

Ransomware - can I still use the USB-stick?

  • This topic is locked
1 reply to this topic

#1 DefinitelyNoExpert


  • Members
  • 41 posts
  • Local time:05:27 AM

Posted 14 March 2016 - 05:14 AM

Friday at work, all my files suddenly got an audio-pictogram and I couldn't open them anymore.

I could however still open a picture-file (I don't remember the extension) and it asked me to pay for a decryption. I thought it was a joke at first and restarted my computer, but when the problem stayed I realised I'd been infected by ransomware - it took me quite a while to realize this, especially since I was working online and not really minding my files...


It looks like the screenshot from Locky Wallpaper, but I don't recognize the other descriptions - I haven't enabled macros or anything like that.

I haven't downloaded any attachments from unknown sources, nor clicked on any .exe files on websites.

I find it very disturbing that I can't remember which action might have caused the infection.

Is it possible to get something like this WITHOUT clicking on an .exe file?

Just by visiting a website, maybe? I really can not remember downloading anything, but then again who remembers everything they've done while being online?


My main question is this: I had 2 USB-sticks connected when I discovered my problem. One of them had its files (2GB) infected, but the other one seemed fine.


At work, they checked the infected USB-stick and couldn't find an .exe-file on it - they weren't clear on whether I could use it again or not.

I didn't think about having the other one checked because it seemed fine. They're currently too busy to help me with this and I need some files that are on the other stick so I would like to give it a try - and scan it with Panda Free Antivirus. Should I or shouldn't I?


If I disconnect my computer from the internet, does this mean the ransomware can't be activated (when it is on the stick), or is it very naive to think like that?


Any ideas? Since I don't know where the ransomware came from I'm quite taken aback to do anything on a computer now...


Thank you in advance.




#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:27 AM

Posted 14 March 2016 - 07:43 AM

Any files that are encrypted with Locky will have the .locky extension appended to the end of the filename and leave a file (ransom note) named _Locky_recover_instructions.txt. When Locky encrypts a file it will actually rename the file to the format [unique_id][identifier].locky...(i.e. something like F67091F1D24A922B1A7FC27E19A9D9BC.locky).

Locky will change the Windows wallpaper to %UserProfile%\Desktop\_Locky_recover_instructions.bmp, which contains the same instructions as the text ransom notes.

Locky installed via fake invoices

Locky is currently being distributed via email that contains Word document attachments with malicious macros. The email message will contain a subject similar to ATTN: Invoice J-98223146 and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice"...Attached to these email messages will be a malicious Word document that contains a name similar to invoice_J-17105013.doc. When the document is opened, the text will be scrambled and the document will display a message stating that you should enable the macros if the text is unreadable.

Crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes Anti-Malware and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance, but as noted above there is no solution to fix your encrypted files yet. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

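The indicators quietman7 lists (files renamed to [unique_id][identifier].locky and the _Locky_recover_instructions ransom notes) can be turned into a read-only triage of a mounted stick, which is what the original poster was asking about. This is an added example, not code from the thread or from any vendor tool; it assumes the 32-hex-character name length from the single example in the answer, and the file tree it scans is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the answer above: encrypted files are renamed to
# [unique_id][identifier].locky (the one example shown is 32 hex characters,
# so the 32-character length here is an assumption from that example) and a
# ransom note _Locky_recover_instructions.txt / .bmp is dropped.
LOCKY_NAME = re.compile(r"^[0-9a-f]{32}\.locky$", re.IGNORECASE)
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}


def classify_name(name):
    """Return 'encrypted', 'ransom_note' or None for a single file name."""
    if LOCKY_NAME.match(name):
        return "encrypted"
    if name.lower() in RANSOM_NOTES:
        return "ransom_note"
    return None


def triage_volume(root):
    """Walk a mounted volume and list Locky artifacts without opening any file."""
    # Read-only on purpose: encrypted files are evidence and may be recoverable later.
    root = Path(root)
    found = {"encrypted": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_name(name)
            if kind:
                found[kind].append((Path(dirpath) / name).relative_to(root).as_posix())
    return {
        "encrypted_files": sorted(found["encrypted"]),
        "ransom_notes": sorted(found["ransom_note"]),
        "locky_artifacts_present": any(found.values()),
    }


def triage_sample():
    """Build a constructed tree mimicking the infected stick and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "docs").mkdir()
        (base / "docs" / "F67091F1D24A922B1A7FC27E19A9D9BC.locky").write_bytes(b"\x00" * 16)
        (base / "_Locky_recover_instructions.txt").write_text("constructed ransom note")
        (base / "docs" / "report.docx").write_bytes(b"PK")  # untouched file, ignored
        return triage_volume(base)
```

A stick that reports no artifacts still deserves the full antivirus scans the answer recommends, since a name-based check only finds the encryption's traces, not a dropper.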
