Windows 10: Appear to have been attacked with Bitlocker

Glad you were able to restore; sorry you lost some data.
I'd suggest getting yourself a BackUPS to prevent data loss and other issues resulting from power blips in the future. *Wink

 

Today I started my computer and shortly thereafter, Bitlocker was running and going through my drives. I am running Malwarebytes and Bitdefender. No apparent protection. I presume it is a malicious attack.

Malware bytes is not helpful. Bitdefender flags a bunch of stuff but provides nothing I understand to recover. No relationship shown between files and where Bitlocker came from. Bitdefender has had an ongoing objective to remove control and information from the user. So it is harder now.

I have C and D drives. C is locked and needs a password. D was in progress when I stopped the process by a restart. But it too is already encrypted and needs a password.

Is there any way to recover from this mess? Searching, I have only really found information on how to set Bitlocker up. Not my problem. Searching has only yielded how to set up Bitlocker.

:)

 

Ransomeware and Bitlocker

Will installing Bitlocker stop ransomeware attacks?

 

BitLocker on Windows 10 Home edition

As much as I like BitLocker, it has no bearing on the current ransomware crisis.

BitLocker protects one's data from physical theft. It cannot protect against online attacks.

 

Is windows loading or not can you get to cmd prompt or safe mode. I am wondering if a its a fake or a script ran to do it which be on the system which may contain the password

 

The computer runs. It is the machine I am typing this on. That is part of the puzzle.

When I try to open C or D with explorer, I get a message about needing a password.

 

Bitlocker is part of Windows OS and should not be attacking your computer, is it possible that this is a ransomware attack that mimics Bitlocker? If so you need to find help of a forum that deals with malware. If this is actually Bitlocker that is malfunctioning you may be hooped and have to reformat.

 

Hi.
I realize I'm late to the party....but.... this does sound suspicious to me.
There is an encryption virus that uses Bitlocker to encrypt your drives and then demands a ransom.
Bit Locker Ransomware Support Help Topic - Ransomware Help & Tech Support

.

 

Please download and save FRST 64bit or FRST 32 bit to your Desktop.

http://download.bleepingcomputer.com/farbar/FRST.exe

http://download.bleepingcomputer.com/farbar/FRST64.exe

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Make sure that Addition option is checked.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back .
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe).

 

At present, there is no known way out of the Bit Locker Ransomware.

 

Just saw the posts above. Unfortunately it will take a bit to download the file indicated. I just can't seem to win.

I recently installed a new router. Asus has included a TrendMicro service. Today I turned it on. It will not accept the bleepingcomputer site. I could find no way to tell it to stop screwing around, and let me go there. So, I tried to deactivate the application; it appears that is also a nono. Argh! My computer continues to take forever to go to most web sites. It did not do that until I got the Bitlocker issue.

I got the TrendMicro app to stop by going to another piece of the application in the router. Suddenly the web works again.

On the positive side, the application showed it had stopped some nasties. Talk about rock and hard place.

Ill be back.

 

OK. Got the files. I can only get to files if I use Revo or some alternate access. I can't get explorer to work.

FRST.txt
Addition.txt

I am not sure this worked.

 

Looking over the files:

Code: System32\Tasks\Spiceworks Surface Scan Launcher => explorer "hxxps://apps.spiceworks.com/tools/device-inventory?agent_uuid=cfd93948-757a-4731-a311-ebc4a35c38a1" <==== ATTENTION HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION[/quote] Did you put the Spiceworks scanner on the system?

Honestly, if you have the Bit Locker encryption malware, I don't expect to see a whole lot in these 2 FRST files, because it's using Windows Bitlocker to encrypt your files; just not giving you the key until you pay the ransom.

If you rebooted the computer before the ransom note was displayed, that could be why you never saw a ransom note. The Bleeping Computer site I gave you is all the information they have on this right now.

The only other thing is, if you somehow started Windows Bitlocker yourself, your key would be saved in your OneDrive account. But, from the description in your first post, it sounds like the infection hit you.

Would be interested to know, exactly what did it show?

I see you have Macrium on there. Can't you restore an image of the operating system from before this happened? and do you have Macrium backups of your data to restore? That is the way out of this.

 

Something else I found. Something has turned protected boot on in the BIOS. I have never enabled that. Does that feel like an attack vector could change it; or is someone trying to help.

I have not gotten a ransom screen. There is a message that the C drive failed Bitlocker install. I had not looked at that drive.

It says:
Attachment 184453

D drive has put up a message asking for me to enter passwords
Attachment 184454
I will continue looking.

 

You need to either use an online scanner or get a anti virus boot disk to scan the system. your av and windows are both showing faults so may not be working HouseCall - Free Online Virus and Spyware Scan