

Windows Defender detected "Ransom:JS/TechBrolo.A"


12 replies to this topic

#1 CloseToHome

CloseToHome

  • Members
  • 52 posts

Posted 02 August 2016 - 12:07 PM

Hey Bleeping Computer community!

 

Today, Windows Defender detected "Ransom:JS/TechBrolo.A" on my computer. Right now, it is quarantined, but not fully removed. Although, I don't seem to have any problems using my computer right now since I can still browse and open programs. Should I still be concerned? I Google'd this ransomware, but not much info is found on it aside from the information on the Microsoft website.

 

Thanks for any help!




 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,510 posts

Posted 02 August 2016 - 12:11 PM

The Microsoft page on that is certainly lacking any indicators or details...

Make sure you have proper backups in place. If you can safely extract the file from quarantine and "disable" it (just rename the extension to something like ".bin" so you can't double-click it by accident), you may submit the malware here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,076 posts

Posted 02 August 2016 - 12:14 PM

Brolo is a web page which "locks" your web browser and claims to be law enforcement. It doesn't touch the system and does not encrypt any files. You don't need to do anything as Windows Defender stopped the webpage from loading.

 

xXToffeeXx~




#4 CloseToHome

CloseToHome
  • Topic Starter

  • Members
  • 52 posts

Posted 02 August 2016 - 12:20 PM

The Microsoft page on that is certainly lacking any indicators or details...

Make sure you have proper backups in place. If you can safely extract the file from quarantine and "disable" it (just rename the extension to something like ".bin" so you can't double-click it by accident), you may submit the malware here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

I guess it's a new one since Microsoft added this on July 26. Thanks for the suggestion!

 

Brolo is a web page which "locks" your web browser and claims to be law enforcement. It doesn't touch the system and does not encrypt any files. You don't need to do anything as Windows Defender stopped the webpage from loading.

 

xXToffeeXx~

 

That's a relief. I have seen this page from streaming TV shows online. When the ransom page opens, I Ctrl+Alt+Delete and end all Google Chrome tasks. Thank you very much for the info!



#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,076 posts

Posted 02 August 2016 - 12:32 PM

 

Brolo is a web page which "locks" your web browser and claims to be law enforcement. It doesn't touch the system and does not encrypt any files. You don't need to do anything as Windows Defender stopped the webpage from loading.
 
xXToffeeXx~

 
That's a relief. I have seen this page from streaming TV shows online. When the ransom page opens, I Ctrl+Alt+Delete and end all Google Chrome tasks. Thank you very much for the info!

 

Glad you know what to do. Invest in an adblocker like uBlock Origin if you haven't already; it should hopefully cut down any annoying redirects like that.
 
xXToffeeXx~




#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts

Posted 02 August 2016 - 02:46 PM

For others reading this topic...

How to tell if you've been hit by fake ransomware

...If you can't identify the ransomware, then there's a chance it could be fake. In such cases, your files aren't actually encrypted; the attacker simply pops up a scary message and locks the screen. The ransom demand typically shows up inside a browser window and doesn't let the user navigate away, or it locks the screen and displays a dialog box asking for an encryption key. Because the victim can't close the message, it looks real.



#7 vygrip

vygrip

  • Members
  • 5 posts

Posted 03 August 2016 - 08:11 PM

Hello Bleeping Community,

 

I had the same experience as the original poster, that Windows Defender detected "Ransom:JS/TechBrolo.A" on my computer after (I promise!) the FIRST time I ever clicked a streaming program link, and I am having a new problem even after deleting the Trojan using Windows Defender - links are appearing as suggestions below the address bar when I type in my browser; however, I am not being redirected.

I am using an ASUS tablet with Windows 8.1 and IE 11.

When the ransom threat happened, I first tried to close the window with Ctrl + W and then just shut the computer off in a panic. I saw a message with a phone number and an audio file played threatening that it was sending my credit card information, etc., and that is about all I could say about it.

When I restarted, I ran Panda Cloud Cleaner and eset online scanner and CCleaner and MBAM (some simultaneously - I was panicking). They found nothing. I actually thought the Windows Defender message was part of the virus as it has never detected anything, but I looked and saw the detection message, and deleted the Trojan.

However, I am seeing strange links in my menu when I type in links, links that are not in my favorites and did NOT appear before including www.girlsgogames.com and www.gamefaqs.com

 

Many thanks for any help!



