Just imagine if someone showed up on your doorstep and said, “Hey, there are mice in your house that you didn’t know about. Give us $100 and we’ll get rid of them.” This is the Ransomware Scam in its original form. There actually used to be people who would go around, let pests into your house and then knock on your door and point them out to you. “Good thing we saw them while driving by!” This scam must be making someone some good money because it’s still going on.
The scam needs a few things to be successful. First, the problem must be real. Whether the crook is putting mice in your crawlspace or malware on your computer, there is a real and verifiable threat. Second, they have to make themselves look like credible experts to make you think they can solve the problem. This could be an exterminator truck and coveralls, or the illegal use of an official logo like the RCMP’s. Third, they need to get your cash in hand quickly, before you can realize what’s going on. The exterminator might do this by saying something like, “Just give us $100 cash and we don’t have to charge you for a service call because we were already in the neighbourhood.” The online crook will take your credit card or a gift card.
Where things really take two different tracks between the real-life con and the online con is what can happen after you’ve paid them off. The real-life scum generally disappear, never to be heard from again. The online scum may leave behind malware that opens you up to them again and again. Or if they got your credit card and other personal information, they may just ruin your life as you know it.
First Things First
Yes, you’re going to get the whole “an ounce of prevention is worth a pound of cure” speech. Why? Because it is true.
Make sure that you are using a full gamut of security software – anti-virus, firewall, anti-phishing software, what have you. There are plenty of freeware versions out there that are very good. Make sure that all of your security software is up-to-date, and all the important security updates for your operating system are installed. Make sure that you are using your computer’s System Restore utility or back-up software. Try to stick only to reputable websites, don’t download pirated materials, and only open attachments that you are expecting to receive.
But, unfortunately, if you’re reading this, you probably missed a link in that chain somewhere. So what now?
Is It Ransomware?
So how do you know you’re being taken? Here are a few clues:
- Microsoft does NOT make house calls.
- The police DO make house calls.
- The software that the ransomware claims to be is NOT the security software that you installed.
- Helpful people don’t disable the rest of your computer until you pay them.
If any of the above apply to your situation, you just might have ransomware.
Force your computer to power down. Most often this can be done just by holding the power button down for a few seconds. Before you get ready to power your computer up again, be ready to hit the F8 button. What I normally do is hit the power button and start tapping the F8 key about once a second until I get a text screen like the one below.
Now, choose Safe Mode with Command Prompt. You’ll see some text go flying by and eventually you’ll just see a line of text with a cursor blinking at you. At this point, type this in and hit Enter:
Why do you have to do this from the command line? You might not have to, but the most recent and virulent police/RCMP/ukash ransomware seems to be defeatable only in this manner. Safe Mode with Command Prompt loads only the MOST essential Windows services and does not connect you to your network or Internet connection, so the ransomware’s lock screen never gets a chance to start.
Once the System Restore utility opens, hopefully you’ll have a few restore points to choose from. Choose one that is definitely a time before you got the ransomware. Follow the prompts to restore your Windows installation to that point in time. The restoration process might take a little time, so relax.
Reboot your computer and allow it to go into Windows normal mode. That’s done by just sitting back and letting the computer do its thing. The ransomware should now be gone.
Run your antivirus software and perform as thorough a scan of all your hard drives as possible. This might take a little while so relax and have a fine beverage.
Once this is all done, you may want to scan your computer with another antivirus program. Let’s face it, yours missed it the first time. ClamWin is a decent one that can be run from a USB drive.
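The whole method above depends on System Restore being switched on and having a restore point older than the infection. The following PowerShell script is an added example, not code from the original article: run it from an elevated prompt on a healthy Windows 7 machine to make sure protection is on for the system drive (assumed to be C:), take a clean restore point, and list the same points the System Restore utility (rstrui.exe) will later offer you.

```powershell
# Added example (not from the original article). Assumes Windows 7 with
# Windows PowerShell, run as Administrator, with Windows installed on C:.
# Do this BEFORE any infection; it is the prevention step the article recommends.

$drive = "C:\"   # assumption: the Windows system drive

# 1. Turn protection on for the system drive (harmless if it is already on).
Enable-ComputerRestore -Drive $drive

# 2. Take a restore point now so a known-clean state exists to roll back to.
#    MODIFY_SETTINGS is one of the documented RestorePointType values.
Checkpoint-Computer -Description "Clean baseline" -RestorePointType MODIFY_SETTINGS

# 3. List what is available, oldest first: this is the list rstrui.exe shows,
#    and the entry you pick later must be dated BEFORE the ransomware arrived.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if (-not $points) {
    Write-Warning "No restore points found; System Restore may still be disabled on $drive."
    return
}
$points |
    Sort-Object SequenceNumber |
    ForEach-Object {
        # CreationTime is a WMI date string; convert it to a readable date.
        $when = $_.ConvertToDateTime($_.CreationTime)
        "{0,4}  {1:yyyy-MM-dd HH:mm}  {2}" -f $_.SequenceNumber, $when, $_.Description
    }

# When you later roll back from Safe Mode with Command Prompt, the utility the
# article has you open is rstrui.exe. The PowerShell equivalent, which reboots
# the machine immediately, is:  Restore-Computer -RestorePoint <SequenceNumber>
```

Keep the printed list somewhere off the machine; if the lock screen ever appears, you will know which sequence number is safely older than the infection without having to guess.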
I Disabled System Restore
Why? I bet you feel a little silly now, don’t you? Fret not, there are still ways to remove this ransomware. You’ll need the following:
- An empty USB drive or CD to which you can burn files.
- A computer with an Internet connection that is not infected.
- A little patience and courage.
Get on the Internet and look for Windows Live Repair CDs. There are a bunch of them out there, but any of the ones that Justin mentions in his article, Three Live CD Antivirus Scanners You Can Try When Windows Won’t Start, will do. They are all EXCELLENT choices. I keep all three in my IT toolkit.
If you’re looking for bootable USB tools, you can try Dave’s article The PC Repair Toolkit in your Pocket: Boot CD on a USB Stick. Sure, the article is from 2008, but the method and software are still valid and work like a charm.
How Do I Use The CD Or USB Drive?
Before you power down your computer, you want to put the CD into your CD drive. If you are using the USB drive option, wait until the computer is powered down to insert it.
Now restart the computer. As it is restarting you’ll need to tap the button that will give you the Boot Menu. On my Acer, it’s F12. It may be different on your computer. Once you get the boot menu, choose to boot from the CD/DVD drive or the USB drive – whichever applies to you.
Your computer is going to use the USB or CD drive as its operating system, so don’t expect to see anything like Windows. Use the antivirus software that is on the USB/CD to give your computer a complete and thorough scan and cleaning. Follow the antivirus software’s recommendations, which will usually be to delete the offending files. This process may take anywhere from 20 minutes to a few hours depending on the size of your hard drive and the boot CD/USB that you are using. You can’t wander away, though; stay there to respond to the alerts.
Once the process is done, log out of the USB/CD boot software, remove the USB/CD, and reboot your computer. You should now be ransomware free. If you are confident in your abilities, you may want to clean your registry once the computer reboots to remove any lingering bits and annoyances. Piriform’s CCleaner registry cleaning function is pretty good for this.
There it is. That’s as hard as it gets. I hope you don’t have to experience this issue, but if you do, I hope that I’ve been able to help you out. Worst case scenario, you shut the computer down and take it to your trusted IT person. Yes, you might be a little embarrassed that you got the ransomware in the first place – it usually comes from doing things you shouldn’t or those entertainment sites that aren’t for minors. But you’ll get the problem dealt with and enjoy a lesson learned. Plus your IT person has probably been to some of the same sites anyway – we’re all human.
If you’ve got any questions about what else you can do to remove or prevent ransomware, let us know in the comments. Our writers and fans are some of the best on the web, and can probably help you out – for free.
Image credit: Locked and chained computer via Shutterstock