[personal profile] snarp
Below the cut: the horrifying set of instructions I sent to a family member who got hit with ransomware.

-

"[stuff]

Some Windows rootkits are possible to deal with through less extreme means, but since you're getting actual phone calls, I'm giving you my standard scorched-earth instructions here. Let me know if there's anything you have trouble with.

- snarp



- HOW TO FIX IT IF YOUR WINDOWS INSTALLATION HAS BEEN HIT WITH A PERSISTENT BOOTLOADER/ROOTKIT VIRUS -

What you want to do in brief is:

1) Temporarily physically cut the computer off from the internet and any local network it may be connected to - pull the cord if wired, physically switch off the router if wireless.

2) Burn a Linux LiveCD boot disc on a separate, uninfected computer. (More-detailed instructions for this below.)

3) Boot into the infected computer using the LiveCD.

4) Once you've got the LiveCD OS open, mount the computer's hard drive and plug in a clean external USB storage device. (If there's stuff on it, format it before doing this.)

5) Copy ALL the files you want to save onto the external storage.

6) Plug the external storage into a separate, uninfected computer and make sure you can actually open the files, that they're uncorrupted and haven't been encrypted, etc.

7) If they are, copy them all to the uninfected computer.

8) Once you're sure you've got EVERYTHING you want to save onto the external storage: wipe all partitions, including any labelled "backup" or "restore."

9) Reinstall Windows. (Don't turn networking back on while doing this.)

9b) Or, if you don't have a Windows install disc and/or are concerned about getting reinfected, you may want to stick with Linux until you've reviewed your security habits and figured out how you got infected the first time. More instructions on that below, too.

-

To make a Linux LiveCD for booting into a computer with a messed-up Windows install:

THINGS YOU'LL NEED:

* A separate, uninfected computer with a CD-R drive
* At least one blank CD
* Some kind of USB storage device like a USB key or external hard drive, to save your files on

1) On a separate, uninfected computer with a CD burner, download the ISO for "Wary"-version Puppy Linux here:

http://puppylinux.org/main/Long-Term-Supported%20WaryPuppy.htm

(You can use most LiveCDs for this, but Wary Puppy is small, fast, reasonably user-friendly, and works on nearly all computers.)

2) Burn the ISO to CD. If your pre-installed CD-burning software doesn't support ISOs, download ImgBurn:

http://imgburn.com/

3) Leaving the CD in the UNINFECTED computer's drive, reset the computer and make sure you can boot into Puppy on a normal machine. You'll probably need to press F11, F12, F2, or Escape during the boot sequence to get to the boot menu; from there, you'll tell it to boot from CD. (If you can't get this to work, contact me or do some research online, depending on your stress levels.)

4) On the UNINFECTED machine, mount the local hard drive and make sure you can see and open your files. (If you can't get this to work, contact me or do some research online, depending on your stress levels.)

5) Turn off the UNINFECTED computer and remove the CD.

6) Put the CD in the INFECTED computer's CD drive, turn it on, and boot into Linux as you did before. If everything looks the same as it did on the uninfected computer, you can safely reconnect to the internet/local network, if you want.

7) Mount the local hard drive as you did on the uninfected computer and make sure you can see and open your files.

8) Plug in an external USB storage device and copy over ALL the files you want to save.

9) Plug the external storage device into the UNINFECTED computer and make sure you can see and open the files on there.

10) Temporarily copy the files onto the UNINFECTED computer.

11) Go back to the infected computer and do another sweep to make sure you've rescued ALL your files. Once you're absolutely sure you've got ALL the files you need off of it: Reformat ALL of the infected computer's partitions, INCLUDING any labelled "backup" or "restore." (THIS WILL DELETE EVERYTHING ON THE INFECTED COMPUTER. MAKE SURE YOU HAVE ALL YOUR FILES! DO YOU HAVE ALL YOUR FILES? DOUBLE-CHECK!)

12a) Reinstall Windows, and install virus protection BEFORE reconnecting networking. When you reconnect networking the first things you should do are:

* update your newly-installed virus protection.
* install either Firefox or Chrome as your web browser.
* download a HOSTS file and replace your system one with it.
* install some browser ad blocker other than AdBlock (which is probably no longer all that safe). For many people, this is almost as helpful as a good antivirus suite in terms of personal security.
* install Dropbox, Google Drive, or some other sort of free automatic file backup program, and make sure it's catching your most important files.
* (the hard part) install the browser extension LastPass, a secure password manager. Then change all your important passwords, being sure to save each new one in LastPass.

12b) Or, if you don't have a Windows install CD or are worried about being reinfected, install some version of Linux instead. (No one really writes viruses for Linux, as of yet.) You can always replace it with Windows later if it doesn't work for you.

Puppy isn't intended for use as a local OS - it's always run from a CD or USB drive. You'll probably want some version of Ubuntu, which is the best Linux distro for people used to Windows. You'll download it and burn it to CD the same way you did Puppy.

If your computer is pretty new and has at least 4 GB RAM, download the most recent plain-Ubuntu Long-Term-Service version here:

http://www.ubuntu.com/download/desktop

If your computer is pretty old or you're not sure how much RAM it has, you probably want the latest Lubuntu (Ubuntu Light) LTS version instead:

https://help.ubuntu.com/community/Lubuntu/GetLubuntu/LTS

Or you can do some research and pick something else. (Some people like Mint instead of Ubuntu - it looks a little more like Windows right out of the box - but I've found it to be a little temperamental over time, and Ubuntu's generally considered the best place to start.)

You still want to go through the last two steps in the Windows instructions here:

* install some browser ad blocker other than AdBlock (which is probably no longer all that safe). For many people, this is almost as helpful as a good antivirus suite in terms of personal security.
* install Dropbox, Google Drive, or some other sort of free automatic file backup program, and make sure it's catching your most important files.
* (the hard part) install the browser extension LastPass, a secure password manager. Then change all your important passwords, being sure to save each new one in LastPass."
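The "make sure they haven't been encrypted" step above is easy to get wrong by eye when you have thousands of rescued files. The following is an added example, not part of snarp's instructions: a small Python script you can run from the LiveCD (or from the uninfected machine) against the external drive, which flags files whose leading bytes don't match their extension and text files whose content looks like random ciphertext. The magic-byte table and the 7.0 bits/byte entropy threshold are my own assumptions; it reports candidates for hand inspection, it does not prove a file is clean.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Leading bytes of common file types (assumption: a small hand-picked table).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".docx": (b"PK\x03\x04",),   # Office 2007+ files are zip containers
    ".doc": (b"\xd0\xcf\x11\xe0",),
}
TEXT_EXTS = {".txt", ".csv", ".html", ".md"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(ext: str, head: bytes) -> str:
    """Verdict for one file from its extension and first few KiB of content."""
    if not head:
        return "empty"
    if ext in MAGIC:
        return "ok" if any(head.startswith(m) for m in MAGIC[ext]) else "bad-magic"
    if ext in TEXT_EXTS:
        return "high-entropy" if shannon_entropy(head) > 7.0 else "ok"
    return "unknown"  # e.g. a renamed '.locked' file: inspect by hand

def scan_tree(root) -> dict:
    """Map every file under root to its verdict."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as f:
                    results[str(p)] = classify(p.suffix.lower(), f.read(4096))
            except OSError as e:
                results[str(p)] = f"error: {e}"
    return results

def suspicious(results: dict) -> list:
    """Paths whose verdict points at encryption or corruption."""
    return sorted(p for p, v in results.items() if v in ("bad-magic", "high-entropy"))

if __name__ == "__main__":
    import sys
    print("\n".join(suspicious(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))))
```

Run it as `python3 check_rescued.py /mnt/usbdrive`; an empty output means nothing tripped the checks, but "unknown" files (renamed or unusual extensions) still deserve a manual open on the uninfected machine.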



It should be noted at this point that the family member I sent this to is a literal rocket scientist. They know several programming languages, get flown various places to explain things to other rocket scientists, will with very little provocation start drawing pictures of rain falling on pagodas on dinner napkins as a metaphor for systems such as automated vehicular traction control, etc.

You Are Not Safe. Please take the precautions I described in 12a/at the end! You do not want to have to do all this.

Date: 2015-10-10 05:23 pm (UTC)
From: [personal profile] starlady
Great post. I would actually suggest advocating uBlockorigin instead of AdBlockPlus, since ABP just got sold to an unknown third party and is apparently now approving some ads.

Date: 2015-10-10 08:54 pm (UTC)
From: [personal profile] rememberwhenyoutried
I use uBlock Origin (mainly because when I installed Windows 10 I questioned my established ad-blocking orthodoxy and googled for alternatives) and thanks to this -- more accurately, thanks to the post you made on tumblr, which I read on mobile -- I'm going to go read about the uBlock Drama.
