techhelptrainer
asked on
How do you identify which Ransomware infection is on computer?
I have a customer's computer that has a ransomware infection. There are multiple messages about what to do, and the files want to open in an MP3 player. The customer does not want to pay the ransom, but they don't have a backup. I have read that there are tools available for unlocking some forms of ransomware, but I don't know how to tell which ransomware variant is on the computer. I have a copy of the hard drive.
@ techhelptrainer
Are files encrypted? If yes, I second John.
ASKER
Thanks. I am curious how Jamie knows it is TeslaCrypt; the files have names like _RECoVERY_+tdbwq.txt
ASKER
I do not see those files. I do see, in the desktop folder, RECOVERY.htm, RECOVERY.png and RECOVERY.txt.
ASKER
Thanks for everyone's help. The customer has agreed to upgrading to an SSD drive, so we will not be trying to clean up the infected drive. We are getting them onto a good backup plan.
ASKER
I always struggle with how to award points, it seems like it is a group effort so I hope I am being fair.
Thanks. As mentioned, no point decrypting; such tools are reliable as far as tried. Prevention is preferred: do also set up AppLocker, CryptoMonitor and Malwarebytes Anti-Ransomware. More info on those in the links shared.
"The customer does not want to pay the ransom but they don't have a backup." You're done. Pay and restore, or clean and restore from backup. The files are history. There is nothing you can do. You could try restoring from shadow copies, but these are probably not there or not configured.
Usually, identification of specific ransomware variants can be done by noting the file types that have been created by the virus. In this case the virus changed all files to .mp3: TeslaCrypt. Previous versions of this changed the extension to .vvv and .micro.
Also, the wording and file name of the ransom note will greatly help identify the specific variant. Google the file name exactly, with " before and after, and you'll no doubt find out all you need to.
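The two replies above describe a triage approach: tally the extension the malware appended and collect the ransom-note file names, then search for those exact strings. The script below is an added example implementing that approach over a mounted copy of the drive; it is not code posted by anyone in this thread. Its only "known indicators" are the ones the thread itself states (TeslaCrypt appending .vvv, .micro or .mp3, and notes named like _RECoVERY_+xxxxx.txt or RECOVERY.htm/.png/.txt), so that table is an assumption drawn from the replies, not an authoritative signature set. The sample directory tree it builds is constructed for demonstration and contains no real malware output.

```python
"""Triage a copied drive (or any directory tree) for ransomware indicators.

Added example for this thread; not code from anyone in it.  It implements
the identification approach the replies describe:
  1. count file extensions, and separately count *appended* extensions
     (report.docx.mp3), which are a stronger signal than bare .mp3 files;
  2. collect ransom-note-looking files by name;
  3. compare both against the indicators stated in the thread;
  4. emit exact quoted strings to paste into a web search.
Mount the drive copy read-only before pointing this at it.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Words that commonly appear in ransom-note file names (case-insensitive).
NOTE_NAME_RE = re.compile(r"(recovery|restore|decrypt|how_to|help|readme|ransom)", re.I)
NOTE_EXTS = {".txt", ".htm", ".html", ".png", ".bmp", ".url"}

# Indicators as stated in the thread (assumption: taken from the replies, not a vetted IOC list).
KNOWN_INDICATORS = [
    {
        "family": "TeslaCrypt",
        "exts": {".vvv", ".micro", ".mp3"},
        "note_re": re.compile(r"^_?recovery(_\+[a-z0-9]+)?\.(txt|htm|html|png)$", re.I),
    },
]


def triage_tree(root):
    """Walk root; return (all extension counts, appended extension counts, ransom-note paths)."""
    ext_counts, appended_counts, notes = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            ext = p.suffix.lower()
            ext_counts[ext] += 1
            # Two suffixes like ['.docx', '.mp3'] mean the original extension was kept
            # and a new one appended, the pattern the thread attributes to TeslaCrypt.
            suffixes = p.suffixes
            if len(suffixes) >= 2 and re.fullmatch(r"\.[a-z0-9]{1,5}", suffixes[-2].lower()):
                appended_counts[ext] += 1
            if ext in NOTE_EXTS and NOTE_NAME_RE.search(p.stem):
                notes.append(p)
    return ext_counts, appended_counts, notes


def match_indicators(ext_counts, appended_counts, notes):
    """Return families whose thread-stated extension or note-name indicators are present."""
    hits = {}
    note_names = [p.name for p in notes]
    for ind in KNOWN_INDICATORS:
        # Prefer appended-extension evidence; fall back to any occurrence of the extension.
        ext_hits = sorted(e for e in ind["exts"] if appended_counts.get(e) or ext_counts.get(e))
        note_hits = sorted(n for n in note_names if ind["note_re"].match(n))
        if ext_hits or note_hits:
            hits[ind["family"]] = {"extensions": ext_hits, "notes": note_hits}
    return hits


def search_terms(notes):
    """Exact, quoted note file names to search for, as the reply suggests."""
    return sorted({f'"{p.name}"' for p in notes})


def make_constructed_sample(base):
    """Build a small constructed tree mimicking the thread's symptoms (no real malware output)."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True, exist_ok=True)
    (base / "Desktop").mkdir(parents=True, exist_ok=True)
    for name in ("report.docx.mp3", "budget.xlsx.mp3", "photo.jpg.mp3"):
        (base / "Documents" / name).write_bytes(b"\x00" * 16)   # encrypted-looking stand-ins
    (base / "Documents" / "song.mp3").write_bytes(b"ID3")       # a genuine, single-extension mp3
    for name in ("_RECoVERY_+tdbwq.txt", "RECOVERY.htm", "RECOVERY.png"):
        (base / "Desktop" / name).write_text("ransom note placeholder (constructed)")
    (base / "Desktop" / "notes.txt").write_text("unrelated file")
    return base


def run_demo():
    """Triage the constructed sample and return the findings as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_constructed_sample(tmp)
        ext_counts, appended, notes = triage_tree(root)
        return {
            "top_ext": ext_counts.most_common(1)[0],          # ('.mp3', 4)
            "appended": dict(appended),                       # {'.mp3': 3}
            "notes": sorted(p.name for p in notes),
            "matches": match_indicators(ext_counts, appended, notes),
            "search": search_terms(notes),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real drive copy, replace the constructed sample with the mount point (for example `triage_tree("/mnt/evidence")`). The appended-extension count is what separates "every document now ends in .mp3" from a music folder, and the quoted note names are the strings to look up on Bleeping Computer or similar before deciding whether a decryptor exists for that variant.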
Indeed, that is one means to identify it, and I also shared a mindmap of a typical ransomware modus operandi in the earlier EE article.
Actually, to shorten the search on a ransomware infection as well, one sensible option is to describe your problem on computer help forums like Bleeping Computer or Malwarebytes. They keep track of the latest ransomware news and can be of great help.
E.g. from Bleeping Computer:
http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/
Jamie A