Could this idea against ransomwares be possible?

Wave

> Hi guys, I am here with another curiosity:
> On bleepingcomputer, they suggest making (onto an external HD) an image of the HD encrypted by ransomware (because of the possibility of being able to decrypt the files in the future, if someone makes a decryptor, and, for decryption, other things like registry keys or ransom notes could be useful),
> so I wonder: since, in the image, files are compressed, can the ransomware be active and encrypt other files I put later (or that already are) on the same external HD?
>
> Thank you

If you backup the encrypted files it will be fine. Unless the hardware used to store the encrypted files has been exploited (e.g. BadUSB with a USB to spread across systems silently in the background) then the ransomware won't be able to spread across systems... And regardless, unless an exploit like that was being used, you'd need the ransomware launcher to be executed on the system for it to encrypt the files of that host as well, and the encrypted files are encrypted and unusable, not infected like a virus... And the loader is often removed by the launcher after the encryption process.

If you move encrypted files to an external HDD and then you move normal files to this external HDD they won't become encrypted, since there will be no active ransomware to encrypt the newly added files... It doesn't work like magic, it can't just magically re-appear and execute the encryption code! (and the encrypted files aren't infected and thus there is no executable ransomware code to spread the encryption should the user try to run the encrypted files - assuming this is the case, you never know, malware is evolving all the time!).
 

Dirk41

Level 17
Thread author
Verified
Top Poster
Well-known
Mar 17, 2016
797
Thank you for the information you provided.
I know encrypted files are not infected.
Regarding encrypting a connected external USB HD, I am referring to the ability (sometimes read about in some articles) to encrypt mapped units.

Anyway, I meant: while you create an image of the infected HD on an external HD, you also copy and transfer the ransomware. But since it is an image, files are compressed, even the ransomware, so it cannot work, right?
 
Wave

> Thank you for the information you provided.
> I know encrypted files are not infected.
> Regarding encrypting a connected external USB HD, I am referring to the ability (sometimes read about in some articles) to encrypt mapped units.
>
> Anyway, I meant: while you create an image of the infected HD on an external HD, you also copy and transfer the ransomware. But since it is an image, files are compressed, even the ransomware, so it cannot work, right?

Unless the actual ransomware (malware) sample is transferred from the backup and then executed manually on the new host by the user, then no. :)
 

Dirk41

Perfect. And just to clarify: you always say (if I understood well) that the ransomware should have an exploit ability to move to another HD (you said that, right?), but I don't think it necessarily needs to move to encrypt; I read, pretty recently, about ransomware that encrypts everything that is mapped. So when you connect the external HD, it could encrypt files that are already there, I think.
 
Wave

> Perfect. And just to clarify: you always say (if I understood well) that the ransomware should have an exploit ability to move to another HD (you said that, right?), but I don't think it necessarily needs to move to encrypt; I read, pretty recently, about ransomware that encrypts everything that is mapped. So when you connect the external HD, it could encrypt files that are already there, I think.

If you connect an external HDD to the system whilst the ransomware is active then it has the potential to encrypt the files on the newly connected external HDD... You should never do this. You should only connect external removable devices to your system for transferring across encrypted files AFTER you have cleaned the system from the actual ransomware.
 