Does the ransom-ware decide by file extension or does it encrypt anything in a folder? Does it have to know the extension of a file to encrypt it? The only concern I have with ransom-ware is that it could encrypt my Macrium Reflect images (file extension *.mrimg) that I have on a another drive. I know I should have it on an external drive that is not regulary connected, but I feel that is too much hassle since I want Macrium continuously and automatically take differentisals.
Ransomware typically encrypts specific file types: *.doc, *.txt, *.jpg, etc. They're coded to encrypt specific file types. If coded to encrypt *.mrimg, then it will do so... but I haven't heard anything of the sort.
Thanks for the clarification. This gives me peace of mind. Then I have no worries about Ransom-ware until they start to target macrium reflect files. If they do I can always create a batch file that copies the files to another drive and give it an extension name that is hard to figure out for extra security and then rename the extension back to normal when I want to (cold) restore the images.
It depends on which version of ransomware you get. Some encrypt only specific filetypes while others encrypt everything on non-system partitions (regardless of filetype or file content). Copying backup images to offline drive would solve the problem. Personally I do it once a week (full image + incrementals).
Sukarof- Those that code the ransomware will determine both the "what" and the "where" of the encryption process. 1). What is encrypted- file extensions can be added during the coding of the ransomware with ease. Anything can be added and is only a function of how many extensions are contained in the BlackHat's malicious little mind. Regarding imaging solutions, tib files are popular targets (Acronis), with v2i files less so (Symantec). Although I really can't give an example of ransomware seeking out the Macrium .mrimg files it could exist. The rule of thumb here being that the chance of ransomware encrypting backups is directly proportional to the popularity of the backup solution. 2). Where to look for stuff to encrypt- Originally ransomware just played in the C:\Users directory. What I term Fortress-class ransomware will look everywhere (all partitions, network shares, and attached storage). 3). Then you have stuff like Petya which will lock up the entire computer without encrypting anything other than the MBR. In short- if you use imaging software and value the image, protect it from both hard disk failure as well as malware manipulation by using external storage and air-gapping it after the image is complete. By air-gapping I mean just connecting an external storage device to a verified clean system, doing the image then disconnecting the device and storing it in a safe place like your Microwave.
Thanks for your input cruelsister. I know what I should do, but I rather have the backup process automated so I dont have to (i just dont want to) think about it. I guess I´ll take my chances and hope my imaging software stays under the radar
