#1
What gets messed up?

So if someone gets ransomware on their PC, what actually has been done to the PC and environs? Is it only the:

- registry
- C: folder / file table area but not files
- C: files
- attached storage affected (USB, NAS)

Or some combination? Or what?
#2
What gets messed up?

WareEver,

> So if someone gets ransomware on their PC what actually has been done to the PC and environs?

If you go to 10 different restaurants and ask to be served "the cook's choice", what do you get to eat? Yep, it's the same with ransomware (or even software in general): you never really know what you're going to get.

> C: folder / file table area but not files

Although most will just encrypt a number of (they think) important files, a recent piece of ransomware encrypted the FAT too (no idea why, as you cannot actually pay from a machine which refuses to work).

> C: files, attached storage affected (USB, NAS)

Some only do local files (easily findable), others try to do all of the above. And as you probably also have read, some of the ransomware programs even try to exploit bugs and/or weaknesses in the system to access files they should not even be able to see.

Regards,
Rudy Wieser
#3
What gets messed up?

WareEver wrote:

> So if someone gets ransomware on their PC what actually has been done to the PC and environs? Is it only the registry, the C: folder / file table area but not files, C: files, attached storage (USB, NAS)? Or some combination? Or what?

They will encrypt the files that have value to you. In this example, the ransomware immediately started to work on .docx files. That means the first place they look is your home directory, and process the docx, xlsx, pptx, doc, xls, ppt, leaving txt as a lower priority. The idea is, Office documents imply they came from work, and you "must" restore them.

https://www.acronis.com/en-us/blog/p...n-locky-family

The OS itself is worthless, and they need to keep it running to:

1) Finish the encryption job.
2) Display the time remaining for the Bitcoin ransom, each time the computer is booted.
3) Communicate with the C&C system, deliver info that the ransom has been paid, and so on.

So there's no point crushing shell32.dll. It would certainly stop the desktop if it was ruined, but then you couldn't easily pay the ransom.

Someone in one of the other groups got osiris on his machine. He told me "the file extension on a bunch of my files says ..orisis". At the time, I'd never heard of all the Locky variants, but as soon as I Googled, it became clear what it was. And then I had to deliver the bad news. It's taken months for him to "tip his computer room upright again". If it hits, you'll need a new hobby. Stamp collecting maybe :-(

For a backup strategy, you need to back up your home directory and your email profile folders. Your bookmarks.html. That would be a minimum. If you have a reasonable amount of secondary (offline) storage, you can just back up everything. Then, disconnect the USB hard drive and put it in a safe place. Not even a NAS is safe (because it stays connected and running all the time, and the OS has evidence of how to mount it).

Not even Dropbox is safe (there was already one reported case where the contents of Dropbox got encrypted too). I still haven't figured out a way to make blind write-once backups, such that a storage device could be left online. And if I do figure it out, if the info is made public, then the security-by-obscurity advantage would be lost. Disconnecting the storage device with the backups is the best defense we've got now. That means, at a minimum, you should own two backup drives. If one backup drive is connected to the computer and doing a backup when Locky hits, you have your second (still disconnected) drive as your protection. Booting the Macrium CD and restoring from backup allows overwriting the malware and putting your files back.

Now, the person in the other group who had this happen clicked on an attachment in his email, something about an "invoice", and that's what kicked it off. It obviously wasn't an invoice.

Paul
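Paul's post describes two symptoms a victim can actually check for: documents that have had an unknown extension appended (the ".osiris" case) and documents encrypted in place while keeping their name. The script below is an added example, not code from the thread or from any product mentioned in it, for triaging a directory tree after the fact. It walks the tree, flags a document extension followed by an unknown one, verifies that Office files still begin with their container header (ZIP for .docx/.xlsx/.pptx, OLE2 for the legacy formats), and applies a byte-entropy test only to plain-text files, because Office containers are compressed and already look random to an entropy check. The sample tree, the file names, the deterministic stand-in for ciphertext and the ".osiris" suffix are all constructed assumptions.

```python
"""Ransomware-damage triage: which files in a tree look renamed or encrypted?

Added example, not code from the thread. The sample tree, file names and the
appended '.osiris' suffix are constructed here; the document types follow the
ones named in the post.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes of each document type: OOXML files are ZIP containers,
# legacy Office files are OLE2 compound documents.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
}
DOC_EXTS = set(MAGIC) | {".txt"}
ENTROPY_THRESHOLD = 7.0  # bits/byte: prose sits around 4-5, ciphertext close to 8
SAMPLE = 4096            # bytes read from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(path: Path) -> list:
    """Return the indicators found for one file; an empty list means it looks intact."""
    suffixes = [s.lower() for s in path.suffixes]
    findings = []
    # report.docx -> report.docx.osiris: a document extension followed by an unknown one
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] not in DOC_EXTS:
        findings.append("extension appended")
        base_ext = suffixes[-2]
    else:
        base_ext = suffixes[-1] if suffixes else ""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE)
    # Encrypted in place: the name is kept, but the container header is gone.
    if base_ext in MAGIC and not head.startswith(MAGIC[base_ext]):
        findings.append("header mismatch")
    # Entropy is only meaningful for formats that are not already compressed.
    if base_ext == ".txt" and shannon_entropy(head) > ENTROPY_THRESHOLD:
        findings.append("high entropy")
    return findings


def scan_tree(root: Path) -> dict:
    """Map each flagged file (path relative to root, POSIX form) to its indicators."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = inspect(path)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a user's home directory."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "ok.docx").write_bytes(b"PK\x03\x04" + bytes(200))         # intact container
    (root / "notes.txt").write_text("meeting notes, plain text " * 40)  # intact prose
    (root / "invoice.docx.osiris").write_bytes(noise(SAMPLE))           # renamed and encrypted
    (root / "budget.xlsx").write_bytes(noise(SAMPLE))                   # encrypted, name kept
    (root / "diary.txt").write_bytes(noise(SAMPLE))                     # encrypted text file


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {', '.join(findings)}")
```

Run it as-is to see the three flagged sample files; point `scan_tree` at a real home directory to get an inventory of what needs restoring from the disconnected backup drive. The header check is the reliable signal for Office files; the entropy test is kept only for uncompressed formats, and it is still a heuristic, since a legitimately encrypted or compressed .txt would also score high.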