Exactly how does Ransom-ware decide what to encrypt?

Discussion in 'malware problems & news' started by sukarof, Jun 19, 2016.

  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Does the ransom-ware decide by file extension or does it encrypt anything in a folder? Does it have to know the extension of a file to encrypt it?

The only concern I have with ransom-ware is that it could encrypt my Macrium Reflect images (file extension *.mrimg) that I have on another drive. I know I should have it on an external drive that is not regularly connected, but I feel that is too much hassle since I want Macrium to continuously and automatically take differentials.
     
  2. hjlbx

    hjlbx Guest

    Ransomware typically encrypts specific file types: *.doc, *.txt, *.jpg, etc. They're coded to encrypt specific file types. If coded to encrypt *.mrimg, then it will do so... but I haven't heard anything of the sort.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
Thanks for the clarification. This gives me peace of mind. Then I have no worries about ransom-ware until they start to target Macrium Reflect files. If they do, I can always create a batch file that copies the files to another drive and gives them an extension name that is hard to figure out for extra security, and then rename the extension back to normal when I want to (cold) restore the images.

     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,880
    Location:
    Australia
    You're happy to go to that hassle? o_O

    Much easier to disconnect the backup drive.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    It depends on which version of ransomware you get. Some encrypt only specific filetypes while others encrypt everything on non-system partitions (regardless of filetype or file content).
    Copying backup images to offline drive would solve the problem. Personally I do it once a week (full image + incrementals).
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    Sukarof- Those that code the ransomware will determine both the "what" and the "where" of the encryption process.

1). What is encrypted- file extensions can be added during the coding of the ransomware with ease. Anything can be added and is only a function of how many extensions are contained in the BlackHat's malicious little mind. Regarding imaging solutions, tib files are popular targets (Acronis), with v2i files less so (Symantec). Although I really can't give an example of ransomware seeking out the Macrium .mrimg files, it could exist. The rule of thumb here being that the chance of ransomware encrypting backups is directly proportional to the popularity of the backup solution.

    2). Where to look for stuff to encrypt- Originally ransomware just played in the C:\Users directory. What I term Fortress-class ransomware will look everywhere (all partitions, network shares, and attached storage).

    3). Then you have stuff like Petya which will lock up the entire computer without encrypting anything other than the MBR.

In short- if you use imaging software and value the image, protect it from both hard disk failure as well as malware manipulation by using external storage and air-gapping it after the image is complete. By air-gapping I mean just connecting an external storage device to a verified clean system, doing the image, then disconnecting the device and storing it in a safe place like your microwave.
     
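To make the two selection strategies in the post above concrete (an extension allowlist versus "everything outside the OS directories"), here is an added assessment script, not code from the thread or from any ransomware family. It builds a constructed directory tree that mirrors the layout discussed (a user profile on C, a backup drive on D, one image renamed to an obscure extension as proposed earlier in the thread) and reports which files each policy would touch. The extension list and the skipped system directories are assumed samples, not a real family's configuration; nothing is encrypted, the script only enumerates.

```python
"""Dry-run of two ransomware target-selection policies over a sample tree.

Added example for this thread, not code from any post or product. Both
policies only enumerate files; nothing is modified or encrypted.
"""
import tempfile
from pathlib import Path

# Assumed sample allowlist; real families ship their own, often much longer.
EXTENSION_TARGETS = {".doc", ".docx", ".txt", ".jpg", ".tib", ".v2i"}

# Assumed OS directories a "hit everything" family skips so the machine
# still boots and can display the ransom note.
SYSTEM_DIRS = {"windows", "program files", "programdata"}


def select_by_extension(root, targets=EXTENSION_TARGETS):
    """Policy 1: only files whose suffix is on the list, anywhere under root."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in targets
    )


def select_everything(root, skip_dirs=SYSTEM_DIRS):
    """Policy 2: every regular file under root, except inside OS directories.

    The file's name and extension are never consulted, so renaming a backup
    image to an unusual suffix does not take it out of scope.
    """
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        parent_dirs = {part.lower() for part in p.relative_to(root).parts[:-1]}
        if parent_dirs & skip_dirs:
            continue
        hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout: user profile, OS directory, backup drive."""
    files = [
        "C/Users/sukarof/Documents/report.docx",
        "C/Users/sukarof/Pictures/holiday.jpg",
        "C/Windows/System32/kernel32.dll",
        "D/Backups/full.mrimg",
        "D/Backups/diff-1.mrimg",
        "D/Backups/hidden/full.zz9",   # image renamed to an "obscure" extension
        "D/Backups/acronis/old.tib",
    ]
    for rel in files:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * 16)  # placeholder content, constructed
    return files


def assess(root):
    """Return the relative paths each policy would select under root."""
    return {
        "extension_list": select_by_extension(root),
        "everything": select_everything(root),
    }


def run_demo():
    """Build the sample tree in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return assess(tmp)


if __name__ == "__main__":
    for policy, hits in run_demo().items():
        print(f"{policy}:")
        for rel in hits:
            print(f"  {rel}")
```

Against the sample tree, the allowlist policy leaves every .mrimg alone while picking up the Acronis .tib, which matches the "popularity of the backup solution" rule of thumb; the second policy takes every image on D regardless of name, including the renamed one, which is why only an offline copy protects against that class.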
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
Thanks for your input, cruelsister. I know what I should do, but I would rather have the backup process automated so I don't have to (I just don't want to) think about it. I guess I'll take my chances and hope my imaging software stays under the radar :)
     