#1: 5 Star Lounger, London

    Ransomware on wife’s laptop

    Is it still the case that ransomware can only be removed by paying the ransom or wiping the contents of the machine?

    My wife uses it only for email and browsing the web, plus we keep a third backup of our photos there, along with a weekly backup of ShareScope for the odd occasion when the settings get corrupted on my PC. The villains are demanding 3 bitcoins to decrypt – about $1,000 – which is far too much just to retrieve email, especially with the possibility that they might not provide the key.

    It is infuriating that on Sunday I made two images of my PC – one kept with a neighbour – and decided it was time to make a new image of the laptop, but ran out of time to do so, and then forgot about it. We did the weekly shop this morning, and came home to find this had occurred. Fortunately the backup is only 2 months old, quite recent compared with the previous image made last May.

#2: mrjimphelps (WS Lounge VIP, USA)
    If your email is set up as IMAP, then there will be a full copy on your email service's server. If you don't have a lot of email in your email mailbox, I would suggest that you do your email as IMAP. In this way, you hopefully won't lose any email.

    (Then again, using IMAP may provide a path for the infection to spread to the email server.)

    Here is some good information about ransomware and what to do about it. You may be able to unlock the data on your wife's computer. But it will not be easy, and maybe not even possible, if the ransomware was well-designed.

    Most of the tools discussed in the article I linked to require that the tool be installed before the computer is infected, so that it can block the infection. But one or more of them do make an attempt to decrypt your files.

    Good luck.

#3: 5 Star Lounger, London
    Update. IMAP unavailable, as we use POP3.

    A little while ago my wife wanted to access her email, and despite being told it was encrypted, went ahead anyway, and it is all available (perhaps Thunderbird is resistant to encryption). This gave me the idea of backing up to a thumb drive and reading it on my PC, quickly rejected due to the risk of both machines becoming infected.

    Thanks for the link. Have looked at Trend Micro Anti-Ransomware, and already need advice.

    “The first scenario requires the user to install the software using keyboard sequence after bypassing the malware by booting the PC into safe mode”, however, I have the impression that the web cannot be accessed in safe mode.

    The alternative, i.e. “allows it to be loaded on to a USB drive using an uninfected system and executed from there during a boot” is not very clear to me. If it’s downloaded on my PC to a USB stick, will that boot the laptop without any additional software? Presumably it would not be safe to use the USB again, so I must try and find a fairly small one.

    If the Trend Micro doesn’t work, this is likely to be a slow process of trial and error. Why didn’t I image the laptop Sunday instead of having an early night!

#4: CLiNT (Super Moderator, California & Arizona)
    A Two month old backup is better than no backup.
    Bite the bullet, live and learn.

    *Email should be backed up independently of an image.
    *Programs and license keys should also be backed up independently.
    DRIVE IMAGING
    Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time, and headache.


#5: Star Lounger
    mrjimphelps,

    Many thanks for those great links. I had tried to disable or turn off OneDrive sync to possibly avoid ransomware also encrypting the cloud version of my files. I don't know if this will work, but it seems like a good idea. Unfortunately, all I can find is "pause". Still looking.

#6: Super Moderator, Durham UK
    Ransomware doesn't normally come as a drive-by - the victim normally has to be tricked into clicking on an infected link.

    I would review your wife's emails to see if there was a dodgy one.

    Opening it shouldn't activate anything as you normally have to click on a link within the email.

#7: 5 Star Lounger, London
    Quote Originally Posted by CLiNT:
    *Email should be backed up independently of an image.
    *Programs and license keys should also be backed up independently.
    Are you saying that email is not included in the image? If this is so, and attempts to debug the laptop prove unsuccessful, we might as well go for a clean install, as there is nothing else of importance there.

    Programmes and data are all on "C" drive for simplicity, and it seems to work. The only time I restored an image was after setting up my current PC, installing all the programmes I use, and probably the data from the old XP machine, then restored the image and everything was OK.

#8: Administrator, Portugal
    Quote Originally Posted by georgelee:
    Are you saying that email is not included in the image? If this is so, and attempts to debug the laptop prove unsuccessful, we might as well go for a clean install, as there is nothing else of importance there.

    Programmes and data are all on "C" drive for simplicity, and it seems to work. The only time I restored an image was after setting up my current PC, installing all the programmes I use, and probably the data from the old XP machine, then restored the image and everything was OK.
    Emails are included in any image that includes the drive where they are stored. What Clint means is that email changes frequently enough to require its own independent backup schedule.
    Rui
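One way to give locally stored (POP3/Thunderbird) email the independent, frequently run backup described above is a small PowerShell script scheduled on its own. This is an added example, not code from the thread or from any poster; the destination drive letter, the retention count and the Thunderbird profile location are assumptions, and the backup is written as a new dated folder each run so that a copy made after an infection cannot overwrite the last good one.

```powershell
# Added example: versioned backup of a Thunderbird profile to a separate drive,
# run on its own schedule independently of whole-drive imaging.
# Assumptions: profile lives under %APPDATA%\Thunderbird\Profiles and the
# destination is a removable drive (letter E: assumed) attached only for backups.
param(
    [string]$Destination = 'E:\MailBackups',   # assumed drive letter
    [int]$Keep = 8                             # dated copies to retain
)

$ErrorActionPreference = 'Stop'

$profileRoot = Join-Path $env:APPDATA 'Thunderbird\Profiles'
if (-not (Test-Path $profileRoot)) { throw "No Thunderbird profile root at $profileRoot" }

# Refuse to back up onto the same volume as the profile: a copy on the same
# disk would be encrypted alongside the originals.
if ((Split-Path -Qualifier $profileRoot) -eq (Split-Path -Qualifier $Destination)) {
    throw 'Destination must be on a different drive from the profile'
}
if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

# Each run writes a new dated folder instead of mirroring over the previous
# one, so an already-encrypted profile does not replace yesterday's good copy.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $Destination "thunderbird_$stamp"

# /MIR copies the whole tree; /XF skips the profile lock file.
# robocopy exit codes below 8 indicate success.
robocopy $profileRoot $target /MIR /R:1 /W:1 /XF parent.lock | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Retention: keep the newest $Keep dated copies and delete older ones.
Get-ChildItem -Path $Destination -Directory -Filter 'thunderbird_*' |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force

Write-Host "Backed up $profileRoot to $target"
```

Detach the destination drive between runs; a backup drive that stays mounted is just another folder for the ransomware to encrypt.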

#9: Calimanco (WS Lounge VIP, UK)
    Try new Malwarebytes Anti Ransomware to avoid being infected in the future. It's free and, although still in beta, is working without any problems so far.

    http://www.majorgeeks.com/files/deta...ansomware.html

#10: mrjimphelps (WS Lounge VIP, USA)
    Quote Originally Posted by georgelee:
    Have looked at Trend Micro Anti-Ransomware, and already need advice.

    “The first scenario requires the user to install the software using keyboard sequence after bypassing the malware by booting the PC into safe mode”, however, I have the impression that the web cannot be accessed in safe mode.
    You can go into Safe Mode with Networking -- you can surf the web while there.

#11: 5 Star Lounger, London
    Hoping to try Trend Micro, #1 on link provided by mrjimphelps, but am unable to get into Safe Mode. Started up 3 times as instructed, and turned off quite quickly to ensure boot not completed, but the next start was like all the others. Deciding that it needed more time, and getting scientific, I restarted and timed how long it took for the splash screen to appear – 18 seconds. Beginning again, and holding down the power button after 15 seconds was more effective, but instead of Safe Mode it started diagnostics, finally concluding that it hadn’t started correctly and offering 3 options:

    go directly to Win 8.1, restore or close down. Stalemate, so I chose to close.

    The next step is to try downloading to a USB drive and booting from that, so I desperately need someone to answer my question as to whether an ordinary thumb drive will boot the laptop. Doesn’t it need a special programme to boot a PC?

    Another question. My wife has discovered that she can still send and receive email despite the ransomware, which means I’m not getting much access. However, is there a risk of infecting anyone who receives her emails? She has been instructed not to send anything to this PC, to avoid any risk of us both being cut off from the internet.

    PS. As the other options in the link provided by mrjimphelps look equally complex, I'm considering taking it to a repair shop. Has anyone had any success taking this course?

#12: mrjimphelps (WS Lounge VIP, USA)
    Quote Originally Posted by robertpri:
    mrjimphelps,

    Many thanks for those great links. I had tried to disable or turn off OneDrive sync to possibly avoid ransomware also encrypting the cloud version of my files. I don't know if this will work, but it seems like a good idea. Unfortunately, all I can find is "pause". Still looking.
    You are correct in turning off the OneDrive sync to protect the cloud version of your files. Hopefully they aren't already infected.

    I haven't done OneDrive; but I have done other cloud services. If you remove your hard drive folders from the cloud network, that should stop the synchronization from happening.

#13: mrjimphelps (WS Lounge VIP, USA)
    Quote Originally Posted by georgelee:
    Hoping to try Trend Micro, #1 on link provided by mrjimphelps, but am unable to get into Safe Mode. Started up 3 times as instructed, and turned off quite quickly to ensure boot not completed, but the next start was like all the others. Deciding that it needed more time, and getting scientific, I restarted and timed how long it took for the splash screen to appear – 18 seconds. Beginning again, and holding down the power button after 15 seconds was more effective, but instead of Safe Mode it started diagnostics, finally concluding that it hadn’t started correctly and offering 3 options:

    go directly to Win 8.1, restore or close down. Stalemate, so I chose to close.
    Hold your left shift key down, then click the Start button and choose Restart. Keep your left shift key held down till the computer is restarting. That will bring up the menu for choosing Safe Mode or Safe Mode with Networking.

    Quote Originally Posted by georgelee:
    Another question. My wife has discovered that she can still send and receive email despite the ransomware, which means I’m not getting much access. However, is there a risk of infecting anyone who receives her emails? She has been instructed not to send anything to this PC, to avoid any risk of us both being cut off from the internet.
    Yes, there is a risk.

#14: 5 Star Lounger, London
    Sudo,
    One of yesterday’s emails with a heading along the lines of ‘Insufficient funds to complete the transaction’ attracted my attention, and not noticing the time sent, thought it was related to when I looked into how much was required for the ransom, without proceeding further.

    Clicking on it opened a page of gibberish, which my wife also admits to opening, so the laptop has most likely been encrypted twice, making it impossible to clean.

    Replying to your post has only now made me realise that my action has made the situation much worse.

    PS Also how easy it is to be tricked into opening a malicious link - almost anyone would want to know where and why the lack of funds occurred - or am I more gullible than most?

#15: Super Moderator, Durham UK
    The idea was to check for suspicious emails without clicking on any links in them, but it's the first I've heard of just opening an email resulting in infection.

    I'd use your two month old image and if in future your wife receives an email from someone she doesn't know - then get her to treat it as Spam at the least and bin it straight away.