Hi everyone,
I just received a phone call from one of my top customers who commutes between our resort town and LA where he uses his W10 laptop for business regularly. He claims he got a message on his laptop screen that threw up multiple windows and reputed to be Microsoft and had a phone number to call. He did so, not being tekky, and got on with a reputed Microsoft Agent, whereby they took control of his laptop remotely with his permission and told him he had a nasty virus.
They then said they could remove it and put a new stronger Security System in place on his laptop to avoid being hit by Ransomware again, if he wouldn't mind paying them $300, $500, or $700 depending on how hard the "virus-removal" and 'anti-virus' process was. (most of you know never to do this, or have found this out the hard way if you've ever been attacked by Ransomware, infections of which on now on the rapid increase).
My Customer got angry, said "No Way", and hung up the phone and called me.
After speaking with him he told further that the woman purported to be from Microsoft, but that she was in their New Jersey office (questionable). I then informed him that he got hit by Ransomware and they had locked access to his laptop until he paid their Ransom or brought it me and I will fix it.
He had to cancel all his remaining appointments this week and drive back here to get the laptop to me tomorrow. Of course, at this point I don't know if they just locked his access out of his W10 account, or they also have encrypted all his files.
I have a Macrium backup image of his laptop from several months back, so I can wipe the drive clean and Restore him from the backup image. His Quickbook backup files are on the flash drive that was plugged in to his USB port when he got hit, so we are hoping they didn't encrypt his files as well.
The reason I'm writing this is I'm wondering if anyone else out there or any Techs with Customers getting hit by Ransomware this month has gotten hacked like this over a public Wi-Fi network as he did? I had pretty strong AV and antispyware tools on their from Avast, MBAM, and TrendMicro and they still got past all my good defenses. It appears to be a case of "War-Driving". Customer claims he wasn't visiting any websites and it happened while he was doing E-mail and using his QuickBooks. He generally doesn't visit any bad websites (for the most part).
Letting folks know this happened, and also asking if anyone else got hit by similar Ransomware in a public Wi-Fi environment such as an Internet Cafe, Starbucks, Airport, etc. Once I get his machine, I will go through it and attempt to unlock it for him; then I'll report back here regarding the severity of the infection and my removal/cleaning solution.
Thanks for listening,
<<<<BIGBEARJEDI>>>>
I just received a phone call from one of my top customers who commutes between our resort town and LA where he uses his W10 laptop for business regularly. He claims he got a message on his laptop screen that threw up multiple windows and reputed to be Microsoft and had a phone number to call. He did so, not being tekky, and got on with a reputed Microsoft Agent, whereby they took control of his laptop remotely with his permission and told him he had a nasty virus.
They then said they could remove it and put a new stronger Security System in place on his laptop to avoid being hit by Ransomware again, if he wouldn't mind paying them $300, $500, or $700 depending on how hard the "virus-removal" and 'anti-virus' process was. (most of you know never to do this, or have found this out the hard way if you've ever been attacked by Ransomware, infections of which on now on the rapid increase). My Customer got angry, said "No Way", and hung up the phone and called me.
After speaking with him he told further that the woman purported to be from Microsoft, but that she was in their New Jersey office (questionable). I then informed him that he got hit by Ransomware and they had locked access to his laptop until he paid their Ransom or brought it me and I will fix it. He had to cancel all his remaining appointments this week and drive back here to get the laptop to me tomorrow. Of course, at this point I don't know if they just locked his access out of his W10 account, or they also have encrypted all his files. I have a Macrium backup image of his laptop from several months back, so I can wipe the drive clean and Restore him from the backup image. His Quickbook backup files are on the flash drive that was plugged in to his USB port when he got hit, so we are hoping they didn't encrypt his files as well.
The reason I'm writing this is I'm wondering if anyone else out there or any Techs with Customers getting hit by Ransomware this month has gotten hacked like this over a public Wi-Fi network as he did? I had pretty strong AV and antispyware tools on their from Avast, MBAM, and TrendMicro and they still got past all my good defenses. It appears to be a case of "War-Driving". Customer claims he wasn't visiting any websites and it happened while he was doing E-mail and using his QuickBooks. He generally doesn't visit any bad websites (for the most part).
Letting folks know this happened, and also asking if anyone else got hit by similar Ransomware in a public Wi-Fi environment such as an Internet Cafe, Starbucks, Airport, etc. Once I get his machine, I will go through it and attempt to unlock it for him; then I'll report back here regarding the severity of the infection and my removal/cleaning solution.
Thanks for listening,
<<<<BIGBEARJEDI>>>>
I was talking with RichM and a couple of other tekkies on conference call last night about it, and they thought it was highly unlikely he got hacked through his Wi-Fi hotspot connection also. Especially since I have WPA/2 Personal AES and all, and it's a 1 year old Dell Inspiron 15 3000 series laptop with a new N-Wi-Fi WLAN card. Customer got delayed in bringing it back here for me to pickup; maybe by the end of today when I can get it on my bench and take a look. I'm starting to suspect he went to a bad website and clicked on something he shouldn't of (which I have warned him 
But, the most likely cause is that he got a spoofing E-mail with a spyware virus in Rootkit that hit him through opening an E-mail attachment directly. This last was the infection vector that hit my Customer with the fake E-mail from UPS and locked up his PC and external drive with NEMUCOD. Thanks for the input!!
I'll keep everyone informed on what I find, and hopefully a solution too!
