
cohidem


This topic is locked
6 replies to this topic

#1 AhhhLeah

  • Members
  • 139 posts
  • Gender:Female

Posted 04 February 2017 - 08:28 PM

Did not know this thread existed till now. Posted a few days ago under virus & malware log thread but received no response. I did not take a screen shot of the ransom note. I did write down the page link that popped up. It was cohidem.com/+2now0628 and I also have the phone number which I did not call.

I immediately did a system restore. It hung up at the end so I held the power button until it shut off. I then rebooted into safe mode and received confirmation that the system restore worked. Then did Malwarebytes (nothing), CCleaner (normal stuff), and Spybot (minor stuff) scans. Before being hit, I was cleaning up the laptop and, not realizing I might be jeopardizing things, I uninstalled Adobe Reader, 2 Java programs, and an ActiveX program. I have looked for a link to a program here to ID the ransomware but can't find one, so I am at a loss as to what to do to ID it for you. Have only been in safe mode since I was hit. Thank you for your time and expertise.

#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 04 February 2017 - 11:46 PM

There is no "program" to identify, you must upload a ransom note and encrypted file to ID Ransomware; link is in my signature.

Are your files actually encrypted, or was it just something saying you have to call a number? I've never seen a real ransomware with a support number before (the one that did was a spoof). It sounds more like you stumbled across a tech support scam on a website, which can do nothing to your computer if you didn't let them remotely control the computer.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 AhhhLeah (Topic Starter)

  • Members
  • 139 posts
  • Gender:Female

Posted 05 February 2017 - 09:04 AM

I don't see any evidence my files are encrypted. My concern is that last week I was also hit (different laptop). I now know I had visited the same (clearly hacked) website both times. It's a popular website I have visited regularly for 3 years but I remember it was acting funny and the tab was in the process of closing both times. The first time a voice told me my files had been encrypted, it told me a phone number to call, and the ransom note appeared. I do not remember a phone number being on the ransom note. A system restore failed, my hard drive was quickly wiped, and it would not power up after 30 minutes. After the attempted system restore I was able to power up briefly in safe mode but never again saw the ransom note. This week I received 3 beeps over the audio and the ransom note popped up with the phone number printed on it. A system restore worked. I have not seen the ransom note since. I'm just afraid to go out of safe mode in case it's a virus. It's clear the first one was ransomware but this is acting more like it could be a virus. Due to the fact I watched my hard drive being wiped last week, I could only assume I was heading down a similar road this week. I don't know what my next move should be.

Thank you for a quick response!

#4 AhhhLeah (Topic Starter)

  • Members
  • 139 posts
  • Gender:Female

Posted 05 February 2017 - 09:44 AM

You can lock this thread. The malware thread is now helping me. Thank you for your time and expertise.

#5 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 05 February 2017 - 11:00 AM

Good. Gary will get you taken care of.  :thumbup2:

 

I would definitely take the opportunity to be sure you have good backups. Even if this is not actually a ransomware situation, it very well could have been. I always recommend having a hard backup (flash drive, external drive, DVDs, etc., not connected to the PC when not in use), as well as a cloud backup since that is automatic and offers revisions (important for if ransomware overwrites the files!). My recommendations (in no particular order) would be CrashPlan, Carbonite, Dropbox, or Google Drive. Most have free plans up to 5-10GB usually, and past that is usually $5-10/mo; it is very much worth it if you care in the least about your data.

 

Also I would request if you happen to stumble upon the URL that was giving you the phone number, you may PM it to me, and we can see about getting it reported (and hopefully taken down).


Edited by Demonslay335, 05 February 2017 - 11:01 AM.



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,485 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 February 2017 - 07:10 PM

... I did write down the page link that popped up. It was cohidem.com/+2now0628 and I also have the phone number which I did not call...

Yes that sounds like a common scam.

Actual ransomware usually will have obvious indications (signs of infection)...it typically targets and encrypts data files so you cannot open them on your computer (and all connected drives at the time of infection), in most cases it appends an obvious extension to the end or beginning of encrypted filenames (although some variants do not), demands a ransom payment by dropping ransom notes in every directory or affected folder where data has been encrypted and sometimes changes Windows wallpaper. Less obvious symptoms include adding or modifying registry entries and deletion of Shadow Volume Copies so that you cannot restore your files from before they had been encrypted but leaves the operating system working so the victim can pay the ransom. Further, when dealing with real ransomware, the cyber-criminals generally instruct their victims to contact them by email or website for decryption...they do not provide a phone number to call for assistance.

If there are no obvious extensions appended to your file names, no ransom notes, no demands of payment and your data is not actually encrypted, then you most likely are dealing with fake ransomware, a fake web page in your browser, some version of a Tech Support Scam or something else. For more information about how these scams work and resources to protect yourself, please read Beware of Phony Emails & Tech Support Scams...there are suggestions near the bottom for dealing with scams and a list of security scanning tools to use in case the usual methods do not resolve the problem or you allowed remote access into your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
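The two obvious indicators quietman7 lists above (a suffix appended to data file names, and the same ransom note dropped into every folder where data was encrypted) can be checked over a file listing. The script below is an added example, not code from this thread or from BleepingComputer; the extension list, the note name and the file listings are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# A further suffix after one of these data extensions is the "appended
# extension" indicator quietman7 describes (list is a constructed sample).
DATA_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}

def appended_extension(path):
    """'report.docx.locked' -> '.locked'; 'report.docx' -> None."""
    suffixes = PurePosixPath(path).suffixes
    if len(suffixes) >= 2 and suffixes[-2].lower() in DATA_EXTENSIONS:
        return suffixes[-1].lower()
    return None

def triage(listing, min_renamed=5):
    """Summarise indicators in one scan's file paths; min_renamed is how many
    renamed data files it takes before a suffix counts (one .bak does not)."""
    suffixes = Counter()                # appended suffix -> number of files
    affected = set()                    # folders holding renamed data files
    folders_by_name = defaultdict(set)  # file name -> folders it appears in
    for p in listing:
        pp = PurePosixPath(p)
        folders_by_name[pp.name].add(str(pp.parent))
        sfx = appended_extension(p)
        if sfx:
            suffixes[sfx] += 1
            affected.add(str(pp.parent))
    # Candidate ransom notes: an unrenamed file name repeated in most of the
    # affected folders (notes are dropped wherever data was encrypted).
    need = max(2, len(affected) // 2 + 1)
    notes = sorted(name for name, folders in folders_by_name.items()
                   if appended_extension(name) is None
                   and len(folders & affected) >= need)
    top = suffixes.most_common(1)
    return {
        "appended_extension": top[0][0] if top else None,
        "renamed_files": top[0][1] if top else 0,
        "affected_folders": len(affected),
        "ransom_notes": notes,
        # Both indicators together point at real encryption; neither suggests a scare page instead.
        "likely_encrypted": bool(top) and top[0][1] >= min_renamed and bool(notes),
    }

# Constructed file listings for the demonstration (not from any real system).
SAMPLE_ENCRYPTED = [
    "Documents/report.docx.locked", "Documents/budget.xlsx.locked", "Documents/README_DECRYPT.txt",
    "Pictures/vacation.jpg.locked", "Pictures/cat.png.locked", "Pictures/README_DECRYPT.txt",
    "Desktop/notes.txt.locked", "Desktop/README_DECRYPT.txt", "Program Files/app.exe"]
SAMPLE_SCAM_ONLY = ["Documents/report.docx", "Pictures/cat.png"]
```

A real run would feed `triage` the output of a directory walk; the heuristic is a first check, and the absence of both indicators matches quietman7's "no extensions, no notes, no encryption" case rather than proving the machine is clean.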

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,485 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 February 2017 - 07:28 PM

BTW, your other topic is here and Oh My! is now assisting you.

Since you are currently receiving help from the Malware Response Team, you should NOT be asking for help elsewhere. The Malware Response Team should be the only members that you take advice from, until they have verified your system is clean. If you have any questions or concerns about the tools you are instructed to run, please ask your helper.

To avoid confusion, I am closing this topic.

Good luck.
The BC Staff
