Could this idea against ransomwares be possible?

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
A good method is to save all your working / personal data on an external HDD. When you want to run files that are not 100 % sure, just power off the HDD before. All my important data is on a fully BitLocker-encrypted partition, UAC at MAX under a minimum-access user account.
 

NekoHr

Level 3
Verified
Well-known
Feb 5, 2016
139
Basically you would just need to change the formatting or the filesystem, like Linux does. But it would not solve the problem, as malware creators could easily create ransomware that checks the first bytes in order to detect a "file type" (one that does not exist now) and choose what to encrypt, instead of the Windows method. It could bring more problems than it would solve. Simple solution: don't give a file root or admin privileges.

No need to do even that; just encrypt files without an extension, or whole folders.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
All that is needed is to hollow a trusted process that has unrestricted access to the file system, like explorer.exe or svchost.exe.
That's it :mad: I'm adding these to the blocked process list too, roflmao. Boom goes the dynamite :p
 

Wave

Until they create a new SSD that encrypts itself, and every piece of software that tries to write to it or use a file on it must explicitly ask the user to accept decryption. This decryption should be really fast, that's why I point out "a new SSD". Of course, this decryption should have no passwords. I know it sounds really complicated and seems like the Windows Administration Alerts, but I know somebody could figure this out and invent some kind of encryption that gives us this security and is easy to use as well. Like an alert that describes what the file is trying to do on the disk and asks for permission; if accepted, a quick decryption is made. Do I make myself clear?
This will never happen, it would be far too messy to implement. Just use a folder locker/hider to protect important documents and use backups... I don't understand why people can't just do this?

The closest you will find to doing this is software which encrypts your documents and requires a pop-up to enter a password to allow programs to access the files. In this case, it would work like most file restriction/hide software already works, just with the added encryption functionality.

Basically a feature for folder/file access restriction, but on a specific drive with the encryption functionality.

Let's say you have some important work documents or a folder containing personal photos from the past 10 years... Back these up on an external removable device and/or use a folder locker/hider to protect these documents.

Now let's say you become infected with ransomware... It won't be able to find these protected documents (and if it does, it won't be able to access them properly to write to them for the encryption process, unless it was sophisticated enough to bypass the protection mechanisms of the protection software, which is rare because it seems most ransomware, if not all, doesn't bother doing things like this)... And as long as you had a backup in the first place it wouldn't even matter, as you can use the backup to get your documents back after cleaning the system!

In fact, you can make a whole system image backup: Acronis | Backup, Data Protection & Recovery Software; Best free backup software for Windows 10, Windows 8.1, Windows 8, Windows 7, etc. - EaseUS Todo Backup Free

Not to mention that the backup will be useful in non-ransomware cases... for example a virus infection, where your files become infected and, once executed, they start running the virus code to infect other files... Then you use the backup, and same scenario as with ransomware: you get your original files back!

So this entire thread about changing extensions and doing this and that is kind of pointless... (I mean it was a good conversation), but the best things you can do are conceal evidence of the protected documents AND use a backup! :)

Forget the documents concealment/protection idea, just use a backup. Easy to do and more reliable.
 
Wave

Furthermore, some ransomware already ask you to be allowed (UAC pop-up), but some of them encrypt even if you click no.
If the ransomware process is running with standard rights it can still access some locations and encrypt the files stored there; however, it won't be able to access protected directories by default (such as the Program Files folder).

(and if UAC is disabled altogether then you played yourself...).

However, since ransomware is quite in demand in the malware development market (or I would assume so at least), it wouldn't be a surprise to see a new ransomware variant utilising a zero-day UAC exploit (or a past one which hasn't been patched yet).
 

Dirk41

Level 17
Thread author
Verified
Top Poster
Well-known
Mar 17, 2016
797
Everybody knows backups are the best defence.
But it's nice to talk about these things, they help you understand how malware works. Even just out of curiosity.
Anyway, maybe not everybody can back up every second (look at some configs, not everybody performs daily backups): maybe you are away from home with your laptop and you can't back up until you come home, and so you have to find another way to protect yourself until the evening.


And you said an interesting thing: so hiding a folder (right-click -> Properties?) is enough to prevent the ransomware from finding it?

Thank you
 

Dirk41

Level 17
Thread author
Verified
Top Poster
Well-known
Mar 17, 2016
797
If the ransomware process is running with standard rights it can still access some locations and encrypt the files stored there; however, it won't be able to access protected directories by default (such as the Program Files folder).

(and if UAC is disabled altogether then you played yourself...).

However, since ransomware is quite in demand in the malware development market (or I would assume so at least), it wouldn't be a surprise to see a new ransomware variant utilising a zero-day UAC exploit (or a past one which hasn't been patched yet).

UAC exploit: so anti-exploit tools like EMET, MBAE, etc. could help in those cases?
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
...
maybe you are away from home with your laptop and you can't back up until you come home, and so you have to find another way to protect yourself until the evening.
...

Imagine a drive with 2 partitions, C: and D:
=> Control Panel / Computer Management / Disk Management: remove the letter D (the one with the files to protect)
=> malware using a loop to find drive letters and the files inside will only retrieve "C:" and the folders / files inside it
 

Dirk41

Level 17
Thread author
Verified
Top Poster
Well-known
Mar 17, 2016
797
Interesting, so why have I never heard of this kind of suggestion? And is it easy to get the letter back?

Anyway, maybe I read about some ransomware that also encrypts NAS and unmapped drives. I don't know if it would be the same case.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
...
And is it easy to get the letter back?
...

To get the letter back:
Control Panel / Computer Management / Disk Management, and add a letter to the partition concerned.

It is only a personal tip, which can help against most of the ransomware I see.

I think evolved/elaborate malware (if it is granted the rights because of a badly secured account, exploits, etc.) could find a way to bypass it.
 
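The two Disk Management steps DardiM describes (remove the letter from the D: partition before running something untrusted, add it back afterwards) can be scripted with the Storage module cmdlets that ship with Windows 8 / Server 2012 and later. This is an added example, not code from the thread; it assumes the data volume currently has the letter D:, that PowerShell is running elevated, and that C: and D: are partitions on the same disk, as in the post.

```powershell
# Added example (not from the thread): hide and restore a data volume by drive
# letter, i.e. the Disk Management steps described above, done from PowerShell.
# Assumes: letter D: is the volume to protect, and the session is elevated.

function Hide-DataVolume {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Z]$')][string]$DriveLetter)

    # Locate the partition by its current letter; fail loudly if it is not there.
    $part = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop

    # Remember disk and partition numbers so the letter can be restored without
    # guessing later (the letter itself is gone after the next step).
    $saved = [pscustomobject]@{
        DiskNumber      = $part.DiskNumber
        PartitionNumber = $part.PartitionNumber
        DriveLetter     = $DriveLetter
    }

    # Same effect as "Change Drive Letter and Paths... -> Remove" in Disk Management.
    Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
                               -PartitionNumber $part.PartitionNumber `
                               -AccessPath "${DriveLetter}:\"
    return $saved
}

function Restore-DataVolume {
    param([Parameter(Mandatory)]$Saved)

    # Same effect as "Change Drive Letter and Paths... -> Add" in Disk Management.
    Add-PartitionAccessPath -DiskNumber $Saved.DiskNumber `
                            -PartitionNumber $Saved.PartitionNumber `
                            -AccessPath "$($Saved.DriveLetter):\"
}

function Get-VisibleDriveLetters {
    # What a simple letter-by-letter enumeration sees: only filesystem drives
    # that currently have a letter. After Hide-DataVolume, D: is absent here.
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Z]:\\$' } |
        ForEach-Object { $_.Name }
}

# Usage (elevated):
#   $saved = Hide-DataVolume -DriveLetter 'D'
#   Get-VisibleDriveLetters        # D is no longer listed
#   ... run the untrusted file, then when done:
#   Restore-DataVolume -Saved $saved
```

Two practical notes. First, keep the object returned by Hide-DataVolume (or write the disk and partition numbers down), because after the letter is removed `Get-Partition -DriveLetter D` no longer finds anything. Second, removing the letter only takes the volume out of letter-based enumeration; it stays mounted and still appears in `Get-Volume`, which is the limitation DardiM acknowledges. If the data lives on a separate physical disk rather than a second partition, `Set-Disk -Number <n> -IsOffline $true` takes the whole disk offline and is the stronger version of the same idea; it cannot be used here because C: shares the disk.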
