
Got hit by Ransomware :-(


Daffy D


Just an aside -- I run Linux and a VM with Windows for those things that insist on running in Windows. As time goes by I use the Windows VM less and less, but things like the recent 90-day reporting online facility being only available on IE make it handy to have.

Like everything about personal computing -- people choose what they're comfortable with, but the basics of prevention of malware and similar problems are where we all come together. Unfortunately there are as many solutions as there are people talking.

Running Windows in a VM on top of Linux is the best way to go, IMHO. Keep trailing snapshots of the VM along with daily backups and you can always revert quickly to a known good state. By running VMware or some other virtualizer you can do your browsing in a Linux VM, for example, safely away from the Windows VM.

If I were the OP I would wipe the drive and rebuild the Windows installation from scratch to get to a known, clean state. It's the only way to be sure there will be no reinfection.



FWIW - infections can get into the boot sector, impossible to remove without totally wiping, re-formatting and overwriting the whole disk with something like dd in Linux - possibly several times. Then create a filesystem in a virus-free environment and maybe - just maybe - you will be able to install Windows again and not be infected. Not sure if ransomware gets into the boot sector, but given their level of persistence it'd not be a surprise.


Hello, I found this topic accidentally, and I see that it's really popular. Unfortunately, most of the statements written here are not true, and I think that I can give correct answers to most of the questions.

  1. Some people are trying to remove the virus. DON'T DO THIS! Removing the virus itself won't help. It's just a tool to encrypt the files and to communicate with the hackers. If you remove it, you will lose the chance to restore the files by paying the ransom. Remove it only if you have agreed to let the files go and forget about them, or if you've found another solution.
  2. The chance to decrypt the files is very low, but it still exists. Kaspersky Lab is developing a tool which collects the decryption keys from all mentioned cases of encryption, and there may be yours too! Here's this tool.
  3. You have to understand that hackers aren't reliable people, and they don't give a s**t about you and your data. They don't want you to become a regular customer of their ransomware. If you pay a ransom, only God knows whether you will get your files back or not. Think twice before doing this and be ready to lose the money too. And use your brain, please. Don't pay the ransom using internet services on the infected computer, because if the ransomware got through its defences, there could be a keylogger too.
  4. Loading backups is a perfect way to get rid of any ransomware. If you have backups of the .txt, .jpg and .png files, just remove the virus completely, wait a few days and use them. But if you have a full backup of all drives, think about when the virus penetrated the system. If you backed up the system with the virus on it, the backup is useless.
  5. There are other possibilities to restore the data besides the backup. I'm not talking about actual decryption, but about restoring from the shadow copies. Tools such as ShadowExplorer and Recuva can do this, but there's no 100% guarantee of success.

This is all I had to say, and I'll be glad if it helps someone. If there's still not enough info, here are two articles about the ransomware and restoring files which will help you:

Ransomware removal

How to restore the encrypted files

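An added example, not written by anyone in this thread, that turns the point in item 4 above into a small Python triage helper: it finds the file extension that appeared in a single burst of writes (using the .shit extension reported later in the thread as a constructed sample) and keeps only the backups that finished before that burst started. The sample directory, the backup list and the time-window thresholds are all constructed assumptions.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path


def find_burst_extension(root, min_files=5, burst_seconds=3600):
    """Return (extension, earliest_mtime) for an extension whose files were all
    written inside one short burst; (None, None) if nothing looks like that."""
    mtimes = defaultdict(list)
    for path in Path(root).rglob("*"):
        if path.is_file():
            mtimes[path.suffix.lower()].append(path.stat().st_mtime)
    for ext, stamps in mtimes.items():
        if len(stamps) >= min_files and max(stamps) - min(stamps) <= burst_seconds:
            return ext, datetime.fromtimestamp(min(stamps))
    return None, None


def usable_backups(backups, infection_time):
    """Keep only backups finished before the encryption started, newest first;
    a backup taken later already holds the encrypted files (item 4 above)."""
    older = [b for b in backups if b[1] < infection_time]
    return sorted(older, key=lambda b: b[1], reverse=True)


def build_sample_tree():
    """Constructed sample: 3 old untouched documents, 6 files renamed to .shit."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    start = datetime(2016, 10, 25, 14, 0)  # constructed encryption start time
    for i in range(3):
        doc = root / f"notes{i}.txt"
        doc.write_text("untouched")
        old = (start - timedelta(days=30 + i)).timestamp()
        os.utime(doc, (old, old))
    for i in range(6):
        enc = root / f"photo{i}.jpg.shit"
        enc.write_bytes(b"\x00" * 16)
        hit = (start + timedelta(minutes=i)).timestamp()
        os.utime(enc, (hit, hit))
    return root


def triage_sample():
    """Run both checks over the sample tree and a constructed backup list."""
    ext, first_hit = find_burst_extension(build_sample_tree())
    backups = [("weekly", datetime(2016, 10, 23, 2, 0)),
               ("nightly-after-infection", datetime(2016, 10, 25, 23, 0)),
               ("monthly", datetime(2016, 10, 1, 2, 0))]
    return ext, [name for name, _ in usable_backups(backups, first_hit)]
```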

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

https://www.us-cert.gov/ncas/alerts/TA16-091A

Edited by Chicog


A virus on a virtual machine cannot get access to the boot sector of the host computer running the virtualization software. An infected VM can be safely reverted to a snapshot taken prior to the infection, if one is available, which eliminates the infection, since the snapshot includes the boot sector of the VM. This is obvious if you understand virtual machines.


  • 6 months later...

Hello! I have a question on ransomware. My sister's laptop is infected with a virus that encrypted all files, and now they have the .shit extension. The virus demands 3 BTC ($1500) for the decryption tool.... I've read this article (http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-extension-shows-that-you-cant-polish-a-turd/) and this guide (http://manual-removal.com/shit-encrypted-files/), and I've also used ShadowExplorer and Recuva, but no help from them.

So I want to ask you if there is any chance to get her files back without paying 3 BTC?


1 hour ago, Cyrys said:

Hello! I have a question on ransomware. My sister's laptop is infected with a virus that encrypted all files, and now they have the .shit extension. The virus demands 3 BTC ($1500) for the decryption tool.... I've read this article (http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-extension-shows-that-you-cant-polish-a-turd/) and this guide (http://manual-removal.com/shit-encrypted-files/), and I've also used ShadowExplorer and Recuva, but no help from them.

So I want to ask you if there is any chance to get her files back without paying 3 BTC?

I have to say it doesn't sound good.

Check this list:

http://www.thewindowsclub.com/list-ransomware-decryptor-tools

Or who knows you might get lucky here:

https://www.nomoreransom.org/crypto-sheriff.php
