Is Ransomware capable of encrypting the whole hard disk?

Atlas147

Also, it would be counterproductive for malware to encrypt the entire disk, because how would the user get online to pay the hacker? Some malware out in the wild now does destroy files or disrupt a machine's boot-up, like Petya and JIGSAW, but these are rarer just because of what an inconvenience it might be for the user if they actually want to pay for the decryption key.
 

hjlbx

If the ransomware encrypts the entire disk - even System32 and SysWOW64 - then you have a non-bootable, "black screen" system = not very effective for the malc0der in extracting $ from the system owner. If the malc0der is just plain mean, then such encryption would be one of the most malicious -- but why do that? They can just wipe your entire drive -- which is a lot easier to code. A comparatively simple script can wipe a drive...

Besides, System Space = c:\program files, c:\program files (x86), c:\windows, etc., are protected resources by default in Windows and there is no way it should happen. It would definitely involve some form of EOP - which needs to be done silently/hidden or via trickery/social engineering. Think about it... just copying a file from a USB to System Space, Windows will prompt for Admin privileges.

If anyone finds a way to do it without alerting the user, then they're gonna make money off of it -- either by reporting it to Microsoft and collecting a bug bounty or selling the vulnerability...

Surprisingly, I don't think its value would be very high. The ability to just outright smash someone's system completely isn't valuable.
 

Wave

It's possible.. So you could edit things like the boot sector and make the target provide the right decryption key at boot and pay the ransom to get the key from another system. So it encrypts the entire drive but leaves that boot sector so it can load itself to get the decryption key, but you must pay the ransom for the key from another system as the current one can't be booted into, as the OS itself is encrypted.. maybe you will see what I mean:)

Besides, System Space = c:\program files, c:\program files (x86), c:\windows, etc., are protected resources by default in Windows and there is no way it should happen. If anyone finds a way to do it, then they're gonna make a lot of money off of it -- either by reporting it to Microsoft and collecting a bug bounty or selling the vulnerability to enterprising criminals...
It can be done but it is not the easiest thing for someone to do if they are not very XP.:)

Petya ransomware did things like edit the MBR and on boot made a fake checkup appear and encrypted files.. Something like that really:confused:
 

hjlbx

It's possible.. So you could edit things like the boot sector and make the target provide the right decryption key at boot and pay the ransom to get the key from another system. So it encrypts the entire drive but leaves that boot sector so it can load itself to get the decryption key, but you must pay the ransom for the key from another system as the current one can't be booted into, as the OS itself is encrypted.. maybe you will see what I mean:)

It can be done but it is not the easiest thing for someone to do if they are not very XP.:)

Petya ransomware did things like edit the MBR and on boot made a fake checkup appear and encrypted files.. Something like that really:confused:

I get that, but the way I interpreted the OP's question was "Could ransomware encrypt the entire drive in-place -- without the whole MBR rigmarole?" On the face of it, I think not -- at least not while keeping a functional system - so as to pay the ransom.

Besides, Windows protects System Space from modification, but of course, I'm sure there are ways around that.

I searched, but could find no reported ransomware that encrypts the entire drive (complete file system - including all Windows "protected" resources).

What sense does it make to encrypt all *.exes and *.dlls on the system? That will remove any user access to browsers, which = primary means to pay the ransom.

It just makes no sense to keep boot load ability, but create an encrypted system with no ability to log on, no networking and no functional browser.

It's probably possible, but not practical. It would be an act of sheer meanness - just for the sake of being mean and smashing a system completely.

malc0ders want $, and encrypting complete drives isn't going to be a financially successful tactic.

It makes no financial sense to encrypt a user's sole system...
 

Wave

I get that, but the way I interpreted the OP's question was "Could ransomware encrypt the entire drive in-place -- without the whole MBR rigmarole?" On the face of it, I think not -- at least not while keeping a functional system - so as to pay the ransom.

Besides, Windows protects System Space from modification, but of course, I'm sure there are ways around that.

I searched, but could find no reported ransomware that encrypts the entire drive (complete file system - including all Windows "protected" resources).

What sense does it make to encrypt all *.exes and *.dlls on the system? That will remove any user access to browsers, which = primary means to pay the ransom.

It just makes no sense to keep boot load ability, but create an encrypted system with no ability to log on, no networking and no functional browser.

