A Windows XP help forum. PCbanter


What gets messed up?

#1  July 6th 17, 05:29 PM, posted to microsoft.public.windowsxp.general
WareEver (external usenet poster, Posts: 1)
What gets messed up?


So if someone gets ransomware on their PC, what actually has been done to
the PC and environs?

Is it only the:
registry
C: Folder / File table area but not files
C: files
attached storage affected
USB
NAS

Or some combination?

Or what?

#2  July 6th 17, 05:45 PM, posted to microsoft.public.windowsxp.general
R.Wieser (external usenet poster, Posts: 1,302)
What gets messed up?

WareEver,

> So if someone gets ransomware on their PC what actually has been
> done to the PC and environs?


If you go to 10 different restaurants and ask to be served "the cook's
choice", what do you get to eat?

Yep, it's the same with ransomware (or even software in general): you never
really know what you're going to get.

> C: Folder / File table area but not files


Although most will just encrypt a number of (they think) important files, a
recent piece of ransomware encrypted the FAT too (no idea why, as you cannot
actually pay from a machine which refuses to work).

> C: files
> attached storage affected
> USB
> NAS


Some only do local files (easily findable), others try to do all of the above.
And as you probably also have read, some of the ransomware programs even try
to exploit bugs and/or weaknesses in the system to access files they should
not even be able to see.

Regards,
Rudy Wieser


-- Original message:
WareEver wrote in news message
...

> So if someone gets ransomware on their PC what actually has been done to
> the PC and environs?
>
> Is it only the:
> registry
> C: Folder / File table area but not files
> C: files
> attached storage affected
> USB
> NAS
>
> Or some combination?
>
> Or what?



#3  July 6th 17, 06:21 PM, posted to microsoft.public.windowsxp.general
Paul[_32_] (external usenet poster, Posts: 11,873)
What gets messed up?

WareEver wrote:

> So if someone gets ransomware on their PC what actually has been done to
> the PC and environs?
>
> Is it only the:
> registry
> C: Folder / File table area but not files
> C: files
> attached storage affected
> USB
> NAS
>
> Or some combination?
>
> Or what?


They will encrypt the files that have value to you.

In this example, the ransomware immediately started to work on .docx
files. That means the first place they look is your home directory,
and they process the docx, xlsx, pptx, doc, xls, ppt, leaving txt as a
lower priority. The idea is, Office documents imply they came
from work, and you "must" restore them.

https://www.acronis.com/en-us/blog/p...n-locky-family

The OS itself is worthless, and they need to keep it running to:

1) Finish the encryption job.
2) Display the time remaining for the Bitcoin
ransom, each time the computer is booted.
3) Communicate with the C&C system, deliver info that
the ransom has been paid, and so on.

So there's no point crushing shell32.dll. It would certainly
stop the desktop, if it was ruined, but then you couldn't
easily pay the ransom.

Someone in one of the other groups got osiris on his machine.
He told me "the file extension on a bunch of my files says
..orisis". At the time, I'd never heard of all the Locky
variants, but as soon as I Googled, it became clear what
it was. And then I had to deliver the bad news. It's taken
months for him to "tip his computer room upright again".

If it hits, you'll need a new hobby. Stamp collecting maybe :-(

For a backup strategy, you need to back up your home directory
and your email profile folders. Your bookmarks.html.
That would be a minimum.

If you have a reasonable amount of secondary (offline) storage,
you can just back up everything. Then, disconnect the USB hard
drive and put it in a safe place.

Not even a NAS is safe (because it stays connected and running
all the time, and the OS has evidence of how to mount it).

Not even Dropbox is safe (there was already one reported case,
where the contents of Dropbox got encrypted too).

I still haven't figured out a way to make blind write-once backups,
such that a storage device could be left online. And if I do
figure it out, if the info is made public, then the
security-by-obscurity advantage would be lost.

Disconnecting the storage device with the backups is the
best defense we've got now. That means, at a minimum, you
should own two backup drives. If one backup drive is connected
to the computer and doing a backup when Locky hits, you have
your second (still disconnected) drive as your protection.
Booting the Macrium CD and restoring from backup allows
overwriting the malware and putting your files back.

Now, the person in the other group, who had this happen,
clicked on an attachment in his email, something about
an "invoice", and that's what kicked it off. It obviously
wasn't an invoice.

Paul
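Paul's post describes two things a defender can actually check for: files that have been renamed with an extension such as .osiris, and Office documents whose contents have been overwritten with ciphertext. The script below is an added example written for this thread, not code from any poster or from the Acronis article, and it assumes only the Python standard library. It walks a directory, flags renamed files by extension, checks that .docx/.xlsx/.pptx still start with a ZIP header and .doc/.xls/.ppt with an OLE2 header, and flags .txt files whose bytes look uniformly random. The sample files it scans are constructed inside a temporary directory; the ".locky" entry in the extension list is an assumption added alongside the ".osiris" extension named in the thread.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Expected leading bytes for the Office formats Paul lists. The modern
# .docx/.xlsx/.pptx files are ZIP containers; the legacy .doc/.xls/.ppt
# files are OLE2 compound documents.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_MAGIC = {
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
    ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
}

# Extensions appended to encrypted files. ".osiris" is the one named in the
# thread; ".locky" is the original Locky extension (assumption: extend this
# set from your own AV vendor's notes for other variants).
RANSOM_EXTENSIONS = {".osiris", ".locky"}

# Plain text rarely exceeds ~6 bits of entropy per byte; ciphertext sits near 8.
TEXT_ENTROPY_LIMIT = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Return a reason string if `path` looks renamed or encrypted, else None."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransomware extension"
    if ext not in OFFICE_MAGIC and ext != ".txt":
        return None
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if ext in OFFICE_MAGIC and not head.startswith(OFFICE_MAGIC[ext]):
        return "office extension but file signature does not match"
    if ext == ".txt" and shannon_entropy(head) > TEXT_ENTROPY_LIMIT:
        return "text extension but content looks encrypted"
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Walk `root`; map each suspicious file's relative path to the reason."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = inspect_file(p)
            if reason:
                findings[str(p.relative_to(root))] = reason
    return findings


def build_sample_dir(root: Path) -> None:
    """Write constructed sample files: two healthy, three that should be flagged."""
    (root / "ok.docx").write_bytes(ZIP_MAGIC + b"\x14\x00" + b"[Content_Types].xml" * 20)
    (root / "notes.txt").write_text("Minutes from the Tuesday meeting.\n" * 50)
    # Office extension kept, but the content has been overwritten in place.
    (root / "budget.xlsx").write_bytes(bytes(range(255, -1, -1)) * 8)
    # Plain-text name, but every byte value occurs equally often (entropy 8.0).
    (root / "todo.txt").write_bytes(bytes(range(256)) * 16)
    # The renamed-file pattern Paul describes from the other group.
    (root / "invoice.docx.osiris").write_bytes(b"\x00" * 64)


def demo_findings() -> Dict[str, str]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_dir(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, why in sorted(demo_findings().items()):
        print(f"{rel}: {why}")
```

Run against a real home directory by calling `scan_tree(Path.home())`. The signature check is the useful one for Office files, since a .docx is already a compressed ZIP and would pass an entropy test; the entropy test is reserved for formats that are normally low-entropy, such as .txt. A scan like this is a detection aid for the "which files were hit" question, not a substitute for the disconnected backup drive Paul recommends.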