
General discussion

Ransomware: How do you prevent it from happening?

Dec 19, 2014 7:40AM PST
Question:

Ransomware: How do you prevent it from happening, and if you were held up, do you pay?


I've been seeing a lot of news headlines about ransomware, which I think is when a hacker gets into your computer and puts a lock on it so that you can't do anything on it and demands a payment of a specific amount, or else your computer will remain locked or will be wiped clean. Am I correct or is there more to it? This has me a bit concerned. Even though my computer doesn't hold top-secret materials, I still don't want to get caught in this mess. So how would one go about preventing this type of ransomware from being attached to my computer? Is an antivirus program good enough to keep this from happening? If not, what should I have installed to prevent this? And out of curiosity, if this were to happen to you, where your computer was held up for ransom, would you pay up? Why or why not?

--Submitted by Steven H.


- Collapse -
Should I back up my data to another computer?
Jan 10, 2015 4:55AM PST

I have always backed up my data onto other physical drives on the same computer. I store very little data on the computer's System drive, but although I back up the data that I have saved on, say, the 'D' drive, I back up that data to another physical drive on the same computer. Should I back up important data on an external drive? What about password protecting the backup drives that are installed on the same computer that's being backed up?

Three networked computers
Custom built PCs
Windows 7
AVG Internet Security 2015 (purchased)
MalwareBytes Premium

Thanks,

Jim Sims

- Collapse -
Here's how to stop it
Dec 19, 2014 1:18PM PST

Being a computer technician, I see a ton of ransomware. The FBI virus is the most popular. All you need is a flash drive. You'll also need a computer to download HitMan Pro on, and then plug the flash drive in and let it install Kickstarter on it. Next, you'll put the drive in the infected computer, hold the power button till it turns off, press the button to turn it on, press F12 on the keyboard constantly and boot to your flash drive. You'll notice nothing will happen except the normal Windows boot. Next, Kickstarter will let Windows boot, let the virus start and then boot over it. Go through the steps to get it fully removed; that's your best option. On the note of preventing it, get Malwarebytes and have it scan once a week. The newer version is pretty fast and the most thorough. It's definitely what I use to prevent it. That'll solve all your problems and save you from taking it to a pro. Unless it's CryptoLocker, which is a whole different ballgame.

- Collapse -
Virus checking virus
Jan 9, 2015 11:48AM PST

HitMan Pro is a virus itself. Check Process Hacker to see.

- Collapse -
Virus checking a virus - chuck the Hitman
Jan 9, 2015 11:51AM PST

HitMan Pro is a virus itself. Check Process Hacker to see.

- Collapse -
I always thought so
Jan 9, 2015 10:16PM PST

I have come across Hitman Pro many times while doing PC Cleanups and have always removed it. I usually go with MSE, MBAM and CCleaner to do most of my cleanups. Also manually look thru all folders and clean them out, (from booting to ERD Commander, when possible, or Safe Mode when not possible). Then I also manually go thru the Registry, HKCU/Software and HKLM/Software, usually easy to spot and delete the real culprits.

Anyway, surprised to find folks here touting Hitman Pro. I will give it a little more research, and perhaps create a Hitman Pro Boot Flash Drive.

- Collapse -
MEDIA PLAYER 12 Update ?
Jan 11, 2015 2:54AM PST

I have yet to see a solution/fix that completely removes the "MEDIA PLAYER 12 Update" bullcrap.

Let alone HOW to prevent it from downloading on one's PC.

Anyone care to tackle this one ?

- Collapse -
I'd top post this one.
Jan 11, 2015 2:58AM PST

This thread is pages long and you deserve your own discussion.
Bob

- Collapse -
system restore
Jan 9, 2015 1:32PM PST

Hold the power button till it turns off. Start computer in safe mode and run system restore. Has worked for me several times.

- Collapse -
Worked for me last year....
Jan 9, 2015 4:33PM PST

Exactly what I had to do last year... I was Win7 at the time so not 100% sure how I'd get to that break point on Win8 SSD drive that boots super fast.

I use twin screens and was totally stuck with ransomware BUT noticed whilst powering off that the primary screen was basically launched to a URL and locked to it. It's not a cookie; mine was a 'software update' I'd accepted and was in two minds about so I knew what I'd done.

Safe mode and a restore point sorted me and I even reran the downloaded file just to check it. Yep.. it was one exe that caused all the trouble. That's NOT a virus; that was me doing something I should have known better and allowing some scumbag to dump their payload on me.

No doubt there will be more sophisticated attacks, but the key message is DO NOT accept software upgrades from web sites, and do NOT go browsing the shadier/pirate/freebie elements of the web on a Windows PC. If you do, then the very least you should do is download it, save it and scan it before you allow it to run.

Oh, and keep ALL your data on a separate drive or partition. Have it where you can back up the whole lot without fuss and messing about with multiple profile paths. One location, one simple backup.

- Collapse -
Ransomware & HitMan Pro
Jan 9, 2015 1:34PM PST

Excellent advice, iNosey. I got nailed with that FBI scan a couple of years ago on my desktop. I did some research on my laptop, found HitMan Pro and followed the instructions. Didn't take long at all and my desktop was back in tip-top shape. I keep the flash drive with HitMan Pro on it in my desk drawer on the odd chance it happens again. It's a great tool to have.

- Collapse -
fbi ransomware
Jan 10, 2015 3:33AM PST

I run Norton 360. Several times the FBI (or other) ransomware has come up and basically frozen my web browser, but Norton has stopped the bad stuff. I use Task Manager to close out the browser and go about my business.

- Collapse -
How to stop it
Jan 10, 2015 9:54AM PST

Norton 360 will always get you up and running... amen! It has saved me many times because of kids on the home computer learning things...

- Collapse -
Put the kids on a guest..
Jan 11, 2015 12:25PM PST

or limited account and they can't hurt the PC - especially if you have Parental Control set to white-list applications and processes for that account. That is probably one of THE most effective malware stoppers known.

- Collapse -
There was a real bad one a couple of years ago
Jan 10, 2015 5:42AM PST

I was helping out a friend, and it had a lot of attention so I knew its name. I Googled it and found a 3-stage fix that used Malwarebytes, and it cleaned it up, whereas with others it was just regenerated.

Recently I downloaded an app on my tablet and agreed to ads, but it loaded something called Crime Alert that acted pretty much like ransomware, trying to identify the actual site that I was on as sending a message of infection, which actually came from Crime Alert and was false. Again I looked it up and Malwarebytes was the solution. I use it as a one-time use, but I think you can install it also.

- Collapse -
Will these same instructions work for a Mac?
Jan 10, 2015 6:52PM PST

Hi! Thanks for the clear and detailed answer (and if someone has a step-by-step version for a Mac or MacBook Air/Pro, that's what I'd appreciate). I have Malwarebytes on my PC, but not my Mac (I use Bitdefender on my MacBook Air due to low power usage [I tried Intego first, whose info I preferred, but it drained power too fast], and it had the best tests for near 100% malware removal, at least in AVG 2014 tests). Any additional comments on using HitMan Pro, the flash drive boot, etc., from a Mac perspective are welcomed! Thanks in advance!

JL

- Collapse -
ClamXAV is specific to OS X and is very economical when
Jan 11, 2015 12:06AM PST

it comes to processor cycles.
Updated regularly, it also has a good price, Free.

Apple also has its own, built-in, malware checker which is updated, whether you like it or not, by a push from Apple.

You have already found that Symantec & Intego are resource hogs so if you are happy with Bitdefender, continue to use it.

Hitman Pro is not one that I am familiar with, but I do see many reports of it being a "virus" in itself. Fortunately the fix offered does not work on a Mac.

The only real advice I can offer is that you be careful of where you go when you surf and to avoid clicking on anything that doesn't look right or just looks too good to be true.

One very important thing; Turn OFF the "Open "safe" files after downloading" in Safari Preferences > General. This prevents anything from running automatically after it downloads.

P

- Collapse -
Malwarebytes as a solution to the FBI virus
Jan 11, 2015 5:41AM PST

One thing to note in this infection is that whatever worked to remove it will not work the second time around. It will be beneficial to you to have multiple spyware removal options, like SuperAntiSpyware or Spybot, on a flash drive so that removal is easier with an infected PC or device.

- Collapse -
This should be an easy fix for everyone
Dec 19, 2014 1:26PM PST

The first thing you should do is buy yourself an external hard drive, larger than your system, or C:\ drive.

The second thing you should do is buy yourself a very good backup program. I use Acronis True Image 2015, but that's just me. Look around and get yourself not just the best, but one that you will use, and use often.

The third thing you should do is backup your system, or C:\ drive onto the external drive.

The fourth thing you should do is get in the habit of backing up your system, or C:\ drive, on a regular basis. Like once a week. Most good backup programs have a scheduling feature, where they will back up your drive for you every day, or every week, or every month. Whatever you set it for. I would set it for every week.

Now you are completely protected from Ransomware. If it does happen to you, just whip out your emergency boot disk that you made with your backup software. Boot to it, and use your latest backup on your external hard drive to restore your system. If you have it set to back up every week, you may lose a couple of things, but within half an hour your system will be up and running like new.

A recent backup is the answer to a host of computer problems, and you will thank yourself the first time you use it to get out of a bad situation. Be that a nasty virus, like ransomware, to a complete system crash. I hope this helped.
Regards,
Mr. Windows

- Collapse -
scheduled backup
Jan 9, 2015 6:17PM PST

When ransomware hit the scene it occurred to me that the malware could work its way to my backed up files on my external drive. To deal with that possibility, I run my automatic backups to a second internal drive. Then, periodically, I run Bleeping Computer's ListCrilock exec to see if there are any encrypted files on my computer. From what I've read, the ransomware encrypts files until it completes the job and then presents the ransom screen. If there are no encrypted files, I plug in my external drive and copy over the backup files. When done, the drive is disconnected.

- Collapse -
Backing up c:\
Jan 9, 2015 7:01PM PST

Mr. Windows,
The advice is good, except for one thing. If your backup drive is connected when attacked, it will also become encrypted and then useless. Be sure to unplug/remove the backup drive when the backup is finished. I have a back blanking plate installed that I bought from eBay, which enables me to plug a HDD in without having to open the case. Then run Ghost32 (or whatever you have). This takes less time to back up (as it is drive to drive and not USB), and if need be it is simply a matter of replacing the system HDD and restoring your latest data backup and you are away. This usually takes about half an hour.
Cyclenut

- Collapse -
Don't trust automatic backups
Jan 9, 2015 9:56PM PST

Certainly wouldn't leave a backup drive connected so it can automatically back up infected files!
Set a reminder using your desktop notification system instead, and do it manually (after a virus scan).
Also, only let it back up your most current files.
No need to let it back up PROGRAMS automatically, just documents, etc.
You can always re-install the programs from another backup drive where you've saved them (or CD, etc.).
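
The posts above share one idea: keep the backup target disconnected, and before you plug it in, make sure the files you are about to copy are not already encrypted. The following Python script is an added example written for this thread, not code from any of the posters or from the ListCrilock tool mentioned earlier. It performs a simpler, tool-independent version of that "are any of my files already encrypted?" check: for common document types it verifies the file still starts with its expected header, and for unknown types it falls back to a byte-entropy test (encrypted or random data sits close to 8 bits per byte, plain documents much lower). The sample files it scans are constructed inside a temporary folder; the extension-to-header table and the 7.5 entropy threshold are assumptions chosen for the demonstration.

```python
import math
import random
import shutil
import tempfile
from pathlib import Path

# Assumed table of well-known leading bytes ("magic numbers") per extension.
# Office Open XML (.docx) and .zip share the zip signature.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
SAMPLE_BYTES = 4096       # only the first few KiB are examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True if a file no longer matches its claimed type, or is high-entropy."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known type: an encrypted copy will not keep its original header.
        return not head.startswith(expected)
    # Unknown type: flag only reasonably large, near-random content.
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def find_suspicious(root: Path) -> list:
    """Relative paths (sorted) of files under root that look encrypted."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def safe_to_rotate(root: Path) -> bool:
    """Only connect the offline backup drive when nothing looks encrypted."""
    return not find_suspicious(root)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: three healthy files and three encrypted-looking ones."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    (root / "good.pdf").write_bytes(b"%PDF-1.4\n" + b"hello backup " * 100)
    (root / "good.png").write_bytes(MAGIC[".png"] + b"\x00" * 100)
    (root / "notes.txt").write_bytes(b"The quick brown fox jumps over the lazy dog.\n" * 40)
    (root / "report.pdf").write_bytes(noise)   # claims PDF, header gone
    (root / "photo.jpg").write_bytes(noise)    # claims JPEG, header gone
    (root / "mystery.bin").write_bytes(noise)  # unknown type, near-random bytes


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, clean up, return findings."""
    tmp = Path(tempfile.mkdtemp(prefix="backup-check-"))
    try:
        build_sample_tree(tmp)
        return find_suspicious(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    hits = demo()
    print("suspicious files:", hits or "none")
    print("safe to plug in the backup drive:", not hits)
```

In practice you would point `find_suspicious` at the folders you are about to copy and refuse to plug in the external drive while it returns anything. The header check is the reliable part; the entropy fallback will also flag legitimately compressed or already-encrypted archives, so treat its hits as "look before you copy" rather than proof of infection.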

- Collapse -
System Restore has gotten rid of my Ransomware
Jan 10, 2015 1:55AM PST

The Subject title says it all.

- Collapse -
Malwarebytes for Ransomware
Dec 19, 2014 1:31PM PST

For about $25.00, you could get a subscription to Malwarebytes. This organization is located in San Jose, CA. I had the problem you describe. I downloaded their free trial version of Malwarebytes, and I was able to get rid of the malware causing the issue. I would never pay a ransom. I don't negotiate with ransomists. If they lock up your screen, try to go to another USER-ID if you have one set up on your computer. With that USER-ID, download Malwarebytes. Another option is to shut off your computer and try to come up in SAFE MODE. Once in safe mode, if you can get to the internet, download Malwarebytes. Good luck!

- Collapse -
Malwarebytes is Great, BUT...
Jan 9, 2015 2:35PM PST

If your data gets encrypted, Malwarebytes can't fix it. It may help you keep from getting locked in the first place and it can clean many viruses but it can't unencrypt your files.

- Collapse -
Don't pay --- back-up, back-up, back-up!!!
Dec 19, 2014 2:37PM PST

You should be backed up - so if this happens - just disconnect from the network and reformat and restore from back-up --- done!

- Collapse -
Nobody holds my computer for ransom and lives!
Dec 19, 2014 2:44PM PST

1. Nothing like this can happen unless YOU click something to activate the ransomware.
2. Don't panic.
3. In Windows Right click on the Task bar and click the Task Manager - click Applications - click the list one at a time and click the END TASK button. You may get lucky.
4. Next try in Windows is to Restore to the latest Restore Point:
-START - Right click COMPUTER - click PROPERTIES - click System Protection - click System Restore - click a restore point or check the Show More Restore points and then click one - click NEXT and continue. After the reboot there is a good chance the ransomware will be gone...possibly along with any software you installed and updated.
5. Next option is recover your OS with a backup image if you have one.
6. Next option is recover your factory OS install.
7. I would clean install my OS before I would pay for ransomware.
If you are not making some attempt to keep file backups of some kind you do not get my sympathy.

- Collapse -
Clearly you fail to grasp the concept of RANSOMware
Jan 9, 2015 12:14PM PST

First of all: You are correct. Technically, nothing like this can happen unless you click something to activate the ransomware, but I see far too many end-users clicking on things they shouldn't, but don't know any better (i.e. "Your computer is infected, click here to repair.").

But I've also seen it happen on an infected web server without any user interaction, or permission. I was looking for royalty-free stock images for a book cover I was designing. I'm in the habit of searching Google and then loading each of the results into their own tab (middle-click). So I must have opened at least 10 sites that looked promising. Some I hadn't heard of, but I was happy to try something new. Obviously I had opened a site with an infected server. Within seconds my entire screen was one big, giant ransom note. In this case, I believe the cause was my out-of-date Java runtime version known to have a security hole. I had intentionally let Java become outdated because I didn't want new versions messing up my programming environment. Ironic.

Your suggestions are good ones for regular, run-of-the-mill viruses and rogue programs, but they don't work with ransomware. They might work, if you could do ANYTHING in Windows. But you can't. Ransomware, like CryptoLocker, LOCKS Windows. ALL you can see is the ransom screen. You cannot ESCape it. You have no access to Windows Explorer, your mouse or your keyboard (other than to take actions to pay the ransom). You cannot CTRL+ALT+DELETE your way into Task Manager. You have NO access to Windows. No keyboard shortcuts to anything. Seems ridiculous, right? Unless you've seen it happen. Go ahead and restart the computer. It will reboot... right back into the ransom screen.

So here's what I learned (how to avoid it, if that's possible) and how I got rid of it (thankfully whatever ransomware variant I had did NOT encrypt my files, or permanently delete them):

Prevention:
1. Keep Java up-to-date (if you need it at all). If you don't know what Java is, or don't use it, GET RID OF JAVA! Uninstall it. Most people don't need it anymore—just Android developers, mostly.
2. Surf in incognito modes, if you must surf unsavory sites. This may prevent the ransom-ware from getting outside the browser environment. It might not. This one is just a theory.
3. Use Webroot SecureAnywhere (Anti-virus). Ransomware behaves differently than a virus. Webroot SecureAnywhere (Antivirus) claims that because of the way their software runs "in the cloud", they are the only software capable of "predicting" CryptoLocker patterns. That said, I was using Webroot Secure Anywhere 2011 in 2012, at the time I got hit. Perhaps I'm a glutton for punishment, but I still believe Webroot is the best option (though not perfect). I still use Secure Anywhere, and haven't been hit in over 2 years since.

Removal:
First, I agree with everyone who has espoused good backup habits. I agree. I actually CLONE my hard drive, rather than traditional "backups". That way, if everything crashes, I just have to swap out the hard drive and I'll be back up and running in less than 5 minutes. Whatever method you use, make sure you know how to restore your data from that backup.

Reboot into SAFE MODE.

1. Run a virus scan. In my case, Webroot still detected no virus (so much for my praise above; but I still use them).
2. Now install Malware Bytes Free version (still in SAFE MODE) and run a scan. I don't remember if Malwarebytes found anything or not. It's a second line of defense. A second opinion, if you will.
3. Now run ComboFix from BleepingComputer.net. Whether either of the first two scans detected anything, ComboFix will. Use it as a last resort. It's powerful and takes no prisoners—including the possibility of killing some of your valid programs. In addition to killing the ransomware, it also took out a handy Windows macro program I found very useful. I wish I could remember the name of that program. It's GONE now! Oh well.

When you reboot into normal Windows, now the Ransomware is gone (in my case). I don't know what variant I had. I don't know if it was CryptoLocker or not. But I'm confident that if it ever happens again, I'll have what I need to deal with it quickly and move on.

- Collapse -
recovery from ransomware
Jan 9, 2015 6:28PM PST

The writer has covered the bases well. My setup here is full backup to an external drive. To recover from malware or a hard drive crash, I can boot from a recovery disk and then override the internal hard drive with the backed up level of my choice. Be sure to keep the external protected data safe as I posted earlier.

- Collapse -
This was the 1st place IT types went to..
Jan 11, 2015 12:40PM PST

Most forums recommend this site for prevention, but other advice here in this discussion is good too.

https://www.foolishit.com/vb6-projects/cryptoprevent/

Don't let the goofy spelling of the URL dissuade you; this genius just has a twisted sense of humor, but he kicks butt on CryptoLocker!

- Collapse -
IT SEEMS TO ME YOU ARE OVERLOOKING THE OBVIOUS
Jan 9, 2015 12:19PM PST

by definition (computer is locked), you cannot use your computer !