OutdoorKing Repair Forum Forums General Discussion Forum Off Topics A Bad Computer Virus - Warning to Members

While I was on my break I had a very bad virus attack my computer.
It is called Ransom Locky.When Locky is first installed it will check to see if the computer is using the Russian language, and if it is, will not encrypt the computer. Otherwise, it will connect to a remote Command & Control server that is under the Locky developer's control and send it the ID associated with the victim's infection. This ID is generated by taking the first 16 characters of a MD5 hash of the GUID for the storage volume that Windows is installed on. Once it sends the ID, Locky will respond with an RSA key that will be used during the encryption process. Locky will then create a Windows registry key that it will use to store configuration information. This registry key is located at HKCU\Software\[random]. Locky will now scan the computer's local, removable, mapped drives, and unmapped network shares for file types that it targets for encryption.
Once it has encrypted your files it will give you a ransome note.Giving you instructions of how to remove as below.

However your files will be encrypted.It gives you instructions of how to do this.
Once you have install a tor browser and gone to their website.That's where they want you to pay .05 of a bitcoin or $230US.

Please I urge do not,I repeat do not go on the deep-web with a windows based computer it is far to dangerous,for your computer.

All I can say is guys please please make sure you back up your files.Unfortunately I didn't back up everything and I lost quite a bit.The worst being photos especially our wedding photos.So be careful with horrible things like that out there,like I said back your files up.Paying for this encryption key after searching the deep-web I found that I could pay but I wasn't going to get the key.
The best thing to do is keep your antivirus up to date and use some kind of Malware program on your computer.A virus like that is more likely to show up on a malware program.As my anti virus never detected it at all.
I only noticed two days after my computer got it and the first 2 of my hard-drives were encrypted.
I hope none of you guys get it I'm still even weeks after it trying to recover my files and fixing my computer.I properly never will get my files and photos back,but have to try.
Sorry I just wanted you guys to be aware of terrible viruses that are out there doing damage.
Thanks.

Blumby, I wish I had the slightest idea what you are talking about, all mumbo jumbo to me. I think if that happened to me my computer would go in the bin and I would go back to using paper and stamps to send letters

Yes trust me in feels like that.I lost most of my mower manuals and stacks of photos.It's very disheartening when so many years of ones digital life is taken from you.So many many hours of sorting and scanning manuals gone.Some of which where others that had sent me copy's and I'll be hard pressed to get again.I did question on whether to start again,and decided yep but this time backing up twice now.Wasn't good.

I'm sad to hear this, I've had viruses attack my computers in the past and it is an unpleasant experience.You have to be vigilant and a good anti-virus program helps, also stay away from dodgy websites like Outdoorking.

vires come from looking were peoples should not be looking
my frend told me don't look porn rude type things people try hack in side my computer I don't now how
outdoorking site safe for me no plobem

Unfortunately guys this ransom locky doesn't get picked up by an antivirus program as it doesn't behave the same as a virus.Viruses basically infect files a ransomware encrypts files and locks them away leaving you only one option to pay the ransom.That's why everyone should have some kind of malware program on their computer.I run AVG antivirus on mine and it didn't even know it was there.Bad evil stuff it is.

Thanks Blumbly for the warning. Any idea where you got it from?

That is a very big question tiger.I can't answer that as my computer picked it up on Wednesday June 22 at 3.22PM. I was at work at that time.I didn't discover it until Friday the 24th.
The most common way to get it is through a spam email that has a word document in it that usually comes up with a name of "invoice".Which will look something like the picture below.


Now we all know about opening emails that are zipped up or an .exe file,but until recently nobody realized about doc files.
In that 50 KB document there is a hidden .exe file.Up until the February update it wanted you to click the options button in the picture below,which then activated,but the updated version I got I believe it doesn't need that process.


Once that document is activate the ransomware (in the background) installs it's self.Immediately once it is installed it then sends a request to it's server to receive the rest of the files (and the encryption key it will use) it requires to complete it's installation.
Now this ransomware was updated on Tuesday February 16th 2016.
While ransomware infections had been detected at a rate of between 10,000 and 15,000 per week in January and early February 2016, the number began to rise, coinciding with Locky�s appearance on February 16, and detection's stood at more than 20,000 in the week leading up to March 8.


As you can see above the amount of infected computers was on the rise.
One of the most recent emails came through as a subject name of �Scanned Image�.
There has been some talk about certain web sites also sending a small file to start the infections,but I can't retrieve that information as that was pages found on the deep-web and currently I haven't got an os safe enough to go into the deep-web.
I'm sure that most sites that have any info on this haven't been updated since late February or earlier march.
I know over time they will change the way it is executed and these mongrels are getting away with it and making easy money.The more people that pay the more they will develop it.
This image is a threat Scorecard,just to show you the level of the threat.


I'm sorry to go on about it.I just don't want anyone else to get it it really is a mongrel of a thing,and it is a real problem.
So hopefully if you guys are aware of it and what and how it's starts at least when you see it pop up you know to delete it.
Also don't forget a good Anti-Malware software as Anti-Virus won't detect it.
Hope this helps protect you guys.

Thanks I was totally unaware of this one.

Thanks for the heads-up on this one, Blumbly.
I tend to be less than fully aware of Windows nastyware and virii, as I run a Linux system. This one is very nasty, as it will affect all drives the infected PC has write access to, not just the local C: drive. Including removable drives that are plugged in at the time.

A couple of good rundowns on Locky Ransomware are here: SITE 1 and SITE 2.

Both of these have info on commercial antimalware programs that will specifically prevent ransomware from acting.
'Malwarebytes', a very respected malware protection/removal software company, has a specialised anti-ransomware offering in beta testing now, too.

'Site 2' also includes info on a copycat ransomeware known as 'AutoLocky', which can be recovered from fairly readily, unlike the original 'Locky'.

If you become aware of the Locky attack soon enough, it may be possible to recover some [though probably not all] of the trashed/encrypted files with 'file recovery software' - after removing the malware. From Site 1:

Lastly, while MS Office documents are well known to be high-risk for malware via macros, PDF files can also carry nasty payloads.
So it's not a good idea to open PDF's attached to e-mails from untrusted sources.
See SITE 3 for a useful rundown.

Awesome work Gadge you have done your homework.Unfortunately for me as I had the latest and greatest (so to speak) of the ransomlocky R-Studio or Photorec were unable to recovery my files that were not written in Russian. I am about to try another program call On track Easy recovery which has come highly recommend and is also an Australian company.I have herd they have had some success.The big problem is that it deletes a program call shadow copy so recovering from that can't happen,or a previous restore date are removed.
Mongrels that's all they are.