Could this idea against ransomware be possible?

Dirk41 (Level 17, Thread author, joined Mar 17, 2016, 797 messages)

Attention! What I am about to say could sound stupid, but I am curious :D

As far as I understand (if I am wrong, please tell me), ransomware (or at least some/most of it) targets extensions (.pdf, .doc, etc.). Could someone make software that eliminates file extensions and, if you need to use a file, re-enables it (only for the files you need)?
The situation might not be very user friendly.

Thank you for reading

Wave

This could work depending on the situation; however, there is more to doing this than just changing the extension at the end of the filename. You see, depending on the format, there will be bytes within the file itself which signify the extension. For example, all PE (Portable Executable) files (*.exe) will have the MZ header as the first bytes in the file.

You can try to use folder restriction/locking software to hide/lock a folder containing important documents. If the program works properly then ransomware won't be able to access the files within the "locked" folder for encryption, unless it is very advanced. Usually the top products which have this functionality work with a file system driver to restrict access (via the use of callbacks).

Stay safe,
Wave. ;)

BoraMurdar (Community Manager, Staff Member, joined Aug 30, 2012, 6,598 messages)

Basically you would just need to change the formatting or the filesystem, like Linux does. But it would not solve the problem, as malware creators could easily create ransomware that checks the first bytes in order to detect a "file type" (now a non-existing one) and choose what to encrypt, instead of the Windows method. It could bring more problems than it would solve. Simple solution: don't give a file root or admin privileges.
For example, all Bitmap image files (usually with the name extension .bmp) must start with the letters BM in their first two bytes. Scripts in most scripting languages like Bash, Python, Perl, AWK, etc. (basically everything that treats lines starting with # as comments) may contain a shebang like #!/bin/bash as the first line. This special comment tells the system with which application to open the file.

So normally the operating system relies on the file content and not its name to determine the file type, but stating that file extensions are never needed on Linux is only half of the truth.

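To make the point of the two posts above concrete, here is an added Python example (not code from this thread or from any of its posters) that classifies files by their leading bytes and ignores the name entirely. The signature table is built from the public format specifications (MZ, BM and the shebang are the ones named above; the PDF, JPEG, PNG, ZIP and OLE entries are added for breadth), the sample files are constructed in a temporary directory, and the function names are this example's own choice.

```python
"""Added example, not code from the thread: classify files by their leading
bytes instead of by extension. Signatures come from the public format specs;
the sample files written by demo() are constructed for illustration."""
import tempfile
from pathlib import Path

# (leading bytes, human-readable type), ordered longest signature first
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE compound file (.doc/.xls/.ppt)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image (.png)"),
    (b"%PDF-", "PDF document (.pdf)"),
    (b"PK\x03\x04", "ZIP container (.zip/.docx/.xlsx)"),
    (b"\xFF\xD8\xFF", "JPEG image (.jpg)"),
    (b"MZ", "PE executable (.exe/.dll)"),
    (b"BM", "Bitmap image (.bmp)"),
    (b"#!", "script with shebang"),
]
HEAD = max(len(sig) for sig, _ in MAGIC)   # bytes needed to test every signature


def sniff(data: bytes) -> str:
    """Return the type name of the first matching signature, else 'unknown'."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def sniff_path(path: Path) -> str:
    """Read only the first HEAD bytes; the filename plays no part."""
    with open(path, "rb") as fh:
        return sniff(fh.read(HEAD))


def classify_tree(root: Path) -> dict:
    """Map every regular file under root (relative path) to its sniffed type."""
    return {p.relative_to(root).as_posix(): sniff_path(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo() -> dict:
    """Constructed samples: the names lie or say nothing, the bytes do not."""
    samples = {
        "report":      b"%PDF-1.7\n%\xE2\xE3\xCF\xD3\n",   # PDF, extension stripped
        "holiday.bak": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",    # JPEG renamed to .bak
        "setup.txt":   b"MZ\x90\x00\x03\x00\x00\x00",      # PE header behind a .txt name
        "logo":        b"BM\x36\x00\x0C\x00",              # bitmap without extension
        "backup":      b"#!/bin/bash\necho hi\n",          # shell script
        "notes.doc":   b"just some plain text\n",          # no known signature
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, header in samples.items():
            (root / name).write_bytes(header)
        return classify_tree(root)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name:14s} -> {kind}")
```

Run stand-alone it prints the constructed tree with the type each file really is, which is exactly what a renaming scheme cannot hide; the same routine, pointed at a user's folders, is also a cheap way for a defender to spot executables sitting behind harmless-looking names.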
DardiM (Level 26, Honorary Member, Malware Hunter, joined May 14, 2016, 1,597 messages)

> Thank you for the replies :)
> Anyway, another thing comes to my mind: I read days ago on BleepingComputer about malware that deletes all extensions, gives you 24h to pay and then deletes everything. So it is possible to have software that deletes extensions :)

"Deleting" extensions is really easy (depending on the files, rights, etc.): a loop over each drive / each file that has .[some chars] at the end, renaming the file to its old name "minus" the extension part => just a rename.
To put the extensions back, the software that "deleted" the file extensions just has to use a "database" of the new names and old names (which it builds when modifying them the first time): the quick way.
When the user wants to run / use one of these files (and the programs that are linked to the "not existing" extension concerned), it is possible for this software to make the file run (different methods, for example: the "database" file name without extension => old extension => Windows info => run the right program).

A personal program (not known to a lot of people) could do the job:
=> but with a well-known program doing this, ransomware will be changed like @BoraMurdar said, or its makers will even target the software :) (to get access to the database, hack it, etc.)

Some people are trying to make software to protect the user, but some other people are just trying to defeat the methods used by the first ones :)

Dirk41 (Level 17, Thread author, joined Mar 17, 2016, 797 messages)

> "Deleting" extensions is really easy (depending on the files, rights, etc.): a loop over each drive / each file that has .[some chars] at the end, renaming the file to its old name "minus" the extension part => just a rename.
> To put the extensions back, the software that "deleted" the file extensions just has to use a "database" of the new names and old names (which it builds when modifying them the first time): the quick way.
> When the user wants to run / use one of these files (and the programs that are linked to the "not existing" extension concerned), it is possible for software to make the file run (different methods).
>
> A personal program (not known to a lot of people) could do the job:
> => but with a well-known program doing this, ransomware will be changed like @BoraMurdar said, or its makers will even target the software :) (to get access to the database, hack it, etc.)
>
> Some people are trying to make software to protect the user, but some other people are just trying to defeat the methods used by the first ones :)

Yes, it's a nice war :D Thank you

Dirk41 (Level 17, Thread author, joined Mar 17, 2016, 797 messages)

> Basically you would just need to change the formatting or the filesystem, like Linux does. But it would not solve the problem, as malware creators could easily create ransomware that checks the first bytes in order to detect a "file type" (now a non-existing one) and choose what to encrypt, instead of the Windows method. It could bring more problems than it would solve. Simple solution: don't give a file root or admin privileges.

Thank you. Anyway, since they don't exist yet, we (just a few people; they won't change their ransomware just for us) could start manually (without software) to protect only some files in this way, or not :D

_CyberGhosT_ (Level 53, Honorary Member, Content Creator, joined Aug 2, 2015, 4,286 messages)

> This could work depending on the situation; however, there is more to doing this than just changing the extension at the end of the filename. You see, depending on the format, there will be bytes within the file itself which signify the extension. For example, all PE (Portable Executable) files (*.exe) will have the MZ header as the first bytes in the file.
>
> You can try to use folder restriction/locking software to hide/lock a folder containing important documents. If the program works properly then ransomware won't be able to access the files within the "locked" folder for encryption, unless it is very advanced. Usually the top products which have this functionality work with a file system driver to restrict access (via the use of callbacks).
>
> Stay safe,
> Wave. ;)

Right, and someone could incorporate a way of hiding them from the ransomware, like Linux builds hide files or folders with "./".
It could be done system-wide in a manner that hides them from external sources but is incorporated in a manner that leaves them accessible to the system?
Hmmm, it could be added to the beginning or end as long as it has the desired effect; it would mean a file system restructure though, and Microsoft is too lazy for that I think.
Great post Dirk41 ;)

Wave

> Right, and someone could incorporate a way of hiding them from the ransomware, like Linux builds hide files or folders with "./".
> It could be done system-wide in a manner that hides them from external sources but is incorporated in a manner that leaves them accessible to the system?
> Hmmm, it could be added to the beginning or end as long as it has the desired effect; it would mean a file system restructure though, and Microsoft is too lazy for that I think.
> Great post Dirk41 ;)

Exactly. :)

Just find a tool which uses rootkit techniques for security benefit as opposed to malicious intent... e.g. hide files/folders, restrict access to them, etc. If access to them is restricted then the ransomware won't be able to write to them for the encryption (unless it is sophisticated enough to bypass the active protection mechanisms), and if it cannot find the files/folder with the protected files inside them then it cannot attempt the encryption!

Even modifying the security descriptor of a folder can give you additional protection, since depending on the security descriptor (DACL/ACL) settings, the ransomware may not be able to access the folder contents without specific privileges. :D

Most security products which hide/lock folders probably work like this (API hooking, device driver, security descriptor, etc.; most likely one of those methods as opposed to all three of them though).

hjlbx

> Attention! What I am about to say could sound stupid, but I am curious :D
>
> As far as I understand (if I am wrong, please tell me), ransomware (or at least some/most of it) targets extensions (.pdf, .doc, etc.). Could someone make software that eliminates file extensions and, if you need to use a file, re-enables it (only for the files you need)?
> The situation might not be very user friendly.
>
> Thank you for reading

File extensions are for OpenWith file associations.

Deleting file extensions would create an unworkable usability problem; every time you needed to open a file, Windows would generate an OpenWith prompt. That would mean a lot of prompts.

Nice thinking though...

In Windows you can already delete all file type extensions and disassociate all file type extensions.

_CyberGhosT_ (Level 53, Honorary Member, Content Creator, joined Aug 2, 2015, 4,286 messages)

> File extensions are for OpenWith file associations.
>
> Deleting file extensions would create an unworkable usability problem; every time you needed to open a file, Windows would generate an OpenWith prompt. That would mean a lot of prompts.
>
> Nice thinking though...
>
> In Windows you can already delete all file type extensions and disassociate all file type extensions.

Ok, but developing a way to do that which would only delete them from external sources and not from Windows would be the goal, not so much disassociation. Hide them like you hide an IP. What file system extension can't ransomware touch? What does it see and skip? You mask what ransomware targets, have MS report the file via masking as an ignored or invalid extension, and the ransomware cruises right by, ignoring the files?
I think we are on to something here lol
EDIT:
Maybe have MS report or mask them all as .bak; no ransomware will touch that, right?

DardiM (Level 26, Honorary Member, Malware Hunter, joined May 14, 2016, 1,597 messages)

About extensions:

- One example, the easy way: .jpg => .x_gpj => associate it with the right program => done!
I inverted the extension here because of the use of "basic" regular expressions, and to allow the user to remember the real extension easily.
More complicated "false" extensions can be used.
(It can be automated to change all .jpg to an "unknown" extension.)

But: not too hard to find the extensions used, for malware aware of this example.

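Both renaming schemes discussed in this thread, the strip-the-extension-and-keep-a-database approach from DardiM's earlier reply and the reversible .jpg => .x_gpj transform in the post just above, are implemented here as one added Python example (not the thread's own code, and not a tool any poster published). The map-file name .ext_map.json, the .x_ tag and the constructed sample tree are assumptions of this example; it handles the two edge cases such a tool runs into, name collisions when two files differ only by extension and compound extensions such as .tar.gz.

```python
"""Added example, not code from the thread: a minimal extension-hiding tool
implementing the two schemes described above. 'strip' removes the extension
and keeps a JSON map of original suffixes (the "database" DardiM describes);
'invert' applies the reversible .jpg -> .x_gpj renaming, which needs no map.
The map-file name, the .x_ tag and the sample tree are assumptions."""
import json
import tempfile
from pathlib import Path

MAP_FILE = ".ext_map.json"   # assumption: map is written in the protected root
INVERT_TAG = ".x_"           # assumption: marks a reversed extension


def invert_ext(ext: str) -> str:
    """'.jpg' -> '.x_gpj': fixed tag followed by the extension letters reversed."""
    return INVERT_TAG + ext[1:][::-1]


def uninvert_ext(name: str):
    """'photo.x_gpj' -> '.jpg'; None if the name does not carry the tag."""
    suffix = Path(name).suffix
    if suffix.startswith(INVERT_TAG) and len(suffix) > len(INVERT_TAG):
        return "." + suffix[len(INVERT_TAG):][::-1]
    return None


def hide_extensions(root: Path, scheme: str = "strip") -> dict:
    """Rename every file with an extension under root.

    Returns {new relative name: original suffix}; in 'strip' mode the same
    mapping is persisted to MAP_FILE so the names can be put back later."""
    if scheme not in ("strip", "invert"):
        raise ValueError("scheme must be 'strip' or 'invert'")
    mapping = {}
    for p in sorted(root.rglob("*")):          # materialised before renaming
        if not p.is_file() or not p.suffix or p.name == MAP_FILE:
            continue
        if uninvert_ext(p.name) is not None:   # already hidden: don't apply twice
            continue
        if scheme == "strip":
            target = p.with_suffix("")
            if target.exists():                # 'a.txt' and 'a.pdf' would collide
                continue                       # leave this one untouched
        else:
            target = p.with_suffix(invert_ext(p.suffix))
        p.rename(target)
        mapping[target.relative_to(root).as_posix()] = p.suffix
    if scheme == "strip":
        (root / MAP_FILE).write_text(json.dumps(mapping, indent=1))
    return mapping


def restore_extensions(root: Path) -> int:
    """Undo hide_extensions for both schemes; return how many files were renamed back."""
    restored = 0
    map_path = root / MAP_FILE
    if map_path.exists():
        for rel, ext in json.loads(map_path.read_text()).items():
            hidden = root / rel
            # append rather than with_suffix(): 'archive.tar' + '.gz' must not become 'archive.gz'
            original = hidden.with_name(hidden.name + ext)
            if hidden.is_file() and not original.exists():
                hidden.rename(original)
                restored += 1
        map_path.unlink()
    for p in sorted(root.rglob("*")):
        ext = uninvert_ext(p.name) if p.is_file() else None
        if ext and not p.with_suffix(ext).exists():
            p.rename(p.with_suffix(ext))       # '.x_gpj' is the whole last suffix
            restored += 1
    return restored


def demo() -> dict:
    """Constructed sample tree; returns the file names seen after each step."""
    seen = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for rel in ("photo.jpg", "docs/report.pdf", "docs/archive.tar.gz", "README"):
            (root / rel).write_bytes(b"constructed sample content")

        def listing():
            return sorted(p.relative_to(root).as_posix()
                          for p in root.rglob("*") if p.is_file())

        hide_extensions(root, "strip")
        seen["stripped"] = listing()
        restore_extensions(root)
        seen["after_restore_1"] = listing()
        hide_extensions(root, "invert")
        seen["inverted"] = listing()
        restore_extensions(root)
        seen["after_restore_2"] = listing()
    return seen


if __name__ == "__main__":
    for step, names in demo().items():
        print(f"{step:16s} {names}")
```

Note what the example makes visible: the 'strip' scheme leaves a plaintext .ext_map.json in the protected folder, which is the database DardiM warns a targeted sample could read or destroy, and neither scheme changes a single byte of content, so a sample that sniffs headers instead of names is unaffected.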
DardiM (Level 26, Honorary Member, Malware Hunter, joined May 14, 2016, 1,597 messages)

> You guys can patent the idea and get rich... Bill Gates will come visit you.
>
> Think about it some more...
> :rolleyes::D:p

About my example:
> About extensions:
>
> - One example, the easy way: .jpg => .x_gpj => associate it with the right program => done!
> I inverted the extension because of the use of "basic" regular expressions, and to allow the user to remember the real extension easily. More complicated "false" extensions can be used.
> (It can be automated to change all .jpg to an "unknown" extension.)
>
> But: not too hard to find the extensions used, for malware aware of this example.

Once a method is known and used a lot => not long before malware changes its methods.
It was just an idea that can make people find other tips for themselves (which they will keep to themselves).

A lot of personal tips are very useful when not shared.
And remember: some malware doesn't target extensions.

Dirk41 (Level 17, Thread author, joined Mar 17, 2016, 797 messages)

Thank you for the replies :)
Well, I suppose you all agree ransomware recognises and targets files by their extensions (and that was the first point; otherwise this thread is useless).

(@Wave just to be sure I got what you said: when you say lock you don't mean encrypt, right? Because I know that it's useless to encrypt your files with BitLocker, for example, because the ransomware would encrypt them again and make them inaccessible.)

Second: I did not say it would have been a "user friendly" solution. :D But to make it easier, it could be used as an emergency tool: you stay with normal extensions, and if you suddenly realise you opened a fake PDF, or you think you are about to get into some dangerous situation, with just a click you delete all extensions, or something like that.
Because you can do backups, even daily, but you can't click on "save file" for every word you type.

Of course it would be for home users. I can't imagine it for enterprises.

Wave

> (@Wave just to be sure I got what you said: when you say lock you don't mean encrypt, right? Because I know that it's useless to encrypt your files with BitLocker, for example, because the ransomware would encrypt them again and make them inaccessible.)

I didn't mean encrypt; I literally meant use rootkit techniques to conceal evidence of your protected documents ever existing on the system. If the ransomware cannot find evidence of the documents you wish to protect then it can't touch them! (So you can either conceal evidence by hiding the folder containing the files or the files individually, or just not bother concealing evidence of their existence but restrict access to alter the files, preventing the ransomware encryption from being successfully carried out.) ;)

However, if you encrypt the documents you wish to protect, then if the ransomware decides to steal files (e.g. upload them to themselves and use that as another tactic to push you into paying the ransom, e.g. "Pay for the decryption and if not your files will be shared publicly"), your personal information contained within the stolen documents (e.g. pictures) would be safe unless they had access to the private encryption key (as long as you worked with SHA-256/RSA-2048 encryption). That being said, if the document is encrypted and the filename has been replaced (including the extension at the end of the filename) then the ransomware may not even be able to identify the file type of the target document and thus may not attempt to re-encrypt it. Therefore ransomware will not always attempt to re-encrypt documents which are already encrypted; it depends on the ransomware sample and the situation, since not all ransomware works the same.

Wave

> For example SBIE does (maybe, if I am not wrong) something like that: it has an option to restrict access to some folders even in the sandbox.

Yes. :) However, in my example situation you would hide evidence as opposed to just restricting access. Concealment is probably better anyway... because if nothing can be found, then nothing can be worked on to bypass the restriction, since no one else knows of the existence!

Sandboxie actually injects a DLL into the target processes and it hooks a bunch of APIs (if I remember correctly it literally hooks as many API functions as you can imagine), most likely involving NTAPI functions used for file I/O operations, to restrict access to specific locations. However, it also has a device driver and therefore it may also use this for the restriction. It also runs the target program under a different, isolated user account.

Without manual analysis I cannot be sure; this is just guessing off the top of my head. However, I do know for a fact that it has a DLL it injects into the process which hooks APIs, and it also utilises a device driver.

RoboMan (Level 35, Content Creator, joined Jun 24, 2016, 2,400 messages)

Until they create a new SSD that encrypts itself, and every piece of software that tries to write to it or use a file on it must explicitly ask the user to accept decryption. This decryption should be really fast; that's why I point out "a new SSD". Of course, this decryption should have no passwords. I know it sounds really complicated and seems like the Windows administration alerts, but I know somebody could figure this out and invent some kind of encryption that gives us this security and is easy to use as well. Like an alert that describes what the file is trying to do on the disk and asks for permission; if accepted, a quick decryption is made. Do I make myself clear?

DardiM (Level 26, Honorary Member, Malware Hunter, joined May 14, 2016, 1,597 messages)

> Until they create a new SSD that encrypts itself, and every piece of software that tries to write to it or use a file on it must explicitly ask the user to accept decryption. This decryption should be really fast; that's why I point out "a new SSD". Of course, this decryption should have no passwords. I know it sounds really complicated and seems like the Windows administration alerts, but I know somebody could figure this out and invent some kind of encryption that gives us this security and is easy to use as well. Like an alert that describes what the file is trying to do on the disk and asks for permission; if accepted, a quick decryption is made. Do I make myself clear?

A real problem with this method: the OS and software, and how they access the SSD => exploits, bypasses, bad software (malware), etc.