Just Had A Ransom Notice My Computer Will Be Locked In 5 Minutes.

like fech it will be.

Tuesday, January 24, 2017 by starkers | Discussion: WinCustomize Talk

Yup, as the title says, I got stung by some of that crap ransomware... that if I didn't call a certain number within 5 minutes to make payment arrangements my PC would remain locked.  Well it has been longer than 5 minutes now and I'm still able to operate my machine as normal, thanks largely to Cybereason's Ransomfree.

Yeah, I was just looking for information on a band I had been told about, Disturbed, who had done a cover of Simon & Garfunkel's Sounds of Silence, when all of a sudden I am diverted to one of those shonky image hosting sites, URLShrink, that shoves up this ransom notice when I tried to exit. 

I instantly knew the site was shonky because all these ads were popping up for Viagra, adult services and pr0n, etc, so I was out of there in an instant... or so I thought.  Anyway, as soon as the ransom demand appeared I shut down my browser and began checking this and that to see what was still working, which it all was and still is.

Thing is, I wouldn't have paid any ransom anyhow.  I do not keep any important files on this machine, they're all backed up/stored on external drives, none of which were connected at the time, so if I'd been locked out I simply would have reformatted and begun again.  An inconvenience, yes, but no slimy ransomware bastard is getting his/her filthy hands on my money.

ALMonty
Reply #1 Tuesday, January 24, 2017 9:47 AM

Right click taskbar and bring up the Task Manager and close out your browser. I use IE and I find that this is the only way to close out the page. The only problem is you have to go back and find the page you were browsing.

DrJBHL
Reply #2 Tuesday, January 24, 2017 9:54 AM

You're welcome.

Vampothika
Reply #3 Tuesday, January 24, 2017 9:57 AM

maybe you should use a pop up blocker

ALMonty
Reply #4 Tuesday, January 24, 2017 10:08 AM

It's not a pop-up; your page gets redirected.

Jafo
Reply #5 Tuesday, January 24, 2017 4:02 PM

Step 1 is to shut down the modem.

Step 2 - ctrl/shift/esc and shut down the browser page.

Step 3 is to go back and find the song....it's seriously good.....or you could just look here...

the_Monk
Reply #6 Wednesday, January 25, 2017 1:37 AM

Quoting starkers,
I instantly knew the site was shonky because all these ads were popping up for Viagra, adult services and pr0n, etc, so I was out of there in an instant... or so I thought. Anyway, as soon as the ransom demand appeared I shut down my browser and began checking this and that to see what was still working, which it all was and still is.

For the record, you got lucky. 

Computers work in terms of nanoseconds and just having 'navigated to' a web resource (whether you did it or you were redirected) is/was enough for malicious code to interact with your browser and/or your machine.  Had it been a sophisticated browse-by attack the only protection for your browser and system at that point would have been 'least privilege'.  I'll keep saying it till I'm blue in the face.  Firewalls, AV and every other anti-malware under the sun do not offer as much protection as simply enforcing 'least privilege' system wide.  All of the aforementioned make good 'second lines of defense', but every person's 'first line' should be least privilege.

ZubaZ
Reply #7 Wednesday, January 25, 2017 9:24 AM

Quoting Jafo,
Step 3 is to go back and find the song....it's seriously good.....or you could just look here...

That is probably one of my favorite covers ever.  It doesn't hurt that the original is so good.

anotherside
Reply #8 Wednesday, January 25, 2017 6:08 PM

the_Monk

All of the aforementioned make good 'second lines of defense', but every person's 'first line' should be least privilege.

But what does it mean in a practical way?

This is what I can come up with:

Don’t use the Administrator account

Set UAC to highest level

Disable Adobe Flash

Use Adblocker (you can still allow ads on sites you trust)

Use Scriptblocker for your browser if you are really serious, (but I have heard it can be annoying)

Use good antivirus/antimalware

Use anti-ransomware if you want (numerous anti-malware programs are a slippery slope, I would argue)

Keep Windows up to date (guess I have to add this one although I don't feel too confident about MS anymore)

The best thing would probably be to sandbox the browser. Is Microsoft Edge immune to ransomware? That would be an edge over other browsers.

Still I can’t understand how ransomware works. There must be an executable involved that is encrypting your drive...? How can this run without triggering UAC?

Back in the days of XP I was infected with a worm (Blaster or Sasser) just by connecting to the Internet without antivirus. So I know it’s possible to get infected by malware without clicking an executable. There have also been infected PDFs spreading malware I think.

It would be nice with some kind of “best practice”. Malware creators make money by creating malware. Anti-malware creators make money by creating anti-malware. Bloggers make money writing about malware/anti-malware.

But it’s hard to find “the truth”. I refuse to think that the solution to anti-ransomware is to run yet another anti-malware program on my computer. Anti-malware programs are a problem by themselves I think and should only be used as last resort, because Windows is a big target for malware creators.

@Monk It would be nice if you could expand on your “least privilege” argument. Are you talking about corporate environments with locked down machines where you can’t do anything? Or special settings or software?

starkers
Reply #9 Wednesday, January 25, 2017 9:01 PM

ALMonty

Right click taskbar and bring up the Task Manager and close out your browser. I use IE and I find that this is the only way to close out the page. The only problem is you have to go back and find the page you were browsing.

Yeah, did that in an instant to prevent further interference/contact, etc.  As for returning to the page, no, I'm not tempting fate twice.  I just wanted some info on the band and other music they do, but I'm sure there's another site I can get that from.

DrJBHL

You're welcome.

Yup, I'm sure that Ransomfree saved my bacon on this occasion, and have no doubt it can/will again.  It's such a shame we can't send these mongrel things back to the originating machine and programme it to blow up the battery with extreme force.

Vampothika

maybe you should use a pop up blocker

I have one, but this is a different thing altogether, where the intended page is intercepted with a redirect script that takes the user to a different page instead.  Luckily, I had Ransomfree loaded as a safeguard and I was able to close the browser.

Jafo

Step 1 is to shut down the modem.

Step 2 - ctrl/shift/esc and shut down the browser page.

Step 3 is to go back and find the song....it's seriously good.....or you could just look here... 

Steps 1 and 2 were taken care of and no damage was done.  As for the song, and the band, I will get back to researching later today... though Karol [the person who told me] bought the CD and is bringing it over for me to listen to.  I would have gotten back to it yesterday but we had visitors and had a little party before one headed off to Cairns this morning.

starkers
Reply #10 Wednesday, January 25, 2017 9:34 PM

the_Monk

I instantly knew the site was shonky because all these ads were popping up for Viagra, adult services and pr0n, etc, so I was out of there in an instant... or so I thought. Anyway, as soon as the ransom demand appeared I shut down my browser and began checking this and that to see what was still working, which it all was and still is.

For the record, you got lucky.

Computers work in terms of nanoseconds and just having 'navigated to' a web resource (whether you did it or you were redirected) is/was enough for malicious code to interact with your browser and/or your machine.  Had it been a sophisticated browse-by attack the only protection for your browser and system at that point would have been 'least privilege'.  I'll keep saying it till I'm blue in the face.  Firewalls, AV and every other anti-malware under the sun do not offer as much protection as simply enforcing 'least privilege' system wide.  All of the aforementioned make good 'second lines of defense', but every person's 'first line' should be least privilege.

Not entirely lucky!  Yes, the threat was made, but Ransomfree negated it before it could take effect.  And yes, I know that you recommend the 'least privilege' line of defense, but I have read there are inconveniences to that and I've been reluctant to try it.

ZubaZ


Quoting Jafo,

Step 3 is to go back and find the song....it's seriously good.....or you could just look here...

That is probably one of my favorite covers ever.  It doesn't hurt that the original is so good.

Yup, the original is an exceptional song that stands the test of time... it is an eternal classic.  As for the cover by Disturbed, well I've still not heard it.  With one distraction or another, never listening to radio or watching MTV, etc, and not being able to see video clips on WC for some reason, I've yet to hear it.  Not to worry, Karol is coming over later with the CD.

the_Monk
Reply #11 Thursday, January 26, 2017 12:14 PM

anotherside

But what does it mean in a practical way?

@Monk It would be nice if you could expand on your “least privilege” argument. Are you talking about corporate environments with locked down machines where you can’t do anything? Or special settings or software?

To be clear.  When I talk about 'safe computing' I am never talking about adding software as a 'protection' layer.  Why?  Because if your OS (which runs all software) is compromised it doesn't matter what 'software protection' you are running.

Yes, I always advocate NEVER using your PC with an admin account and, yes, if you are running the 'pro' version of any MS OS I strongly advocate learning about and then potentially using the 'local security policy' of your OS (in corporate environments this is performed by the admins using 'group policy' etc.) to harden your system installation.  You can access your local security policy on PCs running the 'pro' edition of any MS OS by typing 'secpol.msc' into a RUN dialog box.

From an elementary level here is an illustration:

OS  -  the low level kernel operations of the OS as well as local and network system operations (things the user never sees, things the non-admin accounts don't have blanket access to modify,  and operations the 'local security policy' has the capability of affecting/hardening)

|

|

Software - the higher level (topical) operations the user sees and interacts with.  All 'security software' operates here and while security software often hooks into the lower level OS operations to perform its duties that amounts to giving out MORE privileges (in order to 'stay safe') rather than restricting them properly in the first place.  Should those additional agents with more privileges now get compromised (as has happened to quite a few security software products in the past) you have now effectively made your installation LESS SAFE by using those additional agents.
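As an added example (not code from this thread or from any of its posters), the PowerShell script below turns anotherside's checklist in reply #8 and the_Monk's advice in reply #11 into something you can actually run and check: it reports whether the current session is a member of Administrators, reads the two UAC values that the Local Security Policy console (secpol.msc) exposes under "User Account Control", creates a standard local account for internet-facing work, and verifies that the new account is not an administrator. The account name 'browse' and the choice to put it only in the Users group are assumptions; it is meant to be run once from an elevated PowerShell on Windows 10 or later, where the LocalAccounts cmdlets exist.

```powershell
# Added example, not from the thread. Run once from an elevated PowerShell
# (Windows 10+). Account name 'browse' is an assumption; change it as you like.

# 1. Is this session running as a member of Administrators? Browsing from
#    such a session is exactly what the_Monk advises against.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user   : $($identity.Name)"
"Admin session  : $isAdmin"

# 2. UAC settings. EnableLUA=1 means UAC is on; ConsentPromptBehaviorAdmin=2
#    is the 'always notify' position (the highest level of the UAC slider).
#    These are the same values secpol.msc shows under Security Options.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
"UAC enabled    : $($uac.EnableLUA -eq 1)"
"Always notify  : $($uac.ConsentPromptBehaviorAdmin -eq 2)"

# 3. Create a standard (non-admin) account for browsing and email.
#    New-LocalUser puts the account in no group at all; membership of 'Users'
#    and NOT 'Administrators' is what makes it a least-privilege account.
$userName = 'browse'   # assumed name
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    $pwd = Read-Host -AsSecureString "Password for $userName"
    New-LocalUser -Name $userName -Password $pwd `
        -Description 'Standard account for browsing/email' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $userName
}

# 4. Verify: the new account must not appear in the Administrators group.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
$inAdmins = $admins -contains "$env:COMPUTERNAME\$userName"
"$userName is admin: $inAdmins"   # expect False
```

Once the account exists, sign in with it for anything internet-connected; when you later need to install or change something, Windows will ask for an administrator's credentials through the UAC prompt, so the admin account never has to host a browser session at all.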

the_Monk
Reply #12 Thursday, January 26, 2017 12:24 PM

starkers
Not entirely lucky!  Yes, the threat was made, but Ransomfree negated it before it could take effect.  And yes, I know that you recommend the 'least privilege' line of defense, but I have read there are inconveniences to that and I've been reluctant to try it.

Yes actually you were lucky!  Please read my reply to anotherside above this.  Anytime a 'software product' is actually capable of 'stopping' (and how do you know it did so?  because the software said so?) an attack the user 'got lucky'.

I realise some people might see locking their homes and gates/doors as an 'inconvenience', but I would personally rather do that than rely on police and/or security team response times and their efficacy at recovery.  So what if the police catch the guy who trashed your place........wouldn't you rather a locked door/window and or gate have prevented him entry in the first place?

People need to begin to understand that all of the security software in the world is equal to a 'security response' after the breach has begun (and if the breach is an 'intelligent' breach.....well you're fucked!).  If you want to be locking your windows and doors you need to harden your OS.  I've illustrated simple ways to go about doing that.

starkers
Reply #13 Thursday, January 26, 2017 10:29 PM

the_Monk

Quoting starkers,
Not entirely lucky!  Yes, the threat was made, but Ransomfree negated it before it could take effect.  And yes, I know that you recommend the 'least privilege' line of defense, but I have read there are inconveniences to that and I've been reluctant to try it.

Yes actually you were lucky!  Please read my reply to anotherside above this.  Anytime a 'software product' is actually capable of 'stopping' (and how do you know it did so?  because the software said so?) an attack the user 'got lucky'.

I realise some people might see locking their homes and gates/doors as an 'inconvenience', but I would personally rather do that than rely on police and/or security team response times and their efficacy at recovery.  So what if the police catch the guy who trashed your place........wouldn't you rather a locked door/window and or gate have prevented him entry in the first place?

People need to begin to understand that all of the security software in the world is equal to a 'security response' after the breach has begun (and if the breach is an 'intelligent' breach.....well you're fucked!).  If you want to be locking your windows and doors you need to harden your OS.  I've illustrated simple ways to go about doing that.

Okay, I get your point and will more seriously consider running from a non-admin account.  In the past I have been reluctant to do so because we're already inconvenienced by various things built into the OS [UAC, etc].  However, given this latest development, I would feel safer when online if I were running a non-admin account, and if I need to make changes or install new software, etc, I simply log off, disconnect from the net and log back on using my regular admin account.  Sound okay to you?

the_Monk
Reply #14 Friday, January 27, 2017 1:18 PM

You don't need to disconnect from the net when using your admin account to install/modify things; I would just advise to never browse (as in open a browser) while logged in as admin.

Yes, you will find just taking the step to perform all internet connected activity (browsing, email etc.) with a non-admin account will provide you with much more security and peace of mind than any third-party program out there.

starkers
Reply #15 Friday, January 27, 2017 2:05 PM

Okay, so an admin account would be safe if not browsing, etc!  Good, that's one inconvenience I don't have to worry about, then.

The other concern is downloaded files.  One can still download software and updates while logged into a non-admin account for installation in the admin account later on, right?  I would still want to go to majorgeeks.com for software files and updates, etc.

As for 'least privilege', I always thought I was the least privileged as a kid.  While all the other kids had bikes, all I had was an inner tube that I had to blow up orally and push along in front of me.  Yeah, I got to places quicker if it was downhill, but that was the only advantage... and now I'm gonna operate my PC with the least privilege.

Seriously, though, all being well when I arise later [it's 5.00am and I've not been to bed yet] I shall set me up a non-admin account on those machines I intend to use for internet related stuff.

gevansmd
Reply #16 Friday, January 27, 2017 6:42 PM

There are fake ransomware sites that display a message similar to real ransomware but are harmless.  Simply close the webpage and you'll be fine.  From what I've read, real ransomware displays a message directly on your desktop, not through a browser.

Article:  How to tell you've been hit by real ransomware.

http://www.infoworld.com/article/3062552/security/how-to-tell-if-youve-been-hit-by-fake-ransomware.html

anotherside
Reply #17 Friday, January 27, 2017 8:20 PM

the_Monk

To be clear. When I talk about 'safe computing' I am never talking about adding software as a 'protection' layer.

This is a good starting point. I think the best approach is to deal with the OS itself before looking for external solutions.

the_Monk

security software often hooks into the lower level OS operations to perform its duties that amounts to giving out MORE privileges (in order to 'stay safe') rather than restricting them properly in the first place.

Yes this is kind of backward. Like security is an afterthought.

gevansmd

There are fake ransomware sites that display a message similar to real ransomware but are harmless. Simply close the webpage and you'll be fine. From what I've read, real ransomware displays a message directly on your desktop, not through a browser.

This was my thought also.

Computer security is complicated and nothing is black or white.

Here’s a link to a former Firefox developer who thinks one should uninstall AV software except Windows Defender.

http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

I don’t think all AV vendors are bad guys like he seems to think but one should be aware that installing anti-malware software gives said software full access to your machine and can potentially open security vulnerabilities.

starkers

As for 'least privilege', I always thought I was the least privileged as a kid.

I also use Administrator account because I want to feel privileged.

So now I need to take care of my own system. I always thought that Windows 8/10 users were using non-Admin account by default. Not like Windows 7 where Admin account is the default.

starkers
Reply #18 Friday, January 27, 2017 11:42 PM

gevansmd

There are fake ransomware sites that display a message similar to real ransomware but are harmless.  Simply close the webpage and you'll be fine.  From what I've read, real ransomware displays a message directly on your desktop, not through a browser.

Article:  How to tell you've been hit by real ransomware.

http://www.infoworld.com/article/3062552/security/how-to-tell-if-youve-been-hit-by-fake-ransomware.html

Now I'm not too sure if this one was fake or real, to be honest.  It all happened so fast that I just closed the browser and checked to see if I could still perform normal operations.  Thing is, now that I look back on it, when the browser redirected me to the 'not requested' image hosting site, it was a separate dialogue box that popped up with the ransom demand when I attempted to shut the browser down.  I'm not sure whether that dialogue box was a part of my browser or a part of Windows Explorer because it was closed within an instant of Firefox being closed down.

At the end of the day, however, whether Ransomfree saved my bacon or not, I didn't lose control of my machine or files and [as the_Monk said] I was lucky. 

anotherside

Quoting starkers,
reply 15
As for 'least privilege', I always thought I was the least privileged as a kid.

I also use Administrator account because I want to feel privileged.

Yeah, I always wanted to be in control of everything that could be controlled, and the Admin account gave me that.  However, since this [fake or real] ransomware attack, I'd rather relinquish that control to a non-admin account to prevent further attacks when I'm online.