Ransomware Removal Made Easy

Ransomware Removal Made Easy

My computer is infected with ransomware what now?

Ok first, are you sure every device is getting this message? You need to drill down which device on your lan is causing this and infected by the malware. If you connect with your phone and you get the FBI message, there are only about 3 reasons I can think of:

easy-ransomware-removal

PRISM SCMISM

Scenario 1. You got hit with a DNS rebinding attack (or malicious iframe pointed at 192.168.1.1) that used javascript to reconfigure your router to point all of your DNS requests to some site that returns the FBI message. This means you may not actually be running any malware.

Scenario 2. You have malware running on a device that is ARP spoofing your traffic for every host and rewriting all requests.

Scenario 3. Your router had remote access enabled and someone took advantage of one of the many backdoors that are hardcoded into default firmwares. I noticed you’re using a WNR2000* so it likely wasn’t the one I linked to, but there have been many router exploits since binwalk was released a couple years ago.

Things to check for to confirm one of the above scenarios:

Scenario 1. Check the DNS settings in Windows. In fact, set your primary DNS to Google DNS (8.8.8.8) anyway. Then check to see what your router’s DHCP configuration page says. Does the DNS server point to a server in a former Soviet Bloc State? Change it to google.

Scenario 2. This is gonna suck. Let’s hope it’s not this. Check the output of arp -a from the command line. Does the gateway’s MAC address match that of your router? Report back here. This will be a long fix.
Scenario 3. Much like the scenario 1 problem except that you may want to factory reset your router.

This should help you to understand the logistics of the infection an exactly how you are going about the easy ransomware removal process.

Easy 3 step ransomware removal

First, confirm if you can get to the internet on another PC. If you can, great. See the steps below. If you can’t, do a router reset (the pinhole, not just power on and off).

Second, the message states your files are encrypted. Are they? See if you can open a file from your desktop. If it opens, this is bullshit and probably an easy fix. If your files actually are encrypted, you’re probably fucked unless you have backups or are running Shadow Copies on your PC (which I is still backups, technically).

cryptolocker ransomware

cryptolocker ransomware

If your files aren’t encrypted, try the following.

  1. Download RKILL.exe (or RKILL.com), Malware Bytes, and Norton Power Eraser from another PC, put these files on a USB stick.
  2. Boot into safe mode, run those files in this order: RKILL -> Malware Bytes -> Norton. Clean any files found by MBAM but don’t reboot when prompted until after you start Norton.
  3. Reboot and let Norton Eraser do it’s thing. When done, it will prompt to reboot again. After this, if all is good, you’re good. If you’re still getting the message, do a reset on your router (the pin reset, not just power on and off).

If the files are actually encrypted though and you don’t have backups, your only option will be to pay, unless there’s nothing critical on the machine, in which case you could reformat and reinstall your OS. Similar to removing the Zeus trojan. Which is always a sure fire option to at the very least regain access to your machine.

Leave a Reply

comment-avatar

*