#8 vygrip

vygrip

  • Members
  • 5 posts

Posted 03 August 2016 - 08:39 PM

One more thing: I can get rid of the links by going to Internet Options>Content>Autocomplete Settings>Address Bar>Suggested URLs, so should I just turn them off and not worry?

 

 

Brolo is a web page which "locks" your web browser and claims to be law enforcement. It doesn't touch the system and does not encrypt any files. You don't need to do anything as Windows Defender stopped the webpage from loading.

 

xXToffeeXx~

Thank you for this information. I've never even heard of ransomware or fake ransomware, and I breathed a huge sigh of relief!

 

For others reading this topic...

How to tell if you've been hit by fake ransomware

...If you can't identify the ransomware, then there's a chance it could be fake. In such cases, your files aren't actually encrypted; the attacker simply pops up a scary message and locks the screen. The ransom demand typically shows up inside a browser window and doesn't let the user navigate away, or it locks the screen and displays a dialog box asking for an encryption key. Because the victim can't close the message, it looks real.

 

Thank you for the article. It was a little unclear to me how I could tell it wasn't real, then I re-read and... well, your quote covers it very well.



#9 vygrip

vygrip

  • Members
  • 5 posts

Posted 03 August 2016 - 08:58 PM

Demonslay335, on 02 Aug 2016 - 07:11 AM, said:

The Microsoft page on that is certainly lacking any indicators or details...

Make sure you have proper backups in place. If you can safely extract the file from quarantine and "disable" it (just rename the extension to something like ".bin" so you can't double-click it by accident), you may submit the malware here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Yes, Demonslay 335, the MS page was not helpful. I wish I had not deleted it, but all traces are gone from WD. I should have come here first!



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts

Posted 04 August 2016 - 06:48 AM

This is the Microsoft Malware Protection Center page...Ransom: JS/TechBrolo.A

#11 vygrip

vygrip

  • Members
  • 5 posts

Posted 06 August 2016 - 03:29 AM

Hello Bleeping Computer Community,

This is my first time posting about a problem and I would appreciate your patience. To clarify:

I had the same experience as the original poster. I clicked on a streaming program link and an audio file and screen popped up indicating my credit cards, passwords, etc. were being sent over the internet. I shut off my computer in a panic.

I restarted my computer and was able to log onto the internet without a problem. I ran Panda Cloud Cleaner and eset online scanner and CCleaner and MBAM (some simultaneously). They found nothing.

Windows Defender had detected and quarantined "Ransom:JS/TechBrolo.A" on my computer. I deleted the Trojan.

I am using an ASUS tablet with Windows 8.1 and IE 11.

 

However, I am concerned that I might have been infected with something else as I am seeing "suggested links" in the menu below my address bar that I am certain did NOT appear before I clicked on the troublesome link; these new links include www.girlsgogames.com and www.gamefaqs.com

I can get rid of the links by going to Internet Options>Content>Autocomplete Settings>Address Bar>Suggested URLs

My question is: should I worry about these suggested links (I am NOT being redirected) in the sense that they might indicate I was infected by something else, or should I just turn them off and not worry about them?

Thank you for any help/advice.



#12 vygrip

vygrip

  • Members
  • 5 posts

Posted 06 August 2016 - 03:34 AM

quietman7: Apologies for being unclear. I was trying to express 1) the MS page was, as Demonslay 335 stated, "lacking any indicators or details" and 2) I wish I hadn't deleted the Trojan so I could extract it and send it for analysis by Bleeping Computer.

 

Demonslay335, on 02 Aug 2016 - 07:11 AM, said:

The Microsoft page on that is certainly lacking any indicators or details...

Make sure you have proper backups in place. If you can safely extract the file from quarantine and "disable" it (just rename the extension to something like ".bin" so you can't double-click it by accident), you may submit the malware here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Yes, Demonslay 335, the MS page was not helpful. I wish I had not deleted it, but all traces are gone from WD. I should have come here first!

 

 

 

This is the Microsoft Malware Protection Center page...Ransom: JS/TechBrolo.A



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts

Posted 06 August 2016 - 06:07 AM

We can only go by what any actual scan logs show (what was detected, removed) and your description of whatever signs or symptoms of infection you are experiencing. Usually when a computer is infected with malware there most likely will be other obvious indications (signs of infection and malware symptoms) that something is wrong.

If you need individual assistance with a malware infection, you should start a new topic in the Am I infected? What do I do? forum

If you want a more comprehensive look at your system for possible malware by experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If you choose to post a log, please reply back in this thread with a link to the new topic.



