Ransomware Locks Computers in the Name of “Anonymous Hackers Group”

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Softpedia said:
An interesting piece of ransomware has been spotted. Unlike its predecessors, it doesn’t leverage the name of a law enforcement agency to scare its victims, but the name of the infamous hacktivist movement Anonymous.
[attachment=2580]

Read more: http://news.softpedia.com/news/Ransomware-Locks-Computers-in-the-Name-of-Anonymous-Hackers-Group-303639.shtml
 


Malware1

Level 76
Sep 28, 2011
6,545
I will try to find this file :)

Found MD5: dece32561247309ddb9ad5c0d1024e56

EDIT:
More information:
SHA256: b3a55bcc6f88a60ca25e0a2687a6694756b91f45c6b9c82e249181ff69c93c0f
SHA1: c3a798c82069b57009b945cde46141c18263b023
ssdeep: 768:3XPI0QMD7FKjSuh6OWn/riItZblQGNv0IILiPsQs3D21Tf:3g07nOh6/nDTJJNs2PoD+f
File size: 47.0 KB (48128 bytes)
https://www.virustotal.com/file/b3a55bcc6f88a60ca25e0a2687a6694756b91f45c6b9c82e249181ff69c93c0f/analysis/
 

treefrog

New Member
Oct 28, 2012
111
MalwareCenter said:
I will try to find this file :)

Found MD5: dece32561247309ddb9ad5c0d1024e56

EDIT:
More information:
SHA256: b3a55bcc6f88a60ca25e0a2687a6694756b91f45c6b9c82e249181ff69c93c0f
SHA1: c3a798c82069b57009b945cde46141c18263b023
ssdeep: 768:3XPI0QMD7FKjSuh6OWn/riItZblQGNv0IILiPsQs3D21Tf:3g07nOh6/nDTJJNs2PoD+f
File size: 47.0 KB (48128 bytes)
https://www.virustotal.com/file/b3a55bcc6f88a60ca25e0a2687a6694756b91f45c6b9c82e249181ff69c93c0f/analysis/

Can't help noticing MSE - fail :rolleyes:
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
treefrog said:
Can't help noticing MSE - fail :rolleyes:

The fact that it doesn't have a signature for this threat can be understandable; however, the really tragic part is that this antivirus doesn't have any other real layer of protection that might detect or prevent this ransomware.

Now, regarding this ransom, I can only give +1 to the author for the imaginative text:

You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B., etc. will be published online, after this has been done the process, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.
Still LOL-ling....
 

Gnosis

Level 5
Apr 26, 2011
2,779
Seems similar to FBI Ransomware ....

That is probably because Anonymous has FBI agents in their ranks. LOL

Assuming there are no Russian mafiosi in their ranks, one day the Russian Mafia is going to kick the squat out of Anonymous, and it is not going to be a cyber kick. It will be a real one in a dark alley in Moscow or St. Petersburg. Then how anonymous will they be? Heck, there are probably Federal agents AND Russian Mafia in their clique. It just seems to work out that way most of the time. Crooks need protection just like victims need protection. That is where big government comes in.
 

illumination

kuttus said:
Seems similar to FBI Ransomware ....

That is because it is literally the same thing, other than utilizing a different scare tactic. Most of these "ransomware" can be dealt with through "safemode", although I have come across one particular case where the Ransomware actually popped up in safemode as it loaded, leaving no way to attack it through that vector.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
thewolfsmith72 said:
That is because it is literally the same thing, other than utilizing a different scare tactic. Most of these "ransomware" can be dealt with through "safemode", although I have come across one particular case where the Ransomware actually popped up in safemode as it loaded, leaving no way to attack it through that vector.


We can try another alternative way...

Start the computer in Safe mode with Command Prompt. Inside the Command Prompt type

Code:
net user administrator /active:yes

This one will activate the hidden Administrative User account on your computer.

After that restart the computer in Normal mode. Now you will be able to see one Administrator user account in your login screen like this.

[image: enabled-administrator-account-in-windows-vista.gif]


Now Login to the Administrator user account and Delete the infections manually or run our removal tools... :)

Infected file locations are as below


  • C:\Documents and Settings\{Your User Name}\Local Settings\Temp (In Windows XP)
  • C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup (In Windows XP)
  • C:\Users\{Your User Name}\Appdata\Local\Temp (In Windows Vista, Windows 7)
  • C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (In Windows Vista, Windows 7)
  • C:\Users\{User Profile}\AppData\Local\Microsoft\Windows\[Random]\[Random.exe]
  • C:\Users\{User Profile}\AppData\Local\Microsoft\Windows\[Random]
  • C:\Program Data\lsass.exe
  • C:\Program Data\[Random.exe]
  • C:\Program Data\csrss.exe
  • C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe


If you wish you can create a new user account also from the Safe mode with Command Prompt

Code:
net user UserName Password /add

Code:
net localgroup Administrators UserAccountName /add


To Disable the Administrator user account

Code:
net user administrator /active:no
 
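As an added, defender-side example (not code from kuttus's post or from any tool named in the thread): a PowerShell sweep of the persistence locations listed above across every profile on the drive, flagging executables in Temp and Startup and any file carrying a System32 process name (lsass.exe, csrss.exe, ctfmon.exe) in those user-writable folders, with Authenticode status and SHA256 so each hit can be checked on VirusTotal the way Malware1 did. It assumes PowerShell 5.0 or later (for `Get-ChildItem -Depth`) and that it is run from the enabled Administrator account so other users' profiles are readable.

```powershell
# Added example, not code from the thread. Sweeps the locations the post lists for every
# profile under \Users plus ProgramData (the post writes it as "C:\Program Data") and
# reports executables worth inspecting before anything is deleted.
# Assumes PowerShell 5.0+ (Get-ChildItem -Depth) and an elevated session.

$systemNames = @('lsass.exe', 'csrss.exe', 'ctfmon.exe')   # legitimate copies live in System32 only
$exeExt      = @('.exe', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.lnk')

# Candidate directories, built from the post's list; none of them is under System32,
# so any file here with a system process name is impersonating one.
$candidates = @("$env:ProgramData")
$userProfiles = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($p in $userProfiles) {
    $candidates += "$($p.FullName)\AppData\Local\Temp"
    $candidates += "$($p.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    $candidates += "$($p.FullName)\AppData\Local\Microsoft\Windows"   # post's "[Random]\[Random.exe]"
}

$findings = foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Depth 1 reaches the "[Random]" subfolder layer the post describes without a full recursion.
    Get-ChildItem -LiteralPath $dir -File -Force -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object { $exeExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $reason = if ($systemNames -contains $_.Name.ToLower()) { 'system process name outside System32' }
                      elseif ($dir -like '*\Startup') { 'executable in Startup folder' }
                      elseif ($dir -like '*\Temp')    { 'executable in Temp' }
                      else                            { 'executable under AppData\Local\Microsoft\Windows or ProgramData' }

            [pscustomobject]@{
                Reason    = $reason
                Path      = $_.FullName
                LastWrite = $_.LastWriteTime
                Signed    = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest writes first: a fresh ransomware drop normally sits at the top of this list.
$findings | Sort-Object LastWrite -Descending | Format-Table Reason, Path, Signed, LastWrite, SHA256 -AutoSize
```

Unsigned hits in Startup or Temp written in the last day, and anything named lsass.exe or csrss.exe outside System32, are the entries to look at first; a pre-existing, legitimately signed ctfmon.exe shortcut in Startup is not by itself a finding.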

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
thewolfsmith72 said:
Ransomware actually popped up in safemode as it loaded, leaving no way to attack it through that vector.
I've seen a few that didn't allow booting into Safe Mode with Command Prompt.......
I always prefer to remove a ransomware trojan using a bootable disk like Kaspersky Rescue Disk or UBC4Win.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Jack said:
thewolfsmith72 said:
Ransomware actually popped up in safemode as it loaded, leaving no way to attack it through that vector.
I've seen a few that didn't allow booting into Safe Mode with Command Prompt.......
I always prefer to remove a ransomware trojan using a bootable disk like Kaspersky Rescue Disk or UBC4Win.


If we are not able to start the computer in Safe mode with Command Prompt as well, we need to go with a bootable disk... :) like Kaspersky Rescue Disk, Norton Bootable Recovery Tool, etc.
 

illumination

kuttus said:
thewolfsmith72 said:
That is because it is literally the same thing, other than utilizing a different scare tactic. Most of these "ransomware" can be dealt with through "safemode", although I have come across one particular case where the Ransomware actually popped up in safemode as it loaded, leaving no way to attack it through that vector.


We can try another alternative way...

Start the computer in Safe mode with Command Prompt. Inside the Command Prompt type

Code:
net user administrator /active:yes

This one will activate the hidden Administrative User account on your computer.

After that restart the computer in Normal mode. Now you will be able to see one Administrator user account in your login screen like this.

[image: enabled-administrator-account-in-windows-vista.gif]


Now Login to the Administrator user account and Delete the infections manually or run our removal tools... :)

Infected file locations are as below


  • C:\Documents and Settings\{Your User Name}\Local Settings\Temp (In Windows XP)
  • C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup (In Windows XP)
  • C:\Users\{Your User Name}\Appdata\Local\Temp (In Windows Vista, Windows 7)
  • C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (In Windows Vista, Windows 7)
  • C:\Users\{User Profile}\AppData\Local\Microsoft\Windows\[Random]\[Random.exe]
  • C:\Users\{User Profile}\AppData\Local\Microsoft\Windows\[Random]
  • C:\Program Data\lsass.exe
  • C:\Program Data\[Random.exe]
  • C:\Program Data\csrss.exe
  • C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe


If you wish you can create a new user account also from the Safe mode with Command Prompt

Code:
net user UserName Password /add

Code:
net localgroup Administrators UserAccountName /add


To Disable the Administrator user account

Code:
net user administrator /active:no

With that particular one, you will not get that far; it did not matter which mode in safe mode you chose, even to repair the computer or set it back to last known good state, as soon as it started to load drivers and open, the Ransomware would be there blocking you from accessing anything. Worst one I have seen yet. Luckily, this person I was working for did not mind a factory reset, had nothing on his system he needed to save, and I was able to get a start up repair running and access the factory reset through it.. "Of course no disk, or internet at his place either." I was not prepared as it was a last minute call.. So no bootable anti virus with me either.. But I did manage to reset it, and send him on his way happy to have his system back.. Has anyone else seen a Ransomware like this? All the research I did on it pointed to being able to use safemode, but like I said, this was not happening on this system.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
It's important to note that some users have reported that this type of ransomware will in some cases encrypt files and folders. If you stumble upon a computer with encrypted files, you can try to run the following utilities:
- https://support.kaspersky.com/faq/?qid=208286527
- http://majorgeeks.com/story.php?id=34161
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
illumination said:
With that particular one, you will not get that far; it did not matter which mode in safe mode you chose, even to repair the computer or set it back to last known good state, as soon as it started to load drivers and open, the Ransomware would be there blocking you from accessing anything. Worst one I have seen yet. Luckily, this person I was working for did not mind a factory reset, had nothing on his system he needed to save, and I was able to get a start up repair running and access the factory reset through it.. "Of course no disk, or internet at his place either." I was not prepared as it was a last minute call.. So no bootable anti virus with me either.. But I did manage to reset it, and send him on his way happy to have his system back.. Has anyone else seen a Ransomware like this? All the research I did on it pointed to being able to use safemode, but like I said, this was not happening on this system.


I think this will be a rare case... We used to get 20-30 FBI cases every day.. Normally what we will be doing is:

1. Will Try Directory Services Restore Mode.
2. Safe mode with Command Prompt (Either Activate the Administrator User Account, or Create a new User)
3. System Restore from Recovery Console. (In Windows Vista and 7)
4. If customer is having another user account login to that one
5. Bootable Recovery Tools.

If none of this is working, then we have to go with System Recovery... taking that as the very last option.
 