Endpoint Protection

  • 1.  Microsoft ransomware for IE

    Posted Feb 24, 2016 11:01 AM

    Hello

    We are experiencing a rising problem with a web page that acts like a homepage when opened. It says it's from Microsoft and says that "You were being hacked, Microsoft has prevented the attempt but your personal data may still be at risk." and then it proceeds to give you a phone number to call or click a link leading to a "remote technical assistant." We have run every antivirus, anti-malware and even our Symantec. It seems as though this is hidden deep somewhere in Windows and we cannot even find it in the registry. The page even has a legitimate-looking Microsoft logo and colors but Microsoft does not do anything like this.

    The only possible solution to get rid of it is to wipe the drive and reload. My main concern is that it is getting past any kind of security no matter what it is. It is really persistent and has attacked 3-4 computers in a week's period. My question is: has anyone experienced this, and if you have, what kind of fix do you have?

    Thank you

    Jared



  • 2.  RE: Microsoft ransomware for IE

    Posted Feb 29, 2016 03:21 PM

    What controls do you have in place? Are you running an IPS and firewall? Is SEP 12.1 installed and what level policy do you have applied?



  • 3.  RE: Microsoft ransomware for IE

    Posted Feb 29, 2016 11:54 PM

    Wiping is not a good solution at all.

    Is the problem only on IE? What about in Firefox, Chrome?

    Hope you have checked the hijacked home page.

    In our case we tried most of the tools and finally ended up checking the IE properties - the culprit had added a script to the target file (right-click IE, then Properties). After removing that text everything was back to normal.

    Rgds,

    APK
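
The shortcut check described in post 3, plus the home page check it mentions, as an added example that is not part of the original thread: a read-only PowerShell sketch that lists browser shortcuts whose Target carries extra arguments and prints the current IE start page. It assumes PowerShell 3.0 or later and the standard Windows shortcut locations; the list of browser executables is an assumption taken from the browsers named in the thread.

```powershell
# Added example: report browser shortcuts with text appended to the Target.
# Read-only; nothing is modified. Hits need manual review.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'   # assumed list

# Standard locations where browser shortcuts live.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

# WScript.Shell can read the Target and Arguments of an existing .lnk file.
$shell = New-Object -ComObject WScript.Shell

$findings = Get-ChildItem -Path $roots -Filter *.lnk -Recurse -Force `
                -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if (-not $lnk.TargetPath) { return }          # skip non-file targets
        $exe = [IO.Path]::GetFileName($lnk.TargetPath)
        # A clean browser shortcut normally has an empty Arguments field.
        if ($browsers -contains $exe -and $lnk.Arguments.Trim()) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    }

# The per-user IE home page, for comparison with what the browser opens.
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
            -ErrorAction SilentlyContinue
"IE Start Page: $($main.'Start Page')"

if ($findings) { $findings | Format-List }
else { 'No browser shortcut with appended arguments found.' }
```

Some arguments are legitimate, such as `-extoff` on the "Internet Explorer (No Add-ons)" shortcut or a Chrome `--profile-directory` switch; a URL or script path in the Arguments field is the pattern post 3 describes.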

     



  • 4.  RE: Microsoft ransomware for IE

    Posted Mar 01, 2016 07:04 AM

    Re-imaging ensures it is fully removed. In fact it is the best and guaranteed option.



  • 5.  RE: Microsoft ransomware for IE

    Posted Mar 01, 2016 09:44 AM

    Hi jerb,

    That definitely does sound like a scam.

    When tech support scams meet Ransomlock
    https://www-secure.symantec.com/connect/blogs/when-tech-support-scams-meet-ransomlock

    Have you tried using the SymDiag tool to look for any file-related cause for the browser hijack?

    Using Today's SymDiag to Combat Today's Threats
    https://www-secure.symantec.com/connect/articles/using-todays-SymDiag-combat-todays-threats

    Please keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick