Digital Spy

DS Forums
HELP!!! Friend's files held to ransom!!!!


Old 29-01-2013, 19:22
DaisyBumbleroot
Forum Member
 
Join Date: May 2003
Location: Derby, UK
Posts: 23,176

My friend has just posted this up on Facebook:

I've had at least six months worth of irreplaceable work, family photos, and film, encrypted by someone who's trying to extort a paltry 100 out of me to unlock my work.

The work is genuinely encrypted and needs a key to unlock it rather than simply wiping a virus. Is there anyone out there with the abilities to sort this?

If I thought for a second that the person in question would actually follow through I would happily pay the money, as to me most of this material is priceless.

Any help, leads, advice or experience would be hugely appreciated.




Anyone have a clue at all please?!
Old 29-01-2013, 19:33
Red Arrow
Forum Member
 
Join Date: Jul 2004
Location: Mars
Posts: 10,107
I'm no expert, but I don't think a virus can encrypt a large amount of data on a computer.

In my mind the person who did this had direct access to the computer, which means your friend knows them in person.

Sorry, I can't offer much advice.

Edit - I'm mistaken it seems:
http://www.net-security.org/malware_news.php?id=945
Old 29-01-2013, 19:34
joe-media
Forum Member
 
Join Date: Aug 2011
Posts: 162
It's probably a variant of the 'Reveton' virus, otherwise known as the Metropolitan Police virus.

Whatever your friend does, DO NOT let them pay, as it is completely BOGUS.

On another PC, download Avira Rescue CD and burn it to disk. Load it into the CD drive of the affected PC.

At startup you should see an option to select boot options. It usually varies from manufacturer to manufacturer. Once you see what this is, press the correct key once and you will be given the options of what to boot from.

Select the option that allows you to boot from the CD/DVD drive.

Avira should then load. Before you do anything else, make sure you update, by choosing the update tab. This will allow the utility to scan for all the latest threats out there.

You will then want to scan the PC and let it run until it has completed. A few items in red will appear in the status window, and the time it takes will depend on how much malware is present on the PC and how much data resides on it (a lot, by the sounds of it).

Once this has completed, quit Avira rescue CD and reboot, tapping F8 repeatedly until you reach a dialogue consisting of booting into Safe mode, Safe mode with Networking and Safe mode with command prompt.

Choose Safe Mode with Networking.

Log in once Windows allows you to, into the Administrator account of the machine. After the desktop has fully loaded up, open Internet Explorer. (The encryption malware should now no longer be present and should not appear; if it does then you may need to re-run the Rescue CD).

Go to Google and search for Malwarebytes free version (I usually use the one from C-net) and download it. Install the program and allow it to check for updates.

You should then see the main menu. Select 'run full scan'. Allow this to run. Anything left over should be detected and removed. Ensure that all traces have been removed and reboot back into Windows.

You should now be free of this malware. Hope this helped...
Old 29-01-2013, 19:34
rjb101
Forum Member
 
Join Date: Apr 2005
Posts: 2,259
Find out if it's true before you do anything. If it is, tell them to contact the police... unless their last name's Gadd.
Old 29-01-2013, 19:54
shhftw
Forum Member
 
Join Date: Feb 2011
Location: Yorkshire
Posts: 1,833
Quote: joe-media's post above, quoted in full.
That might get rid of a message, but they maintain the work is genuinely encrypted. If the second post is to be believed, it's one tough nut to crack.

There's a tool that might help issued by Kaspersky

http://support.kaspersky.com/1809

Either way it looks like a major pain in the proverbial.
Old 29-01-2013, 19:57
joe-media
Forum Member
 
Join Date: Aug 2011
Posts: 162
Ok thanks, I just posted that because even with the Metropolitan police virus, people genuinely think that they have to pay a fine because their PC has been 'locked', so thought I would post that guide up.

I hope the Kaspersky tool can help rectify the issue if it has genuinely been encrypted.
Old 29-01-2013, 20:00
max99
Forum Member
 
Join Date: Jun 2005
Posts: 8,659
Google for the exact wording of the message and you might find info on what steps to take next. The files might just be hidden or moved. However, there is genuine malware which does encrypt data. Previous versions of it had tools available which could decrypt the files. Sometimes deleted versions of the files are left behind, so it might even be possible to recover them using regular data recovery software.

Check back here before if you're not sure if any of the info you find is genuine. And give your friend a slap for not having their 'irreplaceable data' backed up. There's no excuse nowadays.
Old 29-01-2013, 20:46
psionic
Forum Member
 
Join Date: May 2002
Location: Crystal Palace TX
Posts: 18,923
I've heard about certain ransomware which really does encrypt data. I think there were tools mentioned on bleepingcomputer that can unencrypt it or work out the key. But thankfully I've not personally encountered this malware yet.
Old 29-01-2013, 23:32
alternate
Forum Member
 
Join Date: Jul 2005
Posts: 7,893
Are you sure he hadn't just been reading the book ReamDe?
Old 29-01-2013, 23:53
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,433
And of course no backup in the event that the hard drive failed and they would also have lost all their precious content.

Will people never learn?

If the data was that important you'd have thought they would have backed it up so that in the event of a virus, burglary, hardware failure etc they still have it.
Old 30-01-2013, 11:12
paulj48
Forum Member
 
Join Date: Jul 2007
Posts: 999
Quote (Thine Wonk): And of course no backup in the event that the hard drive failed and they would also have lost all their precious content.
Maybe their backup is encrypted as well, what if the OP's friend has done a recent backup before they knew of the problem?
Old 31-01-2013, 15:31
DaisyBumbleroot
Forum Member
 
Join Date: May 2003
Location: Derby, UK
Posts: 23,176
Sorry for not replying or getting back to you all.

He'd had a PC repair guy out who got rid of the virus ok, but yep, the files are deffo encrypted.

I'm not sure if he managed to get his stuff back, I've not spoken to him. I will come back and let you know - thanks for the replies.
Old 01-02-2013, 14:22
psionic
Forum Member
 
Join Date: May 2002
Location: Crystal Palace TX
Posts: 18,923
There's a new type of ransomware doing the rounds in Germany now apparently, which demands a 100 fine to unlock your computer for viewing 'juvenile porn'. Probably only a matter of time before variants of this start spreading everywhere. http://www.bbc.co.uk/news/technology-21291925
Old 01-02-2013, 14:25
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote (psionic): There's a new type of ransomware doing the rounds in Germany now apparently, which demands a 100 fine to unlock your computer for viewing 'juvenile porn'. Probably only a matter of time before variants of this start spreading everywhere. http://www.bbc.co.uk/news/technology-21291925
That one does in fact actually include images of juvenile porn too. Terrifying.
Old 01-02-2013, 14:36
bobcar
Forum Member
 
Join Date: Sep 2004
Posts: 12,673
Quote (flagpole): That one does in fact actually include images of juvenile porn too. Terrifying.
That is terrifying, I suspect most of us would rather do time than be accused of something like that.
Old 01-02-2013, 14:51
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote (bobcar): That is terrifying, I suspect most of us would rather do time than be accused of something like that.
It's interesting, innit. Like if it came up on a shared family computer, for example, how many parents or husbands or wives would pay to cover it up.
Old 03-02-2013, 04:15
Cyclist
Forum Member
 
Join Date: Feb 2012
Posts: 715
FFS if working on something valuable back it up to a separate device and keep it separate so it does not catch a virus or get trashed if the PC crashes and burns. Hard disks do fail. It takes 10 minutes to burn a CD.

And yes, these scams have been doing the rounds in one form or another for ages, they rely on fear, knowing that many perfectly innocent people will pay up rather than have the finger of suspicion pointed at them.

The Met Police variant claims it is an online fine. Wonder how many people pay up and think they have to declare it under the Convictions section of applications for social work, teaching or nursing jobs?
Old 03-02-2013, 05:38
Apprentice 2 SA
Forum Member
 
Join Date: Aug 2007
Posts: 1,771
Quote (paulj48): Maybe their backup is encrypted as well, what if the OP's friend has done a recent backup before they knew of the problem?
You should backup as regularly as possible, and also archive older backups if possible. In this case it may be that the regular recent backup is affected, and the last archive backup is six months ago, which realistically is an acceptable level of backup. It's what I do.

I can't help with this issue, but my advice for anyone in the future is to run antivirus and Malwarebytes before the regular backup.

This is a sad situation. (Find a virus-maker and shake them warmly by the throat.)
Old 03-02-2013, 06:41
thenetworkbabe
Forum Member
 
Join Date: Jul 2003
Posts: 26,222
Quote (flagpole): It's interesting, innit. Like if it came up on a shared family computer, for example, how many parents or husbands or wives would pay to cover it up.
Nastier because if you put something that nasty on a computer many people won't take it to a computer expert to fix it either. The problem of course is that the crooks won't take it off for the money, but will use the credit card details to empty the account credit. About time someone got on top of this at the security or the credit card ends of the problem.
Old 03-02-2013, 10:23
bobcar
Forum Member
 
Join Date: Sep 2004
Posts: 12,673
Quote (thenetworkbabe): Nastier because if you put something that nasty on a computer many people won't take it to a computer expert to fix it either. The problem of course is that the crooks won't take it off for the money, but will use the credit card details to empty the account credit. About time someone got on top of this at the security or the credit card ends of the problem.
It's relatively easy to do a lot about credit card fraud especially online but the banks are willing to accept fraud rather than make transactions more difficult. One measure that would really cut fraud would be if we could opt in that our credit card could only be used routinely for deliveries to our home address.
Old 03-02-2013, 11:41
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,617
Quote (bobcar): One measure that would really cut fraud would be if we could opt in that our credit card could only be used routinely for deliveries to our home address.
I'm going slightly off topic here, but that would only work where you are using the credit card to buy a physical product. What if you want to use your credit card to pay for a service (subscription TV, car service, etc), or a product that isn't physically delivered (e.g. digital music).
Old 03-02-2013, 11:55
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,433
Quote (paulj48): Maybe their backup is encrypted as well, what if the OP's friend has done a recent backup before they knew of the problem?
If you do the backup correctly you copy the files and only replace duplicates, any encrypted files wouldn't be duplicates, they would be different as the encryption would change the file size and hash. The same goes for an online backup, it would store the encrypted files as duplicates.
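Added example, not code from any poster in this thread: a small Python versioned backup that does what Thine Wonk describes. Each copy is keyed on its SHA-256 hash, so an encrypted overwrite is stored beside the last good version instead of replacing it, and a changed file that suddenly looks like ciphertext (high byte entropy) is flagged. The function names, the 7.9 bits/byte threshold and the random-byte stand-in for an encrypted file are all constructed for the example; the entropy check is only meaningful for uncompressed files, since JPEGs and video already sit near 8 bits/byte.

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter

ENTROPY_ALERT = 7.9  # bits/byte; constructed threshold, only meaningful for uncompressed files

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    # Plain documents score roughly 4-6 bits/byte; ciphertext and random data sit near 8.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def backup_file(src, backup_dir):
    """Store src as <name>.<12 hex chars of its sha256> inside backup_dir.
    Identical content is skipped; changed content gets a NEW copy beside the old
    one, so an encrypted overwrite never replaces the last good version.
    Returns (stored_new_version, high_entropy)."""
    dest = os.path.join(backup_dir, f"{os.path.basename(src)}.{sha256_of(src)[:12]}")
    if os.path.exists(dest):
        return False, False
    with open(src, "rb") as f:
        high_entropy = shannon_entropy(f.read(1 << 20)) > ENTROPY_ALERT
    shutil.copy2(src, dest)
    return True, high_entropy

def demo():
    """Constructed scenario: back up a notes file, then simulate it being replaced
    by ciphertext (random bytes stand in for the encrypted file) and back up again."""
    work = tempfile.mkdtemp()
    backups = os.path.join(work, "backups")
    os.mkdir(backups)
    notes = os.path.join(work, "notes.txt")
    with open(notes, "w") as f:
        f.write("family holiday notes, Jan 2013\n" * 200)
    first = backup_file(notes, backups)   # (True, False): new copy, looks normal
    repeat = backup_file(notes, backups)  # (False, False): unchanged, skipped
    with open(notes, "wb") as f:
        f.write(os.urandom(16384))        # stand-in for the encrypted file
    after = backup_file(notes, backups)   # (True, True): new copy AND high entropy
    versions = len([p for p in os.listdir(backups) if p.startswith("notes.txt.")])
    shutil.rmtree(work)
    return first, repeat, after, versions
```

Run against a real folder, the flagged copies are the ones to investigate, and the unflagged earlier version of the same name is the one to restore.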