Dismiss Notice
Join Physics Forums Today!
The friendliest, high quality science and math community on the planet! Everyone who loves science is here!

Ransomware software problem

  1. May 24, 2015 #1
    i woke up this morning i took a look at my computer and i saw a program was open
    locker v3.5 ... it said that it had locked my files and it wont let me use them until i pay them with bitcoin
    and i took a look it has encrypted all my jpg files
    http://s1.upload7.ir/uploads/thumbs/pnh9gd7DRQ8YAAzwMwuETAWCyzPN23Sgf3go6dRN [Broken]


    any one has any idea how to take back my files ?
    how did this program came to my computer ? i was just downloading some bbc documentries with bittorent
     
    Last edited by a moderator: May 7, 2017
  2. jcsd
  3. May 24, 2015 #2

    Evo

    User Avatar

    Staff: Mentor

    You used bittorrent and are surprised? You know it's used to illegally download videos, like those BBC documentaries. And you're surprised you got infected?
     
  4. May 24, 2015 #3
    im in Iran thats not illegal here ... and i can not purchase them ... there is no other way but to download
     
  5. May 24, 2015 #4

    Evo

    User Avatar

    Staff: Mentor

    Bittorrent allows illegal downloads, if the BBC allowed downloads where you are, you would be able to download them directly from the BBC site. Your country may not prosecute illegal downloads, some countries allow their citizens to download illegally without repercussions,that does not make it legal.

    For example http://www.zdnet.com/article/downloading-pirate-material-finally-becomes-illegal-in-the-netherlands/
     
  6. May 24, 2015 #5
    If the files have actually been encrypted then realistically the encryption cannot be broken.
    [ even the police can't crack it ].

    Paying the ransom does not guarantee they will provide decryption,
    even if the criminals do enable decryption, they could exploit you again in the future if you don't find & remove the malware.
    http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

    You should have multiple back-ups of all your irreplaceable photos on external-drives and "in the cloud".

    [ It's not a question of "if" a data-storage-medium will fail but "when".
    Having multiple copies on different media should ensure you always have a copy ].
     
  7. May 24, 2015 #6
    I feel that if you don't pay, your files will remain encrypted. However even if you do pay there is, as has been mentioned, no certainty they will be unlocked.

    You should have security software on your computer that would have stopped such software from infecting your computer. Dodgy torrent files will most likely infect your computer.
     
  8. May 24, 2015 #7
    what security software do you recommend ? i have microsoft security essentials now
     
  9. May 24, 2015 #8
    I personally use GData Total Protection, but there are many on the market. Look up some reviews and make a judgement call what suits your needs/costs etc.
     
  10. May 25, 2015 #9
    The [crypto]malware can be delivered via a drive-by-download when browsing webpages which include features which use JavaScript or Adobe Flash. The NoScript browser-addon , [free] , can block that sort of thing , [ it reduces the attack surface ]. Such blocking software is a useful addition to anti-virus , but not a substitute for it.
     
    Last edited: May 25, 2015
  11. May 25, 2015 #10
    is it really that easy to attack someones computer ?

    http://s1.upload7.ir/uploads/thumbs/rAmUXeWPtrR99B2BM3y9Ygrdj3zpHJ62bhNYnzDG [Broken]

    i have these addons should i remove or deactivate them ?
     
    Last edited by a moderator: May 7, 2017
  12. May 25, 2015 #11

    Borek

    User Avatar

    Staff: Mentor

    Yes, bittorrent is quite often used for illegal distribution, but don't link the technology with the piracy. FTP and HTTP protocols can be used for illegal downloads as well. Sigh, there would be no illegal downloads without this internet thing, so perhaps that's where the problem lies? And it is not unheard of that bittorent is used as a way of legal distribution of files. At some point in time Dawkins Christmas lectures on evolution (registered by BBC) were distributed this way (from his foundation site if memory doesn't fail me, so I assume it was perfectly legit).
     
  13. May 25, 2015 #12
    that happened to me once, some ransom ware tried to encrypt my hard drive, windows is the problem when it locks you out of task manager and your forced to reboot only to find some of your files encrypted, it didn't find my external drives(I always have backups) and a rollback fixed the problem, weird thou it went after my music files.
     
  14. May 25, 2015 #13
    In that screen-grab, Java , (which is not the same a JavaScript), is disabled by default : you have to give your permission for it to run, so is not a vulnerability if you only allow it to run on sites you trust. However your Flash addon is "always activate", so Flash is a vulnerability.
    If you use NoScript you can whitelist sites which are permitted to use Java/JavaScript/Flash ,
    all other webpages are blocked from using them by default.

