Thank you all for the clarifications.
May I ask another curiosity? What if, while a ransomware starts encrypting, you unplug your PC from the electricity? Does the ransomware start encrypting again when you start the PC again?
And what if you take that infected drive and connect it to another PC? Does the ransomware encrypt the new PC?
If I had the hardware, I would try all these things.
It depends on the ransomware / how the ransomware works. Each sam
When you run the ransomware sample, if it uses a method to make itself re-execute at system start-up, then the answer to your first question would be yes. However, not all ransomware samples will do this, although it is very common for malware to add itself to start-up (generally speaking).
There are many ways for malware to re-execute at start-up... I will list a few methods:
- Standard approach via registry: "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" and "\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
- Usage of a Start-Up folder built into Windows: e.g. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp - however, this is a protected directory (administrator privileges will be required).
- Utilisation of the Windows Task Scheduler to create an event to start the target PE at boot (well, actually it happens after the user has signed into their account - however, with this method the malware can have its executable auto-elevated, bypassing the UAC alert).
- Hijacking of external programs (e.g. patch up another program which is going to start up automatically but is vulnerable to modification, so when it runs it will silently execute the newly added malicious code to load the malicious PE into memory... Another example of this would be hijacking a DLL which is used by vulnerable software (and therefore loaded) so the malicious code becomes executed).
However, without that being said, \\MACHINE\\ locations in the registry are protected areas, and utilisation of the Windows Task Scheduler to create an event to auto-start a program (bypassing the UAC alert) also requires admin privileges. Therefore, if UAC is enabled and you do not go around aimlessly allowing programs to run with administrator privileges, then you'll be much safer.
Locations such as Program Files are also protected directories and will require administrator privileges to modify the contents, protecting programs from being patched if they are present in their own sub-directories in those protected areas... As long as the malware doesn't have admin privileges.
Without that being said, some ransomware will abuse their current privileges to make it trickier to identify suspicious processes running on the system throughout the encryption process. Therefore, they may conceal evidence of the malicious ransomware processes being run via rootkit techniques (so if you opened up Process Manager you wouldn't be able to find the ransomware process, leaving you unaware of its presence) or just inject code into other processes (/work with methods like Dynamic Forking) for the encryption code execution.
On Windows 8/8.1 and Windows 10, system processes are not as vulnerable as they used to be back on older OS versions like Windows Vista and Windows 7. Therefore, malware can no longer just open a handle to csrss.exe (or other system processes) and use this handle for DLL/Code injection.
And what if you take that infected drive and connect it to another PC? Does the ransomware encrypt the new PC?
Not unless there is some sort of exploit being used to auto-execute code once the drive becomes connected to the system (e.g. USB devices with AutoRun usage). However, if some of the files were injected with malicious code to re-start the encryption process (as opposed to being completely encrypted and useless as expected), then running the infected document can result in re-infection on the new system... Of course you wouldn't expect a scenario like this and you may have never heard of such a scenario occurring, but it is very possible, and at the end of the day if they are developing malware then don't trust anything.
Make sure you always have an updated system backup image/your personal documents backed up and in the case of any infection you can revert via the backups instead of dealing with the infected mess (well most of the time). Once your system becomes infected, unless you had the samples to perform full analysis and understand the entire internals of the sample, you can never be sure if your system is fully clean after performing cleaning methods (even if all scanners claim the system is clean) - which is why a lot of people tend to just re-format their HDDs, reinstall the OS and use backups of their personal documents which they had previously taken and securely stored.
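The answer above lists the auto-start locations that persistence usually lands in (the Run/RunOnce keys, the Start-Up folders, and Scheduled Tasks that run elevated at logon or boot). As an added example that is not part of this thread and not anyone's tooling from the discussion, here is a read-only PowerShell audit of exactly those locations. It uses the PowerShell drive form of the registry paths (HKLM:/HKCU:) rather than the native \\REGISTRY\\MACHINE form quoted above, and it flags an entry as worth a second look when its executable lives in a user-writable directory (so it needed no admin rights to plant) or carries no valid Authenticode signature. The list of user-writable directories and the "suspicious" heuristic are my own assumptions, not a rule from the post.

```powershell
# Added example (not from the original thread): read-only audit of the
# auto-start locations discussed above. Run from an elevated PowerShell on the
# machine you are inspecting; it changes nothing on the system.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",   # machine-wide (protected)
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"        # per-user (no admin needed)
)

# Assumed heuristic: directories a standard user can write to. An auto-start
# entry pointing here did not need admin rights, so it deserves a closer look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

# Metadata properties Get-ItemProperty attaches to every registry item.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePath([string]$command) {
    # Extract the executable path from a command line such as  "C:\x\y.exe" /arg
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split ' ')[0]
}

function Test-Suspicious([string]$path) {
    if (-not $path) { return $false }
    foreach ($d in $userWritable) {
        if ($d -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    if (Test-Path -LiteralPath $path) {
        # Unsigned or tampered binaries in an auto-start location are worth reviewing.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce values (HKLM needs admin to write; HKCU does not)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $exe = Get-ExePath $p.Value
        $findings += [pscustomobject]@{
            Source = $key; Name = $p.Name; Command = $p.Value; Suspicious = (Test-Suspicious $exe)
        }
    }
}

# 2. Start-Up folders; resolve .lnk shortcuts to the binary they actually launch
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Source = $dir; Name = $_.Name; Command = $target; Suspicious = (Test-Suspicious $target)
        }
    }
}

# 3. Scheduled Tasks that start at logon/boot with RunLevel Highest (auto-elevated, no UAC prompt)
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -and
    ($_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'LogonTrigger|BootTrigger' })
} | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }   # skip COM-handler actions with no executable
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute)
        $findings += [pscustomobject]@{
            Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
            Command = "$exe $($a.Arguments)"; Suspicious = (Test-Suspicious $exe)
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious are not a verdict, only a starting point: compare them against a known-good baseline of the same machine (or a clean build), and treat a fresh HKCU Run value or a per-user Startup shortcut pointing into %TEMP% or %APPDATA% as the kind of low-privilege persistence the post says needs no UAC bypass at all.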