Syskey ransomware making comeback


#1

In spite of being warned by me personally at least 10x over the last few years, my idiot neighbour answered the phone for “Microsoft Support”, did what they said to ‘get a $139 refund on Windows’. Of course he can’t remember what he did or what they asked him to do, he didn’t do anything…
Now he has syskey on his laptop and they seem to have got even trickier about it.

  1. No restore points work. All fail.
  2. He has a new Toshiba laptop with Windows 10. Boots UEFI only. Can’t boot from anything else.
     • I have several USB sticks, CDs etc.: chpwd and even commercial iSunshare. You can’t boot from them on his machine.
     • If you set the BIOS to safeboot off / CSM legacy they boot but can’t even see the HD; as I mentioned, they can’t boot at all in UEFI.
     • Looks like they might’ve set fast boot in Windows, so you can’t turn it off unless you get into Windows.

Gonna try removing the HD, powering on and setting to boot USB then reinstall the drive. Wotta PITA


#2

Try making a windows boot disk from ISO with Rufus. It allows Legacy, or UEFI, or even hybrid booting.

http://rufus.akeo.ie

My rescue USB drive was made with YUMI, and I think there’s a way to make that boot on UEFI as well.


#3

Already tried that one too. Doing a reset (keep files) to see if that works.
Made specific Rufus UEFI CD & USB; they don’t boot from UEFI or see the HD either.


#4

Hmm - so they set fastboot, moved the user profile to a hidden folder somewhere else, added a couple partitions and one of them probably has the old registry hidden and renamed.
Wotta PITA
Pulled the HD and looked at it as a USB external. Got some of his pics and disgusting music back, but he kept phoning every 2 hours "is it done yet?"
WIPE! Sorry, you lost everything.
Just couldn’t wait so he pulled out his old Vista laptop last night and FUBAR’d it within minutes too. Oooohhhh he’s gettin a bill…


#5

Another round of syskey. This time fake web pages (for those who can’t even tell they’re looking at a web page) or a little warning note left on the user’s desktop with a number to call.
On Win10 machines, the Repair menu’s Advanced UEFI settings are gone; that’s how they prevent booting from USB or CD/DVD.
Handy to have a USB/SATA connector: pull the drive and plug it into another unit. cd to Windows\System32\config and see if there’s a RegBack dir in there. Check it to see if there’s anything there; if not, they wiped that too.
If [DEFAULT, SAM, SECURITY, SOFTWARE & SYSTEM] are there, make a TEMP dir in config and back up those files from System32\config to it just in case, then delete them from config.
Copy the files from config\RegBack back into config. Put the drive back in and reboot.
You’ll probably need to reinstall a few apps like Edge and Weather.

If the files aren’t in RegBack, just copy their user Docs, Pix & Music folders onto your other computer. Go into the USB and remove all partitions; don’t format. You’ll need to put the drive back in the original machine and do a fresh Win10 install; it will now boot from USB. Copy their docs, pix, music back. It’s about the best anyone can do.

  • don’t say I never told ya nuthin…
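The RegBack recovery steps from post #5, written up as an added PowerShell script (this is not code from the thread or its posters). It assumes the locked drive is attached to a clean Windows machine through a USB/SATA adapter and shows up as E:\ (the drive letter is an assumption and is a parameter). It adds one check the post only hints at: it refuses to proceed if any RegBack hive is missing or zero bytes, which is what you see when the scammers cleared the backups and also on Windows 10 builds from 1803 onward, where the periodic RegBack copy is disabled by default and the files are empty placeholders.

```powershell
<#
  Offline restore of the registry hives from Windows\System32\config\RegBack
  on a drive pulled from a syskey-locked machine. Added example, not from the
  original thread. Run from a clean Windows box; the locked disk must not be
  the boot drive of the machine you run this on.
#>
param(
    # Drive letter the pulled disk received on the clean machine (assumption: E)
    [string]$DriveLetter = 'E'
)

$Config  = Join-Path "${DriveLetter}:" 'Windows\System32\config'
$RegBack = Join-Path $Config 'RegBack'
$Hives   = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'
# TEMP dir inside config, timestamped so repeated runs never overwrite a backup
$Temp    = Join-Path $Config ('TEMP_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

if (-not (Test-Path $Config)) {
    Write-Host "No Windows\System32\config on ${DriveLetter}: - is that the right drive letter?"
    exit 1
}
if (-not (Test-Path $RegBack)) {
    Write-Host "No RegBack directory - backups were removed; fall back to copying user data and reinstalling."
    exit 1
}

# Check every backup hive is present and non-empty. A 0-byte file is useless:
# that is what a wiped RegBack looks like, and also the default state on
# Windows 10 1803+ where periodic registry backup is turned off.
$unusable = @()
foreach ($h in $Hives) {
    $f = Join-Path $RegBack $h
    if (-not (Test-Path $f) -or (Get-Item $f).Length -eq 0) { $unusable += $h }
}
if ($unusable.Count -gt 0) {
    Write-Host ("RegBack has no usable copy of: {0}. Not touching the drive." -f ($unusable -join ', '))
    exit 1
}

# Step 1 from the post: park the current (locked) hives in a TEMP dir first.
# Moving them is the same as "back up, then delete from config".
New-Item -ItemType Directory -Path $Temp | Out-Null
foreach ($h in $Hives) {
    $src = Join-Path $Config $h
    if (Test-Path $src) {
        Move-Item -Path $src -Destination (Join-Path $Temp $h)
        Write-Host "Moved current $h to $Temp"
    }
}

# Step 2: put the RegBack copies in place of the locked hives.
foreach ($h in $Hives) {
    Copy-Item -Path (Join-Path $RegBack $h) -Destination (Join-Path $Config $h)
    Write-Host "Restored $h from RegBack"
}

Write-Host "Done. Locked hives kept in $Temp. Put the drive back in the laptop and reboot."
```

Run it as an administrator on the clean machine (`.\Restore-RegBack.ps1 -DriveLetter E`). The script deliberately never deletes anything: the locked hives stay in the TEMP dir, so if the restored registry turns out older than expected you can move them back and go the reinstall route the post describes instead.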