OT: Help with viruses on an 'encrypted' drive


daker13
09-08-2015, 08:29 AM
My dad is a writer but not terribly computer savvy. He was having trouble with his old (he since bought a new one) computer, took it to Staples (I know), and was told that it was riddled with viruses. He was told that ransomware was found on the hard drive, and that the entire contents of the drive had been encrypted. However, he never received an email seeking payment of the ransom, and he insists that he never opens attachments to unknown emails, so he's not sure how the viruses could have gotten on the drive. Staples was supposed to back up the drive during a previous appointment, and botched that up, and now tells him there's no way to decrypt it. He's rather upset. The OS is Windows Vista. I have the hd, which has been removed from the enclosure.

Does anyone know someone who might be able to decrypt the hd? There are old drafts and such on it that he'd like to recover.

Thanks.

kramnnim
09-08-2015, 08:59 AM
If it's a really old version of the ransomware there is a chance it could be recovered... Other than that, it is basically impossible without paying the ransom to get the key.

kramnnim
09-08-2015, 09:01 AM
Also, they don't send an email to request the payment, there's a text file in each encrypted folder with instructions.

MattTuck
09-08-2015, 09:01 AM
Not much you can do, I'm afraid. If you don't trust the diagnosis from staples, you could try installing antivirus and antimalware, and running the scans. But if it is truly encrypted, I don't think those programs will help.

It's a reminder to back things up frequently, to prevent something like this. But your dad is most likely hosed.

PS. I wouldn't bring my computer to Staples for repair. I'd give it a 50/50 probability that they put the ransomware on it.

PPS. Here is the Book of Whitt. Written extemporaneously on a whiteboard during a meeting in the '80s after a client's hard drive crashed. More true today than ever, it seems.

ultraman6970
09-08-2015, 09:47 AM
The main problem I see is that usually the people at stores, to avoid lawsuits and crap, don't use tools that work much with that kind of problem.

If the computer has been taken over by ransomware and everything is encrypted, well... this is a good place to start.

http://malwaretips.com/blogs/remove-locker-virus/

Secondly, you have to run those on the affected computer obviously, so probably you will need your dad's computer and to reinstall the HD in it.

Personally I would start trying to fix that machine using ComboFix (download from Bleeping Computer); if the machine is as bad as you can get, it will take maybe an hour with ComboFix. Then I would try the stuff the link is saying.

Another detail. do not connect that computer to the internet at all while you are running the fixes.

Good luck. :)

cdn_bacon
09-08-2015, 02:14 PM
Is there any way to install a fresh version of Windows on a new drive, make that encrypted drive a secondary drive and get the files that way? I'm only guessing that the ransomware is dependent on Windows. I've retrieved files that way before.

Probably worth the $90 for a new drive and a fresh installation.

SlackMan
09-08-2015, 02:24 PM
My dad is a writer but not terribly computer savvy. He was having trouble with his old (he since bought a new one) computer, took it to Staples (I know), and was told that it was riddled with viruses. He was told that ransomware was found on the hard drive, and that the entire contents of the drive had been encrypted. However, he never received an email seeking payment of the ransom, and he insists that he never opens attachments to unknown emails, so he's not sure how the viruses could have gotten on the drive. Staples was supposed to back up the drive during a previous appointment, and botched that up, and now tells him there's no way to decrypt it. He's rather upset. The OS is Windows Vista. I have the hd, which has been removed from the enclosure.

Does anyone know someone who might be able to decrypt the hd? There are old drafts and such on it that he'd like to recover.

Thanks.

Without a key for an encrypted drive, one cannot even see any files on the drive. Is that in fact the case here, i.e., have you or your father confirmed that you cannot see any files? Many computers won't even recognize an encrypted drive, so for example, when hooking it up as a second drive, it simply doesn't even show up. It would help to know if that is in fact what we're dealing with.

oldpotatoe
09-08-2015, 02:38 PM
What is with this ransomware thing?? Can't these guys get prosecuted? How is this not fraud?

tbike4
09-08-2015, 02:50 PM
What is with this ransomware thing?? Can't these guys get prosecuted? How is this not fraud?

Sure they can be prosecuted if someone can find "them". I work in a small IT dept. It happened a year ago to a company user that did not back up any of his files. It's real and serious. I didn't directly solve the issue but watched a co-worker deal with it. It's a leap of faith to pay the ransom. The "kidnappers" dealt in Bitcoin in this instance. The ransom was paid, around $600 as I recall, and the key was provided. It took a good while to decrypt the drive.

Hmm. I'm going to hook up my Time Machine drive right now.;)

kramnnim
09-08-2015, 04:29 PM
If it's the "normal" ransomware, you can see all the files, they are just encrypted. Reinstalling Windows will do nothing. There is nothing you can do but pay the ransom. (Unless it's the really old version)

You can't find the evildoers to prosecute them, you have to use a Tor client to get in touch with them and the payment is Bitcoin so you can't track the money...
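The point kramnnim makes (the files are visible, just unreadable, and a note file sits in each folder) is something you can check yourself once the drive is slaved read-only to a clean machine, as several posters suggest. The script below is an added example written for this thread, not code from any poster; it walks a mount point without writing to it, flags likely ransom-note filenames, checks whether each document still starts with the magic bytes its extension implies, and measures byte entropy for files of unknown type. The note-name patterns, magic-byte table and entropy threshold are illustrative assumptions, and the sample drive it triages is constructed in a temp directory, not real victim data.

```python
"""Offline triage of a drive suspected of ransomware encryption.

Mount the suspect disk read-only on a clean machine, point triage() at the
mount point, and it reports (1) ransom-note files, (2) files whose leading
bytes no longer match their extension, and (3) files with ciphertext-like
entropy. Nothing is written to the suspect drive. The note patterns, magic
table and thresholds are illustrative assumptions, not a catalogue of any
particular ransomware family.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Filenames that look like dropped ransom notes (heuristic; review hits by hand).
NOTE_NAME_RE = re.compile(
    r"(readme|recover|decrypt|how.?to|restore|instruction).*\.(txt|html?|hta)$",
    re.IGNORECASE,
)

# Expected leading bytes for formats a writer's drive is likely to hold.
MAGIC = {
    ".docx": b"PK\x03\x04",        # OOXML is a ZIP container
    ".xlsx": b"PK\x03\x04",
    ".zip":  b"PK\x03\x04",
    ".doc":  b"\xd0\xcf\x11\xe0",  # OLE2 compound document
    ".pdf":  b"%PDF-",
    ".jpg":  b"\xff\xd8\xff",
    ".png":  b"\x89PNG",
}

READ_LIMIT = 1 << 20       # inspect at most 1 MiB per file
MIN_BYTES = 1024           # entropy of tiny files is not meaningful
ENTROPY_THRESHOLD = 7.5    # bits/byte: prose ~4.5, ciphertext and compressed ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_extension(name: str):
    """'draft.docx.locked' -> ('.docx', '.locked'): the last extension we
    recognise, plus whatever the encryptor may have appended after it."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    for i in range(len(exts) - 1, -1, -1):
        if exts[i] in MAGIC:
            return exts[i], "".join(exts[i + 1:])
    return None, ""


def classify(name: str, data: bytes) -> str:
    """Return 'ransom_note', 'encrypted' or 'intact' for one file."""
    if NOTE_NAME_RE.search(name):
        return "ransom_note"
    ext, _appended = known_extension(name)
    if ext is not None:
        # Header check beats entropy here: a DOCX is already a ZIP (dense bytes),
        # but an intact one still starts with PK; an overwritten one does not.
        return "intact" if data.startswith(MAGIC[ext]) else "encrypted"
    if len(data) >= MIN_BYTES and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted"   # also catches archives/media with no MAGIC entry
    return "intact"


def triage(root: str) -> dict:
    """Walk root read-only and bucket every file by classify()."""
    report = {"ransom_note": [], "encrypted": [], "intact": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(READ_LIMIT)
            except OSError:
                continue   # unreadable entries are skipped, not fatal
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(fname, data)].append(rel)
    return report


# Constructed sample drive for the demo, not data from any real victim.
SAMPLE_DRIVE = {
    "notes/HOW_TO_DECRYPT.txt": b"Your files have been encrypted. Follow the instructions below.\n",
    "drafts/chapter1.txt": b"It was a dark and stormy night; the manuscript was late again. " * 40,
    "drafts/chapter2.docx.locked": os.urandom(16384),   # overwritten, suffix appended
    "drafts/chapter3.docx": b"PK\x03\x04" + b"\x00" * 2048,  # still has its ZIP header
    "photos/cover.jpg": os.urandom(16384),              # overwritten in place
    "misc/journal.bak": os.urandom(16384),              # unknown type, ciphertext-like
}


def build_sample_drive(root: str) -> None:
    for rel, content in SAMPLE_DRIVE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample drive in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The header check is deliberately tried before entropy: Office documents and PDFs are already dense, so entropy alone cannot tell an intact DOCX from ciphertext, whereas a missing `PK` signature is unambiguous. If the report shows intact headers on most files, the "everything is encrypted" diagnosis is wrong and ordinary recovery is worth trying; if the notes are there and the headers are gone, the thread's advice stands.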

Peter P.
09-08-2015, 09:24 PM
Why doesn't the ransomware infect the backup files, if any?

kramnnim
09-09-2015, 12:00 AM
Because the backup drive is not connected to the infected computer. Otherwise, it will!

leooooo
09-09-2015, 04:43 AM
Wipe HD clean and reinstall OS.

Hopefully important/original files are backed up somewhere.

biker72
09-09-2015, 07:09 AM
Had this happen at work but it only involved graphics files: .jpg, .gif, etc.
Saved by the backup drive.

regularguy412
09-09-2015, 07:23 AM
Is there any way to install a fresh version of Windows on a new drive, make that encrypted drive a secondary drive and get the files that way? I'm only guessing that the ransomware is dependent on Windows. I've retrieved files that way before.

Probably worth the $90 for a new drive and a fresh installation.

This is not a bad plan of action. If he's already gotten a new computer, you might slave the 'bad' drive to it, make it the secondary (non-OS) drive, and then possibly run some malware removal tools -- or at least see what you've got at that point.

Mike in AR:beer:

unterhausen
09-09-2015, 08:36 AM
I think I would reinstall too, it's really likely to have something left behind. Interesting that the ransomware people actually decrypt the files after getting their money. Unfortunately, without the encryption key, it's really unlikely that the files can be decrypted. Microsoft allows you to do this yourself, and I've never been tempted.

Bostic
09-09-2015, 10:05 AM
If it's a really old version of the ransomware there is a chance it could be recovered... Other than that, it is basically impossible without paying the ransom to get the key.

Also, they don't send an email to request the payment, there's a text file in each encrypted folder with instructions.

This has been the case in all situations I have seen with ransomware.

The main problem I see is that usually the people at stores, to avoid lawsuits and crap, don't use tools that work much with that kind of problem.

If the computer has been taken over by ransomware and everything is encrypted, well... this is a good place to start.

http://malwaretips.com/blogs/remove-locker-virus/

Secondly, you have to run those on the affected computer obviously, so probably you will need your dad's computer and to reinstall the HD in it.

Personally I would start trying to fix that machine using ComboFix (download from Bleeping Computer); if the machine is as bad as you can get, it will take maybe an hour with ComboFix. Then I would try the stuff the link is saying.

Another detail. do not connect that computer to the internet at all while you are running the fixes.

Good luck. :)

ComboFix and MalwareBytes are the standbys I use at work to clean up malware infections. Usually with the drive on an isolated clean computer that is up to date and not attached to the network.

Is there any way to install a fresh version of Windows on a new drive, make that encrypted drive a secondary drive and get the files that way? I'm only guessing that the ransomware is dependent on Windows. I've retrieved files that way before.

Probably worth the $90 for a new drive and a fresh installation.

You will be able to see the files but unfortunately they will still be encrypted and not readable so in this case it doesn't solve the problem.

Sure they can be prosecuted if someone can find "them". I work in a small IT dept. It happened a year ago to a company user that did not back up any of his files. It's real and serious. I didn't directly solve the issue but watched a co-worker deal with it. It's a leap of faith to pay the ransom. The "kidnappers" dealt in Bitcoin in this instance. The ransom was paid, around $600 as I recall, and the key was provided. It took a good while to decrypt the drive.

Hmm. I'm going to hook up my Time Machine drive right now.;)

I just had to deal with a ransomware infection this week. For the user's laptop, no backup, so all data was lost. I told them the machine was taboo and was getting wiped. The important daily work data was always saved on the file server. Fortunately we have backups and were able to delete the encrypted files and replace them with the previous day's backup. Some ransomware will target shadow copies (right-click a file, Previous Versions), so something to keep in mind is that time is of the essence once a machine has been compromised.

If it's the "normal" ransomware, you can see all the files, they are just encrypted. Reinstalling Windows will do nothing. There is nothing you can do but pay the ransom. (Unless it's the really old version)

You can't find the evildoers to prosecute them, you have to use a Tor client to get in touch with them and the payment is Bitcoin so you can't track the money...

Wipe HD clean and reinstall OS.
Hopefully important/original files are backed up somewhere.

Backups! I'm running a couple. One SSD and one regular both via Thunderbolt chassis on the Mac for the sake of speed.