Hi,
Really hoping someone can help me out. Went to visit my mother-in-law yesterday and she has been scammed. She had a call and they said they were BT and that there were issues with her computer. It was definitely not BT; I have checked the number and found this: comment on the number online. She has actually been having issues, so she believed them; they knew her full name and address, so she had no reason to believe it was fake. To cut a long story short, she basically let them remotely control her computer to 'fix it' and she's now had every single file on her computer locked. She has a ransom note on her computer, which is the only thing she can open, telling her to click some dodgy link and pay in cryptocurrency to get her files back. I have told her not to pay it, but I cannot work out how to get all her photos back. Her other son died a few years back and she has lots of photos that are obviously not replaceable and very sentimental. I have looked online and it seems like not much can be done other than to pay it :/ Any suggestions at all?
Thanks
Ann
|
|
|
|
Tough one. If it's encrypted then maybe a brute force may work?
How much are they asking for? I don't know of anyone who has managed to bypass one of these types of attacks.
|
|
|
They want £1500 and there's no guarantee they will give back access to the photos. What if we pay and they ask for more?
|
|
|
Have the police been informed?
As far as getting the photos back, I am afraid it is likely to be bad news. It is almost impossible to crack this sort of encryption software - many large companies have tried it when they have been hit, and it would cost a small fortune to even get someone to attempt it. And you are already aware that paying the money is no guarantee that they will unlock the files.
I am afraid without a backup of the files the chances of getting them back are very low.
Get the police in. Talk to them about it and I suspect they will give you the same advice.
Sorry that this has happened and I know it is too late but backups of important and personal information are essential and I am so sorry that it isn't going to help to resolve this.
|
|
|
|
There are ways to break the encryption on some (but not all) of these attacks - but it is a technical job that not everyone could do.
Can you post the *exact* name of the ransom note, and the *exact* text in it? That might identify the malware, and hence a fix.
Then leave the computer switched off for now.
|
|
|
|
We rang the police and they basically said they don't have the training or knowledge to deal with this type of crime. They said to call the cyber crime team and report it, but apparently there is a huge waiting list as there are more hackers than people trained to fight against them. Tbh I'm really dismayed about the lack of support there is for such crimes. The police even said it's up to us if we pay; they cannot advise either way, which I was surprised to hear.
|
|
|
As already suggested, call the police and do not pay it. The scammers will almost certainly ask for more money or simply take the money and not give anything in return. The more people who pay, the more these scams will proliferate.
Oliver.
|
|
|
|
I am afraid it is difficult to give a solution. As someone else posted, it may be that it is a known encryption that could be broken, but the majority can't be broken easily - with all the computing power you can throw at it, many would take thousands of years to crack. This encryption is used for the most sensitive data and it is designed to be effectively uncrackable. Most businesses end up just reformatting the devices and reinstalling from scratch (although some do pay the ransom as the financial loss from losing the data could be enormous).
|
|
|
|
Hey, this is the ransom note:
---= GANDCRAB V5.0.4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .OBKBTXTN
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser - hxxps://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: hxxp://gandcrabmfe6mnef.onion/bba886b160b8e97e
| 4. Follow the instructions on this page
------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[key block not reproduced in the post]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[PC data block not reproduced in the post]
---END PC DATA---
-------
|
|
|
|
OK, you may just be in luck. They aren't using the latest version of the encryption malware, and there are reports of a bug in the 5.04 version that has been broken previously. I'll look into it a bit more...
|
|
|
OK, here's a website that may be useful - https://www.nomoreransom.org/en/index.html
I have no connection with them or any experience of the organisation that runs it - however I found the link from a source I trust. They make decryption tools available for free for cases where the encryption has been broken. The malware you have was broken a year ago by BitDefender working with the Romanian police (and EuroPol).
I'm not sure how technical you will have to be in using their tool, but if you need any help let me know.
|
|
|
Great suggestion, I never knew about this site.
Oliver.
|
|
|
That site is really where the UK police need to send victims of ransomware.
I should add that not every site that you might come across if you search for a decryption tool is to be trusted! Lots of criminals rely on distributing malware "removal" tools in order to install malware.
Edited by sheephouse (Fri 22-Nov-19 16:06:32)
|
|
|
|
Thank you so much sheephouse!
|
|
|
Well done sheephouse. Let's hope it works.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - Three 4G, tbb tests normally 35-45Mpbs down, 65Mbps off-peak, 9-24 up.
==================================================
"Democracy means simply the bludgeoning of the people by the people for the people." Oscar Wilde
|
|
|
|
Do let me know how you get on. There's not many things that irritate me as much as relatively clever people misusing their talents by trying to be crooks.
|
|
|
|
Good sharing of intel research to help others out.
I would like to think I have good IT knowledge, and I didn't come across it when searching for something to decrypt it.
|
|
|
Sometimes it's tricky to think of the most relevant search terms. This one works well:
https://www.google.com/search?q=decrypt+ransomware
Oliver.
|
|
|
|
I haven't managed to read all the 2.2 million results yet, I will let you know when I have.
|
|
|
I haven't managed to read all the 2.2 million results yet, I will let you know when I have.
No need, the first result after the adverts is the one we wanted!
Oliver.
|
|
|
|
I first found nomoreransom.org referenced on a non-public site that I refer to for cyber threats. As I mentioned previously, you do have to be careful with general search results, as some criminals provide malware removal tools which actually install malware (which may wait months before becoming active) and they tend to use SEO to push their wares up the search results.
|
|
|
|
Would .jpg files be accessible if one dual booted from linux?
|
|
|
|
Dual booting doesn't help - the files will have been encrypted, so the content of a .jpg file isn't readable as a jpeg. It is quite possible that only the first part (maybe 1MB) of each file is encrypted, but that will contain the metadata making the whole file unreadable.
Fortunately in this case there is a decryption tool available. In general a backup on a separate computer or DVD etc is the only foolproof protection.
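To illustrate the point about encrypted .jpg files no longer reading as JPEGs, here is an added example, not code from anyone in this thread: a read-only Python triage script that checks whether each file still starts with its format's magic bytes (a JPEG begins FF D8 FF) and, where the header has been overwritten, whether the first few KB look like ciphertext. The .OBKBTXTN extension is taken from the ransom note posted above; the entropy threshold and the sample files are constructed assumptions.

```python
import hashlib
import math
import tempfile
from pathlib import Path

RANSOM_EXT = ".OBKBTXTN"  # extension the ransom note in this thread appends to every file
# Leading "magic" bytes of a few common formats; a real JPEG starts FF D8 FF.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, image headers and text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def classify(path: Path, sample_size: int = 4096) -> str:
    """Read-only verdict for one file: intact / encrypted / damaged / unknown."""
    name = path.name
    if name.endswith(RANSOM_EXT):
        name = name[: -len(RANSOM_EXT)]  # recover the original file name
    expected = MAGIC.get(Path(name).suffix.lower())
    if expected is None:
        return "unknown"  # no magic bytes to compare against for this type
    head = path.read_bytes()[:sample_size]
    if head.startswith(expected):
        return "intact"
    # Header overwritten: high entropy means ciphertext (7.5 bits is an assumed threshold)
    return "encrypted" if shannon_entropy(head) > 7.5 else "damaged"

def triage(folder: Path) -> dict:
    """Map each file name to its verdict without modifying anything on disk."""
    return {p.name: classify(p) for p in sorted(folder.iterdir()) if p.is_file()}

def build_sample_folder() -> Path:
    """Constructed sample data: one intact JPEG, one 'encrypted' JPEG, one renamed text file."""
    folder = Path(tempfile.mkdtemp())
    (folder / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 4092)
    # Deterministic pseudo-random bytes stand in for ciphertext (not real GandCrab output)
    fake_ciphertext = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    (folder / ("holiday.jpg" + RANSOM_EXT)).write_bytes(fake_ciphertext)
    (folder / ("notes.txt" + RANSOM_EXT)).write_bytes(fake_ciphertext[:512])
    return folder

if __name__ == "__main__":
    for name, verdict in triage(build_sample_folder()).items():
        print(f"{verdict:9} {name}")
```

Point `triage` at a copy of the affected folder to inventory what is still readable before running any decryption tool; it never writes to the files it inspects.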
|
|
|
I was wondering earlier where the original photos were/are, and if any have perhaps ended up in MS OneDrive, Google Drive and suchlike.
Unlikely, but worth an ask.
Edit: Also emailed or similar to other family members or friends. Even actual prints that can be scanned. Were any older ones copied from an older computer and, if so, is that still available?
Edited by RobertoS (Fri 22-Nov-19 18:27:28)
|
|
|
In general a backup on a separate computer or DVD etc is the only foolproof protection.
An external hard drive is ideal; these days USB sticks are larger in capacity and may also be sufficient for users with less data.
Unplugging after backup is key, although things like File History encourage the external storage to be connected at all times.
Oliver.
|
|
|
|
It is important that backups are not permanently accessible by the computer - if they are they will be encrypted too. Attached backups can protect against hard drive failures etc, but not against malware.
|
|
|
Dual booting doesn't help...
Thanks for the reply - I thought that maybe dual booting into linux might be a way of copying across encrypted files (particularly .jpeg, plain text documents, etc. from a Windows OS) and perhaps opening them on the linux partition might be possible.
|
|
|
Yep, it's a trade off. Permanently connected external storage with File History provides excellent backup coverage but puts them at risk of malware encrypting all the files.
I wonder how many people are sufficiently motivated to keep plugging in and out their backup device before and after each regular backup (until it's too late).
Oliver.
|
|
|
Yep, it's a trade off. Permanently connected external storage with File History provides excellent backup coverage but puts them at risk of malware encrypting all the files.
I wonder how many people are sufficiently motivated to keep plugging in and out their backup device before and after each regular backup (until it's too late).
Also, perhaps, disconnecting other booted machines, using the same OS, from the LAN? Or perhaps a user has to intentionally transfer files?
|
|
|
Also, perhaps, disconnecting other booted machines, using the same OS, from the LAN?
Yes, if the device is connected to the LAN, and the infected PC knows the SMB password for it, or it has no password, it most definitely is at risk too.
Oliver.
|
|
|
Also, perhaps, disconnecting other booted machines, using the same OS, from the LAN?
Yes, if the device is connected to the LAN, and the infected PC knows the SMB password for it, or it has no password, it most definitely is at risk too.
I thought that was possible. I no longer have an XP machine connected to the LAN (always offline), together with a Win7 machine. Bit of a nuisance, but better safe than sorry.
|
|
|
I first found nomoreransom.org referenced on a non-public site ...
I saw it referred to a while ago on the Action Fraud site:
https://www.actionfraud.police.uk/campaign/ransomaware
Wouldn't you think the dumb police would know about it and refer the OP to it? Luck of the draw I guess, whether you get a copper worth their salt when you call them, or get one who's useless.
FTTP 80/20 Mbps
|
|
|
I had a similar problem a few years ago. It was ransomware that loaded a ransom message when I logged on to my laptop. After searching, I found out it was attached to my Windows login.
I found a video on YouTube on how to remove it by starting in safe mode, side loading Malwarebytes, which removed the malware, and then going into the registry to remove the remnants of it.
I don't know if this will be helpful as it might be different to what you are experiencing, but search YouTube to see if you can find something similar to what you are experiencing.
https://www.youtube.com/watch?v=G2sUQFME0bE
|
|
|
I had a similar problem a few years ago. It was ransomware that loaded a ransom message when I logged on to my laptop. After searching, I found out it was attached to my Windows login.
I found a video on YouTube on how to remove it by starting in safe mode, side loading Malwarebytes, which removed the malware, and then going into the registry to remove the remnants of it.
I don't know if this will be helpful as it might be different to what you are experiencing, but search YouTube to see if you can find something similar to what you are experiencing.
https://www.youtube.com/watch?v=G2sUQFME0bE
Great video, Dan, and it "can" work.
I have been in the registry many times, but it can be a minefield to find certain files; certainly worth a try.
Good find funkydan and good luck to the OP on hopefully restoring your files.
Scum like these need a large injection IMO.
BTBroadband
|
|
|
Hi, had a similar thing happen to a friend and sorted her PC out by downloading a file from Bleeping Computer; it might be worth a try and don't worry, it's a safe prog.
RKill is a program developed at BleepingComputer.com that was originally designed for the use in our virus removal guides. It was created so that we could have an easy to use tool that kills known processes and remove Windows Registry entries that stop a user from using their normal security applications. Simple as that. Nothing fancy. Just kill known malware processes and clean up some Registry keys so that your security programs can do their job.
Good luck, hope you get it sorted.
Billion 8900 AX 2400
AAISP Home 1
|
|
|
A despicable crime, but great to see the wide knowledge of TBB members so generously given as always. AnnHannah, I hope you can solve your relative's problem.
|
|
|
A despicable crime, but great to see the wide knowledge of TBB members so generously given as always. AnnHannah, I hope you can solve your relative's problem. I had a robo call from a scammer purporting to be BT IIRC, saying that my bb was going to be cut off if I didn't act, then you get the "press 1 to speak to an adviser" (scammer), but I had to go out so I didn't waste their time like I would normally have done. The number was not displayed on caller ID, but was recorded on the 1471 service, a mobile number, so spoofed.