Ransomware able to apply laptop HDD password?

Am cleaning up a nephew's laptop (a regular task) after he has managed (yet again) to get it full of malware despite my efforts to lock it down last time.

 

On this occasion there appear to be at least 2 issues - perhaps related, perhaps not.

 

First of all, he reports an infection with something very similar to PCEU Ransomware described here (http://trojan-killer.net/police-central-e-crime-unit-pceu-ransomware-removal/)

However, in trying to access his machine, it prompts for a HDD/SSD password, which he assures me has never been set.

 

On entering the BIOS (which is not password protected), I can see the setting for the HDD password, but am unable to change it without knowing the one that has already been set. I have tried changing the order of boot devices to boot from CD, which I was able to set, but which will not work, as the machine still demands a password before attempting to spin up the CD-ROM.

 

Given that this is a Toshiba laptop (Satellite L450), I have discovered that there have been numerous issues with failed drives / corrupt MBRs that have required HDD replacements. However, it seems a little too coincidental that this has happened whilst malware is in place.

 

Several hours of searching have turned up very little that is of any use, as every solution so far requires either booting into safe mode or booting from CD, neither of which is possible. I have seen some suggestions of running Malwarebytes on the drive after removing it and attaching it to an uninfected machine, which is not an option as I don't have the relevant hardware with me.

My question is, therefore, is this a known malware issue and, if so, is there a known solution?

 

Many thanks in advance for any assistance.
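The thread never settles whether the password prompt was set by malware or by a drive fault, and nothing below answers that. What a practitioner would want first is to tell a genuine ATA Security lock (a user/master password is set and the drive refuses reads) apart from the ordinary "frozen" state that most BIOSes apply at every boot, which is not a sign of tampering. The following script is an added example and is not from the original post or from F-Secure; it assumes the drive can be attached to a Linux machine, or the laptop booted from a live USB, so that the real `hdparm -I` command can be run. The `hdparm -I` output embedded in it is constructed to follow hdparm's layout and was not captured from the poster's Toshiba Satellite L450.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a drive's ATA Security
# feature-set state from the "Security:" section of `hdparm -I` output, so you
# can tell a real password lock from the ordinary BIOS "frozen" state before
# deciding whether a drive swap, a master-password unlock, or nothing is needed.
#
# The sample outputs below are constructed to follow the layout hdparm -I prints;
# they are not captured from the poster's Toshiba Satellite L450.

# Read hdparm -I text on stdin and print exactly one state word:
#   locked            user/master password set and the drive refuses media access
#                     (the state a BIOS "HDD password" prompt corresponds to)
#   enabled-unlocked  password set, but the drive was unlocked this power cycle
#   frozen            no password set; the BIOS issued SECURITY FREEZE LOCK at
#                     boot, so SET PASSWORD is rejected until the next power cycle
#   open              no password set and security commands are accepted
#   unsupported       no ATA Security section reported
ata_security_state() {
    # Keep the Security: block (up to the next unindented heading) and turn the
    # tab-separated "not<TAB>locked" style into plain words.
    block=$(sed -n '/^Security:/,/^[A-Za-z]/p' | tr '\t' ' ')
    printf '%s\n' "$block" | grep -q '^ *supported *$' || { echo unsupported; return 0; }
    if printf '%s\n' "$block" | grep -q '^ *enabled *$'; then
        if printf '%s\n' "$block" | grep -q '^ *locked *$'; then
            echo locked
        else
            echo enabled-unlocked
        fi
    elif printf '%s\n' "$block" | grep -q '^ *frozen *$'; then
        echo frozen
    else
        echo open
    fi
}

# Print the master password revision code. Drives report 65534 while the master
# password is still at the manufacturer default; any other value means a vendor
# or user changed it, so the vendor's default master password will not unlock it.
ata_master_revision() {
    sed -n 's/^[[:space:]]*Master password revision code = \([0-9][0-9]*\).*/\1/p'
}

# Constructed sample: password set and drive locked (what the poster sees).
SAMPLE_LOCKED=$(printf 'ATA device, with non-removable media\n\tModel Number:       CONSTRUCTED SAMPLE DRIVE\nSecurity:\n\tMaster password revision code = 65534\n\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n')

# Constructed sample: no password, but the BIOS froze the security commands,
# which is the normal state on most laptops and not a sign of tampering.
SAMPLE_FROZEN=$(printf 'ATA device, with non-removable media\n\tModel Number:       CONSTRUCTED SAMPLE DRIVE\nSecurity:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n')

# Demonstration on the constructed samples. On a real machine (drive moved to
# a clean Linux box, or the laptop booted from a live USB) use:
#   sudo hdparm -I /dev/sdX | ata_security_state
printf 'locked sample:  %s (master revision %s)\n' \
    "$(printf '%s\n' "$SAMPLE_LOCKED" | ata_security_state)" \
    "$(printf '%s\n' "$SAMPLE_LOCKED" | ata_master_revision)"
printf 'frozen sample:  %s\n' "$(printf '%s\n' "$SAMPLE_FROZEN" | ata_security_state)"
```

If the result is `locked`, the password lives in the drive's firmware, not in the BIOS, so swapping motherboards or clearing CMOS will not help and a fresh drive is the realistic path unless the password or a default master password is known. If the result is only `frozen`, the password prompt is coming from somewhere else and the drive itself is not the obstacle.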

Comments

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hello OnAnyMouse,

    You mention that the laptop reports an infection similar to some ransomware? Could you specify the exact detection name and the symptoms of the infection?
    Which Anti-virus products are you using on that machine?

    Have you tried booting from USB using the rescue-cd?

    The rescue-cd can in fact be used to recover from eventual MBR corruption.

     

    Thank you.

  • OnAnyMouse
    OnAnyMouse Posts: 4

    Hi Ben and thanks for the reply.

     

    I have not been able to get past the HDD lock, but my nephew reports that prior to that happening, he was getting a ransomware demand that looked very like this one - http://trojan-killer.net/police-central-e-crime-unit-pceu-ransomware-removal/

     

    I am not aware of the specific infection being identified.

     

    The last time I cleaned up his machine, I put on ZoneAlarm free firewall, Spybot S&D and one of the free antivirus programs, probably Antivir. They were all set to scan regularly and to update on a regular basis.

     

    I have burned a rescue CD and also an antivirus boot CD, but even though I can set the CD drive as the boot device, the HDD password still interrupts the process (the disc does spin up, but does not boot).

     

    I have not yet tried to boot from USB, though I could do so. Frankly I am doubtful that this would be any different than booting from CD, but I am willing to give it a go.

     

    Thanks again for your help - any suggestions gratefully received

    Brian

     

     

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hello OnAnyMouse,

     

    Here are the instructions directly from our lab to deal with ransomware.

    http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware

     

    Unfortunately they require booting into safe mode, which I assume isn't possible for you.

     

    If you cannot launch the rescue-cd (through the CD drive or USB) at boot, or apply the labs' instructions, reinstalling should be an option to consider.

     

    Thank you.

  • OnAnyMouse
    OnAnyMouse Posts: 4

    Thanks again Ben

     

    Reinstalling on a new HDD may be the only option, but, given that the current one is locked in BIOS and I can't boot from CD, even this may not be an option, as I seem to be locked out of the system, even at BIOS level.

     

    You are correct that I can't boot into safe mode (or even get near a boot menu), so my options are fairly limited - before I can deal with the ransomware, I need to get past the HDD lock. At this stage I am still trying to figure out if I am dealing with one problem or two, hence my original question - is there any known ransomware displaying the characteristics that I mentioned that also installs an HDD lock?

     

    I know I did not apply one before, and my nephew wouldn't know how to get into BIOS if it came up and bit him, so I am pretty sure he didn't!

     

    My last option is to make a call to Toshiba, as there is a known fault with their HDDs that causes a random HDD lock to be applied. It may be that actions of the ransomware caused irregular HDD activity leading to an HDD failure that applied the "lock" . . . just guessing!

     

    Thanks again for your help . . . will try booting from a USB key, if I can

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hi OnAnyMouse!

     

    Did booting from USB work for you?  Or have you received any answers from Toshiba?  Please update us if your issue moves forward, so that we know when your problem has been resolved, and so that others might also be able to benefit from your experience.

     

    // Chrissy

    F-Secure Community Manager

  • OnAnyMouse
    OnAnyMouse Posts: 4

    Alas I had to leave before I could get this resolved, but no, booting from USB wasn't possible, so didn't help :-(

     

    Am still trying to help remotely, so will keep the forum informed of any progress.
