Beware – Ransomware

So this evening I was sitting at home when I got a panicked call from a friend in some distress. When he eventually explained what he was seeing on his computer screen at that moment, I immediately suspected a Ransomware infection.

Ransomware, for those who have been living on the third moon of Jupiter for the last few years, is a type of malicious software that basically holds your PC for ransom. The user is prompted to pay a fee to ‘free’ their computer.

Having seen a few infections in the past, this was by far the scariest looking. I can imagine many naive users being fooled by it, especially older PC users.

See below for yourself – the reasons your PC has been ‘locked’ are quite serious – pirating content, or one to scare the life out of any user – the mention of your PC being used to view child pornography. What gives it even more sway is that the Garda (Irish police force) logo is displayed.

The designers have also used the ‘McAfee Secure’ logo, obviously to give the user a sense that this is legitimate. Take it from me, it’s not.

This screen appears immediately after start-up, and the designer has even gone so far as to disable ALT-F4 and CTRL-ALT-DELETE, so you can’t exit the application or kill the process from the Windows Task Manager.

The infection itself is quite simple to remove. After booting into safe mode and checking the usual places like the Windows folder, I came across a suspiciously named folder in ‘C:\ProgramData’. It was a randomly named folder with a name like ‘ajklvnksnvsdfvfv’.

Inside was a 158 MB HTML page, along with all the necessary images, CSS files etc. There was also an .exe in the root of the ‘C:\ProgramData’ folder, the name of which I can’t remember, but it was named similarly to the folder holding the HTML file, images etc. (Regretfully, I didn’t have a USB key handy.)

Deleting these files and folders removes the infection, so it doesn’t seem to employ anything complex to evade detection.
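The two artefacts described above (a randomly named top-level folder under ‘C:\ProgramData’ holding a web-page lock screen, and an .exe in the root of ‘C:\ProgramData’ with a similar name) are easy to check for from a clean boot. The script below is an added triage example written for this post, not code from the original post or from any vendor; it walks a root directory, flags folder names that look machine-generated (long runs of consonants or almost no vowels), lists executables sitting in the root, and pairs any executable whose name resembles one of the flagged folders. The allowlist of known-good folder names, the similarity threshold and the sample directory layout are my own constructed assumptions, and the script only reports; it deletes nothing.

```python
"""Triage helper for the ProgramData drop described in the post.

Added example: flags randomly named top-level folders, stray executables in
the root, and exe/folder pairs with similar names. Reports only, never deletes.
"""
import json
import re
import tempfile
from difflib import SequenceMatcher
from pathlib import Path

VOWELS = set("aeiou")
# Constructed allowlist of folder names commonly seen under C:\ProgramData;
# extend it for your own estate (assumption, not taken from the post).
KNOWN_GOOD = {"microsoft", "package cache", "ssh", "usoshared", "softwaredistribution"}
SIMILARITY_THRESHOLD = 0.6  # assumed cut-off for "named similarly"


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consecutive consonants in the name."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic for names like 'ajklvnksnvsdfvfv': long, purely alphabetic,
    and lacking the vowel structure of a real word or product name."""
    lowered = name.lower()
    if lowered in KNOWN_GOOD or not re.fullmatch(r"[a-z]{8,}", lowered):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in lowered) / len(lowered)
    return longest_consonant_run(lowered) >= 5 or vowel_ratio < 0.2


def triage(root: Path) -> dict:
    """Scan the top level of root for the artefact classes the post describes."""
    findings = {"suspicious_dirs": [], "root_executables": [], "linked_pairs": []}
    for entry in sorted(root.iterdir()):
        if entry.is_dir():
            if looks_random(entry.name):
                # A lock screen built as a web page ships .html plus images/CSS.
                suffixes = {p.suffix.lower() for p in entry.rglob("*") if p.is_file()}
                findings["suspicious_dirs"].append(
                    {"name": entry.name, "web_payload": bool(suffixes & {".html", ".htm"})}
                )
        elif entry.is_file() and entry.suffix.lower() == ".exe":
            findings["root_executables"].append(entry.name)
    # Pair each root executable with any flagged folder it is "named similarly" to.
    for exe in findings["root_executables"]:
        for d in findings["suspicious_dirs"]:
            ratio = SequenceMatcher(None, d["name"].lower(), Path(exe).stem.lower()).ratio()
            if ratio >= SIMILARITY_THRESHOLD:
                findings["linked_pairs"].append((d["name"], exe))
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample layout mirroring the post: one legitimate folder,
    one random-named folder with a web lock screen, one similarly named exe."""
    (base / "Microsoft" / "Windows").mkdir(parents=True)
    (base / "Microsoft" / "Windows" / "settings.dat").write_bytes(b"\x00")
    drop = base / "ajklvnksnvsdfvfv"
    (drop / "img").mkdir(parents=True)
    (drop / "index.html").write_text("<html><body>LOCKED</body></html>")
    (drop / "style.css").write_text("body{background:#000}")
    (drop / "img" / "logo.png").write_bytes(b"\x89PNG")
    (base / "ajklvnksnvsdfvfa.exe").write_bytes(b"MZ")  # constructed, inert bytes
    (base / "setup.log").write_text("harmless log file")


def demo() -> dict:
    """Run the triage against the constructed sample tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    target = Path(r"C:\ProgramData")
    print(json.dumps(triage(target) if target.is_dir() else demo(), indent=2))
```

Run it as-is on the affected machine (from safe mode, as in the post) and review the reported names before removing anything; on any other system it falls back to the constructed sample so you can see the output shape. The name heuristic is deliberately crude, so treat a hit as a prompt to look inside the folder, not as proof of infection.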

Pass this on to any naive users you may know who could potentially see this infection – it may save them a lot of worry.