Just got a call from someone who has got the RANSOMWARE (CryptoLocker) virus. This was the second call about the virus in three weeks. It encrypts all of your data files, pics, videos and docs, on every drive letter it can reach, including plugged-in USB drives and mapped network shares. It does not hide in the boot sector: it runs as an ordinary Windows program and writes itself into the registry so that it starts again every time Windows starts, which is why a simple reboot does not get rid of it. Too late to do any good for the people who phoned me unfortunately, but just in case it happens to you, here’s what to do.
How you got it…. You opened an email ZIP attachment (compressed file), probably from someone you know, containing what looked like an innocuous PDF or Word document. It was in fact a program wearing a document icon and a double extension such as “Invoice.pdf.exe” (Windows hides the final “.exe” by default, so you only saw “Invoice.pdf”), and you didn’t get your virus scanner to scan it before you opened it. Next time, “right click” on any compressed file you receive and select “Scan file”. (Whoever sent it probably didn’t know, so don’t blame them. Their machine was probably acting as a “zombie” in a botnet, pumping out the spam.) Or you were messing around with compressed torrent files on Piratebay! Hmmm…. In which case… stay away from the dark side!!!
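Here is the kind of look-before-you-open check the paragraph above is asking for, written out as an added example (it is not code from the original post). It lists the members of a ZIP attachment without extracting anything and flags the lure tricks: an executable with a document-looking double extension, a Windows executable (“MZ”) header sitting behind a harmless-looking name, a nested archive, and password-protected members that no scanner can inspect. Both sample attachments are constructed in memory, and every file name in them is made up.

```python
"""Look inside an e-mail ZIP attachment before anything in it is opened.

Added example, not from the original post.  Nothing is extracted to disk;
only the member list and the first two bytes of each member are read.
"""
import io
import zipfile
from typing import List

# File types Windows runs when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi"}
# File types a lure pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable
RLO = "\u202e"     # right-to-left override: makes "annexe.exe" display reversed


def _extensions(member_name: str) -> List[str]:
    """All dot-suffixes of the base name, lower-cased: 'a/Report.PDF.Exe' -> ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(data: bytes) -> List[str]:
    """Return one warning per suspicious finding; an empty list means nothing obvious."""
    warnings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = _extensions(name)
            if RLO in name:
                warnings.append(f"{name!r}: right-to-left override hides the real extension")
            if exts and exts[-1] in EXECUTABLE_EXTS:
                warnings.append(f"{name}: executable file type {exts[-1]}")
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    warnings.append(f"{name}: double extension, shown as {exts[-2]} when extensions are hidden")
            if exts and exts[-1] in ARCHIVE_EXTS:
                warnings.append(f"{name}: nested archive, contents not inspected")
            if info.flag_bits & 0x1:   # bit 0 of the general-purpose flags = encrypted member
                warnings.append(f"{name}: password-protected member, scanners cannot look inside")
                continue
            # Peek at the first two bytes only; nothing is written to disk.
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                warnings.append(f"{name}: Windows executable header behind a non-executable name")
    return warnings


def _fake_exe() -> bytes:
    """Constructed stand-in for a dropper: DOS signature, padding, PE signature. Not runnable."""
    return PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64


def build_lure_attachment() -> bytes:
    """Constructed attachment mimicking the CryptoLocker lure (made-up names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2013_11.pdf.exe", _fake_exe())                  # Explorer shows "Invoice_2013_11.pdf"
        zf.writestr("scan.pdf", _fake_exe())                                 # executable bytes behind a PDF name
        zf.writestr("more/attachments.zip", b"PK\x05\x06" + b"\x00" * 18)    # empty nested zip
        zf.writestr("readme.txt", b"Please see the attached invoice.\r\n")
    return buf.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed attachment holding a minimal real PDF header and a text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("quote.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n")
        zf.writestr("readme.txt", b"Quote attached as discussed.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_attachment()), ("clean", build_clean_attachment())):
        findings = inspect_zip(blob)
        print(f"{label}: {len(findings)} warning(s)")
        for line in findings:
            print("  -", line)
```

The header peek is what catches the case the extension check misses: a file named “scan.pdf” that begins with “MZ” is a program whatever its icon says. A password-protected ZIP is flagged rather than opened, because a mail scanner cannot see inside it either, which is exactly why later ransomware spam started using them.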
What Happens… A red warning screen comes up on your computer. Some variants dress it up as a notice from the FBI, RCMP, OPP or Microsoft saying you have downloaded illegal files and your computer has been locked; CryptoLocker’s own screen simply tells you your files have been encrypted and shows a countdown. To unlock the files you must pay them about $300. Meanwhile it is encrypting all your data files with a public key; the matching private key needed to decrypt them never leaves the criminals’ server, so without it the files cannot be unscrambled. It also writes itself into the registry so that it runs again on every start-up. To get the key you must pay them in bitcoins or with a prepaid cash voucher. Some ransomware variants also lock you out of the system altogether, making it impossible to enter “safe mode”, the registry editor or the control panel. You need “safe mode” to remove it from your computer.
What to do… IMMEDIATELY shut down your computer in “brute force mode”: press the power button and hold it down for several seconds until the computer starts to shut down. If you get a screen that says ongoing processes are stopping the shutdown, click on FORCE SHUTDOWN. Unplug the network cable and any external drives at the same time, because the virus works its way through every drive letter it can reach, including USB disks and network shares. Every file it had not yet reached is saved; files it has already encrypted stay encrypted. As long as you do shut down immediately there is a two step process that can help.
You will need a scanner called the “Kaspersky Rescue Disk”. Then you will need an anti-malware scanner called Malwarebytes Anti-Malware (MBAM), which also catches rootkits. You will also need access to another computer to download these programs. If you have a favourite computer geek, now is the time to phone him because he may have the rescue disc and MBAM in his toolkit! If not, you will have to download the Kaspersky rescue disc (links below) and burn the ISO file onto a CD on the other computer. Once you have burnt or borrowed the rescue disc, put it into the infected computer and start it up. It should boot to the disc instead of the hard drive and automatically start the Kaspersky program. If not, that is to say if it goes straight to the hard drive and tries to start Windows instead, you will have to change the boot order of the computer (see below, Changing the boot order).
STEP 1… Once you reach the disc and the Kaspersky program starts, you can follow the prompts and scan the machine. It should find the virus and repair the system settings it changed, allowing access back into your computer. Shutdown, remove the disc and restart in “safe mode” (see below, Accessing safe mode). STEP 2… Put the Malwarebytes program you downloaded onto the other machine onto a USB stick and move it over to the infected computer. Install the program. Run the program (MBAM). Scan everything (full scan). If your computer won’t let you install the program in safe mode, shutdown once more and restart in normal mode… Not as safe but it may be the only option available. Bear in mind that both scanners remove the virus; neither one decrypts the files it had already got to.
Once your computer is back under your control two final steps are a good idea. Download the one time Microsoft safety scanner (link below) and run it. Then run your everyday virus scanner on a full system scan.
How to avoid it… DON’T OPEN compressed files (ZIP, TAR) that arrive by email unless you have a GOOD virus scanner that scans your email; many free scanners do not look inside attachments. If you get the virus and it has already encrypted the files, cleaning the machine will not bring them back. Short of a backup, the only hope is Windows’ “Previous Versions” feature (Volume Shadow Copy), which Windows 7 offers if System Protection was turned on for that drive. This is not reliable: the copies are only as recent as the last restore point, many ransomware variants delete them before encrypting, and XP does not have the feature at all. The only other option is to take the hard drive out, format it on another machine and then reinstall your system, losing all your data files, unless you have (NECESSITY!) a disc image backup system (see precautions, Norton Ghost system).
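Before deciding between a shadow-copy restore and a wipe, it helps to know how far the encryption got. The script below is an added example (not from the original post) of that triage: run it against the data folders of the stopped machine’s drive, mounted read-only from another computer or a rescue disc. It combines two signals: the “magic number” that every PDF, JPEG, PNG or Office file starts with, and the byte entropy of the first 4 KiB, which sits close to 8 bits per byte for encrypted data. The file-type table and the 7.5 bits/byte threshold are assumptions chosen for this example, and the sample folder is constructed in a temporary directory so it runs offline.

```python
"""Triage which data files have already been scrambled by file-encrypting ransomware.

Added example, not from the original post.  Two signals per file: the format's
magic bytes (so an intact JPEG is not mistaken for ciphertext just because it is
compressed) and Shannon entropy of the first 4 KiB (encrypted bytes look random).
"""
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, List

# Header bytes the named formats always start with (assumed table; extend as needed).
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}
TEXT_EXTS = {".txt", ".csv", ".log", ".htm", ".html", ".xml", ".ini"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, text sits around 4-5, ciphertext above 7.9
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one file, reading at most HEAD_BYTES."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    ent = shannon_entropy(head)
    magic = MAGIC.get(ext)
    if magic is not None:
        if head.startswith(magic):
            return "intact"          # header present, even if the body is compressed/random-looking
        return "encrypted" if ent > ENTROPY_THRESHOLD else "unknown"
    if ent > ENTROPY_THRESHOLD:
        return "encrypted"           # random-looking bytes where none were expected
    return "intact" if ext in TEXT_EXTS else "unknown"


def triage(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket every file by classification (paths relative to root)."""
    result: Dict[str, List[str]] = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            result[classify(path)].append(os.path.relpath(path, root))
    return result


def build_sample_tree() -> str:
    """Construct a small folder: two intact files, two scrambled ones (deterministic noise)."""
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "letter.txt": b"Dear Sir,\r\n" + b"the quick brown fox jumps over the lazy dog. " * 40,
        "holiday.jpg": b"\xff\xd8\xff\xe0" + noise(2000),   # intact JPEG: random body, header present
        "thesis.pdf": noise(3000),                           # scrambled: header gone, high entropy
        "notes.txt": noise(1500),                            # scrambled text file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for bucket, names in report.items():
        print(f"{bucket:10s} {len(names):3d}  {', '.join(names)}")
```

The JPEG case is the reason for the header check: a photo is already compressed and scores nearly as high on entropy as ciphertext, so entropy alone would write off every picture on the disk. Anything that lands in “unknown” (a format not in the table, with unremarkable entropy) needs a look by hand.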
(1) Don’t open compressed files (ZIP, TAR etc.) from your email, even if you think you know who sent them. If you do, then scan them with your virus scanner before you open them (“right click” on any compressed file you receive and select “Scan file”). Especially ones that claim to contain PDF files. If your virus scanner doesn’t provide this option, get one that does, like Norton or Kaspersky!
(2) Regularly back up all your data files on a separate external hard drive: doc files, email, pics, videos, whatever. SYNCBACK is a very good program to back up your data files and folders on a daily basis. Unplug the external drive once the backup has run; a backup drive that is left connected gets encrypted along with everything else. NORTON GHOST is a good imaging backup program that can image your hard drive, take a complete copy of the drives you choose (C, D and the hidden system partition) and save it in a restorable form. In the event of an infection or system meltdown, you can reboot your computer from the Norton Ghost boot CD. It will format your drive and restore it to the state it was in before the infection or crash. This option is a life saver and will save you having to go through all this rubbish!
(3) Download and PAY for the full version of MBAM (Malwarebytes.com). The paid version runs in the background and will stop rootkits, trojans and worms that slip past the standard scanners; the free version only scans when you tell it to.
(4) Download and keep a copy of the Kaspersky Rescue Disk.
(5) Make, buy or find original system restore discs for your computer, just for days like these. Otherwise you will be paying for a new Windows operating system! These are very handy if you happen to sell or give the machine away as well, as they restore the computer to its pristine state as when you bought it. You should also wipe the hard drive if you’re selling it; DBAN is a program for that!
Changing the boot order: Restart and try the CD first, but if the computer just boots into Windows you will have to change the “boot order” for it to boot from the CD drive. You can do this at the start-up screen, which briefly shows a key (Del, F2, F10 or F12, depending on the maker) for “Setup” or “Boot menu”. Press it, then either pick the CD drive from the one-time boot menu or move the CD drive to the top of the boot order list and save.
Accessing “Safe Mode”: “Safe mode” is a barebones version of the Windows GUI (what you see on the screen) that only loads the drivers and files necessary to start Windows. This means that no other programs such as email, internet browsers and any nasty stuff are loaded into memory. MBAM will run in safe mode. To access “safe mode”: Shut down the computer. Restart and tap the F8 key repeatedly as soon as the machine starts, before the Windows logo appears; on Windows XP, Vista and 7 this brings up the boot options menu. Some makers use a different key, so watch the start-up screen. If you can’t catch the right key, another method is to press the power button and then, AS Windows starts to load, hold the power button down again for a few seconds until it shuts down again. Repeat this until Windows doesn’t load but a black screen comes up with several boot options; you want “SAFE MODE”. It takes time to load and you will see a few screens of black and white text scrolling.
Kaspersky Rescue Disk: http://www.tomsguide.com/us/download/Kaspersky-Rescue-Disk,0301-32450.html
I use Norton Internet Security. It contains an email scanner. http://ca.norton.com/antivirus/
I also use Norton Ghost as a disc image back up system : http://www.symantec.com/themes/theme.jsp?themeid=ghost
Syncback can be found at : http://www.2brightsparks.com/freeware/freeware-hub.html
Some good info is also available at : http://www.microsoft.com/security/resources/ransomware-whatis.aspx
MBAM (essential) can be found at http://www.malwarebytes.org/lp/lp4/?gclid=COa_vO-a9sECFQmDfgodxBcA8w They let you have a three month free trial last time I looked, but it is well worth the money ($30?) to buy it if you are getting recurring problems with root kit, worms etc…
DBAN, Darik’s Boot and Nuke, for wiping your hard drive: http://dban.org
Microsoft emergency one -time virus scanner http://www.microsoft.com/security/scanner/en-us/default.aspx
If this was helpful, or if it saved your bacon, maybe you could buy me a cup of coffee?