Ransomware called Microtech infected computer. User paid money and now there is someone controlling the PC.

Microtech scam/ransomware was on a computer at a remote location. It said they needed to call a 1-800 number to get the virus removed. This user did that and paid $300 to have a fake company remove the virus. I got a text from him saying they are in there right now controlling the computer and "trying" to remove the virus. Should he power off right away, or should he let them do their thing so he can use his PC again since he paid the money? I told him to immediately power off the computer and wait for them to call again.
mkramer777 asked:
masnrock commented:
He should immediately disconnect from the internet! This is a scam. Also should contact his bank or CC company to report what happened so that they can try to freeze payment. Additionally, they may want to have a real computer technician check the system for any viruses/malware that may have been loaded. At the end of it all, might be better off backing up data and wiping the system.
mkramer777 (Author) commented:
Thanks. Your suggestions are the ones that I suggested. Do you think there is any hope of getting into safe mode with networking so I can remotely get in there and run some virus scans like Malwarebytes or Bitdefender?
Russ Suter (Senior Software Developer) commented:
It's a bad situation all around. Here are a few points to consider. Unfortunately, many of these will be nothing more than a shoulda, coulda, woulda scenario at this point.

1. Always have backups and verify that the backups are valid.
2. Never pay the ransom. It's not a guarantee of data recovery and it feeds the trolls so to speak.
3. Never allow anyone to remotely access your computer unless you know and trust them. There are a few scenarios that can come out of this.
    Best case: They actually do recover the data. This isn't very likely.
    Likely case 1: They recover the data but leave behind either a trojan horse or some kind of spyware which they can then use to collect passwords and other sensitive data.
    Likely case 2: They recover the data and while they're at it they snoop around the PC and/or take your data which they can decrypt on their own later.
    Likely case 3: They recover the data and manage to get a look at your entire network, possibly planting additional nasties wherever they get the chance.
    Worst case: They can't recover the data and you've given them a free look at your environment. They'll take whatever they can.

To most directly answer your question, yes. They should definitely power off. If they absolutely insist on proceeding with this then make sure that the infected computer is isolated from any other computer on the network. You may need a separate router for this or just make sure all other devices are turned off or disconnected when they do it.

In any case, when this is all finished there is absolutely no way they should trust that PC again. Reformat the hard drive immediately. Better yet, take it out and burn it just in case they installed a root kit or bootloader virus.

masnrock commented:
You can try it, but I cannot make any promises. If you happen to have forensics software like Redline, you could try to see exactly what has been done. It's possible that they may have tried to throw on ransomware.
Russ Suter (Senior Software Developer) commented:
"Do you think there is any hope of getting into safe mode with networking so I can remotely get in there and run some virus scans like Malwarebytes or Bitdefender?"
There's probably not much point. The damage is already done. The files are encrypted. Most ransomware does its job then just stops doing anything. Some even uninstall their core components to avoid potential for reverse engineering. Even if the antivirus software finds something it won't be able to decrypt the encrypted files.
mkramer777 (Author) commented:
OK. Does anyone think I should allow them to try and remove it so this user can get their files back? Would a forensics company be able to get back the files if I sent it to them?
masnrock commented:
"Would a forensics company be able to get back the files if I sent it to them?"
Depends on the damage already done. And how valuable is the data? Data recovery isn't cheap, nor would they guarantee being able to recover all of the data. Most people lower their reported importance of data when they hear the cost.

You could try to clone the hard drive, connect it as an external drive to some system that's not connected to any network (ideally also not running Windows, to avoid any potential autorun items), and try to see what data could be extracted that way.
Russ Suter (Senior Software Developer) commented:
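The triage step masnrock describes above (mount a clone of the drive on an isolated, non-Windows box and see what is still readable) and Russ Suter's earlier point that most files will simply be encrypted can be combined into a quick first pass. The script below is an added example, not code from the thread or from any named tool: it walks a directory tree standing in for the mounted clone, and for each file checks a small constructed table of file-type magic bytes and the Shannon entropy of the first 4 KiB. Files with a recognisable header or low-entropy content are flagged as candidates for recovery; headerless, near-random files are flagged as likely encrypted. The magic list, the 7.5-bit entropy threshold and the sample files are all assumptions chosen for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Constructed magic-byte table (assumption: extend for the formats in your environment).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
# Assumed threshold: bytes/entropy above this, with no known header, look like ciphertext.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> dict:
    """Inspect the head of one file and decide whether it is worth trying to recover."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    kind = next((name for magic, name in MAGIC.items() if head.startswith(magic)), None)
    entropy = shannon_entropy(head)
    # A file that still carries its header, or whose bytes are not near-random,
    # has not been overwritten by ciphertext; a headerless near-random file most likely has.
    if kind is None and entropy >= ENTROPY_THRESHOLD:
        verdict = "likely-encrypted"
    else:
        verdict = "intact"
    return {"path": str(path), "type": kind, "entropy": round(entropy, 2), "verdict": verdict}


def triage_tree(root) -> dict:
    """Walk the mounted clone and bucket every regular file by verdict."""
    summary = {"intact": [], "likely-encrypted": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            result = classify_file(p)
            summary[result["verdict"]].append(result)
    return summary


def build_sample_clone() -> str:
    """Create a constructed stand-in for the mounted clone: two intact files, one encrypted."""
    root = tempfile.mkdtemp(prefix="clone-triage-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Intact PDF: header survives, so it is recognised regardless of body entropy.
    (docs / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"quarterly figures " * 200)
    # Intact plain text: no magic, but low entropy.
    (docs / "notes.txt").write_text("Call the supplier about the invoice.\n" * 80)
    # Encrypted victim file: header gone, body indistinguishable from random bytes.
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(SAMPLE_SIZE))
    return root


if __name__ == "__main__":
    clone = build_sample_clone()
    for verdict, files in triage_tree(clone).items():
        print(f"{verdict}: {len(files)} file(s)")
        for f in files:
            print(f"  {f['path']}  type={f['type']}  entropy={f['entropy']}")
```

In practice the clone would be mounted read-only (and `noexec`) before pointing `triage_tree` at the mount point, and the output is only a shortlist: already-compressed formats that are not in the magic table (archives, media) will score as high entropy and need a manual look, and a recognised header does not prove the rest of the file was left untouched, so anything flagged "intact" still has to be opened and checked before being trusted on a new machine.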
It's likely that nobody, not even a forensics company, not even the Federal government (if they wanted to) can recover the encrypted files. This level of encryption is, for all practical purposes, uncrackable with current technology. Their only hope of getting any of their files back is to go to backups (which I assume they do not have) or let the bad guys have a crack at it. They're the only ones with the ability to generate the key needed to decrypt the files. They've already paid the money, probably in Bitcoin. If the bad guys were dumb enough to accept a credit card payment you can dispute the charge and get your money back.

I'd pretty much call this a very costly and painful learning experience.
noci (Software Engineer) commented:
Assume the PC is lost, and if people are allowed to rummage on it as well, reformat the hard disk and restore a known good backup.
And if they might have gotten administrator/root access on the system, you may need to verify the firmware/BIOS has not been tampered with.
And hopefully there were no other systems accessible on the network.
mkramer777 (Author) commented:
Thankfully this was a remote computer on its own router. A one-computer mini office outside of the business network. They do have a flash drive they made of their files last month, so I said destroy the computer and I would send them a new one, and they can load the files from the flash drive onto the new one. Not much else they can do.
noci (Software Engineer) commented:
Also check the router to see if it still has the correct setup that you expect, and not some strange setup.
Maybe do a factory reset and set it up again.
mkramer777 (Author) commented:
OK