How can I safely remove an RSA 4096 ransom-ware virus?


My dad's computer got infected with an RSA 4096 ransom-ware virus. For those who don't know, it is a virus that encrypts all the files on your PC using an RSA 4096 encryption key. Then you need to use a TOR browser to go and find a bitcoin address to pay for the key to unlock your files.

I've found a few Google searches, but I don't know whom to trust. Any guidance would be much appreciated.

I've included images of the screenshot my dad took of the problem.

Ransom-ware note:


John Somsky

Posted 2016-04-08T01:54:10.960

Reputation: 31

Are you concerned with recovering the files? If not, format and reinstall Windows. – Michael Frank – 2016-04-08T01:55:37.380

Yes, I would like to recover some files. But reformat/reinstall is probably a good solution. – John Somsky – 2016-04-08T01:59:16.910

You'll need the key then. Unfortunately, the bad guys have it. You either pay them and trust they give you the key, or accept the loss and start new with better security and backups. – Michael Frank – 2016-04-08T02:00:44.883

Good news, it's a relatively new computer (Dec 2015) so he has all his old data on an old computer. Bad news, he hadn't gotten his backups going since he moved to the new computer. – John Somsky – 2016-04-08T02:07:13.130

Of note: for some of the clones and versions of this type of software, the statements they make about the methods used were bullcrap. I mean, does one seriously believe anything they say? EX: Malwarebytes (group) found one version of these where the key was stored in the virus itself. So when it comes to "whom to trust", let's put the virus makers the lowest on the list for now :-) – Psycogeek – 2016-04-08T02:12:08.770

I agree, Psycogeek. I just didn't see anything from virus makers I've had previous experience with (Norton, McAfee, Kaspersky, Trend Micro, AVG). I don't want to infect his computer more trying to fix it. – John Somsky – 2016-04-08T02:36:58.097

Some old crypto variants had flaws and were easier to handle (there are tools out there to decrypt the files). The new ones however aren't as easy and it would take too much time. You'll need to know exactly which version you got infected with (look at what files it created, how it renamed them and the recovery note). I wouldn't recommend paying them unless you really really need the data. – Spokey – 2016-04-08T07:08:15.760
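Spokey's three clues (what files the malware created, how it renamed the originals, and the text of the recovery note) are exactly what the identification tables of decryption tools are keyed on. The script below is an added example, not code from the original thread or from any of the tools mentioned in it: a read-only triage pass over a copy of the affected profile that tallies extensions, finds files with an extension stacked on top of the real one (such as `report.docx.locked`), flags files whose first bytes look like random data, and lists candidate ransom-note files. The note-name regex, the entropy threshold and all sample file names and contents are my own assumptions and constructed data.

```python
"""Triage helper for a suspected ransomware hit: inventory a file tree to
collect the clues needed to identify the variant (appended extension, note names).
Added example; not from the original post. All sample names/contents are constructed."""
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic for ransom-note filenames (assumption: families vary; treat hits as leads, not proof).
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover|how[_ -]?to|readme|help).*\.(txt|html?|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root` read-only and return the identification clues a responder looks for."""
    root = Path(root)
    extensions = Counter()
    notes, stacked, high_entropy = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        extensions[path.suffix.lower()] += 1
        if len(path.suffixes) >= 2:          # e.g. report.docx.locked: extension appended to an existing one
            stacked.append(rel)
        if NOTE_PATTERN.search(path.name):   # note files are small text; skip the entropy test for them
            notes.append(rel)
            continue
        with path.open("rb") as fh:          # sample only the first 4 KiB of each file
            head = fh.read(4096)
        if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
            high_entropy.append(rel)
    appended = Counter(Path(p).suffix.lower() for p in stacked).most_common(1)
    return {
        "extension_counts": dict(extensions),
        "ransom_note_candidates": sorted(notes),
        "stacked_extension_files": sorted(stacked),
        "high_entropy_files": sorted(high_entropy),
        "likely_appended_extension": appended[0][0] if appended else None,
    }


def build_sample_tree(root: Path) -> None:
    """Write a constructed layout resembling a hit user profile (sample data, not a real case)."""
    docs = root / "Documents"
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_bytes(b"quarterly numbers\n" * 50)          # untouched, low entropy
    (docs / "report.docx.locked").write_bytes(bytes(range(256)) * 4)       # stand-in for ciphertext:
    (docs / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 4)       # every byte equally frequent
    (docs / "HOW_TO_RECOVER_FILES.txt").write_text("pay to decrypt")       # constructed note names
    (root / "RECOVERY_NOTE.html").write_text("<p>pay</p>")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Point `triage()` at a mounted, write-protected copy of the drive rather than the live machine; the script never writes, but working from a copy keeps the original evidence intact. The `likely_appended_extension` value and the note file names are the two strings to compare against the identification lists published by the anti-malware vendors the thread mentions; a match there is what tells you whether a free decrypter exists for that variant or not.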

You can't remove it. You have two options: restore from a backup, or pay to receive the key so the files can be decrypted. Outside of a very small subset of ransomware, these keys can only be obtained by paying. Unless you can identify the specific variant, what you're being told (restore or pay) really is all we can say on the matter. – Ramhound – 2016-04-08T12:14:09.027

Are there any sources on how often they don't decrypt the files when they're actually paid? It seems that no one would ever pay again if they didn't follow through; it would be terrible for business (very loose interpretation of "business"). – Xen2050 – 2016-04-08T16:35:01.437

How can I determine which variant of the virus he has? Also if someone wants to post a "reformat hard drive" answer, I'd be happy to mark that as my accepted answer. – John Somsky – 2016-04-08T22:47:24.817

I ended up just reformatting the computer. None of the data was worth the risk of reinfection and we didn't want to support the ransomers. Actually we used Windows 10 reset with the clean hard drive option. I've heard that the recovery partition is read-only and cannot be infected by viruses. Can anyone confirm this? – John Somsky – 2016-04-10T03:48:32.850

No answers