
New infection ransoms your computer with fake encryption message


35 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams



Posted 04 December 2010 - 06:10 PM

A new infection is making its rounds that makes it so you cannot boot your computer unless you pay a ransom of $100 USD. This malware will modify the Master Boot Record of your computer so that it displays a message stating that your computer's hard drives were encrypted and that unless you pay the ransom you will not be able to access your files.
The reality is that the infected hard drives are not actually encrypted, but are just not being made available until you enter a password. When this infection is installed on your computer it will move the infected hard drive's Master Boot Record, or MBR, to another location and install a new MBR that displays a message stating that the hard drives were encrypted and that you need to visit www.safe-data.ru in order to receive help. The message that you will see is:

Your PC is blocked. All the hard drives were encrypted. Browse www.safe-data.ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!! Please remember Your ID: , with its help your sign-on password will be generated. Enter password:

When you visit www.safe-data.ru it will state that your hard drives are encrypted and unless you spend $100 USD, you will lose your data. It also states that any attempts at tampering may cause loss of data. I strongly suggest that no one manually visit the safe-data.ru site as it is run by malware distributors and cannot be trusted to exploit visitors in some manner. The truth is that this infection can be fixed without spending any money, so for no reason should you purchase the code. Instead, if you are infected with this malware, please create a topic in the Am I Infected forum in order to receive help removing this infection.



#2 TheTechDude

TheTechDude


Posted 04 December 2010 - 07:12 PM

That's a new idea. Infect their computers then make them pay to fix them. The problem is that people, especially older people, will pay for it not knowing any better.

#3 Animal

Animal

    Bleepin' Animinion



Posted 04 December 2010 - 08:14 PM

Ransomware has been around for a while. Here is an article discussing it from 2006. http://www.securelist.com/en/analysis?pubid=191951869

Scroll down to "CodeBreakers - the struggle against RansomWare".

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+

#4 boopme

boopme

    To Insanity and Beyond



Posted 04 December 2010 - 10:42 PM

Any attempt to restore the drives using other way will lead to inevitable data loss !!!
Please remember Your ID: , with its help your sign-on password will be generated.
Enter password


A particularly shrewd scare tactic.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 KarstenHansen

KarstenHansen

    The Dane



Posted 05 December 2010 - 07:15 AM

Not new nooo, Ransomware has been here a long time!

#6 Elise

Elise

    Bleepin' Blonde



Posted 07 December 2010 - 05:53 AM

The scariest thing for most people is that, when booting from a Live CD or PE CD, the HD no longer shows up, which makes it pretty easy to believe that what they claim is true.

In fact the partition table is wiped, which causes partitions not to show up, but all data is intact.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 red_devil028

red_devil028


Posted 07 December 2010 - 11:17 AM

OK... as posted in the previous topic...

If it's not all right you can just delete my post, I am just trying to help :P

I had this the first moment it came out I think, on my Win7 laptop ((MSI 620)); none of the topics were about it yet... That being Monday the 28th.

However, I fixed it by doing the following:

((I only tried Win7, my XP did not get infected...))
1) Windows 7 CD... boot from it...
2) Repair your computer...
3) It will NOT show any drives...
4) Hit OK... > Hit Startup Repair... your computer will reboot by itself...
5) Boot again from the CD
6) Repair your computer... it WILL show your drive with 0GB on it... select it and hit OK... AGAIN Startup Repair...
7) Now you need the latest Hiren's CD (( 10.6 )), boot it... and select boot from Win7... Normally it will boot
8) Run antivirus, regfixes, malware removers, anything... be sure to be fast... make it remove it before you try to reboot...

I've read in my Norton that it detected it as a version of Rmvirut... I know it very well as it laid a customer's company down to the wire... for a week or 2, infecting all their PCs... you will need to disinfect every possible data device... preferably on a different, good, security-protected system... if you choose to back up your files and then format, format it twice...
Current systems: CM STACKER Custom PC / MSI CX 620 / ACER Z5751 Touchscreen

Current role: PC Technician @ Computrac Belgium - Specialisation: Hardware.

#8 CrimsonSpider

CrimsonSpider


Posted 07 December 2010 - 02:31 PM

Wow,

That is so intriguing! Very unique too!

Security and protection is something I'm very interested in pursuing.

Of course, if I had received such ransomware, I wouldn't be a very happy bunny.

But the way it works is awesome :)

CrimsonSpider
"Don’t worry if it doesn’t work right. If everything did, you’d be out of a job."
(Mosher’s Law of Software Engineering)

#9 Andrew

Andrew

    Bleepin' Night Watchman



Posted 07 December 2010 - 05:20 PM

Looks like ransomware is in vogue this season as there's another one that likes to encrypt your files and charge for the decryptor.
Posted Image
Very subtle, no?

#10 Sightless

Sightless


Posted 07 December 2010 - 05:54 PM

HAHAHAHAHA

Don't try to tell someone about this message...

Because they would definitely find out....not.
Posted Image

#11 Martel

Martel

    Drfixup Human Internet Solutions



Posted 07 December 2010 - 06:05 PM

Regular thugs.

Seems like the bank account could be used to track them.

Love to see them behind bars




#12 Elise

Elise

    Bleepin' Blonde



Posted 08 December 2010 - 02:43 AM

Looks like ransomware is in vogue this season as there's another one that likes to encrypt your files and charge for the decryptor.

The difference is that this one indeed encrypts files. The one Grinler posted about, does not actually encrypt data.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#13 red_devil028

red_devil028


Posted 08 December 2010 - 07:56 AM

Looks like ransomware...

The difference is that this one indeed encrypts files.


Thing is too, if you post this shot on a forum without any explanation... people might start to think the person made the desktop image themselves... o,O

Anyhow: Interesting... I had something like this on my XP like 5 years ago :P


And no... This one actually just hides the partition table... If you let Windows find out your partition table... it will be back again... you just have to remember your PC to read that file of that table... and remove the other after you did that...

Still, no customers with this one on XP ... Luckily...

Edited by red_devil028, 08 December 2010 - 07:58 AM.

Current systems: CM STACKER Custom PC / MSI CX 620 / ACER Z5751 Touchscreen

Current role: PC Technician @ Computrac Belgium - Specialisation: Hardware.

#14 Cowboy24

Cowboy24


Posted 08 December 2010 - 11:25 AM

I'm just a nobody from down the street, but couldn't you just rewrite the MBR in order to bypass this problem?

#15 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter


Posted 08 December 2010 - 11:37 AM

Yes, but one of the main issues as Elise said is that your partition table is wiped. You need to use specialized tools to restore that.
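
The symptom discussed in this thread (a partition table that is wiped while the data stays intact) can be checked read-only on a raw disk image. The following is an added example, not part of any post in the thread: it parses the four MBR partition entries and then scans for NTFS boot sectors, the kind of signature search partition-recovery tools rely on. The function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
PT_OFFSET = 446         # four 16-byte entries: status, CHS, type, CHS, LBA start, sector count
BOOT_SIG = b"\x55\xaa"  # last two bytes of a bootable sector

def parse_mbr(sector):
    """Return (has_boot_signature, entries); entry = (slot, active, type, lba_start, sectors)."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * slot)
        if ptype != 0 and count != 0:  # all-zero slots are unused
            entries.append((slot, status == 0x80, ptype, lba, count))
    return sector[510:512] == BOOT_SIG, entries

def find_ntfs_boot_sectors(image):
    """Scan every sector after the MBR for an NTFS boot sector; return (lba, total_sectors)."""
    hits = []
    for off in range(SECTOR, len(image) - SECTOR + 1, SECTOR):
        s = image[off:off + SECTOR]
        if s[3:11] == b"NTFS    " and s[510:512] == BOOT_SIG:
            hits.append((off // SECTOR, struct.unpack_from("<Q", s, 0x28)[0]))
    return hits

def triage(image):
    """Classify a raw disk image: is the table gone while file systems remain?"""
    has_sig, entries = parse_mbr(image[:SECTOR])
    volumes = find_ntfs_boot_sectors(image)
    if entries:
        verdict = "partition table populated"
    elif has_sig and volumes:
        verdict = "partition table empty, volumes still present"
    else:
        verdict = "no partition entries and no volumes found"
    return verdict, entries, volumes

def build_sample_image(wiped):
    """Constructed 128-sector image (not real malware data): MBR + NTFS boot sector at LBA 63."""
    img = bytearray(SECTOR * 128)
    img[510:512] = BOOT_SIG
    if not wiped:
        struct.pack_into("<B3xB3xII", img, PT_OFFSET, 0x80, 0x07, 63, 65)
    vbr = 63 * SECTOR
    img[vbr + 3:vbr + 11] = b"NTFS    "
    struct.pack_into("<Q", img, vbr + 0x28, 64)  # NTFS total-sectors field
    img[vbr + 510:vbr + 512] = BOOT_SIG
    return bytes(img)
```

Calling `triage(build_sample_image(True))` reports an empty table with the NTFS volume still found at LBA 63. On a real disk, NTFS also keeps a backup boot sector at the end of the volume, so each volume can appear as two hits.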



