
I'm being held hostage by ransomware

Discussion in 'General Discussion' started by Mike Buckley, Dec 6, 2018.

  1. Suddenly all of my Mozilla Firefox bookmarks and all of the backups Firefox supposedly automatically makes of them are completely gone. I've also lost all of my Mozilla Thunderbird email. The search function of Windows Explorer also no longer finds anything on my computer even though I can find stuff by manually navigating the hierarchy of directories, folders and files. I also think my backup software's ability to scan is no longer working, but I haven't taken the time to fully investigate that. Perhaps other capabilities of my computer don't work that I have not yet identified.

    The text file displayed at the end of this post is in my AppData >> Roaming >> Mozilla >> Firefox >> Profiles folder. It asks me to pay money to get my files back but, of course, I won't do it.

    I won't back up my computer again until I get this resolved. I've got two backups, one onsite and one offsite. Both backups were completed before my computer was attacked.

    Windows 10

    Any suggestions about who to hire to solve the problem? Any suggestions about who I report this to (not that I expect doing so to do any good)?

    ---= GANDCRAB V5.0.4 =---




    All your files, documents, photos, databases and other important files are encrypted and have the extension: .ODRUDQJXZG

    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

    The server with your key is in a closed network TOR. You can get there by the following ways:


    | 0. Download Tor browser - [link deleted so nobody accidentally clicks it]

    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: [link deleted so nobody accidentally clicks it]
    | 4. Follow the instructions on this page


    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.




    [a lot of gobbledygook data appears here that I've spared you]

    ---BEGIN PC DATA---
    [a lot of gobbledygook data appears here that I've spared you]
    ---END PC DATA---
    Last edited: Dec 7, 2018
  2. sounds awful - I have no idea what to do
  3. Seems the GandCrab Ransomware is a prolific one that has been doing the rounds. Unfortunately Version 5.0.4, which you have, is apparently not currently decryptable by available tools that worked for previous versions, and you need to restore from backup. You might want to go back about a week or more for restoration.

    Some good info on Google.

  4. Growltiger (Administrator)

    That is terrible, I am so sorry. I would say it is very likely that the Express Burn you downloaded was not the official version and was altered to add the ransomware.

    Just because you can find the files (documents and photos etc) doesn't mean they are OK. They may all be encrypted.

    Something similar happened to a friend a few days ago. In their case it started with a scam phone call that deceived them. I could not fix it, the system was a real mess and their data all gone. I did a Macrium image restore wiping the whole drive back to a good state from a year ago and then restored his latest data backup. After that it just needed Windows updates to get it back to normal. If you don't do a full image restore it can be hard to be completely confident that there is no remaining corruption.

    Good luck with it.
  5. Ouch Mike, that is dreadful news.

    From what I've read, it will take something along the lines of what Richard advises to recover. FWIW (not much probably) I keep three copies of my images, one on a laptop along with my regular activities, one on a desktop that is used solely for photography activities, and I also download the CF card each month or after any big shoot to an external drive that is only connected to the desktop at the time that the card is copied. All that of course is of no use at all to everything else that would be on an infected computer :( .
  6. Growltiger (Administrator)

    This site has a tool you can download that fixes the problem caused by that version 5.0.4.
    It may be a lie, it may be another attempt to extort money. But given the mess you are in anyway it could be worth trying:
    Remove GANDCRAB v5.0.4 Cryptovirus - Restore Files

    I also see that some versions of 5.0.5, a version that no one can decrypt yet, are incorrectly calling themselves 5.0.4. If you have 5.0.5 then there is no current tool to help.

    If I had this problem here I would do a system drive image restore (takes 20 minutes) then restore my data from my backups.
    Last edited: Dec 7, 2018
  7. Pawl

    Sorry to hear your news Mike, Dayo's and Richard's advice is best IMO. My approach would be
    Re-format all hard drives connected since a day or more before the infection (including external and backup drives used in that period).
    Only after re-formatting all drives would I then do (Richard's suggested) image restore from a known good copy.
    Then the system updates to get fully up to date again.
    Then and only then restore any data files from backups created before the infection (and not touched since then).

    If possible, do not touch the off-site backups - leaving them as a fall-back measure if necessary.

    The primary purpose in the advice given is to not just restore the latest copy of the safe system and files but also to ensure you have full confidence in the process such that you are happy to carry on safely and confidently afterwards. There is nothing worse than being unsure of the system you are using.
    My tools of choice for this kind of recovery are from www.r-studio.com
    Disk Recovery Software and Hard Drive Recovery tool for Windows, Mac, and Linux
    I have had tremendous success with their tools, in your case R-Drive Image for the system image restoration (although you may have to use the tool you used to create the image originally if it's a proprietary format, of course).
    I've mainly used R-Studio for data recovery for folks and it's been superbly successful; you can judge their confidence in the software as you can do a read-only trial and see what they would recover with the tool.
    R-Drive Image is often used prior to recovery to ensure you only work on duplicate hardware. In your case I'd use (buy if necessary) a drive of the same capacity as your main drive, take the old drive out and use the replacement and use R-Drive Image to restore the saved system image; then you know you have a clean copy to build upon. Just my approach; you choose how you wish to proceed, of course. Shout if you need help, it's hard remotely but there are a lot of good folks here to help.
    Good luck.
  8. This is terrible Mike. I hope you are successful in ridding yourself of this virus and restoring your system. I'm sure you have searched "the internets" far and wide by now looking for a solution. If you found this file in your Mozilla profile but it has not yet popped up on your screen, it is possible that it has not yet finished encrypting your files and you might be able to stop it before it continues. One site I read says V5.0.9 is already in the wild. Most sites agree this is spread through spam email.

    It is so important for everyone here to never open attachments or load images of rich text emails in your spam folder. These are often poison pills designed to exploit bugs in your OS or browser to infect your computer and do dreadful things. As Mike has done, we all need to be vigilant with backups and have more than one copy (one that is always disconnected from your computer so it minimizes the risk of also getting infected).
  9. Butlerkid (Cafe Ambassador, Moderator)

    YIKES! So sorry to hear this, Mike. What a horrible time to have this happen, especially after all the work you've been doing!
  10. Thanks, everyone! I don't understand half the stuff you folks are recommending so I'm going to hire a pro. If anyone can recommend someone in or near the northern Virginia suburbs, I would be grateful.

    My current state of affairs is that the problematic computer is turned off and I don't plan to turn it on again until a pro shows up to fix it. Both backup drives are disconnected from the computer, though I fear they might be infected. That's because this issue happened to occur on the one evening of every week the offsite drive was onsite so I could do my weekly backup. I tried using it and the onsite backup unsuccessfully to restore the Mozilla bookmarks before I realized I had the malware. I didn't back up onto either drive, so maybe they're OK.

    Anything else I should do while waiting for a pro to get involved?
  11. Not really, leaving everything off and disconnected is the best thing. Meanwhile, I'm sure you have some nice wine waiting to be tested ... :) .
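
Added example, not part of any post in this thread: a read-only check a responder could run from a known-clean machine against a backup drive, reporting files that carry the `.ODRUDQJXZG` extension from the ransom note, copies of the note itself, and files modified after the infection time. The note filename, the timestamp and the sample tree are constructed, and the drive is assumed to be mounted read-only.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".odrudqjxzg"   # extension named in the ransom note quoted above
NOTE_MARKER = b"GANDCRAB V5"    # taken from the note's header line quoted above

def triage_backup(root, infected_at=None):
    """Read-only walk of a backup tree.

    Returns the file count plus lists of paths that carry the encrypted
    extension, look like a ransom note, or were modified after
    infected_at (epoch seconds).
    """
    report = {"total": 0, "encrypted": [], "notes": [], "touched_after": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            report["total"] += 1
            try:
                st = path.stat()
                if path.suffix.lower() == ENCRYPTED_EXT:
                    report["encrypted"].append(str(path))
                elif path.suffix.lower() == ".txt" and st.st_size <= 65536:
                    with open(path, "rb") as fh:  # read-only, first 4 KiB
                        if NOTE_MARKER in fh.read(4096):
                            report["notes"].append(str(path))
                if infected_at is not None and st.st_mtime > infected_at:
                    report["touched_after"].append(str(path))
            except OSError:
                continue  # unreadable entry: skip it and keep scanning
    return report

def build_sample_tree(root, infected_at):
    """Constructed sample data: two clean files, one encrypted, one note."""
    root = Path(root)
    (root / "photos").mkdir()
    for p in (root / "photos" / "DSC_0001.NEF", root / "bookmarks.json"):
        p.write_bytes(b"clean")
        os.utime(p, (infected_at - 86400, infected_at - 86400))
    (root / "photos" / "DSC_0002.NEF.ODRUDQJXZG").write_bytes(b"\x00" * 16)
    # README.txt is a constructed filename, not the note's real name
    (root / "photos" / "README.txt").write_text("---= GANDCRAB V5.0.4 =---\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        when = 1544054400.0  # constructed timestamp (2018-12-06 00:00 UTC)
        print(triage_backup(build_sample_tree(tmp, when), infected_at=when))
```

An empty `encrypted`, `notes` and `touched_after` result is consistent with a backup that was not written to after the infection; it does not prove the files are intact.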
  12. Growltiger (Administrator)

    Do you have an image backup?
    Or just file backups?

    A. If you have an image backup the pro can restore from it.
    For future reference you should consider making image backups, I use Macrium Reflect 7 Free edition. This is software used by pros, the free version does what a home user needs.

    B. If you don't have an image backup then the pro can do a clean install of Windows and then restore all your files from the backup drive. You or the pro will also need to install all your other software.
    Perhaps you could do this yourself?
    Do you have another computer you can use to download Windows 10 to? You put it on a USB stick, and then boot from the USB stick and do the installation like that.
  13. 480sparky

    This is why I rotate three backup drives every 3 months. If I get hit with something like this, I can go back 3, 6 or even 9 months and recover. Yes, the further back I go the less I'll recover in terms of recent files, but that's better than losing everything.
  14. +1 for Macrium Reflect
    It has saved me a few times.
    I keep several weekly backups on two separate external drives.
  15. Growltiger (Administrator)

    I meant to ask before, what version of Windows are you running, and what anti-virus do you use?
  16. I don't know what an image backup is so I assume I don't have one.

    I have data file backups but don't think they include Mozilla bookmarks; my biggest fear based on what you folks have explained is that I've lost years of bookmarks.

    I have no problem installing the software programs, as I always do that every time I change to a new computer.

    I'm using a Windows 10 notebook computer to post this message, so that could be used as Richard describes to install the OS. However, I'll use a pro to install the OS and presumably he'll have better resources.
  17. I'm using Windows 10 and McAfee antivirus. Yesterday after concluding that I had a virus, I ran its Quick Scan but it found nothing. I didn't take the time to run its Full Scan because I guessed that turning off the computer was my best option.
  18. Growltiger (Administrator)

    Your anti-virus software should have detected the bad file and warned you or stopped you.
    I'm not a believer in paying McAfee, I am happy running the Windows Defender that comes built into Windows 10, which McAfee disables.
  19. The McAfee software warned me that there might have been a problem with downloading the Express Burn software, not that a problem had been definitively detected. That was when I thought it was ImgBurn. Knowing that you had recommended ImgBurn, I ignored the warning.
  20. So obviously this ransomware turns off access to a restore point? That has been my only defense over the years, but that was Win 7. Hope you get it fixed Mike.