Ransomware removal HELP

[Sillymonkey]

My pc got infected with some ransomware and I was wondering if anyone could help me remove it. They are threatening to leak all my personal information if I don’t pay them 100-500 dollars or help them infect 4 other people. From what I could tell they used node js to infect my machine having me install some things on it. 

[Maurice Naggar]

Hello .

My name is Maurice.

Please provide some detail.  Is this message in a email ?

Also. Is this on a Windows machine ?

Did you in fact download and open some dodgy or unknown or questionable file ?

Did you open a attachment from an email?

 

[Sillymonkey]

Hello, I was installing something I thought was to host a bot for an app called discord for someone and It turns out it was malware. I did a command called npm install something or another and my pc restarted saying it was doing a windows update then it loads up to that screen. It is a windows 64 bit machine. 

[Maurice Naggar]

Did you scan with antivirus. Like Microsoft Defender in Windows 10 ?

Did you scan with Malwarebytes for Windows ?

In order to begin to help you properly, I will need a diagnostic report in order to review & diagnose.

Specifically the FRST Farbar diagnostic report. It is safe to get & use.

https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply. You may if you wish, ZIP the 2 into a zip file & then attach.

{ just please do not copy, paste their contents in main body of reply box here.)

[Sillymonkey]

I can’t access anything only my computer at the moment as soon as I boot up my pc it instantly brings me to that page without a windows load screen or anything 

[Maurice Naggar]

I am sorry to hear that. That sort of sheds light on how that screen ( in screen grab) came about.

Tell me, do you have another working computer ?  or else, if you may have access at another at like a neighbor or close friend ?

and do you have a USB-flash-thumb-pen drive ?

Is this pc running Windows 10 ?

Could you just try to POWER OFF the pc.  wait about a minute.  Then keep Holding the SHIFT key down all the time as you power up the machine.

[Sillymonkey]

I have 2 devices other than the infected machine a desktop and a laptop both running 64 bit windows.

I have a usb-drive around the 100-200GB range not sure on the exact number just know it’s around there. 
 

when I turned it off and waited a minute then turned it back on, I held shift the whole time it doesn’t seem to do anything. I also had a few friends tell me to try and rapidly press F8 and F10 both didn’t do anything. When I rapidly pressed F11 on startup I was still able to boot into the msi bios.

[Maurice Naggar]

Tapping F8 as soon as the pc is powered on is what can be done to be able to force the Advanced startup options.  such as to Safe mode, or Safe mode with networking, or a Command prompt.

Keep that in mind.  You are saying that F11 is how to get to Bios options.   Keep that in mind for later.

I am going to list 2 things here.  The first is a way to try getting into Safe mode /// better yet, I would opt for Safe mode with networking.

There is an article with a video that may be helpful.   Take some time to look at the video once or twice.

The article lists several ways to get into Safe mode, including a video at the top of the article.

https://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10

 

You will need to Power OFF the computer ( for a minute)  then power it back ON  and then be ready for action.

If neither the video or the top of the article work out, look at his #2     2. Interrupt the normal boot process of Windows 10 three times in a row

Just take your time doing all this.   The main goal we have is to get into Safe Mode or else Safe Mode with Networking.

Have a lot of patience.  I know it is frustrating.  I regret your troubles.

Give those some tries.   Let me know if that is a success.   and if so, stop and advise me of same.

>

[    2    ]

This here is about making ( formatting) a USB-thumb-flash drive  ( at least 8 GB capacity size)  BUT this needs to be a USB that is formattable / NOT one where you have saved data or backups or permanently saved files.   It needs to be a USB that can be repurposed or a new fresh USB.

>

Making USB with the Microsoft Media Creation tool   

Look at Option One on this article

https://www.tenforums.com/tutorials/2376-create-bootable-usb-flash-drive-install-windows-10-a.html

.

Let me know when that is done.

Let me know if you know how to adjust the 'problem-pc's BIOS boot-start options   so that  ( at a much later point) it boots up first from USB drive.

The hope of using the MCT USB is simply and only just to get to a Recovery Command prompt  ( NOT to install Windows)  and from there to run a special report.

Once you have built up this USB flash-drive then STOP  and let me know.   I will guide you further after that.

[Maurice Naggar]

I would like to inquire:  Did this pc ( prior to this infection) have a full backup on offline media ?

Before this infection incident, did this pc have installed on it Malwarebytes for Windows Premium ?

[Maurice Naggar]

IF your infected-computer is connected to any local network, do disconnect it from the network.

It's imperative you keep all your other computers / devices safer.  To that end, some tips.
Tips to help protect from infection
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/#comment-1372004

If your Windows 10 pc only has Microsoft Defender antivirus, be sure it has the Premium Malwarebytes for Windows  ( which has anti-ransomware protection, as well as anti-exploit protection).
For non-Windows devices, there are versions for Android, Apple OS, iOS, Chromebook.
>

>

as Trendmicro says

Users and organizations should follow important security recommendations in order to keep their devices and systems protected from ransomware, including enforcing the principle of least privilege, disabling local admin accounts, and limiting access to shared or network drives.

The following are other vital recommendations for users and organizations to prevent ransomware attacks:

Unverified emails and links embedded in them should be opened with caution, as ransomware has been known to spread in this manner.
Important files should be backed up using the 3-2-1 rule: Create three backup copies on two different media with one backup in a separate location.
Regularly update software, programs, and applications to protect them from the latest vulnerabilities.
Keep personal information safe, as even this could give out clues to security information on used systems.

cf. https://www.trendmicro.com/en_us/research/21/c/new-in-ransomware-alumnilocker-humble-feature-different-extortio.html
>
Chat apps such as Discord have been used in facilitating propagation of ransomwares.
as per Lawrence Abrams at Bleepingcomputer.com

Quote

 

Discord is commonly used by threat actors to distribute malware or harvest stolen data.

As threat actors turn to Discord, it is critical for administrators and network security tools to monitor Discord traffic for threats or other abnormal behavior.

 

cf. https://www.bleepingcomputer.com/news/security/new-ransomware-only-decrypts-victims-who-join-their-discord-server/
>

I suspect your machine is the victim of a ransomware quite similar to Humble ransomware.
cf. https://www.trendmicro.com/en_us/research/21/c/new-in-ransomware-alumnilocker-humble-feature-different-extortio.html
>
Pleae be very aware that Malwarebytes has no decrypter for ransomwares. User files, documents, image files, and other files encrypted by ransomware cannot be recovered except from a Backup that was saved before.
>
At this point, there's no clue as to whether in fact your user files have been changed ( encrypted) or what the "extendion" of their file-names is.

And by the way, you need to report this incident to the FBI if you are in the USA.
Report incidents immediately to the FBI thru IC3.gov https://www.ic3.gov/Home/FileComplaint   , with  CISA at us-cert.cisa.gov/report

I do hope that you have a Backup offline from before the infection. If so, Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware.

 

[Maurice Naggar]

You have advised me that you have done a new install of the Windows OS.  I will relay some tips here, safety related, and then close the case.

I would urge you to install and have the Premium Malwarebytes for Windows so that this system has active anti-ransomware protection. Protect all your devices. You can get a license with as many seats as you have devices, including Windows, Apple Mac, Android, Chromebook. 
Note for iOS devices that license is a separate purchase thru Apple.

>

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

The Windows 10 / 11 Edge browser can use the same Guard as the one for Google Chrome.
Note: If your pc has  Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).
>

Do use PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.

Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

>

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice