Solved

Has this user really been infected by Ransomware?

Posted on 2016-07-14
Last Modified: 2016-07-18
I have a photo taken with an iPhone of a computer screen that appears to have been taken over by ransomware. Old computer, running XP.
Is this recognizable? Can the data be recovered?

Thanks.
[Image: Screen with ransomware threat]
Question by: computerlarry
3 Comments
 
LVL 18

Assisted Solution

by: Mal Osborne
Mal Osborne earned 50 total points
ID: 41711690
Looks real to me; this mode of attack is, sadly, rather common. Probably came in as a mail attachment. Check data files to see for sure. Your options?

1. Restore from backups.
2. Follow the links, pay the ransom, and hope the extortionists actually give you a decryption key.
3. Contact local law enforcement. They will probably be no help.
4. Learn to live without the data. Being on a poorly secured, old machine running an unsupported OS with no backups, there can't have been much on it of any consequence.
0
 
LVL 28

Assisted Solution

by: Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points
ID: 41711718
Be careful it isn't CTB-Faker, a Bastian that pretends to be ransomware in order to get your money. Upload a file to id-ransomware.com to check which variant.
0
 
LVL 64

Accepted Solution

by: btan
btan earned 250 total points
ID: 41712763
The message seems close to the "TeslaCrypt 3.0" ransomware, but do check on Thomas's suggested ID Ransomware (https://id-ransomware.malwarehunterteam.com/) for validity (you need to supply the ransom note and encrypted files).

Specifically, you can also check the file extensions of the files in My Documents or on the desktop, etc., for hints, like .xxx, .ttt, .micro or .mp3 appended to the end of the filename. The ransom note is like below.
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.png
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt

Check the indicators at http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/?p=3932673.

There may be discussion that it has a decryption approach:
If you are a victim of TeslaCrypt and your files have the .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, or .VVV extensions, you can use BloodDolly or Googulator's scripts to retrieve your decryption key. Personally, for most users, I suggest that you use BloodDolly's TeslaDecoder tool because it will be easier to use for those who are more comfortable in a Windows environment and makes it easier to recover the key that can decrypt all of your files.

To decrypt your files simply download TeslaDecoder and read the included instructions. I created these instructions to be very detailed and to provide all the information and tools that you will need to recover your encryption key.
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/
You may want to check it out, but be careful with those tools as well so you don't get infected by other malware. If you have a latest (or acceptable) backup, then I suggest you go with it instead of decryption.
1
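The triage the answers above describe (look for the appended .xxx/.ttt/.micro/.mp3 extensions and the _H_e_l_p_RECOVER_INSTRUCTIONS+... notes, then "check data files to see for sure" before deciding whether it is real or a fake like CTB-Faker) can be done offline with a short script. The following is an added example written for this page, not code from the thread or from any of the tools it links. Two things in it are my own assumptions rather than anything the answers state: the 7.5 bits/byte entropy threshold used to separate genuinely encrypted content from files that were merely renamed, and the rule that a victim file keeps its original extension under the appended one ("report.docx.micro"), which is how a legitimate "song.mp3" is kept out of the results. The sample folder tree it builds is constructed for the demo and contains no real data.

```python
"""Offline triage of a suspected TeslaCrypt 3.0 infection (added example)."""
import hashlib
import math
import os
import re
import shutil
import tempfile
from collections import Counter

# Indicators quoted from btan's answer above (TeslaCrypt 3.0).
TESLACRYPT3_EXTS = {".xxx", ".ttt", ".micro", ".mp3"}
RANSOM_NOTE_RE = re.compile(
    r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+[A-Za-z0-9]{3}\.(html|png|txt)$")
# Assumed threshold: ciphertext sits near 8 bits/byte; plain text is far below.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_appended(name: str) -> bool:
    """Assumption: the ransomware appends its extension to the whole original
    filename, so a victim file keeps an inner extension ('report.docx.micro'),
    while an ordinary 'song.mp3' has none and is skipped."""
    stem, ext = os.path.splitext(name)
    return ext.lower() in TESLACRYPT3_EXTS and os.path.splitext(stem)[1] != ""


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` read-only and bucket the evidence found under it."""
    notes, encrypted, renamed_only = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if RANSOM_NOTE_RE.match(name):
                notes.append(path)
            elif looks_appended(name):
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                bucket = encrypted if shannon_entropy(head) >= HIGH_ENTROPY else renamed_only
                bucket.append(path)
    if notes and encrypted:
        verdict = "encrypted"      # notes plus high-entropy files: looks genuine
    elif notes or renamed_only:
        verdict = "renamed-only"   # notes but readable data: suspect a fake
    else:
        verdict = "clean"
    return {"ransom_notes": sorted(notes), "encrypted": sorted(encrypted),
            "renamed_only": sorted(renamed_only), "verdict": verdict}


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (demo only)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_demo_tree(root: str) -> None:
    """Constructed sample tree mimicking an XP profile; none of it is real data."""
    samples = {
        "My Documents/report.docx.micro": _pseudo_random(b"a", 8192),
        "My Documents/photo.jpg.xxx": _pseudo_random(b"b", 8192),
        "My Documents/notes.txt.ttt": b"The quick brown fox jumps over the lazy dog.\n" * 200,
        "My Music/song.mp3": b"ID3" + bytes(4000),   # untouched audio file
        "My Documents/_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt": b"Your files are encrypted\n",
        "Desktop/_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html": b"<html>pay</html>\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, then clean up."""
    root = tempfile.mkdtemp(prefix="teslacrypt-triage-")
    try:
        build_demo_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for key in ("ransom_notes", "encrypted", "renamed_only"):
        print(f"{key}: {len(result[key])}")
    print("verdict:", result["verdict"])
```

Run `triage()` against the XP disk mounted read-only from a clean machine rather than on the infected box, and then upload one of the listed notes together with one high-entropy file to ID Ransomware as suggested; a "renamed-only" verdict (note present, but the data still reads as plain text or a valid document) is the case where the fake-ransomware warning above applies.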
