Recently, a friend of mine asked me for some help with her Windows PC. Her son got bitten by a nasty bit of ransomware. A giant screen came up saying “YOUR COMPUTER HAS BEEN LOCKED”, claiming that the NSA’s PRISM program had detected illegal content on the machine. Only by paying $300 to the “NSA” could the computer be unlocked. The screen is insidious; there’s no way to get around this splash screen. You can launch other apps, but they’re instantly covered up by the screen.
I don’t do a lot with Windows these days (and this incident reminded me why I don’t have a Windows machine at home for my kids to use), but I figured I could help out. I thought it would be much like other malware I’d encountered in the past.
Apparently, this ransomware has been around in one form or another for a few years. The message changes (kudos to the bastards who write this for changing the graphics to take advantage of all the recent PRISM publicity), but the app is the same. Much of the advice I found online was from websites that are 100% focused on malware — for some reason, I am quite skeptical of these sites. I don’t know what their motivation is — are they just copying content from elsewhere on the web, are they just trying to sell their own software/services, or are they just publishing wrong information? I had hoped to find some individual guy’s blog article on the topic. Since I didn’t find much like this, I figured I would write an article to share my experience.
The malware in question is known as “W32/Reveton”. Here are a few links:
There was a lot of advice online about booting into safe mode. This doesn’t seem to help. The app still launches as soon as you log into your machine in safe mode. It blocks any attempt to interact with other software, so you can’t run any sort of anti-spyware software.
Some sites advised booting from UBCD4Win. I didn’t pursue this, because I needed a Windows machine to build a minimal Windows image on the CD. This seemed like too much of a hassle.
Finally, I stumbled across Windows Defender Offline. You have to use another Windows machine to run the executable which builds the ISO, but it seems less complicated than building a UBCD image. I was able to build this ISO on a virtual machine on my Mac. Booting from this CD was exactly what I needed to do. The application found W32/Reveton right away and cleaned up the infection.
I hope this helps somebody out there!