Ransomware or Stolen Notebook? BIOS embedded, has CompuTrace.

EspiOne

Distinguished
May 7, 2009
17
0
18,560
I recently had an old customer contact me about a notebook that I purchased and configured for him about 4 to 5 years ago. An IBM X60 Tablet.

This is the issue: he is getting a message instead of the login screen.

"This laptop is the property of Amedisys Home Healthcare"

Please contact.....and so forth.

The BIOS does have CompuTrace, as it is stated as soon as you go into the BIOS settings.

I figured it was just some ransomware. I installed a new drive, reformatted, installed the OS (Windows 7), and activated it. As soon as I connected it to the internet and rebooted, I got the same message.

I did some research and found this:

http://www.bna.com/laptops-gone-homehealth-b17179923969/
and
http://www.scmagazine.com/amedisys-notifies-nearly-7000-individuals-of-potential-breach/article/405456/

Seems Amedisys lost some notebooks, with the articles dated 2015. So, has some genius pushed out a BIOS-embedded ransomware based on the loss of these notebooks?


So, what is the next course of action? My customer is not being too understanding and is demanding his money back after 5 years: $250 (I charged him $125 for the notebook and $125 for the OS install). I tried to explain to him that I had originally only guaranteed the work and hardware for a year.

I am at a loss, as I really don't do this work anymore, since work had declined over the last few years. So I am debating what I should do or how to resolve it.

Any advice would be appreciated.


I found this interesting thread: http://forum.thinkpads.com/viewtopic.php?t=114641

BadAsAl

Distinguished
It is possible that the company just now got around to issuing the lockdowns on the assets they show as missing.

Regardless, it is entirely up to you if you want to work with this person or not. I think it is completely unreasonable that he is demanding anything after 5 years. You cannot please everyone; that's part of doing business. Worst case scenario is he tells a few people you are no good, but since you don't do this anymore, it shouldn't impact you much.

And this is coming from someone who does everything he can to make everyone happy and I don't like being put in these positions either! You sold it to him in good faith and he got 5 years out of it. You are not being unreasonable by not giving his money back.
 

Mr Kagouris

Estimable
Sep 7, 2015
141
0
4,710
If you're even considering giving money back after 5 years for a laptop I can sort of tell part of the reason business declined for you lol.

Contact Amedisys first, ask them if they have a list of the serial numbers of the stolen laptops, and check if any of the numbers matches the one of the laptop your client has. It is possible he's lying to you and this is indeed a different (and stolen) laptop. Most ransomware rootkits give more obvious messages (e.g. police-related or straight up telling you to pay up).

I'd find it strange for someone to use the Amedisys theft to troll a few people (from what I can tell from your post it doesn't even ask for payment).
 

EspiOne

Distinguished
May 7, 2009
17
0
18,560



Thanks for your post.

My freelance business mainly declined due to not making time to find jobs to work on. I am employed, but only started to do side jobs when I got certified in IT school (in 2010) and before I got hired at my current employment.

My co-worker (security) basically told me the same thing: contact them, and if they start to request money, then it is a scam. I will also be contacting Absolute Software about the CompuTrace. I know that is the same notebook I configured for him, as I taped my card on the lid; yes, he could have removed it, but I doubt it. Either way, I will try and resolve it for him, just to be a nice person. I will not be paying him any money as a refund.
 

Mr Kagouris

Estimable
Sep 7, 2015
141
0
4,710
When I said contact Amedisys I didn't mean the number the laptop gives you, I meant actually get a contact number from them (they appear to be a real company) and talk to them.


Also, where did you originally get the laptop from? According to articles on the missing laptops some went missing as early as 2011 (month not mentioned), which lines up with the time at which you first gave your customer the laptop.
 

EspiOne

Distinguished
May 7, 2009
17
0
18,560


I remember picking it up on eBay. I had it for a while as a personal notebook; when he contacted me about his notebook, which was a Gateway, if I remember correctly, with a Pentium 3, I offered him mine, since I was moving to an X200...
 

wtfengineering

Commendable
Aug 11, 2016
1
0
1,520
I have been dealing with this exact scenario happening on a T61 TP that I purchased from an eBay seller in California in 2012 and used without issue for 4+ years. I had swapped the hard drive earlier this year to a Windows 8 drive formatted with the updated automotive diagnostic software I use it for. I had used it extensively after that and then let it sit for a couple of months. I went to boot it up this week and it was locked with the screen described above.

The 855 xx number on the lockout screen is the actual IT help desk at Amedisys. I called and explained the situation, gave them a serial number, and they said they would open a ticket. They were sympathetic and seemed like they were willing to look into it. They kept looking for an asset tag number and there was none on the machine. There was NO attempt to collect for ransomware; it seems to be a legitimate Amedisys screen.

I also booted the machine from a bootable USB with malware detection and did a full scan that showed no malware or suspect files.

I moved the hard drive to a friend's Lenovo and it booted up with the same lockup message, so the hard drive is locked independent of the motherboard and BIOS, etc.

I put the original hard drive I had purchased in the machine and it boots and acts normally. I did NOT connect to the internet because this configuration is still semi-useful to me.

I called back a second time to the Amedisys help desk and explained that I moved the "lockup" to a different PC with the hard drive. His conclusion was that my newer hard drive was the issue and that IT was stolen and had originally come from an Amedisys laptop, but I don't quite think that's likely, given that the HDD came from Hong Kong and it would be a stretch to have that end up being sold as a loose HDD and get shipped back to a PC that was purchased in the same timeframe Amedisys laptops started disappearing.

I also called Absolute and they pretty much said it is in Amedisys' hands to provide the unlock. They confirmed it would also lock the hard drive if the switch had been flipped in the BIOS, which would confirm the issue of it still being locked when moved to another PC.

My conclusion from all of this is that it looks like it is a valid "trip" of CompuTrace and not malware.

 
Solution

EspiOne

Distinguished
May 7, 2009
17
0
18,560


I contacted CompuTrace; they referred me to Amedisys. After phone calls, leaving messages three times, and sending emails, I got nothing from Amedisys. I have decided to sell the notebook(s), as it seems I have had two customers come to me with the same issue. They have both agreed to allow me to sell the notebooks to recoup any money on the notebooks, as my personal warranty on the work and the age of the notebook has been very long.