A 'ransomware' bypass refresher?



Postby Soupspoon » Mon Feb 22, 2016 11:19 pm UTC

(Had searched for a prior topic upon this subject, apologies if I missed one. Admins/etc are welcome to merge or move.)

An elderly gentleman of my acquaintance just got partly fooled by a phone-call, pretending to be from his ISP.

Long version of the story:
He got to the stage of going to a website (not the ISP's... I think he said "weable.<com or net or somesuch>", but it's probably an opportunistic address, and not useful in the long run), seeing the "ISP's letterhead" (sic) and logging in with the details he was provided to get a form pop up, apparently to fill in for a refund although (had he not had enough reservations to ask enough awkward questions to have the person on the other end put the phone down on him), I suspect it would have been account draining, instead.

(We don't think he was asked for money to unlock. Sounds like they just gave up on him trying to understand their accents. Or just haven't yet proceeded to the next planned stage in the scam.)

However, all is not yet well. Whether by that point, or between then and the moment that I encouraged him over the phone to turn the machine off (he also cleared the browser history, before that, which I never asked him to! ...I think he's picked that up as a 'security tip', recently) something else happened. When I get there and boot back up (disconnected from the network, for safety) and there's an XP (yes, it's XP; yes, I know, but that's not the problem; no, I'm not going to force him to get used to a newer version of Windows) administrator password required, of the "syskey" variety. And a basic bootable Linux USB stick that I happened to have requires me to input a password to mount the drive. I should have asked him to keep the machine on and disconnect the network cable, but I had my doubts that I could have directed him towards the right cable, and my priority was to prevent further damage happening.

Long story short(er), I'm going back tomorrow with the right tools to fix the problem. I previously have used a tried-and-tested bootable CD with everything I normally need for all kinds of problems, including this one, but I haven't used it for months and suspect that I left it with the last person I did anything of import for. So now I have a night to assemble a bootable stick (or several) of the tools I suspect I'll need to use. I was thinking that you lot might have thoughts on this.
...
My shopping list is as follows:
1) Possibly a distro with a disc image/backup utility, before I get started.
2) Very likely this password remover, to get past the first block.
3) I'd like to have a good malware finder on an independently-booting disc(/USB), although the machine already has a valid active AV (and MalwareBytes and HijackThis, just needing updating) after prior scares, and after stage 2 I'm sure I can probably go in and scan for residuals via safe-mode. (I suspect that no 'malware' was involved, merely a temporary manually-allowed hijack. Better safe than sorry, however!)

But additions/amendments to that list are welcome, and why I'm pestering your good selves. I've already considered replacing #2 with a Hijackthis-like password brute-forcing solution, and from that knowledge I can then get in and later properly disable the syskey passwords from within Windows. But the time needed would be somewhat unknowable, in advance, especially if the target solution ends up being something like ten random alphanumeric characters, or worse, rather than just one of the trivial permutations of a typical word-list. Simpler to go with the above solution, I think.

I'm not currently bothered about a combined boot-disk solution (the one I've misplaced was Ok, but had a few out-of-date tools on it, and I hadn't gotten around to updating it), and have a number of spare thumb-drives at hand so I don't need to mess with setting up multi-distro boot options. Separate "LiveUSBCreater"-type installs onto separate sticks is probably easiest, off the bat.

And perhaps someone can remind me of any other problems I might need to be prepared to deal with, but have temporarily forgotten about.

(And, once I've solved this problem - touch wood! - I would like to get my new utils disc/stick rebuilt, so the thread needn't stop once the emergency job is over.)

(Update: I've equipped myself with CloneZilla (for the first part of my shopping list) and the Trinity Toolkit (covers #2-3, if not #1 as well). Or at least I've created the USBs for them. Not yet tested that they boot up, as I've no machine at hand that I can comfortably stop running its current task for a test-reboot, just yet! ;) )


Re: A 'ransomware' bypass refresher?

Postby cphite » Tue Feb 23, 2016 10:18 pm UTC

Toolkit sounds fine.

I know you don't want to hear this but running XP - especially for someone like your friend who is prone to clicking on things he shouldn't and actually providing data - is a problem in and of itself. If your friend is just using the machine to surf the web and that sort of thing, you might want to consider having him try some variant of Linux - Ubuntu, Mint, there are several that aren't too difficult for someone to learn.

If he's going to stick with XP then frankly I'd consider the machine compromised. Unless there is data that he absolutely must have, it should be wiped clean and re-installed. Take an immediate image after the install, and show him how to keep his personal stuff on some external device. And set him up with a non-administrative account.


Re: A 'ransomware' bypass refresher?

Postby Soupspoon » Tue Feb 23, 2016 11:55 pm UTC

cphite wrote: Toolkit sounds fine.

For the record, that item from the link in the second in the list did everything it promised (except that I also had to unlock/undisable and blank-password the Administrator and user accounts with it - it didn't seem to zero the given passwords like it said it would, when it nuked the syskey setting...). It looks a little different from the old one I used (might not have been the same; mostly I've only needed to jiggle with the Hives a bit), but was certainly well-enough designed for me to easily use, when putting it to the purpose I needed to.

cphite wrote: I know you don't want to hear this but running XP - especially for someone like your friend who is prone to clicking on things he shouldn't and actually providing data - is a problem in and of itself. If your friend is just using the machine to surf the web and that sort of thing, you might want to consider having him try some variant of Linux - Ubuntu, Mint, there are several that aren't too difficult for someone to learn.

Elderly gentleman, a technophile by heart but a little stuck in his ways and there's also quite a lot of specialist software (picture editing, OCR, etc) that would take a lot of effort to relearn...
Last year, somehow his version of Photoshop - originally supplied on a disc with the transparency-capable scanner that he got whilst he was still on Win9x - stopped working and then refused to re-install. It was something wrong with the 16-bit subsystem. It took a while to get him used to a natively 32-bit version and the new interface to the necessary TWAIN drivers to support slide-scanning. I'm a GIMP man, myself, but the differences would have been far more had I changed him over to that...
...I'm not saying I couldn't sort him out with Linux but... on balance.

cphite wrote: If he's going to stick with XP then frankly I'd consider the machine compromised. Unless there is data that he absolutely must have, it should be wiped clean and re-installed. Take an immediate image after the install, and show him how to keep his personal stuff on some external device. And set him up with a non-administrative account.

(Almost) all data already is on an external drive. (Machine has just 80Gb of HDD... I was repairing it with tools (rattling around!) on a 256Gb stick! Meant I could fit three uncompressed disc images on it, if I wanted to! Just got the one, so far, but I'm going to make a post-'fixed' one in a few days' time when I next go round.)

Anyway I've already swept the thing high and low, both with 3rd-party tools that I know and love and manually (everything from native MSConfig/regedit scanning to examining the MBR for residual oddities), and I'll also be going through the image shortly to double-check there aren't any residual files that I can't account for. But it's also unplugged from the router, for the time being (after initial AV scans, I put it temporarily online to update the databases and then offline again with the latest signatures in the scanners' repertoires).

It's already set up (via the "ctrl userpasswords2" setting) to auto-login to the non-administrator account. A view of the Run-box history shows (as well as the URL for the site they used to remotely initiate the hijack, and the usual log-viewer "to be shown that there are errors") signs of what was done to get the syskey to run. (Might have been scripted from the remote-access feature, as my 'client' is adamant that nobody showed him the 'error logs', something that he's already aware of as a warning sign, yet the evidence is there in the Run history that something (possibly that backgrounded it, for later use). Probably just a permanent bit of the 'zealous autoconfig'-like script, so that 'proof' is available if the conversation turns in that direction.)


Anyway, he's had a bit of a fright (including me shouting at him over the phone to turn the machine off, when I first got his call that he was concerned about something). He already knew many forms of phishing and scamming to avoid, and now he's got another one to add to the list. He'll never trust anyone phoning him pretending to be from his ISP again. (Some might say that this is a problem if his ISP actually does want to contact him, by phone. But his ISP is TalkTalk, so it's probably beneficial to ignore them even if it is a genuine call. ;) )


At some point, I'm going to have to work out the best way of setting up a multi-booting USB, though. Everything I can, on one stick, including a handy cross-system partition available to store partition images/etc.
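Reconstructing the Run-box history that the post above describes examining, as an added example (not code from this thread): a parser for a `reg export` of the RunMRU key, run over a constructed sample export, that lists the commands most-recent-first and flags the kinds of entries the post reports seeing (syskey, the log viewer, the remote-access URL). The watch-list and the sample values are assumptions, not data from the machine discussed.

```python
r"""Parse a `reg export` of the Run-box history (RunMRU) and flag entries.

Windows keeps Run-box history under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: one string
value per entry (named a, b, c, ...) ending in "\1", plus "MRUList", whose
letters give the most-recent-first order.
"""
import re

# Constructed sample export (not from the machine in the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="eventvwr\\1"
"b"="syskey\\1"
"c"="http://example.invalid/support\\1"
"d"="cmd\\1"
"MRUList"="bcad"
'''

# Hypothetical watch-list of the things the post reports seeing in Run history.
SUSPECT = {
    "syskey": "startup password tool (the lock-out described above)",
    "eventvwr": "event viewer, used to 'show' the victim errors",
    "http": "URL opened from the Run box (remote-access site)",
}

def parse_runmru(reg_text):
    """Return (value_name, command) pairs, most recent first."""
    entries, order = {}, ""
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_text, re.M):
        # .reg exports escape backslashes as "\\"; undo that first.
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == "MRUList":
            order = value
        else:
            # Strip the trailing "\1" marker the Run box appends.
            entries[name] = value[:-2] if value.endswith("\\1") else value
    return [(n, entries[n]) for n in order if n in entries]

def flag_entries(history):
    """Pair each command with a watch-list reason, or None if not matched."""
    flagged = []
    for _, cmd in history:
        reason = next((why for key, why in SUSPECT.items()
                       if cmd.lower().startswith(key)), None)
        flagged.append((cmd, reason))
    return flagged
```

Call `flag_entries(parse_runmru(text))` on the text of a real export of that key, taken from the user's hive, to get the ordered history with reasons attached.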

