Encryption attack (ransomware)

Started by Radiant, Thu 04/06/2015 09:33:41


Radiant

Well, I woke up this morning to a big red screen on my computer stating "they" have encrypted all my files so that I can't use them any more, and if I would please go to such-and-such website and enter my credit card data to get my files back.

Of course, I didn't actually do that; I did a reboot and a system restore, and started updating my security software (apparently I was a few updates behind). Plus, being the geek I am, I actually have several other computers in my house, plus backups of all the important stuff (i.e. game design). I didn't notice any documents missing or unreadable so far; clearly the hack can't encrypt my whole hard drive because that would stop Windows from working (and then I couldn't send them my credit card). I'm not sure if it only does the My Documents tree, which I never use, or whether I rebooted my computer before it could actually finish.

Still, pretty weird situation. Has anyone encountered something similar? Any tips, other than the obvious ones of (1) keep backups and (2) update your security software?

WHAM

The ones I've seen were fairly well localized to look like the Finnish police had "locked this workstation due to illegal internet activity". The popup had managed to block Task Manager from opening, had disabled the CTRL & ALT keys and explorer.exe, and was demanding that I pay 40 € to an account as a fine to recover my PC.

I found that shutting down, starting Windows in safe mode and logging in with a separate user account allowed me full access and I was able to clear the invader out. As long as you have Windows 7 or later and have UAC enabled, no malicious software should be able to affect anything outside of the user account currently logged in, so that helps with the recovery.

In summary:

1) Ensure that your UAC is enabled (despite its bad rep as "annoying", it's really useful for security)
2) Keep your antivirus up to date
3) Avoid any website with suspicious content or banner ads
4) Back up anything and everything

Wrongthinker and anticitizen one. Pending removal to memory hole. | WHAMGAMES proudly presents: The Night Falls, a community roleplaying game

Crimson Wizard

There was a period of similar attacks in Russia about 2 or 3 years ago, which was even covered in the general media. The only difference was that they were asking people to send a paid SMS from a mobile phone to get an unlocking password (credit card payments are still not so common here).

My father got this on his home PC, and had to boot from a system repair CD (provided by the antivirus company). After the malicious program was removed, all the computer's contents were found untouched.

Unfortunately, I do not remember if he had Win 7 or XP. Maybe it was Win 7 with UAC disabled.

Radiant

It's CryptoWall 3, in case people were wondering.

Radiant

Huh.

A system scan reveals that the malware spent a substantial amount of time encrypting my Recycle Bin and my Google cache, and has left most of my personal files alone, although I have no idea why. Several folders contain the "hey everything is encrypted now" warning file, without any of the files having been changed.

It's worth noting that this kind of malware has a list of file extensions that it looks for (e.g. TXT, DOC, JPG; this is because encrypting AVI files takes like forever) and that AGS projects tend not to contain any of these, so generally speaking these appear to be safer than most. That's good to know.

So anyway, I'm guessing I wasn't hit by the real thing, but by a mockup made by some script kiddie. Maybe. Or perhaps my security software did manage to somehow block most but not all of the damage. Not that I'm complaining, mind you :)
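Picking up the two observations above (the malware hunts by file extension, and it drops a note file in folders whose contents may or may not actually have been touched), here is an added triage script for checking what really got hit. It is example code written for this page, not anything from the thread or from an AV vendor; the extension set, the note-name fragments and the sample tree it builds are constructed placeholders, not CryptoWall's real lists.

```python
import math
import tempfile
from pathlib import Path

# Extensions the thread says this family hunts for (TXT, DOC, JPG); constructed
# list, not CryptoWall's real one. Ransom-note name fragments are hypothetical too.
TARGET_EXTS = {".txt", ".doc", ".docx", ".jpg", ".jpeg", ".pdf"}
NOTE_MARKERS = ("help_decrypt", "decrypt_instruction")
# Header bytes a healthy file of that type starts with; an encrypted copy loses them.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(root: str, sample: int = 4096, threshold: float = 7.5) -> dict:
    """Walk `root`; list note files and sort targeted files into suspect/clean."""
    result = {"notes": [], "suspect": [], "clean": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        if any(m in name for m in NOTE_MARKERS):
            result["notes"].append(path.name)
        elif ext in TARGET_EXTS:
            head = path.read_bytes()[:sample]
            magic = MAGIC.get(ext)
            lost_header = magic is not None and not head.startswith(magic)
            bucket = "suspect" if lost_header or shannon_entropy(head) >= threshold else "clean"
            result[bucket].append(path.name)
    return result

def demo() -> dict:
    """Constructed sample tree (not real data): one note, two damaged files, two healthy."""
    root = Path(tempfile.mkdtemp(), "projects")
    root.mkdir()
    (root / "notes.txt").write_bytes(b"Room 3: the key is under the mat.\n" * 40)
    (root / "design.txt").write_bytes(bytes(range(256)) * 16)    # ciphertext stand-in
    (root / "sprite.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    (root / "title.jpg").write_bytes(b"\x17" * 300)              # JPEG header gone
    (root / "room.crm").write_bytes(b"CRM\x00" * 50)             # not a targeted ext
    (root / "HELP_DECRYPT.TXT").write_bytes(b"Your files have been encrypted\n")
    return triage(str(root))
```

Run `triage()` against a copy of the suspect tree (never the only copy), and treat the "clean" bucket as a hint rather than proof: the entropy check only samples the first few KB, and an attacker's later variant could keep headers intact.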
