can you identify this software used to attack a client?

January 16th, 2016, 20:51

Recovered files for client. Looking to see what tools were used on this attack. Attached is an image from what appears to be an older piece of software used to separate my client from his data. Does anyone recognize the program?
Attachments
whatsoftware.JPG

Re: can you identify this software used to attack a client?

January 16th, 2016, 21:30

The scammer used a Microsoft tool called SysKey.

How to use the SysKey utility to secure the Windows Security Accounts Manager database:
https://support.microsoft.com/en-us/kb/310105

http://computernetworkingnotes.com/xp-t ... sword.html

In this tutorial we will remove the Syskey start-up password and reset the administrator password. Syskey is an additional layer of security. An average user barely implements it. Scammers take advantage of this tool to scam. Scammers usually contact the computer owner identifying themselves as a member of the Microsoft support team. They will inform you that your PC has a number of critical problems that need to be fixed immediately or your system will fail to work properly. They will convince you to allow them to connect to the system remotely and fix the issues. If you do make the mistake of letting them connect, they will ask you to pay $$$ for the fix. If you refuse to pay, they will enact SysKey encryption on the SAM registry hive.

http://www.passcape.com/reset_syskey
http://www.oxid.it/ca_um/topics/syskey_decoder.htm
https://fixedit.itxpress.biz/2015/01/16 ... hone-scam/

Re: can you identify this software used to attack a client?

January 17th, 2016, 15:41

I had one of these yesterday. There were no system restore points available but I managed to restore the registry manually from the backup located in the windows\system32\config folder to the date/time before the scammers got into the system. I have read some of those lowlifes even delete the backup in some cases. I presume in these particular cases the user data remains unencrypted as the Syskey utility is only used to lock the user out of the system?

Re: can you identify this software used to attack a client?

January 18th, 2016, 0:59

Yes, only the registry gets encrypted so data is fine. Not so lucky on repair: the backup registry method did not restore a working system. Going to try and find deleted system restore points, but given the evidence of a wipe program added to this system I suspect the worst. Easier to reinstall.

Re: can you identify this software used to attack a client?

January 18th, 2016, 10:03

System repaired. User error on my part: should only have selected backup reg files by latest mod date; they were intact. 100% data recovery (it was not encrypted) and computer un-hijacked.
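The two posts above turn on one detail: picking the right copy of the registry hives by modification time, and checking that the copy is intact before using it. The script below is an added example written for this thread, not something posted by any of the participants. It inventories the hive files in the live config folder and in the RegBack subfolder, records size, timestamp and SHA-256 for the case notes, and flags which copies are non-empty and predate the time the scammer connected. It is meant to be run against an offline Windows volume mounted from WinRE or a forensic workstation; the function name, parameter names and the cutoff time are my own assumptions, not from the thread.

```powershell
# Added example for this thread (not from the original posters).
# Assumed names: Get-HiveBackupCandidates, -ConfigDir, -Cutoff, -StageTo.
# Run from WinRE or a forensic workstation against the mounted victim volume,
# e.g. D:\Windows\System32\config, never against the running system's own hives.

function Get-HiveBackupCandidates {
    [CmdletBinding()]
    param(
        # Folder holding the live hives; RegBack is expected as a subfolder of it.
        [string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\config'),
        # Time the remote session started; copies written at or after this are suspect.
        [datetime]$Cutoff = (Get-Date),
        [string[]]$Hives = @('SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT')
    )
    $backupDir = Join-Path $ConfigDir 'RegBack'
    foreach ($hive in $Hives) {
        foreach ($dir in @($ConfigDir, $backupDir)) {
            $path = Join-Path $dir $hive
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $f = Get-Item -LiteralPath $path -Force
            # Zero-byte hives are a known state of RegBack on newer Windows 10
            # builds (automatic backups off by default), so size is checked explicitly.
            $intact = ($f.Length -gt 0)
            $hash = if ($intact) {
                (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            } else { $null }
            [pscustomobject]@{
                Hive           = $hive
                Location       = if ($dir -eq $backupDir) { 'RegBack' } else { 'Live' }
                Path           = $f.FullName
                SizeBytes      = $f.Length
                LastWriteTime  = $f.LastWriteTime
                Sha256         = $hash
                Intact         = $intact
                PredatesCutoff = ($f.LastWriteTime -lt $Cutoff)
            }
        }
    }
}

function Copy-UsableHiveBackups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ConfigDir,
        [Parameter(Mandatory)][datetime]$Cutoff,
        # Staging folder; live hives are never overwritten by this script.
        [Parameter(Mandatory)][string]$StageTo
    )
    $candidates = Get-HiveBackupCandidates -ConfigDir $ConfigDir -Cutoff $Cutoff |
        Where-Object { $_.Location -eq 'RegBack' -and $_.Intact -and $_.PredatesCutoff }
    if (-not $candidates) {
        Write-Warning 'No intact RegBack hive predates the cutoff; look at restore points instead.'
        return
    }
    New-Item -ItemType Directory -Path $StageTo -Force | Out-Null
    foreach ($c in $candidates) {
        # Keep the timestamp in the staged filename so the chosen copy is traceable.
        $dest = Join-Path $StageTo ('{0}.{1:yyyyMMdd-HHmmss}' -f $c.Hive, $c.LastWriteTime)
        if ($PSCmdlet.ShouldProcess($c.Path, "copy to $dest")) {
            Copy-Item -LiteralPath $c.Path -Destination $dest
        }
    }
    $candidates
}

# Usage (constructed example values): inventory first, then stage copies.
# Get-HiveBackupCandidates -ConfigDir 'D:\Windows\System32\config' -Cutoff '2016-01-15 14:00' |
#     Sort-Object Hive, LastWriteTime | Format-Table Hive, Location, SizeBytes, LastWriteTime, Intact, PredatesCutoff
# Copy-UsableHiveBackups -ConfigDir 'D:\Windows\System32\config' -Cutoff '2016-01-15 14:00' -StageTo 'E:\case\hives' -WhatIf
```

The inventory step is deliberately read-only and the copy step supports -WhatIf, so the hashes and timestamps can go into the case file before anything on the volume is changed. Replacing the live hives with the staged copies is a separate, manual step done from WinRE once the candidates have been confirmed as intact and older than the intrusion.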