Mark Minasi's Tech Forum
mbarry
Still Checking the Forum Out
Posts: 8
#1
Hello all.  Long time!

My sister in law called today.  She has a very old computer running XP and she has somehow gotten UltraCrypter on her computer.  Her Office, picture, and pdf files all have the cryp1 extension on it.  

It's ransomware.  The screenshots she was seeing can be found here:

http://sensorstechforum.com/tag/ultracrypter/

Ransomware is the nastiest stuff I've seen in a long time.  The URL above even looks a bit suspect to me.  Grammar is poor, and it's obviously some sort of advertisement for programs that claim to remove this stuff.

Is there ANY way for her to recover her files?  Has anyone beat this encryption?  Oddly enough, there is a scarce amount of information on the net about this particular one.

Thanks!

Mike

donoli
Senior Member
Posts: 505
#2
https://www.pcrisk.com/removal-guides/10058-ultracrypter-ransomware

Try a restore point.  It's a long shot but there aren't too many choices.  I guess that it's another case of no backed up files.
Mark
Hacked Mark's Facebook Account
Posts: 273
#3
+1 there.

These bastards are good.  Although in truth just (1) don't open attachments you're not expecting and (2) use a browser with even the most basic safe filter and you're in good shape.
If she's on Windows 8 or later, Defender does the job admirably.

__________________
May I ask that everyone please populate the first name and last name in your user account profile.  Thanks!
mbarry
Still Checking the Forum Out
Posts: 8
#4
Removal of genitalia wouldn't be too harsh a punishment for those responsible for this.  

Thanks for the help, guys.  I did try a restore point, and none of the dates on the calendar within Restore Point would register.  Tried changing the month and that wouldn't work either. 
Fortunately, last summer when my wife and I were visiting her I went about the process of moving her off this computer to a newer one, but had to stop because she needed to get Office.
I had backed up her email to a .PST file and moved it and her documents to a flash drive.  I instructed her that under no circumstances was she to insert that flash drive into the infected computer.
So - there is a backup - of sorts.  It's just a bit old.

Will post back if there's anything of worth to be added..

Mike



donoli
Senior Member
Posts: 505
#5
Ok, so you have some sort of backup. That's good. I would try to access the recovery partition, most times F11. As Mark said, only open attachments if you requested them.
wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
#6
First things first, we are a Trend Micro house, so all the info I have is based on Trend Micro and their viewpoint.

It's a damn good one in general, I have to say.

Some info and Trend tools for removal here:
https://esupport.trendmicro.com/en-us/home/pages/technical-support/maximum-security/1099580.aspx

There may be some help there.

Trend's latest version, out in mid June, has several new features specifically designed to aid in stopping ransomware:
Auto-backup of files prior to a write by a suspicious application
Checking the file post-write and killing the application if Trend thinks it's suspicious.

It's generating a lot of false positives and in reality showing up a LOT of bad applications.
Is the cure worse than the infection? In general, yes.

But the biggest common factor on the sites is users having local or, worse, domain admin privileges.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
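The post-write check described above, as an added example that is not Trend Micro's code: it inspects a freshly written file and flags it by the .cryp1 extension the thread reports and by byte entropy, over a constructed sample directory. The entropy threshold, the sample files and the function names are assumptions.

```python
"""Post-write ransomware check (added example, not Trend Micro's code).

Models the idea from the post above: after a file is written, inspect it and
flag it if it looks like ransomware output. Signals used here:
  1. the ".cryp1" extension the thread reports for UltraCrypter, and
  2. high Shannon entropy, typical of ciphertext (threshold is an assumption;
     compressed archives can also score high, so treat it as one signal).
"""
import math
import os
import tempfile
from collections import Counter

SUSPECT_EXTENSIONS = {".cryp1"}  # from the thread; extend as needed
ENTROPY_THRESHOLD = 7.9          # assumed cutoff, bits per byte (max is 8)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_written_file(path: str, sample_size: int = 65536) -> dict:
    """Inspect a file after a write; list the reasons it looks suspicious."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in SUSPECT_EXTENSIONS:
        reasons.append(f"known ransomware extension {ext}")
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ent = shannon_entropy(head)
    if len(head) >= 1024 and ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy {ent:.2f} bits/byte")
    return {"path": path, "entropy": ent,
            "suspicious": bool(reasons), "reasons": reasons}


def demo() -> dict:
    """Constructed sample: a plain document and an 'encrypted' .cryp1 copy."""
    tmp = tempfile.mkdtemp()
    doc = os.path.join(tmp, "budget.docx")
    enc = os.path.join(tmp, "budget.docx.cryp1")
    with open(doc, "wb") as fh:
        fh.write(b"Quarterly budget notes. " * 200)  # low-entropy text
    with open(enc, "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # stand-in for ciphertext, entropy 8.0
    return {"doc": check_written_file(doc), "enc": check_written_file(enc)}
```

In a real product the same check would run in a filesystem filter driver immediately after the write, with the pre-write backup restored when the file is flagged.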
donoli
Senior Member
Posts: 505
#7
The only time that I was a sysadmin, I used Trend Micro only because the office manager wanted some sort of AV program. I'm not a fan of any AV.  At that time, Trend Micro was the last to have phone tech support.  Since then, that has changed.  The last time that I called, I was told that some 'engineer' would return my call in 2 or 3 hours.  You know what?  Don't bother!

According to David Perry, formerly of Trend Micro, 3/4 of a million new viruses are released daily.  No AV company can keep up with that rendering AV all but worthless.  No AV company can fix stupid as long as users happily click along in their Wonderful World of Windows where it's always 72F & no clouds in the sky.

wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
#8
Quote:
Originally Posted by donoli
The only time that I was a sysadmin, I used Trend Micro only because the office manager wanted some sort of AV program. I'm not a fan of any AV.  At that time, Trend Micro was the last to have phone tech support.  Since then, that has changed.  The last time that I called, I was told that some 'engineer' would return my call in 2 or 3 hours.  You know what?  Don't bother!


So, based on this, do all users not need AV?
Are we wasting our time with AV, antispam, removing permissions, setting security boundaries and all the rest...


Quote:
Originally Posted by donoli

At that time, Trend Micro was the last to have phone tech support.  Since then, that has changed.  The last time that I called, I was told that some 'engineer' would return my call in 2 or 3 hours.  You know what?  Don't bother!



I could say the same for just about every company I deal with.
The only exception to the list is probably Veeam.



Quote:
Originally Posted by donoli

According to David Perry, formerly of Trend Micro, 3/4 of a million new viruses are released daily.  No AV company can keep up with that rendering AV all but worthless.  No AV company can fix stupid as long as users happily click along in their Wonderful World of Windows where it's always 72F & no clouds in the sky.



So, of those 3/4 million, most are basic copies of someone else's work.
So you could probably reduce that by a factor of 10 or maybe 100 and possibly be nearer the "new original virus" number.

Why do people hack?
Malicious Intent by Foreign Governments and Militants
Financial Gain
Idealism
Help Identify Security Breaches
Thrill/Challenge

There are at least three good reasons in there for me to try my hand at it, why not the script kiddies!


__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
donoli
Senior Member
Posts: 505
#9
AV is a false sense of security.  If that weren't true, this thread wouldn't exist. Whatever the daily new virus number is for a particular day, AV companies can't possibly maintain full protection, not even close.  The average user doesn't know that & no one else wants to admit it.   I don't know if the "new virus" number can be reduced as you described.  It depends if the virus signature was changed or not.  If it changed, it's new & a new dat file was needed yesterday not next week.


Mafervus
Grumpy Old Men
Posts: 31
#10
The sad truth is, most ransomware would not be an issue if people kept their systems up to date and avoided things that didn't look right. It is a sad state since so many nations allow criminals to operate with no repercussions. When you can buy "profit sharing" ransomware and hijackers offer services with 99% uptime, the battle has far surpassed "normal protection". Having said that, knowing there are almost a million variants of existing released in 2015, it is hard to imagine things being better without some form of protection.
__________________
The problem with troubleshooting is that trouble shoots back. ~Author Unknown
donoli
Senior Member
Posts: 505
#11
In my previous post, I said that AV is a false sense of security. The best AV is your brain.  Another false sense of security is law enforcement. Just as the AV companies can't defend against all viruses, law enforcement can't stop all criminals nor do they want to stop them. 
DennisMCSE
Senior Member
Posts: 150
#12
I don't think that AV is a false sense of security. Even if it doesn't block all the new 3/4 million of new viruses every day, it will at least block older viruses that have been around for a while. Yes, your brain is the best AV, but how often are people distracted for that one second or that accidental click that happens. Anyone get stuck with one of those annoying ads that pop up when you just scroll over a link, you don't even have to click the link anymore. Then there are the web pages that have been hacked that have a browser redirect to a website with a virus on it.

Anyone have to support their parents' or grandparents' computer? If my mom's computer didn't have AV installed on it, I'd have a lot more "I don't know what I did" phone calls.

Not having AV on a computer, in this day and age, is not a good thing. Same with not installing security patches on a computer or turning automatic updates off, is not a good thing. In my opinion, not having AV or installing security patches on computers is why law enforcement can't stop criminals. I attended a meeting of law enforcement officers in Canada (local police, RCMP, CSIS) and they said that their biggest problem to stopping the criminals is people that don't have enough protection on their computers. It just increases the work that law enforcement needs to cover and they don't have the manpower to stop the number of outbreaks that could easily have been prevented by people following simple security measures on their computer.


jsclmedave
Administrator
Posts: 445
#13
Agree with Dennis.  AV is not a magic solution but an additional layer, just like AppLocker, BitLocker, a decent pass-phrase, not logging in with an Admin account and staying up to date on patching.  There is no one solution to provide absolute protection.  The more layers used the better...
__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
donoli
Senior Member
Posts: 505
#14
Quote:
Anyone get stuck with one of those annoying ads that pop up when you just scroll over a link, you don't even have to click the link anymore.


I never understood that "hover" thing anyway where the mouse passes over something & it activates. Why did MS implement that?  I forgot how to disable it.  Maybe someone can explain it.

Quote:
Anyone have to support their parents or grand parents computer?


At one time I had to support my father's PC. He was 80 at the time. My sister must have clicked on something & it sent a virus through her address book.  Besides myself, my father was the only one smart enough NOT to open it.  Two of my brothers clicked & had a world of problems.  I spent a lot of time on the phone that week.
Moral of the story: Sometimes the old timer has better sense.

Quote:
 and they said that their biggest problem to stopping the criminals is people that don't have enough protection on their computers


In some cases, you can say that or you can say that it's a PBKAC. That's a Problem Between Keyboard & Chair.  Who is between the keyboard & the chair?  The user. I don't like to blame the victims for malicious acts committed against them.  However, if it happens once, it's time to look for a way to prevent it from happening again.


Familll
Still Checking the Forum Out
Posts: 1
#15
Why not use another laptop to Google UltraCrypter and find removal steps to remove it? It seems that there are lots of free guides on the Internet. Here's the Google result.