Today I had my first run-in with the infamous Homeland Security / FBI Ransomware. For those who are not aware, it is a form of malware that hijacks the computer at start-up and demands that the user pay a sum of money, typically $300 from what I have heard from other techs. After selecting a profile to load, a single window pops up that appears to be a notice from the Homeland Security Department claiming that you have violated internet laws. To further scare the user, an “English” voice blasts from the speakers demanding restitution in the amount of $300. I must admit, I was somewhat impressed by the presentation and excited, as I had heard that it was pretty difficult to cleanse from a system. I do not take viruses or malware lightly, but boy was I disappointed: it took little effort to remove this notice from the system.
My first action was to restart the computer and boot into Safe Mode with Command Prompt. Safe Mode allows only the essential applications to run, hopefully giving some wiggle room to un-compromise the system. Once the command prompt came up, I launched the desktop from it by running explorer.exe. I let the system run for two minutes before proceeding and was shocked that the ransomware did not load (I know, I should be thankful). I continued with my action plan by using the Windows Restore feature on Windows 7.
Now, I have a theory on how this malware works. I do not believe it activates automatically; rather, it is triggered after a certain action has been taken by the user or a certain amount of time has elapsed, similar to how a logic bomb works. Knowing this, I did not go back to three days prior, when the system was working without a hitch, but instead to 30 days prior. I can say with a degree of certainty that this system, including its registry, was not infected last month, so it is a safer bet that starting from that point would be okay.
The restoration process took about 10 minutes, but after it completed and the computer restarted, everything appeared to be right on the outside. As a precaution, I scanned the system with Malwarebytes and TDSSKiller and did a boot-time scan with Avast, after which I found remnants of some infected files and removed them (unclear whether they were related) and updated Windows.
The entire process took less than 3 hours (with multiple scans), and although I was disappointed at how easy it was to get rid of this version, I learned a very valuable lesson as a tech: don’t underestimate Windows Restore. Educating your friends, family and clients on keeping up-to-date restore points on their systems is invaluable. It can solve close to 60% or more of the software troubles you may run into, especially the ones that have altered the registry without the user’s knowledge.
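The 30-day rollback choice and the advice to keep restore points current, as an added PowerShell script that is not part of the original post: it lists the machine's restore points, picks the newest one that is at least 30 days old, and can record a fresh baseline on a machine known to be clean. It assumes an elevated Windows PowerShell 5.1 session; the variable and function names are mine.

```powershell
# Added example (not from the original post). Assumes an elevated Windows
# PowerShell 5.1 session; Get-ComputerRestorePoint and Restore-Computer are
# not available in PowerShell 7. $MinAgeDays and $Restore are names chosen here.
$MinAgeDays = 30      # the post rolled back 30 days, not 3, in case the malware sat dormant
$Restore    = $false  # set to $true to roll back; default is report only

function Get-RestorePointInventory {
    # Each restore point carries a DMTF timestamp string; ConvertToDateTime
    # turns it into a DateTime so the points can be compared and sorted.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Description = $_.Description
        }
    } | Sort-Object Created -Descending
}

function New-CleanBaselineCheckpoint {
    # For a machine known to be clean: make sure System Protection is on and
    # record a fresh point. Windows skips a second checkpoint within 24 hours
    # by default, so running this once a day is enough.
    param([string]$Drive = 'C:\')
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description "Clean baseline $(Get-Date -Format yyyy-MM-dd)" `
                        -RestorePointType MODIFY_SETTINGS
}

$points = @(Get-RestorePointInventory)
if (-not $points) {
    Write-Warning 'No restore points found; System Protection is probably off for this drive.'
    return
}
$points | Format-Table -AutoSize

# Newest point still older than the cutoff: keeps most of the user's changes, predates a dormant infection.
$cutoff    = (Get-Date).AddDays(-$MinAgeDays)
$candidate = $points | Where-Object { $_.Created -le $cutoff } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning "No restore point is $MinAgeDays or more days old; oldest is $($points[-1].Created)."
    return
}
Write-Host "Candidate: #$($candidate.Sequence) from $($candidate.Created) ($($candidate.Description))"
if ($Restore) {
    # Restore-Computer reboots the machine. Run it from Safe Mode with Command
    # Prompt, as the post did, so the malware's startup hook is not running.
    Restore-Computer -RestorePoint $candidate.Sequence -Confirm
}
```

Call New-CleanBaselineCheckpoint only after the scans come back clean, so the point you later roll back to is one you trust.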
Written by Sage NC