
Wednesday, 15 August 2012

The police want my money!!

OK, this blog post doesn't necessarily have anything to do with mobile phones, Android, Sony, or anything else I normally blog about, but it is still within the technical help I aim to deliver from experiences I've come across. Hopefully you'll never need this post, but it's here in case you do.

[screen capture of the ransomware lock screen]
Lately I have been hearing a lot of buzz about a type of malware (malicious software) that seizes control of your PC and displays what is effectively a blackmail demand: access to your PC will be restored once you pay a given amount. This form of malware has been coined 'ransomware', for reasons that are by now probably obvious. The usual actions you perform on a PC become impossible. You cannot select text, right-click, or even open Task Manager.

Within the space of a few days I had heard of four occurrences through people I know personally, or through people they know. A few days later I received this particular attack myself; in my case it appeared as per the screen capture above. It can appear in various forms, but ultimately gives the same message and generally manifests in the same way. Because of the sheer number of variants cropping up, typical anti-malware software may struggle to keep its signatures up to date; when the infection does appear, though, removing it is much simpler than it may initially seem.

As I mentioned earlier, you lose control completely. This can bring on irrational fear, and one might think the best solution is to give them what they want. It does look very genuine: it states that it is coming from the local police authority, and reads "Specialist Crime Directorate" followed by "Police Central e-crime Unit". After all, they promise that upon payment you will regain control of your PC (given up to 78 hours), and what if there actually is illegal content on the PC? What if I've visited a website that downloaded illegal content in the background without my consent? Is this a genuine request from my local police authority? The answer is no. This is NOT a genuine request. No police force locks a computer and collects a fine through a web page, and paying the criminals behind it gives you no guarantee that the lock will be removed.

THE FIX
So how does a user who has received this form of attack get around it? Two of my colleagues have also experienced this problem, and to paraphrase one of them, having heard of the fixes used between those of us who had received the problem earlier, it literally took minutes before everything was back to normal.

**IMPORTANT**
These steps are provided as an account of my own experiences, and due to the nature of the ransomware they require your own judgement at times. Taking backups of your system is of crucial importance at any time (not just now), and a recent backup will be of great help if something goes wrong. You follow these steps with the understanding that I am not to be held accountable for any problems that may occur.

Safe Mode
The key to removing many types of malware is to do it in Safe Mode. Safe Mode is a diagnostic mode of Windows that loads only a minimal set of drivers and services; programs registered to start automatically with Windows (through the Run registry keys, for example) are not launched. This means the malware itself does not get to run, which gives us a quiet environment in which to locate the problem.
  • To access Safe Mode in Windows 7, restart the PC and press F8 repeatedly before the 'Starting Windows' screen appears. You will then be given a list of boot options; select 'Safe Mode'. Plain Safe Mode has no network access, which is why the web searches later in this guide are best done from another device.
  • Other versions of Windows may have different ways to access Safe Mode, but the key to press is normally displayed in text at the bottom of the screen for a moment while the PC boots.

The attack
As mentioned earlier, the attacks vary. There are several varieties, all with the same purpose, so I cannot tell you exactly what the file is going to be called, but it is more than likely that you will know it when you find it because of its suspicious name.

Startup
  1. While you are in Safe Mode, open the Start menu and click 'Run' (or press the Windows key + R). If 'Run' is not shown, you can use the 'Search programs and files' box at the bottom of the Start menu instead.
  2. Type msconfig and press Enter. This opens the System Configuration window, which has a Startup tab. This screen is useful to know about in any case, as it lists the applications set to run when Windows starts.
  3. Scroll down the list and pay specific attention to the names. If you recognise the startup item and the publisher (the 'Manufacturer' column) looks relevant (for example, if you use a niche piece of software such as Ableton Live, it is acceptable to see an entry where Ableton is the manufacturer), decide whether you really want it to start up, whether you need it to, and so on. You really need to use your own judgement here, as there are millions of things on the internet that could appear in this list. If you do not feel it is needed, untick it.
  4. Importantly, look out for anything with a name consisting of random characters. This would look nonsensical, something like 'mstxrpoqxitzztr'. That is just one example; it really could be anything. (This is how I currently believe these 'ransoms' appear, although I do not have enough evidence, i.e. an understanding of every single manifestation in existence, to be certain.) If you see any of these, untick them.
  5. Staying on the same screen, now look at the 'Command' column. This tells you exactly where each suspicious file is located. Again, you really need to use your judgement. Take note of the file name (if the command is C:\Program Files\Adobe\mstxrpoqxitzztr.exe, then mstxrpoqxitzztr.exe is the file name) and run a quick Google search for it. If the file is legitimate, you should find enough resources backing up its purpose, and again you can decide whether it sounds genuine. Malware like this usually drops itself somewhere such as the user's temp directory or the system32 directory rather than a product's own installation directory, but to be certain you are not removing something legitimate, do the search regardless. A second check is the file's Properties dialog: the Details and Digital Signatures tabs show a publisher for most legitimate software, whereas a blank or unsigned entry with a random name is a bad sign (though not proof on its own). (Important: you will probably not be able to do the Google search on this PC while in Safe Mode, so use your phone.)
  6. If the file appears to be malicious, or nothing backs it up according to your search, you have most likely located the malware. Open 'My Computer' or 'Computer' (depending on your Windows version), browse to the location shown in the 'Command' column, and delete the file. If you cannot see it there, the folder may be hidden: in Windows 7, go to Organize > Folder and search options > View and select 'Show hidden files, folders, and drives'.
  7. Repeat the steps above to locate suspicious-looking files and remove them if they seem malicious, until you are comfortable that everything has been checked.
  8. Once you are comfortable, restart the PC. If the ransomware is still present, it will appear instantly. If it has been successfully removed, you should be able to use your PC as normal. It is still worth running a full scan with up-to-date anti-malware software afterwards: an entry you unticked rather than deleted remains on disk, and the infection may have dropped more than one file.
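The steps above can be done by hand in msconfig, but the same inspection can be scripted. The following is an added example of my own, not code from the original post: it reads the Run/RunOnce registry keys and the two Startup folders, resolves each entry to its executable, and flags anything with a random-looking name, a home in a user-writable directory, or no valid digital signature. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 or later) in Safe Mode; the name heuristic and the $SuspectDirs list are illustrative assumptions, not a signature list.

```powershell
# Added example (not from the original post): list the common Windows autostart
# locations and flag entries matching the pattern described above. Run from an
# elevated PowerShell prompt (Windows 7 / PowerShell 2.0 or later) in Safe Mode.
# The name heuristic and the $SuspectDirs list are assumptions for illustration.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# User-writable locations malware commonly drops into (assumed list).
$SuspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, "$env:SystemRoot\Temp")

function Get-ExePath([string]$Command) {
    # Pull the executable path out of a Run-key command line.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')   # unquoted path, may contain spaces
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-RandomName([string]$Path) {
    # Heuristic: no vowels at all, or a run of 5+ consonants, e.g. 'mstxrpoqxitzztr'.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path).ToLower()
    return ($name.Length -ge 8 -and ($name -notmatch '[aeiou]' -or $name -match '[bcdfghjklmnpqrstvwxz]{5,}'))
}

function Test-Suspicious($Entry) {
    $reasons = @()
    if (Test-RandomName $Entry.Path) { $reasons += 'random-looking name' }
    foreach ($d in $SuspectDirs) {
        if ($d -and $Entry.Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "lives under $d"; break
        }
    }
    if ($Entry.Path -and (Test-Path -LiteralPath $Entry.Path)) {
        # Most commercial software is signed; NotSigned is a hint, not proof.
        $status = (Get-AuthenticodeSignature -FilePath $Entry.Path).Status
        if ($status -ne 'Valid') { $reasons += "signature: $status" }
    } else {
        $reasons += 'file not found at that path'
    }
    return $reasons
}

$entries = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSProvider, ...
        $cmdline = [string]$p.Value
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = $cmdline; Path = [string](Get-ExePath $cmdline)
        }
    }
}
foreach ($folder in $StartupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {                # resolve shortcuts to their target
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
        }
        $entries += New-Object PSObject -Property @{
            Source = $folder; Name = $f.Name; Command = [string]$target; Path = [string]$target
        }
    }
}

foreach ($e in $entries) {
    $why = @(Test-Suspicious $e)
    if ($why.Count -gt 0) {
        Write-Output ("SUSPECT {0}`n  command: {1}`n  source:  {2}`n  why:     {3}" -f $e.Name, $e.Command, $e.Source, ($why -join '; '))
    }
}
```

Treat the output as a triage list, not a verdict: plenty of legitimate (especially older or niche) software is unsigned, and some vendors use terse names that trip the consonant-run check, so each hit still needs the judgement described in the steps above. Note also that msconfig and this script cover only the Run keys and Startup folders; if neither shows anything suspicious, Sysinternals Autoruns lists the many other autostart locations Windows has (services, scheduled tasks, Winlogon entries and so on) and is the next place to look.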
As per usual I am providing these steps based on my own experiences and cannot promise or guarantee anything. I hope however that if you do come across this problem you manage to successfully remove it, and that my blog post can be of some assistance in doing so.
