Nasty ransomware overwrites your PC's master boot record


  1. Posts : 3,105
    W10 Pro + W10 Preview
       #10

    Useful ways to find and remove ransomware hijackers.
    If only the page is captured, disconnect router, delete offending page, reconnect router.

    If encrypted by ransomware the following options are available.
    Ctrl + Shift + Esc together will open Task Manager, in Processes find the intruder, write down the name for future reference, right click on it to kill process and also open file location to delete.

    Windows Logo + R opens Run box where you can open Regedit and Msconfig, both offering access to the infection.

    Looking in Hidden Files and Folders will again reveal intrusions.

    If you have previously created a Restore Point then you can reset.
      My Computers


  2. Posts : 11,247
    Windows / Linux : Arch Linux
       #11

    Hi there

    Macrium Reflect -- decent bootable restore image will kill any of this nonsense. Another reason for taking REGULAR BACKUPS !!!!!!!!. Keep a few versions so you don't restore a version with the ransomware still on the system.

    This type of SCAM is so old hat I'm surprised people are still getting caught by it --- NEVER pay any money and forward any emails / phone recordings to Police or whoever is the Fraud regulator in your jurisdiction.

    For recording phone calls -- this (albeit slightly expensive system) from the UK is one of the best -- if not the best that I've ever come across.

    http://www.dstele.com/truecallcallscreening

    Cheers
    jimbo
      My Computer


  3. Posts : 3,352
    Windows 10 Pro x64
       #12

    dmex said:
    Yes. If you installed Windows via UEFI then that ransomware doesn't do anything since EFI doesn't use boot sectors such as the MBR and uses an EFI file located on the partition. It also helps to have Secure Boot enabled since that also prevents any tampering with the EFI files.

    If it's true that UEFI systems are impervious to ransomware, isn't that the most logical protection for any OS that supports it? Since I have no need for partition setups that MBR can't accommodate, I've avoided switching to GPT to save the extra space it needs. But shielding against ransomware seems to be a strong reason for making the change.
      My Computer


  4. Posts : 963
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015
       #13


    Thanks for the heads up, folks... I just scored beta 6 there @ the link above after a Google search inquiry.

    No UEFI here... I didn't want to fool around with all that GPT partitioning on the one PC here that can use it (the HP Elitebook); the other three desktops are regular CMOS legacy BIOS.

    OTOH all this makes a good argument for UEFI mainboards.
      My Computer


  5. Posts : 963
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015
       #14

    dencal said:
    Useful ways to find and remove ransomware hijackers.
    If only the page is captured, disconnect router, delete offending page, reconnect router.

    If encrypted by ransomware the following options are available.
    Ctrl + Shift + Esc together will open Task Manager, in Processes find the intruder, write down the name for future reference, right click on it to kill process and also open file location to delete.

    Windows Logo + R opens Run box where you can open Regedit and Msconfig, both offering access to the infection.

    Looking in Hidden Files and Folders will again reveal intrusions.

    If you have previously created a Restore Point then you can reset.

    Thanks for all that... I've done the regedit and hidden file hunt before and some of the usual one time use cleaners for the big nasties (mostly on OP boxes), outside of some toolbar hijackers and unwanted Crapafee shields from legitimate downloads [like Flash @Adobe] on my boxes before Chrome Pepperflash... and so on if I didn't uncheck the right tick box.

    I've never been stupid or unlucky enough to get all that hijacked so far. I copied and pasted all that into my Windows 10 tips folder that will be included in my regular backups outside this OS in case somebody can use it or I forget, but I shouldn't; it's good to know and fairly simple and routine outside the newbies.

    FWIW (so far this works here)... when I see a ransomware looking or any dodgy redirect... I kill the browser app & processes in Taskman, relaunch the browser and go on about my business.
      My Computer


  6. Posts : 963
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015
       #15

    jimbo45 said:
    Hi there

    Macrium Reflect -- decent bootable restore image will kill any of this nonsense. Another reason for taking REGULAR BACKUPS !!!!!!!!. Keep a few versions so you don't restore a version with the ransomware still on the system.

    This type of SCAM is so old hat I'm surprised people are still getting caught by it --- NEVER pay any money and forward any emails / phone recordings to Police or whoever is the Fraud regulator in your jurisdiction.

    For recording phone calls -- this (albeit slightly expensive system) from the UK is one of the best -- if not the best that I've ever come across.

    http://www.dstele.com/truecallcallscreening

    Cheers
    jimbo

    Right... a good clean backup is a sure thing.
      My Computer


  7. Posts : 630
       #16

    dmex said:
    Yes. If you installed Windows via UEFI then that ransomware doesn't do anything since EFI doesn't use boot sectors such as the MBR and uses an EFI file located on the partition. It also helps to have Secure Boot enabled since that also prevents any tampering with the EFI files.

    Thanks... for reassuring.

    I do use UEFI with the secure boot. I used UEFI originally because it handles the 2TB hard drive limit when using MBR. I do have a couple of 3 & 4 TB drives. Such a hassle getting them usable in an MBR system.
      My Computer


  8. Posts : 438
    Windows 10 Home 64-bit, 22H2 19045.4170
       #17

    My laptop uses UEFI and Secure Boot is enabled by default. Does that mean that I don't need to worry about ransomware?
      My Computer


  9. Posts : 1,557
    W10 32 bit, XUbuntu 18.xx 64 bit
       #18

    So if you enable UEFI without secure boot, you could still be protected and even use Windows 7 64 bit and Linux 64 bit systems?
      My Computer


  10. Posts : 1,191
    Windows 11 Pro x64
       #19

    UEFI and secure boot will not protect you against ransomware. All they need to do is gain access to your system and encrypt your precious files. They don't need to encrypt the MBR.

    Offline backups will protect you.
      My Computers
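
Added example (not part of any post in this thread): a small checker that tells from the first two sectors of a disk image whether the disk is MBR- or GPT-partitioned, and whether the MBR boot code still matches a known-good hash. It assumes 512-byte sectors; the function names and the sample images are constructed for illustration, and reading sector 0 from a real disk (which needs administrator rights) is not shown. It only covers boot-sector tampering, not file encryption.

```python
import hashlib

SECTOR = 512  # assumption: 512-byte logical sectors

def classify_sector0(image: bytes) -> dict:
    """Classify the first two sectors of a disk image as GPT, MBR or INVALID."""
    if len(image) < 2 * SECTOR:
        raise ValueError("need at least the first two sectors")
    s0, s1 = image[:SECTOR], image[SECTOR:2 * SECTOR]
    boot_sig_ok = s0[510:512] == b"\x55\xaa"
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    types = [s0[446 + 16 * i + 4] for i in range(4)]
    if boot_sig_ok and 0xEE in types and s1[:8] == b"EFI PART":
        style = "GPT"      # protective MBR plus GPT header in LBA 1
    elif boot_sig_ok:
        style = "MBR"      # legacy layout: firmware executes this sector
    else:
        style = "INVALID"  # no 0x55AA boot signature
    return {
        "style": style,
        "partition_types": [t for t in types if t],
        # Bytes 0..439 hold the boot code that a boot-sector overwrite replaces.
        "boot_code_sha256": hashlib.sha256(s0[:440]).hexdigest(),
    }

def boot_code_changed(image: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from a hash recorded on a clean system."""
    return classify_sector0(image)["boot_code_sha256"] != baseline_sha256

def _make_image(boot_code: bytes, ptype: int, gpt: bool) -> bytes:
    """Build a constructed two-sector sample image (not taken from a real disk)."""
    s0 = bytearray(SECTOR)
    s0[:len(boot_code)] = boot_code
    s0[446 + 4] = ptype
    s0[510:512] = b"\x55\xaa"
    s1 = bytearray(SECTOR)
    if gpt:
        s1[:8] = b"EFI PART"
    return bytes(s0 + s1)

# Constructed samples: placeholder boot code bytes, one NTFS-type entry (0x07).
CLEAN_MBR = _make_image(b"\xfa\x33\xc0" + b"\x90" * 64, 0x07, gpt=False)
TAMPERED_MBR = _make_image(b"\xeb\xfe" + b"\x00" * 64, 0x07, gpt=False)
GPT_DISK = _make_image(b"", 0xEE, gpt=True)

if __name__ == "__main__":
    baseline = classify_sector0(CLEAN_MBR)["boot_code_sha256"]
    for name, img in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("gpt", GPT_DISK)]:
        print(name, classify_sector0(img)["style"], boot_code_changed(img, baseline))
```

Record the baseline hash while the system is known to be clean and store it with the offline backups, so a later comparison does not depend on the machine being checked.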


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd