Solved

Has this user really been infected by Ransomware?

Posted on 2016-07-14
Last Modified: 2016-07-18
I have a photo taken with an iPhone of a computer screen that appears to have been taken over by Ransomware. Old computer, running XP.
Is this recognizable?  Can the data be recovered?

Thanks.
Screen with ransomware threat
Question by:computerlarry
3 Comments
Assisted Solution

by:Malmensa
Malmensa earned 50 total points
ID: 41711690
Looks real to me, this mode of attack is, sadly, rather common.  Probably came in as a mail attachment. Check data files to see for sure. Your options?

1. Restore from backups.
2. Follow the links, pay the ransom, and hope the extortionists actually give you a decryption key.
3. Contact local law enforcement. They will probably be no help.
4. Learn to live without the data. Being on a poorly secured, old machine running an unsupported OS with no backups, there can't have been much on it of any consequence.
Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points
ID: 41711718
Be careful it isn't CTB-Faker, a Bastian that pretends to be ransomware in order to get your money. Upload a file to id-ransomware.com to check which variant.
Accepted Solution

by:btan
btan earned 250 total points
ID: 41712763
The message seems close to "TeslaCrypt 3.0" ransomware, but do check on Thomas's suggested ID Ransomware (https://id-ransomware.malwarehunterteam.com/) for validity (you need to supply the ransom note and encrypted files).

Specifically, you can also check the file extensions of files in My Documents or on the desktop etc. for hints, like a .xxx, .ttt, .micro or .mp3 extension appended to the end of the filename. The ransom note is like below.
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.png
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt

Check the indicator below http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/?p=3932673.

There may be discussion that it has a decryption approach:
If you are a victim of TeslaCrypt and your files have the .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, or .VVV extensions, you can use BloodDolly or Googulator's scripts to retrieve your decryption key. Personally, for most users, I suggest that you use BloodDolly's TeslaDecoder tool because it will be easier to use for those who are more comfortable in a Windows environment and makes it easier to recover the key that can decrypt all of your files.

To decrypt your files simply download TeslaDecoder and read the included instructions. I created these instructions to be very detailed and to provide all the information and tools that you will need to recover your encryption key.
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/
You may want to check those out, but be careful with those tools as well so you don't get infected by another malware. If you have the latest (or an acceptable version) backup, then I suggest you go with it instead of decryption.
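The extension and ransom-note checks btan describes can be done without touching any file contents, which matters when the disk may later be needed for recovery or evidence. The script below is an added example, not code from the thread or from any of the tools it mentions: it walks a directory tree read-only, counts files whose last extension is one of the TeslaCrypt 3.0 suffixes named above (.xxx, .ttt, .micro, .mp3), and looks for notes matching the `_H_e_l_p_RECOVER_INSTRUCTIONS+<id>.<html|png|txt>` pattern. The wildcard for the `+qjd` part and the rule that a flagged file must have an original extension underneath the appended one (so a plain `song.mp3` is not counted) are my assumptions. The sample file names are constructed for illustration.

```python
import os
import re
import sys
from collections import Counter
from pathlib import PurePath

# Extensions the answer says TeslaCrypt 3.0 appends to encrypted files.
TESLACRYPT3_SUFFIXES = {".xxx", ".ttt", ".micro", ".mp3"}

# Ransom note names from the answer; the "+qjd" token is assumed to vary per
# victim, so it is matched as an alphanumeric wildcard.
RANSOM_NOTE_RE = re.compile(
    r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+[A-Za-z0-9]+\.(html|png|txt)$", re.IGNORECASE
)

# Constructed sample listing, as a scan of a victim's My Documents might return.
SAMPLE_NAMES = [
    "report.docx.mp3",
    "photo.jpg.micro",
    "song.mp3",                                # legitimate audio file, not flagged
    "_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt",
    "notes.txt",
    "budget.xlsx.xxx",
]


def is_ransom_note(name: str) -> bool:
    """True if the file name matches the TeslaCrypt 3.0 ransom note pattern."""
    return RANSOM_NOTE_RE.match(name) is not None


def is_encrypted_name(name: str) -> bool:
    """True if the name looks like <original>.<orig_ext>.<appended_ext>.

    Requiring an original extension under the appended one keeps 'song.mp3'
    out of the count while 'report.docx.mp3' is flagged (assumed heuristic).
    """
    suffixes = PurePath(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in TESLACRYPT3_SUFFIXES


def triage(names):
    """Summarise a list of file names into triage indicators."""
    notes = [n for n in names if is_ransom_note(n)]
    encrypted = [n for n in names if is_encrypted_name(n)]
    by_suffix = Counter(PurePath(n).suffixes[-1].lower() for n in encrypted)
    return {
        "ransom_notes": notes,
        "encrypted_count": len(encrypted),
        "by_suffix": dict(by_suffix),
        "encrypted_samples": encrypted[:5],
        # Both a note and renamed files present: consistent with the variant
        # named in the answer; confirm with ID Ransomware before acting.
        "consistent_with_teslacrypt3": bool(notes) and len(encrypted) > 0,
    }


def scan_directory(root):
    """Walk a directory tree read-only and triage every file name found."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage(names)


def demo():
    """Run the triage over the constructed sample listing."""
    return triage(SAMPLE_NAMES)


if __name__ == "__main__":
    result = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a path argument (for example the mounted, write-protected drive from the infected machine) or with no argument to see the output for the constructed sample, where three renamed files and one note make the listing consistent with TeslaCrypt 3.0. The result is only a hint about which variant is involved; as btan says, the ransom note and an encrypted file still go to ID Ransomware for confirmation.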
