
Is this RansomWare?


6 replies to this topic

#1 puckducker

  • Members
  • 4 posts

Posted 28 May 2016 - 09:58 PM

While surfing around on Firefox, I suddenly had a pop-up in Firefox that told me my computer/files are encrypted and I need to pay to have the files unlocked.

Unfortunately I did click on the "cancel" button on the pop-up window (with no effect), but did not click on anything else. Afterward, I went into Task Manager and shut Firefox down.

Now I am unsure if this was just a pop-up scam, or if anything has been downloaded and is currently infecting my machine. None of my files actually are encrypted as far as I can tell (I have checked a bunch of different files, and they all open just fine). I had both Avast and Malwarebytes running, and they didn't detect anything (nor did they pick up anything on a scan).

So I have no idea if this is a serious threat or just a pop-up hoping to scare me into doing something stupid. I have since backed all my files to an external drive (and disconnected the drive), and disconnected my PC from the internet. All my files still open fine.

It seems to me if this was a real threat, they would not have given me ample warning to back up all my files and disconnect my PC. But still, is there anything I can do to be sure there isn't some ransomware program waiting to encrypt my PC as soon as I reconnect online?





#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 28 May 2016 - 10:59 PM

Hmm, that does sound odd. There's a million tech scams that work that way, but I haven't heard of a pop-up scaring you about encrypted files - yet.

That's good you backed up everything, that would be my first suggestion of course, and fully disconnect that external before turning the computer back on.

If you have everything backed up, I would first start in safe mode and run extensive scans. I recommend Malwarebytes and HitmanPro for second opinions. I would maybe throw Malwarebytes Anti-Rootkit in there too.

If you open a browser and happen to see it again, I would be very interested in seeing a screenshot, now that you know your data is safe.

Past those scans, I would suggest running FRST and posting a topic in the "Am I Infected" forum where the Malware Response team can help you in checking for any real dirty infections.

Edited by Demonslay335, 28 May 2016 - 11:02 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 puckducker

  • Topic Starter

Posted 28 May 2016 - 11:44 PM

I'll try those scans in the morning and report back.

In general though, if I do have some kind of ransomware somewhere, if my files haven't been encrypted yet I should be safe as long as I stay disconnected from the internet, yes?

Also, is it possible for my files to have been "tagged" in any way, so that even all the files I just backed up externally could actually become encrypted, even if I were to wipe my PC and start clean?

#4 Demonslay335


Posted 28 May 2016 - 11:56 PM

They can't be encrypted if nothing is running. They don't encrypt themselves. If there is something dormant, we should be able to find it.

If you do find it to be a scam website, we can get it reported and put on some blacklists.

The Malware team can better advise on making sure the system is clean of course. Never hurts to be too cautious. I wouldn't plug that external in until you are 100% sure you're clean and know what you're dealing with.



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 May 2016 - 06:11 AM

From what you describe...it does sound like a pop-up scam...see Beware of Phony Tech Support Scams

As Demonslay335 noted, there are hundreds of such scams and more every day. Malwaretips.com Blog has previously reported a similar "All Your Files Are Encrypted" Scam after a browser redirect to a web page containing malicious JavaScript code that does not allow you to close the browser window or switch to a different web page.

If you need individual assistance with a possible malware infection, you should start a new topic in the Am I infected? What do I do? forum.

OR follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 puckducker


Posted 29 May 2016 - 12:01 PM

Thanks guys. Quietman7, the link you posted looks/sounds exactly like what I ran into.

I did drop down to safe mode and ran Malwarebytes, Hitman Pro, and the Malwarebytes Anti-Rootkit. They all found a few items (though given it's been a while since I've scanned anything, that's not too surprising on its own). But after running the fixes and then restarting in safe mode I ran all 3 scans again and they all came back clean.

So I've reconnected my PC to the internet, and things seem to be fine. I'm going to leave my backup drive disconnected for a week or so, just to stay safe.

I will start a new topic in the "Am I Infected" page, just to see if there is anything else still lurking around my PC that could be causing a problem.


Thanks again for the (speedy) help guys!



#7 quietman7


Posted 29 May 2016 - 01:59 PM

You're welcome on behalf of the Bleeping Computer community.