Author Topic: New type of ransomware?  (Read 975 times)

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9582
New type of ransomware?
« on: August 14, 2015, 02:18:25 AM »
This might be a wrong forum to ask, or then again not:

A retired lady just called, that she had upgraded to Win10 without a hitch. Then suddenly her desktop images started to vanish one by one. Also her pictures disappeared, but through Explorer she managed to find Picasa which could locate all of them. Also she got a message about a file in C:\ either being corrupt or moved. So she shut the computer down, hoping it would fix the problems. It didn't. At next boot the desktop was totally black with only the volume slider and Recycle bin on it, and the Start button in the corner. When she tried to open Explorer, a chat window with a woman's image popped up, asking for ransom money in Russian. Oh, and the anti-virus program says all is fine...

This is all I know about it at this moment, I've not seen the computer yet.

Aside from asking for further information about how to fix this issue, I want to spread the information about this threat. It appears that Windows 10 isn't immune to this kind of threat, or could it be that Win10 has a brand new security hole allowing this?

So if you find your desktop icons disappearing, at least disconnect the computer from the Internet immediately. I don't know whether the missing files have been hidden and moved inside the computer's hard disk, as was the case with a virus a few years ago, or whether they have been uploaded to an unknown server. In the latter case there's not much to do to save the lost files; even paying the ransom likely won't help.
Quote from: BaldEagl, applies to myself, too
I've got an older system by today's standards that still runs the game well by my standards.

My homepage

Offline Bino

  • Platinum Member
  • ******
  • Posts: 5937
Re: New type of ransomware?
« Reply #1 on: August 14, 2015, 02:37:57 AM »
"A retired lady just called, that she had upgraded to Win10 without a hitch."

What did she *actually* install? Sounds like a bad "phishing" scam that only looks like the Win10 upgrade. Wow.


"The plural of 'anecdote' is not 'data'." - Randy Pausch

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9582
Re: New type of ransomware?
« Reply #2 on: August 14, 2015, 02:43:41 AM »
Quote from: Bino
"A retired lady just called, that she had upgraded to Win10 without a hitch."

What did she *actually* install? Sounds like a bad "phishing" scam that only looks like the Win10 upgrade. Wow.
Thought of that, too.

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9582
Re: New type of ransomware?
« Reply #3 on: August 14, 2015, 06:21:31 AM »
Update: I now have the computer under surveillance. To my glad surprise it booted normally, with all of the files intact. My biggest concern was that they had been uploaded to some unknown place. It might have been because I had not connected it to the Internet. Or maybe the symptoms disappeared because sufficient time had passed, as I've heard has happened with some of the Police viruses. Hard to tell.

After telling my customer the good news I then rolled back to Win7, again without any problems. Seeing that everything looked fine, I am now running the F-Secure Rescue CD scan.


Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9582
Re: New type of ransomware?
« Reply #4 on: August 15, 2015, 02:53:49 AM »
Another update: The F-Secure Rescue CD scan was clean. The next step was to run a Malwarebytes Anti-Malware scan in Safe Mode (installed from a memory stick to avoid any downloading issues), which found some PUPs, none of which seem to be really dangerous: RadioHoops, MultiPlug and Conduit. I'll continue with ESET's Online Scan, again in Safe Mode.

It starts to look like this case will come up roses. Any signs of a ransom virus must have gone away with the rollback so this might well have been a Win10 vulnerability issue. I have no doubt that the owner really saw the Desktop and Explorer items disappear and a chat window pop up, asking for €100 to return them. Actually she seems to have a pretty good basic knowledge of computing, so this wasn't a false alarm. Stay alert out there!

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9582
Re: New type of ransomware?
« Reply #5 on: August 16, 2015, 02:46:05 AM »
Conclusion:

After several scans for different types of malware it appears that there has been a bunch of adware in the computer in question for some time. I also found traces of at least AdwCleaner, which indicates the owner has tried to get rid of adware by herself. None of the findings were rated "critical" by the scanners. Mostly PUPs, a couple of Trojans.

I also found traces of at least three previous anti-virus installations. During the last few weeks I've noticed such remains cause issues with the currently active anti-virus program, especially with F-Secure which is quite popular here.

My guess is that some elements in this cocktail might have opened a bigger wormhole in the upgrade process.

Warning: For those who plan to take the leap: Before starting the upgrade process, make sure that your computer is in pristine condition. The upgrade doesn't fix what has been compromised either deliberately or accidentally.


Case closed.

Offline icepac

  • Platinum Member
  • ******
  • Posts: 6911
Re: New type of ransomware?
« Reply #6 on: August 17, 2015, 07:26:21 PM »
"presentationhost" is a bad one.

Not sure if it attacks Windows 10.

Offline Meatwad

  • Plutonium Member
  • *******
  • Posts: 12785
Re: New type of ransomware?
« Reply #7 on: August 18, 2015, 07:25:13 AM »
I have seen them on tablets a few times now
See Rule 19- Do not place sausage on pizza.
I am No-Sausage-On-Pizza-Wad.
Das Funkillah - I kill hangers, therefore I am a funkiller. Coming to a vulchfest near you.
You cant tie a loop around 400000 lbs of locomotive using a 2 foot rope - Drediock on fat women