Solved

Has this user really been infected by Ransomware?

Posted on 2016-07-14
3
139 Views
Last Modified: 2016-07-18
I have a photo taken with an iPhone of a computer screen that appears to have been taken over by Ransomware.  Old computer, running XP
Is this recognizable?  Can the data be recovered?

Thanks.
Screen with ransomware threat
0
Comment
Question by:computerlarry
3 Comments
 
LVL 17

Assisted Solution

by:Malmensa
Malmensa earned 50 total points
ID: 41711690
Looks real to me, this mode of attack is, sadly, rather common.  Probably came in as a mail attachment. Check data files to see for sure. Your options?

1. Restore from backups.
2. Follow the links, pay the ransom, and hope the extortionists actually give you a decryption key.
3. Contact local law enforcement. They will probably be no help.
4. Learn to live with out the data. Being on a poorly secured, old machine running an unsupported OS with no backups, there can't have been much on it of any consequence.
0
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points
ID: 41711718
Be careful it isn't CTB-Faker, a Bastian that pretends to be ransomware in order to get your money. Upload a file to id-ransomware.com to check which variant.
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 41712763
The message seems close to "TeslaCrypt 3.0" ransomware but do check on Thomas suggested IDRansomware (https://id-ransomware.malwarehunterteam.com/) for validity (you need tosupplied the ransom note and encrypted files).

Specifically you can also check for the file extension of files in My Document or desktop etc to have hints checked. Like .xxx, .ttt, .micro or .mp3 extension appended to the end of the filename. The ransom note is like below.
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.png
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt

Check the indicator below http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/?p=3932673.

There may be discussion that it has decryption approach
If you are a victim of TeslaCrypt and your files have the ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, or .VVV extensions, you can use BloodDolly or Googulator's scripts to retrieve your decryption key.  Personally, for most users, I suggest that you use BloodDolly's TeslaDecoder tool because it will be easier to use for those who are more comfortable in a Windows environment and makes it easier to recover the key that can decrypt all of your files..

To decrypt your files simply download TeslaDecoder and read the included instructions. I created these instructions to be very detailed and to provide all the information and tools that you will need to recover your encryption key.
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/
You may want to check out but be careful on those tool as well and not get infected by another malware. If you have latest (or acceptable version) backup then I suggest you go with it instead of decryption
1

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question