Link to comment
Share on other sites

If it does not have your name in the text like "Dear Mr Fred Bloggs" then don't open it. Financial institutions will only send emails to you with your name in them and possibly your account number. If it says "Dear Sir or Madam" or "Dear client" etc then it is a dodgy email so delete it. If in doubt phone your bank or the place it says it comes from.

There is AV software for just about anything these days including Android devices and iPad/iPhone etc. In theory Android being a Linux operating system at its core you are better protected. You shouldn't really run an Android device in Developer Mode all the time as this effectively 'roots' the device which leaves it open to abuse. The default for this is normally disabled unless you change it.

Link to comment
Share on other sites

  • 1 month later...
Sorry to resurrect a relatively old thread, but after reading this absolute rubbish I felt motivated to respond.

This is just wrong, misinformation. Coming from a normal user is bad but for a moderator to spout this is not acceptable.

Developer mode is NOTHING to do with root. Absolutely NOTHING! It does not open you up to more abuse.

Android more protected as it is Linux based? What???? There is a significant amount of malware attached to apps in Android. There are some very dangerous ones out there.

Please take note of what Thiery was saying everyone. This is a very nasty virus and once you have it, any file it encrypts is effectively lost. Backups can also be infected.

And please check your facts Quillan, and people, do your research and don't take the word of just anyone.
Link to comment
Share on other sites
