Ransomware called Microtech infected computer. User paid money and now there is someone controlling PC.

mkramer777
Microtech scam/ransomware was on a computer at a remote location. Said they needed to call a 1800 number to get the virus removed. This user did that and paid $300 to have a fake company remove the virus. Got a text from him and said they are in there right now controlling the computer and "trying" to remove the virus. Should he power off right away or should he let them do their thing so he can use his PC again since he paid the money? I told him to immediately power off the computer and wait for them to call again.
Distinguished Expert 2018

Commented:
He should immediately disconnect from the internet! This is a scam. Also should contact his bank or CC company to report what happened so that they can try to freeze payment. Additionally, they may want to have a real computer technician check the system for any viruses/malware that may have been loaded. At the end of it all, might be better off backing up data and wiping the system.

Author

Commented:
Thanks. Your suggestions are the ones that I suggested. Do you think there is any hope of getting into safe mode with networking so I can remotely get in there and run some virus scans like Malwarebytes or Bitdefender?
Russ Suter, Senior Software Developer
Commented:
It's a bad situation all around. Here are a few points to consider. Unfortunately, many of these will be nothing more than a shoulda, coulda, woulda scenario at this point.

1. Always have backups and verify that the backups are valid.
2. Never pay the ransom. It's not a guarantee of data recovery and it feeds the trolls so to speak.
3. Never allow anyone to remotely access your computer unless you know and trust them. There are a few scenarios that can come out of this.
    Best case: They actually do recover the data. This isn't very likely.
    Likely case 1: They recover the data but leave behind either a trojan horse or some kind of spyware which they can then use to collect passwords and other sensitive data.
    Likely case 2: They recover the data and while they're at it they snoop around the PC and/or take your data which they can decrypt on their own later.
    Likely case 3: They recover the data and manage to get a look at your entire network, possibly planting additional nasties wherever they get the chance.
    Worst case: They can't recover the data and you've given them a free look at your environment. They'll take whatever they can.

To most directly answer your question, yes. They should definitely power off. If they absolutely insist on proceeding with this then make sure that the infected computer is isolated from any other computer on the network. You may need a separate router for this or just make sure all other devices are turned off or disconnected when they do it.

In any case, when this is all finished there is absolutely no way they should trust that PC again. Reformat the hard drive immediately. Better yet, take it out and burn it just in case they installed a rootkit or bootloader virus.

Distinguished Expert 2018

Commented:
You can try it, but I cannot make any promises. If you happen to have forensics software like Redline, you could try to see exactly what has been done. Possible that they may have tried to throw on ransomware.
Russ Suter, Senior Software Developer

Commented:
Do you think there is any hope of getting into safe mode with networking so I can remotely get in there and run some virus scans like Malwarebytes or Bitdefender?
There's probably not much point. The damage is already done. The files are encrypted. Most ransomware does its job then just stops doing anything. Some even uninstall their core components to avoid potential for reverse engineering. Even if the antivirus software finds something it won't be able to decrypt the encrypted files.

Author

Commented:
OK. Does anyone think I should allow them to try and remove it so this user can get their files back? Would a forensics company be able to get back the files if I sent it to them?
Distinguished Expert 2018

Commented:
Would a forensics company be able to get back the files if I sent it to them?
Depends on the damage already done. And how valuable is the data? Data recovery isn't cheap, nor would they guarantee being able to recover all of the data. Most people lower their reported importance of data when they hear the cost.

You could try to clone the hard drive and connect it as an external drive to some system that's not connected to any network (ideally also not running Windows to avoid any potential autorun items), and try to see what data could be extracted that way.
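One way to get a first picture of what survives on such a clone, as an added example that is not part of the original thread: with the clone mounted read-only on the offline machine, walk it and separate files that still carry a recognisable header or look like plain text from files that look like ciphertext (near 8 bits of entropy per byte and no known header). The mount path, the small set of magic bytes, the 7.5-bit threshold and the sample files are assumptions of this example; the sample "clone" is constructed, not real victim data.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical mount point of the read-only clone; adjust to the offline system in use.
CLONE_MOUNT = "/mnt/clone"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 mean random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# A small, assumed set of file headers; ransomware-encrypted files lose these.
KNOWN_MAGIC = {
    b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg", b"\xd0\xcf\x11\xe0": "ole/office97", b"\x1f\x8b": "gzip",
}

def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Return 'intact', 'suspect', 'empty' or 'unreadable' for one file on the clone."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
    except OSError:
        return "unreadable"
    if not head:
        return "empty"
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return "intact"  # header survived, so the file was not overwritten
    # Text has low entropy; ciphertext (and compressed data without a known header) is close to 8.
    return "suspect" if shannon_entropy(head) > 7.5 else "intact"

def triage(root: str) -> dict:
    """Walk the mounted clone and group file paths by classification."""
    summary = {"intact": [], "suspect": [], "empty": [], "unreadable": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            summary[classify_file(path)].append(str(path))
    return summary

def build_sample_clone() -> str:
    """Constructed sample directory standing in for a clone; only used to demonstrate triage."""
    root = tempfile.mkdtemp(prefix="clone_sample_")
    Path(root, "report.pdf").write_bytes(b"%PDF-1.4\n" + b"stream data " * 50)
    Path(root, "notes.txt").write_bytes(b"Meeting notes, quarterly numbers.\n" * 40)
    Path(root, "notes.txt.locked").write_bytes(os.urandom(4096))  # stands in for an encrypted file
    Path(root, "empty.log").write_bytes(b"")
    return root

if __name__ == "__main__":
    for bucket, paths in triage(CLONE_MOUNT if os.path.isdir(CLONE_MOUNT) else build_sample_clone()).items():
        print(f"{bucket}: {len(paths)} file(s)")
```

Compressed formats whose header is not in KNOWN_MAGIC will land in "suspect", so treat that bucket as "needs a closer look", not as proof of encryption.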
Russ Suter, Senior Software Developer

Commented:
It's likely that nobody, not even a forensics company, not even the Federal government (if they wanted to) can recover the encrypted files. This level of encryption is, for all practical purposes, uncrackable with current technology. Their only hope of getting any of their files back is to go to backups (which I assume they do not have) or let the bad guys have a crack at it. They're the only ones with the ability to generate the key needed to decrypt the files. They've already paid the money, probably in Bitcoin. If the bad guys were dumb enough to accept a credit card payment you can dispute the charge and get your money back.

I'd pretty much call this a very costly and painful learning experience.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Assume the PC is lost, and if people were allowed to rummage on it as well, reformat the hard disk and restore a known good backup.
And if they might have gotten administrator/root access on the system you may need to verify the firmware/BIOS has not been tampered with.
And hopefully there were no other systems accessible on the network.

Author

Commented:
Thankfully this was a remote computer on its own router. A 1-computer mini office outside of the business network. They do have a flash drive they made of their files last month so I said destroy the computer and I would send them a new one and they can load the files from the flash drive to the new one. Not much else they can do.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Also check the router to see whether it still has the correct setup that you expect, and not some strange setup.
Maybe do a factory reset and set it up again.

Author

Commented:
ok
