Windows 10: I was a victim of ransomware, yes they had false Microsoft ID, I did not pay but they left...

Discussion in 'AntiVirus, Firewalls and System Security' started by technodolt#1, Nov 6, 2020.

  1. I was a victim of ransomware, yes they had false Microsoft ID, I did not pay but they left...


    I need help after I was duped by alert beeping that would not stop and I could not remove. They disguised themselves as Microsoft, and anyway I told them I could not pay for the protection; they left, but also left wallpaper of a very unattractive Trojan warrior. I have run 3 full scans by a variety of programs and quarantined many threats; the latest full scan came up clean. I used Defender, Malwarebytes, and also ran a safety scan, and the trojan wallpaper remains? My computer is functioning fine, and I have no idea how this occurred, thank you

    :)
     
    technodolt#1, Nov 6, 2020
    #1
  2. djbbenn Win User

    New Trojan that Demands a Ransom

    There is a new virus out there discovered by virus hunters known as "Cryzip". The Trojan encrypts your files and then demands a $300 ransom for the decryption password to get your files back. After encrypting the files, the virus leaves a nice step-by-step guide of how to go about paying the ransom off. It's supposedly spread through email spam, and has successfully evaded anti-virus scanners.

    Source: eWeek
     
    djbbenn, Nov 6, 2020
    #2
  3. How crypto ransomware spreads... is it decryptable...should I pay the ransom

    Since we receive a lot of questions from victims in regards to how they were infected with file encrypting ransomware, is it decryptable and should they pay a ransom, I thought it might be helpful to post the following information.

    Crypto malware (file encrypting ransomware) is typically spread and delivered through social engineering (trickery) and user interaction...opening a malicious email attachment (usually from an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment.

    Some attackers will use shortened malicious URLs to mask a malicious link, obfuscating a malicious destination and malicious script (i.e. JavaScript (.js) file) downloader. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convince them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

    Crypto malware can also be delivered via malvertising attacks, exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A). An Exploit Kit is a malicious tool with pre-written code used by cyber criminals to exploit vulnerabilities (security holes) in outdated or insecure software applications and then execute malicious code. Currently the Angler, Magnitude, Neutrino, and Nuclear exploit kits are the most popular but the Angler EK is by far the largest threat.

    Some victims have encountered crypto malware from ransomware malware executables, packaged NW.js applications using JavaScript, or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites...see US-CERT Alert (TA13-309A).

    RaaS (Ransomware as a Service) is a ransomware hosted on the TOR network that allows "affiliates" to generate a ransomware and distribute it any way they want. The RaaS developer will collect and validate payments, issue decrypters, and send ransom payments to the affiliate, keeping 20% of the collected ransoms.

    Another scenario has involved attackers installing and spreading ransomware by targeted Remote Desktop or Terminal Services attacks, especially on servers. The attacker brute forces weak passwords on computers running Remote Desktop or Terminal Services. Once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back to the hacker via the terminal services client. Kaspersky has reported brute force attacks against RDP servers are on the rise.

    There also have been reported cases of Cryptolocker being spread on YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of all sorts of malicious infections.

    If anyone encounters a new malware (ransomware) spreading vector, be sure to post it here so we can keep this information current.

    About Encryption: Crypto malware encrypts any data file that the victim has access to since it generally runs in the context of the user that invokes the executable and does not need administrative rights. It typically will scan and encrypt whatever data files it finds on computers connected in the same network with a drive letter, including removable drives, network shares, and even DropBox mappings...if there is a drive letter on your computer it will be scanned for data files and they will be encrypted. Some crypto malware will scan all of the drive letters for files that match certain file extensions and when it finds a match, it encrypts them. Other crypto malware utilize a white list and will encrypt all files unless a file has certain excluded extensions or is located at a certain area on the system.

    Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or, at some point, law enforcement authorities discover their hideout...seize the C2 server, access the private RSA key and release it to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

    Some of the more popular crypto malware ransomware use RSA encryption, AES encryption or a combination such as ECC (Elliptic Curve Cryptography) to encrypt data.

    RSA uses an asymmetric key encryption algorithm which utilizes a key pair system (two different keys)...a public and a private key. Encryption with the public key can only be decrypted by the private key generated and stored on the command-and-control server used by the malware creators. Since the private key cannot be calculated from the public key, these properties make decryption impossible.

    AES uses a symmetric key encryption algorithm and shares the same (single, secret) cryptographic key for both encryption and decryption. AES has a fixed block size of 128 bits and permits the use of 128, 192, or 256-bit keys. Breaking a symmetric 256-bit key by brute force requires several thousand times more computational power than a 128-bit key.

    ECC (Elliptic Curve Cryptography) uses a combination of symmetric and asymmetric encryption to encrypt files. AES is
    used for encryption and the means to decrypt the files are encrypted with the ECC public key ensuring that only the malware developers have the corresponding private key required to decrypt the files. Since the cryptographic scheme uses asymmetric encryption,
    it is impossible to decrypt encrypted files without having the private key. A benefit that ECC has over RSA is that equivalent security levels can be achieved with much smaller key sizes.

    Should you pay the ransom? Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the
    reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is
    no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

    Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported
    the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money. Most cyber-criminals provide instructions in the ransom note that allow their victims
    to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all.

    Keep all this in mind if you are considering paying the ransom since there is no guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim, and using a faulty or incorrect decryptor may damage or corrupt the files. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

    Since many victims know there is no guarantee with paying the ransom, some cyber criminals offer customer support and live support chat to help with decryption. Others may even mimic tech support scams.

    With that said...We understand some folks may feel they have no other alternative but to take a chance and pay the ransom in hopes of recovering irreplaceable photos and other personal or important data. That is a choice and a decision each affected victim will have to make for themselves. We will not make any judgments for doing so.
     
    quietman7 - MVP, Nov 6, 2020
    #3
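The hybrid scheme quietman7 describes (a fresh symmetric key per file, with only a public-key-wrapped copy of that key left on disk), and the point that decryptability hinges on whether the author got the key generation right, as an added example. This is not code from the post or from any real ransomware family: it runs on the Python standard library alone, so textbook RSA with short demonstration primes stands in for the attacker's RSA key pair and a SHA-256 counter-mode keystream stands in for AES. The "flawed variant" that seeds its key generator from the time of day is a constructed illustration of the kind of weakness behind free decrypters, not a description of any named family, and the sample document is made up.

```python
"""Toy model of the hybrid file-encryption scheme the post describes.
Constructed illustration only: textbook RSA with short demo primes stands in
for the attacker's asymmetric key pair, and a SHA-256 counter-mode keystream
stands in for AES. Neither stand-in is suitable for real use."""
import hashlib
import os
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; enough for a demonstration key pair (gen_prime only passes odd n)."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if is_probable_prime(n):
            return n


def rsa_keygen(bits=512):
    """Returns (public, private) = ((e, n), (d, n)). The attacker's server keeps d."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def keystream(key, nonce, length):
    """Stand-in for AES in counter mode: SHA-256(key || nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt_file(pub, plaintext):
    """Per file: random symmetric key, file encrypted with it, key itself encrypted
    with the public key. Only the wrapped key is written out, so the victim's disk
    never holds the file key in clear."""
    e, n = pub
    file_key = os.urandom(32)                     # 256-bit per-file key
    nonce = os.urandom(16)
    ciphertext = stream_xor(file_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped_key, nonce, ciphertext


def decrypt_file(priv, wrapped_key, nonce, ciphertext):
    """The attacker's decrypter: unwrap the file key with d, then decrypt the file."""
    d, n = priv
    file_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return stream_xor(file_key, nonce, ciphertext)


def flawed_encrypt_file(pub, plaintext, seconds_since_midnight):
    """Constructed weak variant: the file key comes from a PRNG seeded with the
    time of day (at most 86,400 possibilities) instead of os.urandom."""
    e, n = pub
    file_key = random.Random(seconds_since_midnight).getrandbits(256).to_bytes(32, "big")
    nonce = os.urandom(16)
    ciphertext = stream_xor(file_key, nonce, plaintext)
    return pow(int.from_bytes(file_key, "big"), e, n), nonce, ciphertext


def recover_flawed(nonce, ciphertext, known_prefix=b"%PDF-"):
    """Free decrypter for the weak variant, no private key needed: try every seed
    and check the candidate key against a known file header. Returns None when
    no seed fits, which is what happens against the strong variant."""
    for seed in range(86_400):
        key = random.Random(seed).getrandbits(256).to_bytes(32, "big")
        if stream_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return stream_xor(key, nonce, ciphertext)
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    doc = b"%PDF-1.7\n(constructed sample document)\n"
    wrapped, nonce, ct = encrypt_file(pub, doc)
    # The victim holds pub, wrapped, nonce and ct. Getting file_key back from
    # wrapped without d means factoring n: that is the "pay or lose it" case.
    assert decrypt_file(priv, wrapped, nonce, ct) == doc
    _, nonce2, ct2 = flawed_encrypt_file(pub, doc, 41_000)
    print("weak variant recovered without private key:", recover_flawed(nonce2, ct2) == doc)
```

The strong path shows why the victim's own machine cannot help: every secret needed for decryption is either thrown away (the plaintext file key) or only recoverable with the private exponent that never left the attacker's server. The weak path shows what a research decrypter actually exploits: not the cipher, but a predictable key source, checked against a known header (the PDF magic bytes here, since the post singles out fake PDFs) so the search needs no private key at all.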
  4. Borg 386 Win User

    I was a victim of ransomware, yes they had false Microsoft ID, I did not pay but they left...

    Shrug ransomware victim? Here's how to retrieve your locked files for free | ZDNet
     
    Borg 386, Nov 6, 2020
    #4