    If you are concerned about a webpage try ...
    http://www.google.com/safebrowsing/diagnostic?site=physicsforums.com
    replace "physicsforums.com" with the site in question.
    similarly https://www.mywot.com/en/scorecard/physicsforums.com
     
    Last edited by a moderator: May 7, 2017
  15. May 30, 2015 #14
    Ransomware is not brilliant! Do you have any recovery points or snapshots you can revert back too? Hopefully you made backups of your files in which case reformat your HDD back to factory settings and go from there.
     
  16. Jun 2, 2015 #15
    Certainly the best solution is a recent snapshot of your system but if you were doing that it is unlikely you would be posting here so I'm going to offer a possible solution. You can try booting in Safe Mode as it is possible the "encryption" is not really encryption but just some scam that confuses the system as to how to deal with those files with that extension - in this case jpg. A change of attributes can easily cause this. It's difficult to estimate the odds that this is so but it only takes a few minutes to rule this out.

    If Safe Mode fails to allow viewing of your jpegs then the next step is to boot from an external source, preferably with some tools handy. I recommend getting the latest version of Hirens Boot CD (last I looked it was 15.2). You download an iso image file and burn image (not copy) to disk and the results is a bootable media, whether USB, CD or DVD.

    Upon booting one is greeted by a boot menu. That menu includes a very nice Linux system but also a Windows system based on the perfectly legal PE. Once you get to desktop navigate to your jpegs and see if they function properly. If not right click on one and check "Properties" for attributes and permissions. Obviously they should have at least "Read Only" permissions for any User.

    Hirens comes with a few free versions of various AV and Malware scanners and due to the ability to connect to the internet (and the safety from being now an unwritable media) with no persistence, it can download the most recent updates and run them in RAM temporarily. Then you can scan your Windows system from this external, guaranteed clean environment. You will find many other useful tools on the disk including backup and disk cloning..

    One caveat! This bootable Hirens media contains extremely powerful tools and you can create havoc if you don't research or already understand how these tools work. As always the only real damage can be to software but it appears as if you have little to lose unless you really imagine these crooks will actually hand over the keys and let you go on your merry way. IMHO under no circumstances should you even respond to these criminals.

    FWIW torrents are not intrinsically illegal. Many people and companies use this method to mitigate the impact on bandwidth to any single server. That said one should be careful to verify legality of the specific torrent otherwise one opens the door to ruinous, unsavory elements.
     
  17. Jun 2, 2015 #16
  18. Jun 2, 2015 #17
    One point worth mentioning is never to download media files, even if you're quite sure they are legal, if the provider has 'packaged' them as an .exe file.
    There is no good reason for a provider to do such 'packaging' other than it's the easiest way to install malwares.
     
  19. Jun 2, 2015 #18
    One million times this, usually infection can be tracked to some "mistake" the user made.
    I truly believe a huge part of *ware is "social engineering" (this doesn't do true social engineering justice) were you gain the targets trust.
    What can be used for this online?
    Things like "I earned $ xxxx using this program last month" are an example probably works well.
    Then there's the warez environment and more dangerous, cracks and key generators for illegal software.

    Fortunately security programs are quite good nowadays, some even offering to run unknown programs in a sandbox.
    On my windowsboxes I use(d) comodo antivirus. At first it will require you to allow quite some programs to run.
    However in the 3 years I used it I never had a successful infection (successful for the creator of the malicious code)
    And if I can trust http://en.wikipedia.org/wiki/Comodo_Internet_Security#Reviews the recent versions are really quite good.
     
  20. Jun 3, 2015 #19
    If you will notice that thread is nearly 3 years old. It is my understanding that while Hirens used to be "greyware" it has not been for awhile at the very least since version 15.2. I suppose this may vary some from one country to the next but in the US it appears to be legal now and is available from common, reputable sites.

    If it worries you, build a similar bootable media with BartsPE which has always been legal. That legality was tested and it was found that the Preinstall Environment not only does not qualify for the protections of the full system (it is quite limited and not really useful as a full time system) but also it is expected that it is not likely to be running the full and fully licensed system at the very same time as the PE. In OPs case since he is attempting to fix his fully licensed copy he is well within both the letter and the spirit of the EULA.
     
  21. Jul 5, 2015 #20
Know someone interested in this topic? Share this thread via Reddit, Google+, Twitter, or Facebook




Similar Discussions: Ransomware software problem
Loading...