Ransomware screen with audio; what should I have done?

nightfly

Last night, while web browsing, all of a sudden I get a full screen ransomware type, with message on screen AND audio telling me I have to click on something and/or call them OR they will be forced to lock all the files on my computer 'to prevent the spread of the malicious files'. Before it even completed playing the audio, I just pulled the plug on the computer, removed the drive, and wiped it with another machine.

But in retrospect, what should I have done? The boot drive was only a 60GB SSD, I could have saved it if necessary so someone who knows more than I do could figure out what happened. Now, there's no way to figure out whether there was something installed a while ago, or it was a website I just visited? The only things that I had open at that point were tabs from youtube and the most recent thing that I had opened was a link off of a yahoo news page pretty much right before the ransomware screen popped up. Assuming it was from that link, do I need to let yahoo know what I clicked on? I run malwarebytes every week, but this happened on a Friday so it's been five days since that scan. Also had Avast free version running, too.

No apparent infection anywhere, but just want to know how to proceed.
 
Kill the power and pull the drive and scan it from a known good machine in a drive caddy.

If you knew you had a good backup then wiping it would be OK too.
 
Pulling was the best thing.

Question is now what site did you visit that prompted this or what bad ad network had a bad site in; telling yahoo, they won't do jack and will blame it on your computer.

There are MANY "fake" web sites like what you just said that give you all those windows that say "quick, you're infected, call us". They are all BS and are often just a webpage; closing your browser usually does the trick.
 
But in retrospect, what should I have done?
If you had no data you wanted to keep, it doesn't matter other than the time taken to get up and running again.
I would browse within a sandbox from now on.
If it goes titsup, delete the sandbox contents and you are back to square one.
 
Kill the power and pull the drive and scan it from a known good machine in a drive caddy. If you knew you had a good backup then wiping it would be OK too.
I don't store data on the boot drive. So I don't lose anything; just repartition, reformat, and reinstall the OS. I believe that deleting the entire partition and then partitioning again with a slightly different size will essentially write over/delete anything that might be on the drive. Correct? OR....could there be something in that tiny alignment partition that goes on the drive before any OS partitioning is done?

Pulling was the best thing. Question is now what site did you visit that prompted this or what bad ad network had a bad site in; telling yahoo, they won't do jack and will blame it on your computer. There are MANY "fake" web sites like what you just said that give you all those windows that say "quick, you're infected, call us". They are all BS and are often just a webpage; closing your browser usually does the trick.
I wasn't willing to take the chance. I figured that if it was still in the process of telling me what it MIGHT do, I could cut it off at the knees just by cutting the power. Seems to have worked out that way. Knowing the problems inherent in trying to resolve the problem had they actually encrypted the whole computer, I just didn't want to have to go through all that trouble if I could avoid it.

If you had no data you wanted to keep, it doesn't matter other than the time taken to get up and running again. I would browse within a sandbox from now on. If it goes titsup, delete the sandbox contents and you are back to square one.
Tried Sandboxie a while ago. Is that still a decent option?

I was just curious to ask if there was some sort of way to figure out where it came from, as I don't go to porn sites often (nothing recently, at least not this year anyway) and it basically came out of nowhere. I follow all the normal browsing precautions, and not opening emails from someone I don't know, not opening attachments without scanning first, etc. It was just weird that it happened at all. If it happens again, I'll save the drive intact and then scan it to see what's there. Any recommendations of what to use that will show the date it was put onto the drive? While it's easy enough to get the install date of files, I don't know how to look at registry entries and figure out when they were put there. Though, I guess I'll just back up the registry with every boot. Then at least I'll have some idea.
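The question above (how to tell when a registry entry was put there, given a drive pulled intact and mounted in a caddy) is one the Windows API can answer: every registry key carries a last-write timestamp, even though Regedit and the PowerShell registry provider do not display it. The following is an added example, not code posted in this thread; it P/Invokes RegQueryInfoKey to read that timestamp for the common autostart keys of an offline SOFTWARE hive, then lists files created in the usual drop directories since the last weekly scan. The hive name "Suspect", the D: drive letter and the five-day window are assumptions to adjust to the case.

```powershell
# Added example (not from the thread): triage a pulled Windows drive for
# recently written autostart registry keys and recently created files.
# Run in an elevated PowerShell on a known-good machine with the suspect
# drive in a caddy, after loading that drive's SOFTWARE hive under an
# assumed name (both the name and the D: letter are assumptions):
#   reg load HKLM\Suspect D:\Windows\System32\config\SOFTWARE

# RegQueryInfoKey is the Win32 call that exposes a key's last-write time;
# the PowerShell registry provider does not surface it, so P/Invoke it.
$signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "RegQueryInfoKeyW")]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    System.Text.StringBuilder lpClass, ref uint lpcchClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
$RegApi = Add-Type -MemberDefinition $signature -Name RegApi -Namespace Triage -PassThru

function Get-RegKeyLastWrite {
    # Returns the local-time last-write timestamp of an open RegistryKey.
    param([Microsoft.Win32.RegistryKey]$Key)
    $cls = New-Object System.Text.StringBuilder 256
    [uint32]$clsLen = $cls.Capacity
    [uint32]$n1 = 0; [uint32]$n2 = 0; [uint32]$n3 = 0; [uint32]$n4 = 0
    [uint32]$n5 = 0; [uint32]$n6 = 0; [uint32]$n7 = 0; [long]$ft = 0
    $rc = $RegApi::RegQueryInfoKey($Key.Handle, $cls, [ref]$clsLen, [IntPtr]::Zero,
        [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { return $null }
    return [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
}

# Autostart locations under the loaded hive. Persistence left by a real
# infection usually lands here, and the key's write time says when.
# (Per-user Run keys live in each profile's NTUSER.DAT, loaded the same way.)
$hive = [Microsoft.Win32.Registry]::LocalMachine
$runKeys = @(
    'Suspect\Microsoft\Windows\CurrentVersion\Run',
    'Suspect\Microsoft\Windows\CurrentVersion\RunOnce',
    'Suspect\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($path in $runKeys) {
    $key = $hive.OpenSubKey($path)
    if (-not $key) { continue }
    Write-Output ("{0}`n    key last written: {1}" -f $path, (Get-RegKeyLastWrite $key))
    foreach ($name in $key.GetValueNames()) {
        Write-Output ("    {0} = {1}" -f $name, $key.GetValue($name))
    }
    foreach ($sub in $key.GetSubKeyNames()) {
        $s = $key.OpenSubKey($sub)
        Write-Output ("    {0}\{1}  written {2}" -f $path, $sub, (Get-RegKeyLastWrite $s))
        $s.Close()
    }
    $key.Close()
}

# Files created since the last clean scan (five days here, an assumption) in
# the usual drop directories on the offline drive, newest first.
$since = (Get-Date).AddDays(-5)
$dropDirs = @('D:\Users\*\AppData\Roaming', 'D:\Users\*\AppData\Local\Temp', 'D:\ProgramData')
Get-ChildItem -Path $dropDirs -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize
```

Unload the hive with `reg unload HKLM\Suspect` when finished. Reading the drive this way, from a clean machine with the suspect OS never booted, keeps the timestamps intact; booting the suspect install to look around would itself rewrite many of the keys and files you want to date. A scareware page of the kind described in this thread normally leaves nothing in these locations, and an empty result here is evidence of exactly that.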
 
Boot sector viruses are rare but if you really format it proper then that will get wiped too.

When in doubt use the manufacturer's drive wiper. It is surprising the amount of tools manufacturers make public that peeps seem to overlook.

Knowing how to search the registry is just from years of manually hunting down bugs. Registry cleaners etc usually suck the big one when it comes to anything useful. They usually fuck up more than they fix, usually because most peeps don't know what all the recommended fixes really are and they just click 'OK'. So beware.
 
diskpart
clean all

In another computer...

or DBAN, that should remove anything for certain.
 