CryptoLocker hit during initial 8.1 setup of brand new computer

Go-To Gordon

Wondering if anyone has seen something like this. I just got an email and a call from someone stating that, on a brand new machine during the initial 8.1 setup, he was hit with CryptoLocker (may be a variant, I'm not sure).

He stated that as soon as they logged in to the Microsoft account (w/ wife's Hotmail) again during setup it was hit.

His wife was infected on her desktop a month or so ago and he said he turned it off immediately and has not turned it back on since. He bought a new computer instead. My first thought was network shares, mapped drives, etc., but he stated there are none on the network. There are other systems on the network that are clean.

So is it now possible that simply logging into an email account could cause the infection? All I've seen require clicking a link or downloading a file, drive-by downloads, etc. He reiterated that it was instantaneous as soon as she entered the Microsoft account during setup.
 
I call BS. It can't happen during install. But if he opened the same email that infected him before.... But if it is a brand new machine then nuke and pave. If it really got infected during the install then there isn't anything of value on it. Couldn't be during the setup.
 
My thoughts exactly but he insists that it was as soon as they entered the Hotmail credentials. I did offer a nuke for it and the desktop that he abandoned because of the infection. He said all data was backed up from the desktop.

This is from his email

At startup of new laptop, was instructed to sign in to Microsoft account, which is also used as email Hotmail account. WHAM; CryptoLocker appears on screen. Immediately shut down unit.

Of course I asked multiple times and he stuck to this!
 
And he is still lying. Again, if this is a brand new machine then a nuke and pave is in order and there can't be any data of importance on it. What choice does he have? Calling him on it is just going to make matters worse. I hate clients like this.
 
CryptoLocker hasn't been distributed for some time, so this would more likely be a fake like PCLock. I wonder if the MS account didn't just pick up the infected machine's background bitmap and transfer those settings to the new system when they logged into the account. For instance, I have an ASUS Transformer that's logged into an MS account. When I installed Win 10 on a junker and logged in, I got the ASUS bitmap on my desktop.
 
If the client is not lying, that would mean the factory image is infected, right? Just a thought.

Is this a name brand machine or custom build?

But I would say somebody is probably lying...
 
There are still variants of it running around. But you do have a point about the wallpaper. It could very well be that it transferred it to the new computer.
 
I agree, something does not seem right. To begin with, you do not see the CryptoLocker popup until the encryption has been completed. Assuming the malware scans the entire drive for the target files, it should have taken a little while. The last customer of mine that got hit was running a W7 VM, and it took 3 days from when the malware hit until the popup loaded. And they did not have that much stuff on there.
 
Also, if they have OneDrive then encrypted files could have been synced up to OneDrive and then synced down to the new computer. No infection, but worthless files.
 
Yeah, the desktop background is about the only thing that would pop up immediately in a case like this. By the time you see the ransom demand on an infected system, the infection is typically gone and only the ransom note with payment instructions is left.
 
That would mean he is not really infected. Just has that wallpaper. If it really is infected then he lied to you because there is NO way that simply setting up a Microsoft account would do this.
 
I told him to turn off his router and other machines (just in case) and boot it up to see if it is just the wallpaper. will report back if/when I hear back.
 
That advice doesn't make sense. If it is just wallpaper it will still be there. If it is really infected and already changed the wallpaper (and encrypted the files) it will still be there.
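The two explanations raised in this thread (roamed wallpaper vs. encrypted files arriving through OneDrive) can be told apart from the new machine itself. The script below is an added triage example written for this thread, not something any poster ran. It assumes Windows 8.1/10 with PowerShell 3 or later, that the "Sync your settings" state is stored under the SettingSync registry key (the path used here is my assumption for those builds), and the two folder roots are placeholders to adjust for the actual profile.

```powershell
# Added triage example (not from the thread). Assumptions: Windows 8.1/10 with a
# Microsoft account signed in; SettingSync registry path as below; folder roots
# are placeholders.

# 1. Is personalization (wallpaper, lock screen) roaming from the MS account?
#    If so, a ransom-note wallpaper can follow the account onto a clean machine.
$syncKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization'
if (Test-Path $syncKey) {
    $enabled = (Get-ItemProperty -Path $syncKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    "Personalization sync enabled: $enabled"   # 1 = roaming, 0 = off
} else {
    "SettingSync key not present on this build"
}

# 2. Shannon entropy of the first $Sample bytes. Ciphertext sits near 8.0 bits/byte;
#    plain text and most office documents are noticeably lower.
function Get-FileEntropy {
    param([string]$Path, [int]$Sample = 65536)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    if ($bytes.Length -gt $Sample) { $bytes = $bytes[0..($Sample - 1)] }
    $counts = New-Object int[] 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

# 3. Expected leading bytes for common user-document types. A .docx that no longer
#    starts with "PK" or a .pdf without "%PDF" has been overwritten in place, which
#    is what a crypto-ransomware leaves behind and what OneDrive would happily sync.
$magic = @{
    '.docx' = [byte[]](0x50, 0x4B); '.xlsx' = [byte[]](0x50, 0x4B); '.zip' = [byte[]](0x50, 0x4B)
    '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
}
function Test-HeaderMatches {
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLower()
    if (-not $magic.ContainsKey($ext)) { return $null }   # unknown type: no verdict
    $expected = $magic[$ext]
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] $expected.Length
        $n = $fs.Read($head, 0, $head.Length)
    } finally { $fs.Close() }
    if ($n -lt $expected.Length) { return $false }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($head[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

# 4. Walk the synced folders. Files with a wrong header AND near-maximal entropy are
#    almost certainly ciphertext; a machine that only inherited the wallpaper shows none.
$roots = @("$env:USERPROFILE\OneDrive", "$env:USERPROFILE\Documents")   # placeholders
$suspect = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $magic.ContainsKey($_.Extension.ToLower()) } |
        ForEach-Object {
            if ((Test-HeaderMatches $_.FullName) -eq $false) {
                [pscustomobject]@{ File = $_.FullName; Entropy = (Get-FileEntropy $_.FullName) }
            }
        }
}
"Files whose header no longer matches their extension: $(@($suspect).Count)"
$suspect | Where-Object { $_.Entropy -gt 7.5 } | Format-Table -AutoSize
```

Run it from the account that was signed in during setup, with the network cable still unplugged as suggested above. A result of "Personalization sync enabled: 1" with zero header mismatches supports the wallpaper-only explanation; any .docx or .pdf with a wrong header and entropy above roughly 7.5 means encrypted copies did reach this machine (most plausibly via OneDrive), which is a data problem rather than an active infection, exactly as the posts above argue.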
 