What is Ransomware?

Ransomware is a type of malware.  Unlike other forms of malware, its purpose is not to steal information from the system or to enlist the system in a botnet that is used to attack larger, "better" targets.

The intent of ransomware authors is to extort money from users.  Once a system is infected, it may become unresponsive and display a screen demanding payment of a set amount in exchange for an "unlock code."  Some variants display an official-looking screen claiming to be the FBI, the Department of Homeland Security, or just about any other law enforcement or government agency.  For example, the message may look like one of these:
Obviously, the look and layout of the lock page are limited only by the attacker's imagination.  For example, a recent variant, named Kovter, tries to make the "lock" more credible by using the victim's Internet browsing history.  Kovter checks whether any site in the computer's browser history appears in a remote list of sites (usually, but not necessarily, pornography related) whose content is not necessarily illegal.  If it finds a match, that website is displayed as part of the lock message.  If the user's browsing history has no match with the remote list, a random site (also usually pornography related) is included instead.  The lock message may also contain the computer's IP address and host name to add further credibility.  

How to Remove It?

Contrary to what the "lock" screen says, there is no need to pay to unlock your computer.  After all, if the FBI were really investigating a user for downloading illegal content, paying a few hundred dollar "fine" remotely would not make the case go away.  Illegal behavior triggers a knock on the suspect's door and sometimes an arrest, not an invitation to resolve the problem with a trip to 7-Eleven or Walmart. 

There are several options for removing the "lock" created by the ransomware.  Microsoft Windows includes System Restore, which returns the system to a previously saved state (one from before the ransomware "lock").  Microsoft's website documents the feature.  If your system has saved restore points, restoring it is very simple. 

Restart your computer and press F8 during the restart.  If your timing is right, you should see the Windows advanced boot options menu (if not, try again, pressing F8 repeatedly during the boot process).  On Windows 8 and later the F8 menu is disabled by default, and Safe Mode is reached instead through the Advanced startup (Recovery) options.  The screen should look similar to this:



Select Safe Mode with Command Prompt.  This mode starts a command prompt instead of the normal desktop shell, so the autostart entry that draws the lock screen is not launched.  At the command prompt, type:

C:\windows\system32\rstrui.exe

You should see a screen similar to this:


From there, you may select a restore point and follow the instructions.
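The same recovery can be scripted and, more usefully, the autostart entries that bring the lock back on a normal boot can be inspected before a restore point is chosen.  The following PowerShell is an added example written for this page; it is not code from the original post or from AVM Technology.  It assumes Windows PowerShell on Windows 7 or later, run elevated from the prompt reached through Safe Mode with Command Prompt (type powershell at that prompt).  The default Winlogon values and the Run key paths are standard Windows facts; the directory pattern used to flag suspicious entries and the function names are the example's own choices.

```powershell
# Added example (not from the original post): triage and System Restore helper
# for a lock-screen ransomware infection.  Run elevated from the prompt reached
# via Safe Mode with Command Prompt.  Assumes Windows PowerShell 5.x.

# 1. The restore points that rstrui.exe would offer, newest first.
function Get-RestorePointSummary {
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

# 2. Autostart locations a lock screen typically abuses.  Safe Mode with Command
#    Prompt does not launch the normal shell, which is why the lock does not
#    appear there, but anything left in these keys returns on a normal boot.
function Get-LockerPersistence {
    $findings = @()

    # Winlogon Shell/Userinit: stock values are explorer.exe and userinit.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
    }
    $props = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($actual -and $actual -ne $expected[$name]) {   # -ne is case-insensitive
            $findings += [pscustomobject]@{ Location = "$winlogon\$name"; Value = $actual }
        }
    }

    # Run/RunOnce keys: flag entries launched from user-writable directories
    # (heuristic chosen for this example; lockers rarely live under Program Files).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            if ($p.Value -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\') {
                $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
    $findings
}

# 3. Roll back to the newest restore point created before the infection.
#    This is what rstrui.exe does interactively; Restore-Computer reboots.
function Start-RestoreBeforeInfection {
    param([Parameter(Mandatory)][datetime]$InfectedSince)
    $candidate = Get-ComputerRestorePoint |
        Where-Object { $_.ConvertToDateTime($_.CreationTime) -lt $InfectedSince } |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1
    if (-not $candidate) { throw "No restore point older than $InfectedSince" }
    Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
}

Get-RestorePointSummary | Format-Table -AutoSize
Get-LockerPersistence   | Format-Table -AutoSize
# Uncomment once the infection time is known, e.g. yesterday:
# Start-RestoreBeforeInfection -InfectedSince (Get-Date).AddDays(-1)
```

Review the persistence findings before restoring: a Winlogon Shell value other than explorer.exe, or a Run entry pointing into AppData or Temp, identifies the file the restore must predate, and the path itself is worth keeping for the incident record.  If the found entry is the only foothold, deleting that registry value and the file it references removes the lock without a rollback at all.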

If your system does not have a restore point, you should still have little trouble getting rid of the "lock" screen.  Several vendors provide free bootable rescue disks that can be used to clean the system from outside the infected installation.  As a word of caution, download such tools only from the vendor's own site, and do so from a clean computer; otherwise you may trade one piece of malware for another.  Reputable rescue environments are available from BitDefender, Kaspersky, AVG, and Symantec (Norton).  

For example, Norton has an online video demonstrating how to use its product, see below:


This Information Security post has been presented by AVM Technology, LLC, a leading Computer Forensics, E-Discovery, and Computer Security consulting company with its main office in Richmond, VA and serving clients throughout the United States. AVM technology can be reached at (804) 332-5752.