6 Replies Latest reply on Jul 17, 2013 8:08 AM by exbrit

    Mandiant USA Cyber Security Ransomware

      My son got this on his PC last night with active and updated McAfee. I see no mention of this ransomware anywhere in these forums or on the McAfee site. I'm curious as to how this has been overlooked.

        • 1. Re: Mandiant USA Cyber Security Ransomware
          exbrit

          There are literally hundreds of variants on the ransomware theme and new ones appear almost daily. They aren't detectable by most antivirus applications because they aren't really a virus but require human interaction to take hold.

          The best defence is NOT to touch anything, mouse or keyboard, and immediately power off. OK, you'll lose whatever you haven't saved, but better that than the alternative.

          Then power back on into Safe Mode by tapping F8 repeatedly while booting up and initiate System Restore to before it all started (hopefully).

          If successful, temporarily disable System Restore to delete the infection.

          If that is now not possible there is an excellent removal guide here that we recommend: http://www.bleepingcomputer.com/virus-removal/remove-mandiant-usa-cyber-security-ransomware

          Good luck ;-)

          • 2. Re: Mandiant USA Cyber Security Ransomware
            Hayton

            Mandiant? Same old same old. It's Reveton wearing a new mask. Unless they've introduced some novel feature, the usual removal process should work for this one too. Go with the BleepingComputer article and advice.

             http://www.crn.com/news/security/240158233/malware-using-mandiant-name-in-scareware-scam-company-says.htm

            • 3. Re: Mandiant USA Cyber Security Ransomware

               Not familiar with same old same old, but this is pretty nasty. Safeboot, it shuts down the PC before you can do anything so not sure you have seen this before. Already removed using the bleeping computer HitmanPro. That is some good stuff.

              PS.  I am a senior IT guy of over 25 years.  Nothing is a mystery.  I still think McAfee should have a signature and caught it.  Moving on to something else.

              • 4. Re: Mandiant USA Cyber Security Ransomware
                exbrit

                Some of the older ransomware pests are now caught I believe, but none of the A/V's are good at these judging from what I've read elsewhere online.  Most of them have extra tools which catch some, as does McAfee in the form of Stinger and RootkitRemover, linked in that last link of my signature or HERE.

                 I agree it would be nice if McAfee would catch all of these things. It would certainly reduce a lot of anxious moments for customers and headaches for everyone concerned.

                Anyway, glad things are OK now.

                • 5. Re: Mandiant USA Cyber Security Ransomware
                  Hayton

                   Whatever's on the blocking screen is irrelevant except as a means of identifying which version of the basic ransomware program you're dealing with. It's whatever is going on behind the scenes that's important, and if the code changes so does the signature that McAfee uses to identify the malware strain. It is, though, basically the same program that's been doing the rounds for a couple of years now (with modifications).

                  If this is disabling Safe Mode booting that's an interesting development, and one which the mods were discussing privately a few weeks ago ("Disabling Safe Mode", Peter - go check). The NoSafeMode program modifies the MBR to disable F8. It's usually relatively easily undone (although that statement is a hostage to fortune).

                  • 6. Re: Mandiant USA Cyber Security Ransomware
                    exbrit

                    Yes indeed, I do recall.