anthony.swabb Posted May 2, 2017
Question that's maybe been answered before: I noticed a few months ago my internet browser initiating with a weird Russian website, all in Russian, cannot read obviously. It comes up when I turn the computer on. I googled it and it is possibly connected to ransomware. If it was ransomware, would it have already tried to lock my files and carry on with extortion? Nothing is locked or encrypted. I close the browser and it's gone. Maybe the anti-virus stopped it before it "started" (I have Sophos)? I'm trying not to freak out because it seems like nothing has happened. But it's also a work laptop so I obviously don't want to infect an entire organization. I told an IT guy about it. He was concerned but didn't think anything major had occurred. He took the laptop and is going to replace it with a re-imaged hard drive. Any thoughts?
sc302 (Veteran) Posted May 2, 2017
Browser hijack or rootkit. Might be ransomware linked, but that isn't what you have here. Best solution is to wipe, but it could be cleaned enough to where it doesn't do that any more. There is no 100% guarantee that it didn't load something else on your machine.
anthony.swabb (Author) Posted May 2, 2017
Thank you for the response. OK, I see. Replacing the hard drive might not 100% solve the problem?
sc302 (Veteran) Posted May 2, 2017
What I mean by no 100% would be leaving the OS as is and cleaning the issue up. Pulling the drive, you're good; formatting the drive, you're good. It is rare to have a firmware virus, even more so a BIOS virus.
goretsky (Supervisor) Posted May 3, 2017
Hello, Hijacked browser as @sc302 suggested, or even the DNS settings on the computer or router. If it only occurred in one web browser, then likely an issue with a malicious plug-in. If occurring in multiple web browsers, compromised computer settings. If occurring on all computers on the same network connection, then a compromised router. The web site that was appearing was probably a domain or network block used for a wide variety of criminal activity, including (but not limited to) ransomware. Regards, Aryeh Goretsky
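The triage above (one browser, all browsers, or all machines) and the original symptom (a browser opening a URL at logon) both come down to checks an IT person can run on the laptop before deciding to re-image. The script below is an added example written for this thread; it is not from any of the posters or from Sophos. It is read-only: it lists autostart entries (Run/RunOnce registry values, Startup and Desktop shortcuts, scheduled tasks) whose command line carries a URL, which is how a "browser hijack" typically launches a page at boot, and then prints the DNS servers configured on each adapter so they can be compared with what IT expects. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-DnsClientServerAddress) and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Read-only audit for the two causes
# raised in the discussion: a browser launched at logon with a URL argument
# (autostart hijack) and altered DNS settings. Run as Administrator.

$UrlPattern = 'https?://\S+'   # a URL in an autostart command line is unusual

function Get-RunKeyUrlEntries {
    # Registry Run/RunOnce values whose command line contains a URL.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # skip provider metadata
            if ($prop.Value -is [string] -and $prop.Value -match $UrlPattern) {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

function Get-StartupShortcutUrlEntries {
    # .lnk files in the Startup folders and on the Desktop (hijacked browser
    # shortcuts are common there) whose arguments contain a URL.
    $shell = New-Object -ComObject WScript.Shell
    $folders = 'Startup', 'CommonStartup', 'Desktop', 'CommonDesktopDirectory' |
        ForEach-Object { [Environment]::GetFolderPath($_) }
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.Arguments -match $UrlPattern) {
                [pscustomobject]@{
                    Source  = $_.FullName
                    Name    = $_.BaseName
                    Command = "$($lnk.TargetPath) $($lnk.Arguments)"
                }
            }
        }
    }
}

function Get-ScheduledTaskUrlEntries {
    # Scheduled tasks (another common persistence spot) whose action holds a URL.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $UrlPattern) {
                [pscustomobject]@{
                    Source  = "Task: $($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = $cmd
                }
            }
        }
    }
}

function Get-ConfiguredDnsServers {
    # DNS servers per adapter. Compare with what IT expects; if another
    # machine on the same router shows different servers, suspect the host,
    # if every machine shows the same unexpected servers, suspect the router.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias,
            @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ', ' } }
}

$findings = @(Get-RunKeyUrlEntries) + @(Get-StartupShortcutUrlEntries) + @(Get-ScheduledTaskUrlEntries)
if ($findings.Count -eq 0) {
    Write-Output 'No autostart entry launches a URL.'
} else {
    Write-Output 'Autostart entries that launch a URL (show these to IT):'
    $findings | Format-Table -AutoSize -Wrap
}
Write-Output 'Configured DNS servers per adapter:'
Get-ConfiguredDnsServers | Format-Table -AutoSize
```

Browser-side extensions are not covered here; a hit in only one browser points, as the post says, at a plug-in, and that is checked from the browser's own extensions page. The script changes nothing, so it is safe to run before the laptop is handed over for re-imaging and its output is worth keeping for the IT team.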
anthony.swabb (Author) Posted May 3, 2017
> Hello, Hijacked browser as @sc302 suggested, or even the DNS settings on the computer or router. If it only occurred in one web browser, then likely an issue with a malicious plug-in. If occurring in multiple web browsers, compromised computer settings. If occurring on all computers on the same network connection, then a compromised router. The web site that was appearing was probably a domain or network block used for a wide variety of criminal activity, including (but not limited to) ransomware. Regards, Aryeh Goretsky

Is it possible it was Spora ransomware, and I just coincidentally did not open or use files it targeted?
sc302 (Veteran) Posted May 3, 2017
> Is it possible it was Spora ransomware, and I just coincidentally did not open or use files it targeted?

Aryeh would be best suited to answer, but anything is possible.
anthony.swabb (Author) Posted May 3, 2017
I suppose it's a moot point at this point since it's a work laptop for remote site use and the hard drive will be replaced, but for my own peace of mind I'm interested.
sc302 (Veteran) Posted May 3, 2017
Understood, at this point it is all speculation. Don't know where, how, or what got you infected. We can play a lot of different what-if or could-be scenarios.
anthony.swabb (Author) Posted May 3, 2017
I'll ask the IT guys, though I'm not sure how entirely competent they are. Of note, I didn't notice it till after researching bitcoin online.
exotoxic Posted May 3, 2017
Why not translate the page?
sc302 (Veteran) Posted May 3, 2017
Okie dokie
goretsky (Supervisor) Posted May 4, 2017
Hello, It's possible, but seems unlikely. Regards, Aryeh Goretsky
anthony.swabb (Author) Posted May 5, 2017
> Why not translate the page?

Where's the fun in that? It looked like that.
sc302 (Veteran) Posted May 5, 2017
For all you know, without translating or being able to read or understand it, it could say: clicking here gives them access to your machine and will mine any data available, including saved bank account info and passwords. We will be draining your account and posting photoshopped pictures of you in embarrassing situations to blackmail you. We now own you. Seriously, if you don't know, don't even visit the page.