Yesterday a machine was brought back from one of our client's sites badly infected with ransomware. We cleaned it off and started looking at this machine, which came out of a lab we had set up last summer. It has been used for the last 6 months by teenagers to play a limited set of PC games, do homework, etc. None of the software packages we had installed were there, none of the accounts which were configured to control access remained, and Windows SteadyState was completely gone. We scratched our heads over what had happened and assumed someone had managed to get into the PC when the admin was in the can, reset the CMOS password, and reinstalled Windows from HP recovery media... not so much, it turns out...
Always remember: the simplest answer is likely what happened.
When I got onsite I checked the other machines. 7 of 8 machines had lost all their info: 4 had been restored back to factory defaults by the recovery partitions, and 3 were hung up in the process of reloading the factory defaults. Only 1 was still the way it had been set up.
All the machines still had the BIOS password set and the recovery functions from the boot screen disabled. My guess is that 6 months of having the admin password typed in to run programs off of CD resulted in enough glimpses of the password to put it together, which allowed some enterprising young adult to log into the administrator account and initialize the recovery partition. All to install some stupid online game they wanted to play... and they cost everyone else computer access, as the lab is now out of order for the foreseeable future until this non-profit can come up with the funds to have the machines re-installed and re-imaged, *NOT* a cheap proposition, considering last time it was over 14 hours of work.