A client of mine was hit with a variant of the Citadel Ransomware yesterday. He was just surfing the web and looking for a movie to watch when he was hit by the drive-by download. It placed a big old warning message with "Your Computer Has Been Blocked" on the left and "The United States Department of Justice" warning on the right, and a picture of a naked girl in a sexual position near the bottom, while asking for a MoneyPak payment to unlock the computer.
Upon receiving the computer, I rebooted and used a Kaspersky Rescue CD to boot and scan the hard drive. It found the following files: 4 files labeled as "Trojan.Downloader.WMA.FakeDRM.bj" and 10 files labeled as "Win32.Katusha.n". The exact filenames don't matter because they are just a bunch of random letters and numbers. After I deleted these 14 items with Kaspersky, I took out the CD and rebooted.
Upon reboot, the computer came on, and about a minute after being on, the warning screen came back, which I was happy about because I wanted to get a closer look and a picture. Upon looking at the bottom of the screen I noticed there was a small black square that was blurry but changing. I moved around and noticed a picture of me there, as the webcam was recording and putting my picture right in the page next to the naked girl porno warning. I covered up the webcam with some tape and started experimenting with the computer to see what I could do. After taking a picture of the screen for documentation purposes, I tried to do a few things and was surprised that it actually let me open up some windows and folders. I immediately noticed that it had created another false partition and a bootsect.bak. I rebooted into safe mode and deleted all the recent temporary files, and then used RogueKiller to run a quick scan and removal of about 8 registry keys and a batch file. I was still not out of the woods, but I was in total control of this bad boy at this point.
I downloaded Malwarebytes and let that scan, and it found 15 items, mostly in the ProgramData folder. Check out the pictures for more detailed info. After deleting everything Malwarebytes found, I uninstalled Microsoft Security Essentials and installed Bitdefender. This is not the first time I have seen Microsoft Security Essentials fail to protect against older known malware. After removing everything to this point and rebooting, the computer seems back to normal. I am still searching through the registry and all folders for any remaining traces. Bitdefender and Malwarebytes are both returning completely clean, and it really wasn't that difficult to remove this, so I am still wary that there may be traces left behind.
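For the follow-up search for leftover traces, here is an added triage script (not from this post, and not from any of the tools mentioned) that lists the kinds of artifacts described above so they can be reviewed before anything else is deleted: a bootsect.bak in the root of the system drive, recently written executables and batch files under ProgramData and the temp folders, Run/RunOnce entries that point at them, and the drives the OS currently sees. It assumes an elevated Windows PowerShell session on the cleaned machine; the 7-day lookback is a chosen value, not something from the post.

```powershell
# Added triage script (not part of the original post). Run elevated.
# $LookbackDays is an assumed value; widen it if the infection date is unknown.
$LookbackDays = 7
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. bootsect.bak in the root of the system drive (the post found one after infection)
Write-Host "== bootsect.bak in system drive root =="
Get-ChildItem -Path ($env:SystemDrive + '\') -Filter 'bootsect.bak' -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 2. Recently written executables / batch files under ProgramData and the temp folders
Write-Host "== Recent executables and scripts in ProgramData / Temp =="
$dirs = @($env:ProgramData, $env:TEMP, "$env:LOCALAPPDATA\Temp")
Get-ChildItem -Path $dirs -Recurse -Force -Include '*.exe','*.dll','*.bat','*.cmd' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime, Length

# 3. Run / RunOnce entries that launch something from ProgramData, Temp, or a batch file
Write-Host "== Suspicious Run/RunOnce entries =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ("$($p.Value)" -match 'ProgramData|\\Temp\\|\.bat\b|\.cmd\b') {
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 4. Drives the OS currently sees, to spot the extra "partition" the post noticed
Write-Host "== File system drives =="
Get-PSDrive -PSProvider FileSystem | Select-Object Name, Root, Used, Free
```

Nothing in the script deletes anything; each hit still has to be judged by hand, since legitimate installers also write to ProgramData and Temp.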