Cryptowall 2.0

  • Cryptowall 2.0

    So my dad's computer got hit with this virus. Looks like it encrypts almost every file on the computer, deletes the original, and ransoms you to pay for a way to decrypt the files.

    Anyone had any luck removing this and decrypting the files? The stuff I'm reading is to remove the virus, use a System Restore, and just hope the files are there when it restores. Having trouble finding much more than that.

    Thanks in advance

  • #2
    In the early iterations, they found a way to get the key, but I'm 99% sure the dev(s) have fixed that. As much as I hate to say this, he's screwed. You can try the "solutions" you find, but in the end, you're gonna end up formatting and reinstalling.

    For his sake, after this is done, set him up on a limited user account and subscribe to an offsite backup service like CrashPlan. It's too cheap to NOT have it, especially if he has data he'd rather not lose.



    • #3
      Originally posted by Tx Redneck
      In the early iterations, they found a way to get the key, but I'm 99% sure the dev(s) have fixed that. As much as I hate to say this, he's screwed. You can try the "solutions" you find, but in the end, you're gonna end up formatting and reinstalling.

      For his sake, after this is done, set him up on a limited user account and subscribe to an offsite backup service like CrashPlan. It's too cheap to NOT have it, especially if he has data he'd rather not lose.

      Luckily he does not have a lot of important data on this computer, mainly just grandkid pictures that have previously been backed up. I'm thinking just a format will be the best way to handle it as well, but I knew there were some tech-savvy people on here who might have had luck with something.

      Thanks for the feedback



      • #4
        Yeah, just format it and put him on a limited account; this reduces the chance of malware being able to install itself.



        • #5
          Without current (and offsite) backups, you're screwed. The Windows System Restore feature won't do jack shit for you, it doesn't restore files like a real backup would.

          Basically, the virus is an executable disguised as an innocuous file, such as a PDF, that is hard to distinguish from a real PDF file if the end user is not tech-savvy. They open the "PDF" file, it runs a silent executable, and it uses the native Windows encryption engine to encrypt anything and everything it can get its grubby little hands on. This results in two encryption keys: the public key, which is stored on your computer, and the private key, which the executable uploads to the ransomers' server(s). Nothing is deleted, it's just encrypted, and you are not getting it back if you don't have both encryption keys.

          I went through this a few months ago with a client. They fired their old IT guy and hired us, and during the transition we hadn't had time to get full backups, set up our antivirus/anti-malware, or put our group policy block in place. Basically their stuff got encrypted on a Thursday, they didn't realize it until Friday afternoon, and they decided they just wanted to pay the ransom and take their chances that if they paid they would get the private decryption key released to them.

          So we had to scramble all weekend to help the client find some way to buy some bitcoins as fast as possible. They ended up spending about $1200 to get the ransom paid. Luckily for them, the criminals responsible for the virus actually gave them the decryption key and it worked.

          Overall they probably spent close to $10,000 in Professional Services hours and another $1200 on the two bitcoins they bought to pay the ransom. Not a cheap lesson to learn.

          Anyway, if there's nothing important on the computer that isn't backed up somewhere else, I would just format the computer, reinstall Windows (with a CD, not a USB drive, as the USB drive could become infected) and start from scratch. And before you plug a flash drive, external drive, thumb drive, or anything else with writable memory that was ever plugged into that computer into another computer, make sure you scan it first with a scanner that you are 100% positive will catch the malicious .exe file.

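Post #5 describes the lure as an executable dressed up as a PDF and recommends scanning any drive that touched the infected machine before it goes anywhere else. The script below is an added example, not code from anyone in this thread: it walks a folder and flags files whose name claims a document type but whose bytes start with the Windows PE "MZ" stub, or whose name hides a document extension in front of a real executable one (invoice.pdf.exe); the extension lists and the sample files it creates are my own construction.

```python
"""Flag files that look like executables disguised as documents.
Constructed samples only; the 'MZ' stubs here are not real programs."""
import os
import tempfile

# Extensions users assume are harmless documents or images (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}
# Extensions Windows runs when double-clicked (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def is_pe_file(path):
    """True if the file begins with the DOS 'MZ' header every Windows PE carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def suspicious_reasons(path):
    """Return the reasons (possibly none) a file looks like a disguised executable."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    # invoice.pdf.exe: Explorer hides the final .exe when known extensions are hidden
    if ext in EXEC_EXTS and os.path.splitext(stem)[1] in DOCUMENT_EXTS:
        reasons.append("double extension")
    # statement.pdf whose content is actually a PE image
    if ext in DOCUMENT_EXTS and is_pe_file(path):
        reasons.append("PE header under document extension")
    return reasons


def scan_tree(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed samples: two lures and one genuine-looking PDF, in a temp dir."""
    root = tempfile.mkdtemp()
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00 placeholder, not a real program",
        "statement.pdf": b"MZ\x90\x00 placeholder, not a real program",
        "genuine.pdf": b"%PDF-1.4 constructed minimal pdf",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run `scan_tree("E:\\")` (or whatever the removable drive mounts as) from a clean machine to list the files worth a closer look before anything on that drive is opened.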


          • #6
            Yeah, we had a client (we don't typically do this sort of security) and that was the end result too: just pay the ransom. (DB server)

            Not huge companies, but not tiny either and they should know better.

