RANSOMWARE TORPROJECT

Hi all,

Tonight began one of the worst experiences I have come across. I was using my computer to watch some sport on YouTube. I then went to watch a few things on my Plex media server and it kept coming up with playback errors ('check if file is mounted correctly'), so I navigated to the file and I noticed my mp4 and mkv files had all become macro-enabled Word files with the file extension .docm. There was also a .txt file in the directory telling me that all files were encrypted and I needed to do the following steps. I immediately thought I would scan with Malwarebytes and this quarantined a number of items. I then thought I would try a system restore but this would not complete successfully. I then tried to boot to safe mode to do the restore again. However, this led to just a black screen. I had to restart the computer with the power button. I thought on restart I would press F8 when the boot-up screen appears. However, this screen never appeared. The screen remained black for a few moments until eventually the login screen appeared. I then tried to do an advanced restart to reset the computer, which again resulted in this black screen. I had to turn the computer off again at the power and try again. This time I tried to boot to safe mode using command prompt. AGAIN the black screen. I thought there must be something wrong with the hard drive, so I disconnected the hard drive and plugged in a brand new one and booted up. I expected the BIOS to load but no, it was just the black screen again. Does anyone have any ideas what could be going on? Any advice would be appreciated. I hope this all makes sense.


What does this have to do with tor?

 

Anyway, if you were hit by ransomware, which you almost certainly were, your data is unfortunately lost. Don't pay; there's no guarantee they'll ever give you the key. To get your computer working normally again you'll need to reinstall Windows and be more careful with what you download.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


How much are they saying to pay?

But as Sauron said, there is no guarantee they will give you the key.

Try Geek Squad? I have heard of people getting them to remove ransomware.

✧・゚: *✧・゚:*  Quote for a reply  *:・゚✧*:・゚✧

 

✧・゚: *✧・゚:*   Ask for discord   *:・゚✧*:・゚✧


3 minutes ago, iLostMyXbox21 said:

Try Geek Squad? I have heard of people getting them to remove ransomware.

I find that very hard to believe; ransomware cannot simply be "removed" once the data is encrypted. They probably just reinstalled Windows or restored a backup.


1 minute ago, Sauron said:

I find that very hard to believe; ransomware cannot simply be "removed" once the data is encrypted. They probably just reinstalled Windows or restored a backup.

I highly agree with this.

 

Also when did you get the new pfp? I preferred the last haha

My Folding Stats - Join the fight against COVID-19 with FOLDING! - If someone has helped you out on the forum don't forget to give them a reaction to say thank you!

 

The only true wisdom is in knowing you know nothing. - Socrates
 

Please put as much effort into your question as you expect me to put into answering it. 

 

  • CPU
    Ryzen 9 5950X
  • Motherboard
    Gigabyte Aorus GA-AX370-GAMING 5
  • RAM
    32GB DDR4 3200
  • GPU
    Inno3D 4070 Ti
  • Case
    Cooler Master - MasterCase H500P
  • Storage
    Western Digital Black 250GB, Seagate BarraCuda 1TB x2
  • PSU
    EVGA Supernova 1000w 
  • Display(s)
    Lenovo L29w-30 29 Inch UltraWide Full HD, BenQ - XL2430(portrait), Dell P2311Hb(portrait)
  • Cooling
    MasterLiquid Lite 240

What is very unusual about this is that the note is not in an obvious location. I understand I should reinstall Windows, but the problem is I can't do this. I can't even get into the BIOS to change the boot-up. The computer just shows a black screen. What do yous think?


3 hours ago, NeilMcMahon12 said:

What is very unusual about this is that the note is not in an obvious location. I understand I should reinstall Windows, but the problem is I can't do this. I can't even get into the BIOS to change the boot-up. The computer just shows a black screen. What do yous think?

Remove the boot drive and use a different one.


7 minutes ago, iLostMyXbox21 said:

Remove the boot drive and use a different one.

Hi, I unplugged the solid state drive, which is my boot drive, and plugged it into a spare SATA I had, and it is still just the same. Straight to black screen.


Must have been a rootkit too.

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


3 hours ago, NeilMcMahon12 said:

Hi, I unplugged the solid state drive, which is my boot drive, and plugged it into a spare SATA I had, and it is still just the same. Straight to black screen.

I mean use a different drive completely; this one is the one with the Windows that has the ransomware, so try getting a different one for booting and consider wiping this one. Maybe even wipe an HDD and use that? I have never had ransomware so I am not 100% sure how to fix it, but this is just something that I think should fix it, just because if your Windows is infected, getting fresh Windows should fix it.


6 hours ago, will1432 said:

Must have been a rootkit too.

What would a rootkit do? And how would I go about fixing it?


Thanks. Has anyone any idea how I get the computer past a black screen when it has just turned on? It's not even giving me an option to get into the BIOS.


Try unplugging all hard drives and SSDs before booting the PC (power cable or data cable, doesn't matter; unplug one and the disk won't be recognized).

If that works, so much the better. If it doesn't, we'll need to reset the BIOS. I'll cover that in the next bit.

If the PC has a "clear CMOS" button at the back, use that. Otherwise unplug the PC and remove the CMOS battery from the motherboard for a couple of minutes. That will clear the BIOS.

Once you've gotten into the BIOS, we'll need to look into which drive is causing the problem. To do that, reboot the PC with one drive connected and try to get into the BIOS again. Keep doing that until you've checked every drive.

Whichever drive is giving you issues is either dead or will need to be formatted. However, I wouldn't format it under Windows. A Linux bootable stick will do miracles here. You'll be able to boot into Linux, then attach the drive and wipe or format it using GParted.


8 hours ago, Ben Quigley said:

I highly agree with this.

 

Also when did you get the new pfp? I preferred the last haha

The old one was getting boring, I had it for over 2 years :P


OK, I am going to touch this. First, the encrypted data is a loss at this point.

You will need to remove ALL storage devices from the machine, and also, from what you are saying, I would clear the CMOS. Now, if this was a nasty enough attack they could have done something bad to your BIOS firmware, but I feel that is unlikely.

Now you will need a brand new SSD or HDD and a thumb drive or disk with Windows.

You will want to just install Windows as usual. Now, while Windows is installing, get some tape or sticky notes and label the drives as "infected" or "do not use" or whatever you need to so you don't insert them.

Now, if you care about that data, I would hold on to the disks for another 6 months to see if one of the many AV vendors releases a way to decrypt them. If not, there are ways to safely format these drives and use them again.

Now for the worst part. These attacks are normally worm-based, so it is important you take steps to scan and isolate any other devices on your network that this might have hit.

I am guessing, being a Plex server, it was partially exposed to web traffic, or your password for Plex was fairly easy to crack. Just use this as a learning experience and move on. Hell, the source might be another device in your network that is still passing around this ransomware.


On 6/21/2019 at 3:52 AM, Sauron said:

The old one was getting boring, I had it for over 2 years :P

Weak. :P

 

Real men have the same pic for 6 years until they're tired of people yoinking it and acting like complete retards.

Main rig on profile

VAULT - File Server

Spoiler

Intel Core i5 11400 w/ Shadow Rock LP, 2x16GB SP GAMING 3200MHz CL16, ASUS PRIME Z590-A, 2x LSI 9211-8i, Fractal Define 7, 256GB Team MP33, 3x 6TB WD Red Pro (general storage), 3x 1TB Seagate Barracuda (dumping ground), 3x 8TB WD White-Label (Plex) (all 3 arrays in their respective Windows Parity storage spaces), Corsair RM750x, Windows 11 Education

Sleeper HP Pavilion A6137C

Spoiler

Intel Core i7 6700K @ 4.4GHz, 4x8GB G.SKILL Ares 1800MHz CL10, ASUS Z170M-E D3, 128GB Team MP33, 1TB Seagate Barracuda, 320GB Samsung Spinpoint (for video capture), MSI GTX 970 100ME, EVGA 650G1, Windows 10 Pro

Mac Mini (Late 2020)

Spoiler

Apple M1, 8GB RAM, 256GB, macOS Sonoma

Consoles: Softmodded 1.4 Xbox w/ 500GB HDD, Xbox 360 Elite 120GB Falcon, XB1X w/2TB MX500, Xbox Series X, PS1 1001, PS2 Slim 70000 w/ FreeMcBoot, PS4 Pro 7015B 1TB (retired), PS5 Digital, Nintendo Switch OLED, Nintendo Wii RVL-001 (black)


Just now, flibberdipper said:

Weak. :P

 

Real men have the same pic for 6 years until they're tired of people yoinking it and acting like complete retards.

You changed your name tho?


10 minutes ago, flibberdipper said:

Weak. :P

 

Real men have the same pic for 6 years until they're tired of people yoinking it and acting like complete retards.

Bow, mortals! Never changing the default from Google and using that for everything wins!


10 minutes ago, Sauron said:

You changed your name tho?

ssssssshhhhhh it's a secret


There is no way to recover from ransomware, no ideas man, if the data was unrecoverable.


Here's a quick procedural rundown: 

0. Run a full antivirus/antimalware scan on every computer that is capable of accessing your server, as well as the server itself. 

1. Use the tool at https://www.nomoreransom.org/. You upload two encrypted files and the URL in the ransom note, and if your strain has been cracked then it will provide a decryption tool. 

2. If that didn't work, restore from backup. 

3. If you don't have a backup, either pay the ransom or wipe the system and start all over again. 

4. If you pay the ransom, make an offer for like 50% of what they're asking. These guys are usually willing to haggle. 

Intel 11700K - Gigabyte 3080 Ti- Gigabyte Z590 Aorus Pro - Sabrent Rocket NVME - Corsair 16GB DDR4

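Added example, not posted by anyone in this thread: a small Python triage script for the symptom in the opening post (media files renamed to .docm next to a ransom-note .txt) and for step 1 of the rundown above (you need two encrypted files plus the note's URL). Run from a clean machine against a read-only copy of the affected library, it separates untouched media (container magic bytes still present) from suspect ciphertext (no header, near-random bytes) and flags candidate notes; the entropy threshold, the note keywords and the sample directory are assumptions constructed for the demo, not values from the thread.

```python
import math
import os
import tempfile
from pathlib import Path

# Container signatures for the kinds of media the poster had in the Plex library
MKV_MAGIC = b"\x1a\x45\xdf\xa3"  # EBML header that opens every Matroska file
MP4_BRAND = b"ftyp"              # ISO BMFF box type found at offset 4 of an MP4
NOTE_WORDS = ("encrypted", "decrypt")  # assumption: wording a ransom note tends to use
ENTROPY_THRESHOLD = 7.5          # assumption: bits/byte above which a file head looks like ciphertext

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext sits close to 8.0, plain text far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: Path) -> str:
    head = path.read_bytes()[:4096]
    if head.startswith(MKV_MAGIC) or head[4:8] == MP4_BRAND:
        return "intact_media"          # container header survived: this file was not encrypted
    text = head.decode("latin-1").lower()
    if path.suffix.lower() == ".txt" and any(w in text for w in NOTE_WORDS):
        return "ransom_note"           # candidate note: keep it, step 1 of the rundown wants its URL
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect_encrypted"     # no header and near-random bytes: renamed ciphertext
    return "other"

def triage(root) -> dict:
    """Walk a library and bucket every file; 'suspect_encrypted' are the upload candidates."""
    buckets = {"intact_media": [], "suspect_encrypted": [], "ransom_note": [], "other": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            buckets[classify_file(p)].append(p.name)
    return buckets

def build_sample_tree() -> str:
    """Constructed fixture mimicking the poster's library after the incident (not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "match.mkv").write_bytes(MKV_MAGIC + bytes(range(256)) * 4)  # untouched Matroska file
    (root / "clip.mp4").write_bytes(b"\x00\x00\x00\x18ftypisom" + b"\x00" * 64)  # untouched MP4
    (root / "movie.mkv.docm").write_bytes(os.urandom(4096))  # stand-in for a renamed encrypted file
    (root / "README_RESTORE.txt").write_text("All your files have been encrypted. Follow these steps...")
    (root / "notes.txt").write_text("shopping list: milk, eggs")  # ordinary text, must not be flagged
    return str(root)
```

Point triage() at the real library path; build_sample_tree() exists only to exercise the classifier. The magic-byte check deliberately wins over the entropy check, so a genuine MKV (which is itself high-entropy compressed data) is never mistaken for ciphertext.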
