Solved

Has this user really been infected by Ransomware?

Posted on 2016-07-14
Last Modified: 2016-07-18
I have a photo taken with an iPhone of a computer screen that appears to have been taken over by Ransomware.  Old computer, running XP.
Is this recognizable?  Can the data be recovered?

Thanks.
[Image: screen with ransomware threat]
Question by:computerlarry
3 Comments
 
LVL 19

Assisted Solution

by:Mal Osborne
Mal Osborne earned 200 total points
ID: 41711690
Looks real to me; this mode of attack is, sadly, rather common.  Probably came in as a mail attachment. Check data files to see for sure. Your options?

1. Restore from backups.
2. Follow the links, pay the ransom, and hope the extortionists actually give you a decryption key.
3. Contact local law enforcement. They will probably be no help.
4. Learn to live without the data. Being on a poorly secured, old machine running an unsupported OS with no backups, there can't have been much on it of any consequence.
 
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 800 total points
ID: 41711718
Be careful it isn't CTB-Faker, a Bastian that pretends to be ransomware in order to get your money. Upload a file to id-ransomware.com to check which variant.
 
LVL 65

Accepted Solution

by:btan
btan earned 1000 total points
ID: 41712763
The message seems close to "TeslaCrypt 3.0" ransomware, but do check on Thomas's suggested ID Ransomware (https://id-ransomware.malwarehunterteam.com/) for validity (you need to supply the ransom note and encrypted files).

Specifically, you can also check the file extensions of files in My Documents or on the desktop etc. for hints, like a .xxx, .ttt, .micro or .mp3 extension appended to the end of the filename. The ransom note is like below.
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.png
_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt

Check the indicator below http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/?p=3932673.

There may be discussion that it has a decryption approach:
If you are a victim of TeslaCrypt and your files have the ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, or .VVV extensions, you can use BloodDolly or Googulator's scripts to retrieve your decryption key.  Personally, for most users, I suggest that you use BloodDolly's TeslaDecoder tool because it will be easier to use for those who are more comfortable in a Windows environment and makes it easier to recover the key that can decrypt all of your files.

To decrypt your files simply download TeslaDecoder and read the included instructions. I created these instructions to be very detailed and to provide all the information and tools that you will need to recover your encryption key.
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/
You may want to check those out, but be careful with those tools as well and don't get infected by another malware. If you have a latest (or acceptable version) backup then I suggest you go with it instead of decryption.
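As an added example (not part of any answer in this thread), here is a small Python triage script that applies the indicators from the answer above: it counts files carrying the TeslaCrypt 3.0 appended extensions and lists `_H_e_l_p_RECOVER_INSTRUCTIONS+*` ransom notes, handling the `.mp3` ambiguity so genuine music files are not flagged. The sample file listing and the `scan_tree` helper (for a disk attached to a clean machine) are assumptions.

```python
import os
import re
from collections import Counter

# Extensions TeslaCrypt 3.0 appends to encrypted files, as listed in the answer.
APPENDED_EXTS = {".xxx", ".ttt", ".micro", ".mp3"}
# Ransom note name pattern, e.g. _H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt
NOTE_RE = re.compile(r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+[A-Za-z0-9]+\.(?:html|png|txt)$", re.I)


def classify(path):
    """Return 'note', 'encrypted' or None for one file path (Windows or POSIX separators)."""
    name = re.split(r"[\\/]", path)[-1]
    if NOTE_RE.match(name):
        return "note"
    stem, ext = os.path.splitext(name)
    if ext.lower() not in APPENDED_EXTS:
        return None
    # TeslaCrypt keeps the original name and appends its own extension, so an
    # encrypted file normally has two (report.docx.micro). For .mp3 insist on
    # that second extension, otherwise every real song would be flagged.
    if ext.lower() == ".mp3" and not os.path.splitext(stem)[1]:
        return None
    return "encrypted"


def summarize(paths):
    """Count indicators over an iterable of file paths and list the ransom notes found."""
    counts = Counter()
    notes = []
    for p in paths:
        kind = classify(p)
        if kind:
            counts[kind] += 1
        if kind == "note":
            notes.append(p)
    return {"encrypted": counts["encrypted"], "note": counts["note"], "notes": notes}


def scan_tree(root_dir):
    """Walk a mounted volume (e.g. the XP disk attached to a clean machine)."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root_dir) for f in files)
    return summarize(paths)


# Constructed sample listing standing in for a real directory walk.
SAMPLE = [
    r"C:\Documents and Settings\larry\My Documents\budget.xls.micro",
    r"C:\Documents and Settings\larry\My Documents\photo.jpg.ttt",
    r"C:\Documents and Settings\larry\Desktop\song.mp3",        # genuine song
    r"C:\Documents and Settings\larry\Desktop\letter.doc.mp3",  # encrypted
    r"C:\Documents and Settings\larry\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # encrypted: 3, note: 1
```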
