[Solved] A question about ransomware

TrustMe

My friend's computer is infected with ransomware. She called the number on the screen and let them take over her computer. She thought she was talking to Microsoft. Now the computer is asking for a password which she never needed before. The guy on the phone said it will cost $200 for the password.

My question is, if I use the OEM recovery partition to restore her computer to factory defaults, would you trust that to get rid of the virus? Is it possible for the virus to be lurking somewhere else? Do you think I need to wipe the hard drive and do a clean install? I kind of hate destroying the OEM recovery partition but I will if it is necessary.

She is bringing me the computer later today so I haven't looked at it yet. It's a Dell laptop.

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Alienware
OS
Windows 7 Home Premium 64bit
CPU
iNTEL Core i7 2630QM 2GHz
Memory
8GB
Graphics Card(s)
NVIDIA GeForce GT 555M
Hard Drives
INTEL SSDSC2CW240A3
Antivirus
Windows Defender
Browser
Google Chrome
It doesn't sound like ransomware that encrypts your files but you can log in. What is exactly asking for the password, Windows or BIOS? The recovery should work OK. We need to see a screenshot of it asking for the password to identify what it is. It may be worth getting a free bootable virus scanner CD and trying that as a first step. It can be a simple scam that just runs a file at startup, so Ctrl+C may break it or Ctrl+Alt+Del may let you run Task Manager and kill it.
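A read-only triage listing, added here as an example and not posted by anyone in the thread: it prints the usual Windows autostart locations (Run/RunOnce registry keys, the Startup folders and non-Microsoft scheduled tasks) so that a "file that runs at startup", like the one samuria describes, can be seen before deciding between a cleanup and a factory restore. It assumes Windows 7 or later with PowerShell 2.0+ and schtasks.exe available; the registry paths and folder names are the standard ones and nothing is changed on the machine.

```powershell
# Added example (not from the thread). Read-only: lists autostart entries for review.
# Assumes Windows 7+ with PowerShell 2.0 or later and schtasks.exe on the PATH.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Output '== Registry Run/RunOnce entries =='
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -notlike 'PS*') {
                Write-Output ('{0}  {1} = {2}' -f $key, $p.Name, $p.Value)
            }
        }
    }
}

Write-Output '== Startup folder contents =='
# Per-user and all-users Startup folders (standard locations on Windows 7+)
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | ForEach-Object { Write-Output $_.FullName }
    }
}

Write-Output '== Scheduled tasks outside the \Microsoft\ folder =='
# schtasks.exe is used because Get-ScheduledTask does not exist on Windows 7.
# Verbose CSV output repeats its header row per task folder, so drop those rows too.
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' } |
    ForEach-Object { Write-Output ('{0}  ->  {1}' -f $_.TaskName, $_.'Task To Run') }
```

Run it from an elevated PowerShell prompt (or from Safe Mode, if the normal desktop is blocked) and read through the output; an entry pointing at a recently created executable in a user profile or temp folder, or a remote-support tool the owner never installed, is what to look at first. The script only lists entries; removal is a separate decision, and when anything suspicious shows up the factory restore the thread recommends remains the safer path.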
The OEM recovery partition process should sufficiently clean her computer. However, if she has a set of factory rebuild disks, that would be even better, because you would be using something to do the rebuild that will definitely not be infected. If she doesn't currently have these disks, she should be able to purchase a set of factory rebuild disks for her computer from Dell.
samuria, mrjimphelps thanks for the replies. I will post a screenshot this evening when I receive the computer.

Thanks for reminding me about the Dell recovery drive. I remember making one when she first bought the computer. I just talked to her on the phone and she is going to look for it. I'll keep you posted.
Hi TrustMe,

Sorry to hear about your friend's computer. This is one of the oldest tricks in the book and so many people fall for it.

I agree that this type of ransomware is not the type that encrypts the personal data, though since she is being locked out of her computer till she pays the $200 ransom fee, it is one variation of the many types of ransomware out there just waiting for its next victim. Without looking at a diagnostic log I/we could not determine if it is file-encrypting ransomware or not. Who knows what you will find once you get past that password.

Reformatting with the OEM recovery disks is the easiest way out and will ensure a clean machine since you are not sure what other types of malware had been installed, though it will wipe out all her personal files. We could try to remove the password on the computer, get any files off she just can not live without then reformat if you want to try that route, or if it is found that there are no serious backdoor trojans installed you may not need to reformat.

I am pretty sure that when you reformat using the OEM recovery partition (if there is one; it is usually found on the D: drive) or the recovery disks themselves, the recovery partition will be reinstalled during the reformat. I think Dell only provides the ability to create recovery disks, though the manufacturer may have created that D: recovery partition.

Anyway, when you get possession of the computer, see if you can boot it into safe mode. If so, this could be a way around that password so we can get a diagnostic log to reverse whatever changes the scammer made when she allowed him to access the computer remotely. If safe mode is not an option, we could also use a USB flash drive to create a bootable USB and use a recovery .iso to get through the "backdoor", per se. Up to you though how you want to go about doing this.

Donna :)
Hi DonnaB, Thanks for the reply.

I just wanted to give an update. There was no message about the password (she originally told me there was). On startup it just brought you to the normal login screen. She never used a password before. I used Hiren's Boot CD to clear the password and it booted to the desktop. From there I was able to save all her personal files to a portable hard drive.

She found the Factory Restore flash drive I made when the computer was new and I used it this morning to restore her computer. Now I'm in the process of installing all the updates. It's installing the first 35 now. It will probably take two days to install them all. lol

After the updates, she has a few programs I need to install.

Thanks everyone for your input.
Excellent! I love success stories. Nothing better than having friends who know their way around the computer. I am sure she will remember this experience for a long time coming. Please tell her to pass along her experience. If she tells 2 friends and they tell 2 friends (and so on and so on), maybe together we can all put these bad guys out of business who take advantage of the uneducated.

If you encounter any questions or concerns, please don't hesitate to ask. :)