Booting Linux on a PC with Ransomware

Spoingus
Level 1
Posts: 3
Joined: Fri Jan 14, 2022 8:01 pm
Location: Rio de Janeiro, Brazil

Booting Linux on a PC with Ransomware

Post by Spoingus »

So recently my Windows 10 computer got infected with STOP Djvu ransomware and pretty much all my important files got encrypted with the .shgv extension. I didn't have a backup of all my important stuff, so yes, I screwed up and learned my lesson. Now, the question that I wanted to ask is: I have a bootable USB stick with the latest version of Linux Mint. Is it safe to plug it in and boot from the USB drive, or is there still a chance of the malware running in the background? And, is it safe to connect an external HD to the infected computer while Linux is running? The reason for that is that I wanted to save my encrypted files in the hope that a working file decryptor will be available in the future, or that in the future maybe I manage to save enough money to afford a data recovery service for my files (the cheapest alternative I found here in Brazil costs a whopping $1210 [BRL 6710]).
Any help is really appreciated, thanks!
(Sorry for possibly broken English)
all41
Level 17
Posts: 7520
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Booting Linux on a PC with Ransomware

Post by all41 »

i have a bootable USB stick with the latest version of Linux Mint. Is it safe to plug in and boot from the USB drive
Sure--this loads entirely to ram--doesn't know/care if a hdd/ssd is present at all.
And, is it safe to connect an external HD to the infected computer while Linux is running?
Any malware copied from an infected drive could possibly replicate on the destination as well--no matter which os you are using.
Best scenario here--replace this drive for now and temporarily remove any others. Putting this drive safely aside now provides the best chance for future file recovery.
Spoingus
Level 1
Posts: 3
Joined: Fri Jan 14, 2022 8:01 pm
Location: Rio de Janeiro, Brazil

Re: Booting Linux on a PC with Ransomware

Post by Spoingus »

Thank you very much for the reply! There are still some things I wanted to make sure of, though.
Is it really the best way to save my encrypted files to put the entire HD aside? If so, I'm gonna need to buy a new drive to run the computer. (The external HD I mentioned earlier is for backups only. I already have some important backups on it, so that's why I was scared to plug it into my computer.)
Also, to clarify some things, these are the first steps I took after the infection: I opened up Panda Dome to run a scan and deleted a few files that were flagged as trojans. I then opened Process Explorer and used the VirusTotal functionality to search for suspicious processes, but I didn't find anything with it. Then I downloaded Emsisoft's Djvu Decryptor, and when I tried to run the program a message popped up saying "The malware is still on" and the decryptor offered to stop the malware. After I confirmed it I rebooted my PC and then tried to run the decryptor again. This time the message alerting that the malware was still on wasn't showing up anymore, so I believe the ransomware was destroyed. I am not sure, though, if there is any other malware that was installed on my computer (I believe it was infected with the Azorult trojan too). I wanted to copy only important encrypted files (about ~150GB) to the external HD, not everything that's on the computer's drive. After that my plan was to format and completely reinstall Windows 10 on the PC's drive and then continue to use it normally.
I don't have any idea how to deal with malware infections, so any help is appreciated! I already changed all of my passwords in case I was actually infected with Azorult.
I am really not tech savvy (most of what I did was through help from friends) and also I'm not that good at correctly spelling English, so sorry for any inconvenience.
all41
Level 17
Posts: 7520
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Booting Linux on a PC with Ransomware

Post by all41 »

I wanted to copy only important encrypted files (about ~~150gb) to the external HD
Are those files not encrypted by ransomware? Sure, offload them externally.
If those files are irreplaceable I would want to limit writes to this drive immediately--
phd21
Level 20
Posts: 10031
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Booting Linux on a PC with Ransomware

Post by phd21 »

Hi Spoingus,

Welcome to the wonderful world of Linux Mint and its excellent forum!

I just read your post and the good replies to it. Here are my thoughts on this as well.

We're sorry to hear that you and anyone else were victims of the ransomware criminals. Your English is good so far.

How are you able to make your post in this forum, if your computer is infected? Are you using another computer?

As has already been stated, it is safe to boot into Linux Mint's test drive installation system from a USB stick or a DVD disc, as these are read-only systems, and it will allow safe access to your external backup drive as well. I would not copy any files from the infected drive to your external backup drive until they have been scanned and cleared of infections by at least two antivirus and anti-ransomware apps.

With most ransomware and/or an extensive virus attack, your best bet is to reinstall the operating system. But, if there are important files that you want to try and recover, then you have other considerations. I agree with others that you should get another drive on which you can install a clean version of MS Windows with various anti-virus and ransomware removal and recovery (decryption) software packages, which also preserves the other drive with your data. I personally would not trust booting into that infected drive at all, regardless of whether you think the ransomware and viruses have been removed. If you are lucky enough to recover (successfully decrypt) any of your important files, copy them to another drive and re-run a couple of antivirus software packages to make sure they are safe to use again. Once you have recovered as much of your files and data as you can, you can then format the infected drive and re-use it.

It would help to know more about your infected system's setup. From the bootable Linux Mint system, if you run "inxi -Fxzd" and "lsusb" from the console terminal prompt, highlight the results, and copy and paste them back here, that should provide enough information.

FYI: If you were running Linux Mint, you probably would not have been affected by this ransomware or other virus and malware.

FYI-2: If you had a good anti-virus system actively running on your MS Windows, in addition to MS Defender, then that would help, but not necessarily eliminate malware threats. Always have good backups of important data and files.

Do you have any idea what you were doing that downloaded and activated the ransomware, like using torrents perhaps, opening an email(s), or visiting a certain website? If so, letting others know what you were doing may help others avoid the same problems. Always antivirus-scan any downloads from anyone or anywhere, especially torrents, before accessing them or using them.

From what I have read recently, this ransomware recovery is at least a 4 step process: See links below. Don't pay the ransomware people. If you have a willing friend or acquaintance with more computer skill than you that might help, contact them as well.

These are my suggestions and recommendations.

1.) Need to install a clean copy of MS Windows on another drive and install at least one or more of the anti-virus software and ransomware removal and decryption apps that claim to handle this ransomware. I have links below. I don't know if there are bootable versions of the anti-virus and anti ransomware applications that you can use for this ransomware, but there might be.

2.) Run the anti-virus and this ransomware's removal applications on the infected drive. I would try at least two applications. This should remove the ransomware, any viruses, and other malware. Scan your external drives as well.

3.) Run the various decryption apps on the infected drive's files to see if any of them can recover your files.

4.) Copy all the recovered data and files you want to save off of the infected drive and re-run the anti-virus and ransomware scan apps on those files to make sure they are safe to use before trying to use them.

5.) Format the infected drive or leave it as is until you make sure you have recovered what you hoped to recover.


If I were in your position, I would read over all these articles and make your own plan. The Emsisoft STOP DJVU Decryptor software is recommended in these articles as well.

SHGV VIRUS (.shgv FILE) RANSOMWARE — FIX & DECRYPT DATA
https://howtofix.guide/shgv-virus-file/

Remove SHGV Ransomware Virus (+DECRYPT .shgv Files) - Virus Removal Guide
https://virus-removal-guide.net/72654-shgv-ransomware/

How to remove Shgv Ransomware and decrypt .shgv files - BugsFighter
https://www.bugsfighter.com/remove-shgv ... hgv-files/

Decrypt Files Locked by STOP/DJVU Ransomware (Updated 2022 Guide) | Geek's Advice
https://geeksadvice.com/decrypt-files-l ... are-virus/

Remove SHGV Ransomware Virus (DECRYPT .shgv FILES) | Geek's Advice
https://geeksadvice.com/remove-shgv-ransomware-virus/

.shgv?? - Ransomware Help & Tech Support
https://www.bleepingcomputer.com/forums/t/765409/shgv/

Djvu Ransomware - Decryption, removal, and lost files recovery (updated)
https://www.pcrisk.com/removal-guides/1 ... ransomware

Good luck

Hope this helps ...
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
Petermint
Level 7
Posts: 1844
Joined: Tue Feb 16, 2016 3:12 am

Re: Booting Linux on a PC with Ransomware

Post by Petermint »

For anyone contemplating backup protection, the virus can delete all the backups from the Windows shadow volume backup. You need an independent backup to an external device. Several independent backup devices will cover the situation where the virus attacks while you are backing up.

I suggest booting a Linux-based backup stick for a weekly backup. The virus cannot attack while you are booted into Linux.

Could be a Clonezilla-style image. Could be a Back In Time-style home directory backup. The best option is regular home directory backups and monthly images.
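The advice in this thread (all41: limit writes to the infected drive and offload the encrypted files; phd21: work from the read-only live system and copy the files you want to keep off the infected drive; Petermint: back up to an independent external device while booted into Linux) can be carried out with a small script from the Linux Mint live session. The following is an added example written for this thread, not code from any of the posters or from Linux Mint. It assumes the infected Windows partition is /dev/sda2 and the external drive is /dev/sdb1 (both placeholders to replace with the devices lsblk shows), and that the copy is to be kept for a future decryptor, so each file's SHA-256 is recorded in a manifest that can be re-checked months later:

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): preserve the
# ransomware-encrypted files from the infected disk while booted from the
# Linux Mint live USB, writing only to the external drive and never to the
# infected disk. Device names /dev/sda2 and /dev/sdb1 are placeholders.
set -eu

# Mount the infected Windows partition read-only, with noexec/nosuid/nodev so
# nothing stored on it can run from the live session and no write (not even
# an access-time update) reaches the drive.
mount_infected_ro() {
    dev=$1
    mnt=$2
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Copy every file named "*.<ext>" below $src into $dest, keeping the relative
# path and timestamps, and append each copy's SHA-256 to $dest/MANIFEST.sha256.
# $dest must lie outside $src. Filenames containing newlines are not handled.
preserve_encrypted_files() {
    src=$1
    dest=$2
    ext=$3
    mkdir -p "$dest"
    : > "$dest/MANIFEST.sha256"
    find "$src" -type f -name "*.$ext" | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        (cd "$dest" && sha256sum "$rel") >> "$dest/MANIFEST.sha256"
    done
}

# Number of files recorded in the manifest.
preserved_count() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# Re-verify the preserved copies (for example before handing them to a
# decryptor later); exits non-zero if any copy is missing or altered.
verify_manifest() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Usage from the live session (placeholder devices and paths):
#   mount_infected_ro /dev/sda2 /mnt/infected
#   mkdir -p /mnt/backup && mount /dev/sdb1 /mnt/backup
#   preserve_encrypted_files /mnt/infected/Users /mnt/backup/preserved shgv
#   verify_manifest /mnt/backup/preserved && echo "preserved $(preserved_count /mnt/backup/preserved) files"
```

The read-only, noexec mount is what turns all41's "limit writes to this drive" into something enforced by the kernel rather than by care; the manifest is what lets you prove, when a decryptor finally appears, that the preserved copies are byte-for-byte what was taken off the infected disk. Only files carrying the ransomware's extension are copied, so the known-bad executables the ransomware dropped alongside them stay on the original drive.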
Spoingus
Level 1
Posts: 3
Joined: Fri Jan 14, 2022 8:01 pm
Location: Rio de Janeiro, Brazil

Re: Booting Linux on a PC with Ransomware

Post by Spoingus »

Thanks everyone for the replies! Sorry for taking so long to answer, I've been pretty occupied recently.
Here are the answers to the questions you asked, phd21 (I don't know how to quote lol, sorry):
I have posted this through my phone, as I haven't connected my computer to the internet since the infection. The only times I have booted the computer were with my bootable USB stick (to run Linux) to check how many files have been encrypted (pretty much all of them except system files and files without extensions; the virus did enormous damage to the computer and nearly no personal files have been left intact). To my surprise, large files like movies and soundtracks (more than 3GB) didn't get encrypted at all. I do have another computer I can use in case of emergency, though.
My infected system is a Samsung Essentials Model NP300E5M Notebook that came with MS Windows 10 from the store. I have run the commands you told me to, but since there's no way to copy the results to my phone without connecting the infected system to the internet or without having to connect a media stick to the system, I have taken photos of it.
The secondary computer I have is a damaged Notebook (cannot connect to the network at all) that has a 500GB internal HD without any sensitive or valuable information, so it can be used to verify potentially infected drives and media sticks without the risk of losing precious files if infected.
I was infected with the ransomware after downloading and running an infected installation file from https://pcsoftstore.com. THIS SITE CONTAINS RANSOMWARE, TROJANS AND OTHER FORMS OF MALICIOUS SOFTWARE, DO NOT ACCESS IT AT ANY COST. I have already reported this domain to Google for being malicious, although the site seems to still be active. I didn't report it to the FBI since I don't have a US address, which is required for the report, so please, if someone lives in the US, report the site I mentioned. Emsisoft Decryptor pointed out that the STOP Djvu variant that infected my PC is new, so there's no current method of file decryption available.
Attachments
img1.jpg
img2.jpg