I got a call yesterday about my very favorite piece of malware around. This is a piece of ransomware that locks you out of your computer with a warning that the FBI has detected something on your computer that it doesn't like. TechRepublic did a great article about this a few months ago: The FBI locked your computer? Watch out for new spins on ransomware
It's a good article, but it mostly dealt with what the malware is; here is what you should do about it.
1) Don't send them money! Let's face it: if there were something on your PC that warranted the attention of the FBI, you would already be in handcuffs. The whole purpose of this software is to hold your computer hostage. The bad news is that even if you did send the money, they are not going to unlock your computer. The good news is that getting rid of this malware is relatively easy.
2) Don't call the FBI. Trust me, they know about it; they're going to tell you to get your computer fixed, and honestly they have other things to handle right now.
3) Depending on the variant, booting the computer into Safe Mode is usually the first thing I try. From there I can usually find the program, remove it manually, and then run my usual batch of scans. (See the blog post "It's Infected Jim" for my list of favorite scanners.) If that fails (and I have run into some variants that actually lock out Safe Mode), I try Safe Mode with Command Prompt and dust off my old command line skills.
4) Try to get into another user account if one is available. The variants I have seen have been profile based, meaning that they are isolated to just the user account that contracted them. If there isn't another user account, I try to get into the built-in Administrator account (which is usually hidden). In Windows XP, pressing Ctrl+Alt+Del twice at the login screen brings up the network-based login, which lets me type in the Administrator account. In Windows Vista or 7, I already know that the Administrator account is disabled. This is just another good argument for everyone who uses the computer to have their own account.
5) As a last resort (as in, before I pull out the hard drive, image it, and reload the OS), I would manually crash the system, mostly to get into the advanced repair options and roll back to a restore point. I am not crazy about this option, since it can be a bit of a guessing game about how far to go back and whether the restore points might also be infected.
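As an added example that is not part of the original post, here is a PowerShell script that supports steps 3 and 4: run it from a working account (Safe Mode, the Administrator account, or any other profile) and it lists the per-user autorun entries of every local profile, so a profile-scoped infection can be located without logging in as the locked-out user. It assumes the standard Windows profile, registry and Startup-folder locations; the hive alias TempHive is an arbitrary name chosen here.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt in a
# working account. For each local profile it mounts the user's NTUSER.DAT hive and prints
# the per-user autorun entries; 'TempHive' is an arbitrary mount name chosen here.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # a per-user Shell= value replaces Explorer
)

# Vista/7 profile root, falling back to the XP layout
$profileRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }

foreach ($profile in (Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer })) {
    $hive = Join-Path $profile.FullName 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { continue }          # Public, All Users etc. have no hive
    "=== Profile: $($profile.Name) ==="

    # reg.exe refuses to load a hive that is already in use (the account you are logged in as);
    # read that account's keys through HKCU instead.
    & reg.exe load 'HKU\TempHive' $hive | Out-Null
    if ($LASTEXITCODE -eq 0) {
        foreach ($key in $runKeys) {
            $path = "Registry::HKEY_USERS\TempHive\$key"
            if (Test-Path $path) {
                (Get-ItemProperty $path).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { "  [$key] $($_.Name) = $($_.Value)" }
            }
        }
        [gc]::Collect()                               # drop handles so the hive can be unloaded
        & reg.exe unload 'HKU\TempHive' | Out-Null
    } else {
        "  (hive in use, skipped; check HKCU from that account)"
    }

    # Per-user Startup folder: Vista/7 path first, then the XP path
    foreach ($rel in 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
                     'Start Menu\Programs\Startup') {
        $startup = Join-Path $profile.FullName $rel
        if (Test-Path $startup) {
            Get-ChildItem $startup | Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { "  [Startup] $($_.FullName)" }
        }
    }
}
```

Any entry pointing at an executable in a temp, AppData or oddly named folder is the candidate to remove before running the usual scans.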
This malware is not a computer killer so much as a productivity killer, which is one of the reasons it has sent a few of my clients into a panic. If you do catch this, stay calm and follow these instructions, or feel free to contact Lanterns Light LLC and we can handle it for you.