Can you hide partitions from ransomware?

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am wondering whether Rollback Rx might actually be a convenient way to back up the C drive for recovery from a ransomware attack (and other attacks). This software stores snapshots of the C drive in a hidden partition, and even the free edition makes a new snapshot every day, when you boot. Besides that, it protects the MBR from modifications.

Theoretically, ransomware could be programmed to see and encrypt all Windows-compatible partitions, even hidden ones. The question is whether known types of ransomware actually do this. If they don't, then rollback seems to be a valid solution.

Please comment.
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
I think you can; in the disk partition manager you can deny write access to the partition you select, and you can also hide it. Although when you want to store backups on that partition you would need to re-enable writing.

attributes disk set readonly
 
W

Wave

Yeah, follow the advice from @BoraMurdar.

That being said, it won't work for all ransomware, it depends on how it searches for the disks (enumeration), but most just use the normal Win32 APIs and don't do much to identify the hidden ones anyway.

It's a good idea though, you can also change the security descriptor on specific folders to prevent non-administrative processes from touching it (DACL protection); or use a file locker. In fact, you can encrypt files and then most ransomware will leave it alone!

Stay safe and good luck,
Wave. ;)
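What Wave calls DACL protection, as an added PowerShell example (this is not code from the post or from any product mentioned in the thread). It gives a folder an explicit DACL in which only SYSTEM and BUILTIN\Administrators can write and BUILTIN\Users get read and execute, and it also makes Administrators the owner, because the owner of an object can always rewrite its DACL and would otherwise hand a non-elevated process a way back in. The folder path is an assumption; the SDDL aliases SY, BA and BU are well-known so the script works on non-English installs. Run it from an elevated session.

```powershell
# Added example; not from the post. Locks a folder so that only SYSTEM and
# elevated Administrators can write. Processes at medium integrity (where a
# ransomware payload launched by the logged-on user normally runs) get
# read and execute only. Assumed: $Path exists and the session is elevated.

function Set-DaclFromSddl {
    param([string]$Path, [string]$Sddl)
    $sections = [System.Security.AccessControl.AccessControlSections]::Owner -bor
                [System.Security.AccessControl.AccessControlSections]::Access
    $acl = Get-Acl -Path $Path
    # Only touch owner and DACL; leave group and SACL as they are.
    $acl.SetSecurityDescriptorSddlForm($Sddl, $sections)
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-FolderDacl {
    param([Parameter(Mandatory)][string]$Path)

    # O:BA  -> owner is BUILTIN\Administrators (owner rights can rewrite the DACL)
    # D:P   -> protected DACL, inheritance from the parent folder is cut
    # OICI  -> entries inherit to child files and folders
    # FA    -> full access; 0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
    $sddl = 'O:BA' +
            'D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'

    # Keep the original descriptor so the change can be reverted.
    $original = (Get-Acl -Path $Path).Sddl

    Set-DaclFromSddl -Path $Path -Sddl $sddl

    # Verify what actually landed, resolving identities to SIDs so the check
    # does not depend on the display language.
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $usersCanWrite = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-32-545' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    }
    if ($usersCanWrite) { throw "BUILTIN\Users can still write to $Path" }

    return $original
}

function Restore-FolderDacl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OriginalSddl
    )
    Set-DaclFromSddl -Path $Path -Sddl $OriginalSddl
}

# Usage (constructed path):
# $saved = Protect-FolderDacl -Path 'D:\Archive'
# ...later, to undo:
# Restore-FolderDacl -Path 'D:\Archive' -OriginalSddl $saved
```

This only raises the bar for code that runs without administrative rights; anything already running elevated can take ownership and rewrite the DACL, which is the same limit the later posts in this thread point out for the partition attributes.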
 
W

Wave

If the drive is ejected using the "Remove safely" right click is this a guarantee?
Probably not, since the device is still connected to the system, so even if it wasn't accessible by default then an exploit would do the job. It's better to just unplug your USB if it's not really in use.

However you can alter the write protection for the removable device; this will prevent ransomware processes from encrypting the files on the drive. ;)
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Thanks. I'll look into options. Maybe a script would help to turn on/off the protection when backup program runs. Not the safest, but must back up sometime. I guess I would have to log into Admin acct to run backup with an associated script.
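The script AtlBo is describing, as an added PowerShell example (not code from the thread or from any product it mentions). It is the PowerShell counterpart of the diskpart read-only attribute in BoraMurdar's post: write protection on the backup partition is lifted only for the duration of the backup job and re-armed in a `finally` block so it stays on even if the job fails. It uses `Get-Partition` and `Set-Partition` from the Windows Storage module and has to run elevated, which is also why malware that gains admin rights can undo it. The disk and partition numbers and the robocopy command in the usage note are assumptions.

```powershell
# Added example; not from the thread. Toggles the read-only attribute of a
# backup partition around a backup run. The partition is addressed by disk and
# partition number rather than drive letter, so the same script keeps working
# if the partition is also hidden and carries no letter. Run elevated.

function Get-BackupPartition {
    param([int]$DiskNumber, [int]$PartitionNumber)
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -ErrorAction Stop
}

function Set-BackupWriteProtection {
    param([int]$DiskNumber, [int]$PartitionNumber, [bool]$Enabled)
    $p = Get-BackupPartition $DiskNumber $PartitionNumber
    # IsReadOnly is enforced by the volume stack, independent of NTFS ACLs.
    $p | Set-Partition -IsReadOnly $Enabled
    # Re-read and confirm rather than trusting that the call took effect.
    $p = Get-BackupPartition $DiskNumber $PartitionNumber
    if ($p.IsReadOnly -ne $Enabled) {
        throw "Expected IsReadOnly=$Enabled on disk $DiskNumber partition $PartitionNumber, got $($p.IsReadOnly)"
    }
}

function Invoke-ProtectedBackup {
    param(
        [int]$DiskNumber,
        [int]$PartitionNumber,
        [Parameter(Mandatory)][scriptblock]$BackupCommand
    )
    Set-BackupWriteProtection $DiskNumber $PartitionNumber $false
    try {
        & $BackupCommand
    }
    finally {
        # Re-arm even when the backup throws, so the writable window is
        # never longer than the job itself.
        Set-BackupWriteProtection $DiskNumber $PartitionNumber $true
    }
}

# Usage (constructed values): first list partitions to find the numbers.
# Get-Partition | Select-Object DiskNumber, PartitionNumber, DriveLetter, Size, IsReadOnly, IsHidden
# Invoke-ProtectedBackup -DiskNumber 1 -PartitionNumber 2 -BackupCommand {
#     robocopy "$env:USERPROFILE\Documents" 'E:\Backup\Documents' /MIR /R:1 /W:1
# }
```

To add the hiding step BoraMurdar mentions, `Set-Partition -IsHidden $true` on the same partition keeps Windows from assigning it a drive letter; the backup job then has to reach it through a mount point added with `Add-PartitionAccessPath` instead of a letter. Schedule the script as a task that runs with highest privileges from an administrator account, as AtlBo suggests, rather than leaving the protection off between runs.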
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Probably not, since the device is still connected to the system, so even if it wasn't accessible by default then an exploit would do the job. It's better to just unplug your USB if it's not really in use.

However you can alter the write protection for the removable device; this will prevent ransomware processes from encrypting the files on the drive. ;)
Until the malware gets admin access, I guess. Maybe, probably, I don't know, I am guessing.
 
W

Wave

Can't the malware change the setting though if it has admin rights assuming a few security software decide this method of protecting drives is the best and it makes sense to code a workaround?
Somehow it can do this; even I am not sure what method it would use... Maybe the feature uses the registry or something; that could be monitored and then that analysis could be used to make a circumvention for sure.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
You can use Secure Folder to set Deny Write (Read Only), Lock or Hide.

Clipboard01.jpg
 
5

509322

I am wondering whether Rollback Rx might actually be a convenient way to back up the C drive for recovery from a ransomware attack (and other attacks). This software stores snapshots of the C drive in a hidden partition, and even the free edition makes a new snapshot every day, when you boot. Besides that, it protects the MBR from modifications.

Theoretically, ransomware could be programmed to see and encrypt all Windows-compatible partitions, even hidden ones. The question is whether known types of ransomware actually do this. If they don't, then rollback seems to be a valid solution.

Please comment.

RBRx already does this by allowing access to only the current active snapshot. RBRx is recovery software that works via rollback.

If you want the technical info, then post over at the HDS forum. Sam will explain.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
RBRx already does this by allowing access to only the current active snapshot.
Sounds good. I wonder why more people don't know about this? It's not a total solution, but it's good for a user who does his new work on the C drive and only stores static data on the other drives. He can make an occasional offline backup for those drives.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
That's a great app, I will take a look at it!!

Edit: Do you know the official website, or is softonic trusted?
The product has been dead for a while now and the official site also died. About softonic I have no clue, but some member from here can probably link the original link, I guess, if you are still interested.

EDIT: They already linked you
 
5

509322

Sounds good. I wonder why more people don't know about this? It's not a total solution, but it's good for a user who does his new work on the C drive and only stores static data on the other drives. He can make an occasional offline backup for those drives.

There is another product called Drive Vaccine by HDS. If I recall correctly, the user can protect non-system partitions. Maybe not, I haven't looked recently.
 