Do all ransomware files require an active Internet connection in order to encrypt your files?

[brod56]

Last week I have been messing around with Windows Firewall Control, and have enabled Medium Filtering.
This denies all apps from accessing the internet, unless I allow them manually, one by one.
Is this boring process going to increase my ransomware protection (refer to title)?

PS. Please don't hijack this thread with recommendations of anti-ransomware protection like CF, I already know them. Thanks in advance.

 

[Ink]

I am under the assumption that Ransomware encrypts files upon execution.

Wait for an expert to reply.

 

[509322]

Last week I have been messing around with Windows Firewall Control, and have enabled Medium Filtering.
This denies all apps from accessing the internet, unless I allow them manually, one by one.
Is this boring process going to increase my ransomware protection (refer to title)?

PS. Please don't hijack this thread with recommendations of anti-ransomware protection like CF, I already know them. Thanks in advance.

Some files, like scripts, will download ransomware executables from the internet. In that case you will see outbound connection alert for powershell, cscript, wscript, cmd, etc.

Or you might have an exe that is a first stage downloader that will attempt to grab the ransomware from the net. Same thing - will see outbound alert for exe.

WFC is worthwhile add-on for Windows Firewall. I would use learning mode on a clean system and then set it to manual or just create the rules manually as you go (eventually there will be no alerts).

 

[brod56]

Some files, like scripts, will download ransomware executables from the internet. In that case you will see outbound connection alert for powershell, cscript, wscript, cmd, etc.

Or you might have an exe that is a first stage downloader that will attempt to grab the ransomware from the net. Same thing - will see outbound alert for exe.

WFC is worthwhile add-on for Windows Firewall. I would use learning mode on a clean system and then set it to manual or just create the rules manually as you go (eventually there will be no alerts).

Thank you. Im planning to refresh my Windows 10 installation soon so I will do that for sure.

 

[kamla5abi]

as others said, it depends on the attack vector pretty much, and the ransomware file too. Wannacry for example stopped with the killswitch domain remember (so if it was not allowed to connect out to the killswitch domain by you, that would actually make the ransomware work and encrypt your files lol exactly the opposite of what you would expect to happen)

If you somehow got the ransomware on your computer already, and it executes (either by you or other process) then it will likely start to encrypt files automatically even if you are offline. At some point it will try to connect outbound to C&C server i think for whatever reason (send out encryption key, get new instructions from C&C, etc), but the encryption process could already be done by then. This case it doesn't matter what you do with the firewall.

If you downloaded some script somehow (email attachment of weaponized .doc file, malicious JS, etc) then it will try to connect out in order to download the ransomware file. Then you will get notification for that. So if you block that, then the payload never gets downloaded, so no encryption I think. If its some exploit that is delivering the payload, thru an allowed process (SMB v1 wannacry example) then i don't know.

 

[RoboMan]

Most ransomware will generate a random RSA public and a private key, and then upload the private key to their server. As well OS version, IP, etc.

Once this basic process has complete, it will proceed the encryption process. Most probably if it never connects to the internet, and the server never holds the key, then you won't be able to decrypt your files, so it's nonsense.

 

[509322]

I am under the assumption that Ransomware encrypts files upon execution.

Wait for an expert to reply.

There are different types of ransomware. Most here will picture in their minds that their files will be encrypted with a ransom note as the desktop wallpaper. However, there is ransomware, for example, that will archive your files, create a password, and delete the original files. So it's, more or less, a files held hostage in an archive and the user has to pay-up to get the password. Files not thoroughly deleted can be recovered. Another type is screenlock ransomware that basically locks the user out of the desktop with a ransom note on the lock screen. The best of them prevent disablement via Safe Mode or advanced recovery options.

There are more. Research it.

 

[Fabian Wosar]

No. More importantly, some of the biggest ransomware families active right now and in the past didn't require Internet connectivity at all.