It's possible, but not practical. It would be an act of sheer meanness - just for the sake of being mean and smashing a system completely.
I agree with you! :)

But if it was perfectly targeted at a noob audience who won't even know the system can't just be fixed after the key is entered, then they'd probably still make money. But still I agree with you. I have just been thinking of random possibilities.. :D
 

hjlbx

I agree with you! :)

But if it was perfectly targeted at a noob audience who won't even know the system can't just be fixed after the key is entered, then they'd probably still make money. But still I agree with you. I have just been thinking of random possibilities.. :D

Full disk encryption -- and by that I mean every single file on the system and not just the MBR - crafted with the ability for the user to still easily pay the ransom using the system - is probably already under malc0de development.

The concept certainly isn't novel... it has to have been carefully considered by this point in time. The issue is finding a workable way to do it...
 

hjlbx

Some articles claim Petya encrypts the entire drive. I think this is incorrect. G Data researchers state otherwise; Petya only blocks access to the files.

"However, G DATA security researchers suggest that the user files are not encrypted at all, but that the malware only blocks file access. On the other hand, the ransom note displayed on the infected system claims that the computer has been encrypted using a “military grade encryption algorithm.”"

Petya Ransomware Encrypts Entire Hard Drives | SecurityWeek.Com

Kaspersky:

"And now there is Petya ransomware which in a certain sense encrypts the whole hard drive all at once instead of encrypting files one by one."

NOTE the "in a certain sense" part.

Petya ransomware encrypts hard drives

If anyone can get a straight answer from Fabian Wosar on this topic - then you can rest assured you will get a straight, correct answer...
 

viktik

Thread author
I have a few documents that are very, very important.
I was thinking to keep those documents in a separate partition. Then I will hide that partition using a partition manager. Whenever I need it, I will unhide the partition.
Malware will not be able to see it, so it won't be able to steal or modify it.
I think this will greatly reduce the risk of losing my important files.
 

Wave

I have a few documents that are very, very important.
I was thinking to keep those documents in a separate partition. Then I will hide that partition using a partition manager. Whenever I need it, I will unhide the partition.
Malware will not be able to see it, so it won't be able to steal or modify it.
I think this will greatly reduce the risk of losing my important files.
Yes, that should work well.. against at least most ransomware. Another idea to strengthen your idea is to change the extensions of the really important documents to something random like *.viktik and remember the original extension to revert back to when you need it :)

You can also change folder permissions to reduce the risk of unauthorised access to specific folders containing documents. Or use a folder locking tool and so on. Maybe even putting a custom folder in System32 and using a mix of hiding that folder/changing its access permissions would work well! :D
 

Tani

If the ransomware encrypts the entire disk - even System32 and SysWOW64 - then you have a non-bootable, "black screen" system = not very effective for the malc0der in extracting $ from the system owner. If the malc0der is just plain mean, then such encryption would be one of the most malicious -- but why do that? They can just wipe your entire drive -- which is a lot easier to code. A comparatively simple script can wipe a drive...
That wiped hard drive can easily be recovered almost without losing anything.
 

hjlbx

That wiped hard drive can easily be recovered almost without losing anything.

Deleted files can be recovered, but a digitally sanitized/wiped drive where all data is over-written with 0s and 1s cannot be recovered - at least not easily - and what can be recovered is almost certainly worthless to the typical user.

Also, on SSDs deleted files are unrecoverable once the TRIM command is sent.

There are online research papers that discuss all this...
 

Tani

Deleted files can be recovered, but a digitally sanitized/wiped drive where all data is over-written with 0s and 1s cannot be recovered - at least not easily - and what can be recovered is almost certainly worthless to the typical user.

Also, on SSDs deleted files are unrecoverable once the TRIM command is sent.

There are online research papers that discuss all this...
Thanks, I would love to know more from a research paper; would you please refer me to a specific link for that?
 

hjlbx

Thanks, I would love to know more from a research paper; would you please refer me to a specific link for that?

Just do Google search "Wipe Drive PDF." Also, "Recover files on SSD PDF." It will bring up a bunch of research reports over multiple search result pages.
 

LabZero

If you mean encrypting the HD completely, byte-by-byte, my answer is 'no'.

Usually, ransomware uses RSA, which is based on the high computational complexity of factorization into prime numbers; breaking a number down into its divisors is very, very slow and requires a significant commitment in terms of hardware resources, and if we consider the thousands of files on an HD, it would be an impossible task.
Mainly, the reason is that to encrypt a file, the ransomware must get permission to access and manipulate it and, of course, many system files and others are blocked.

There are undocumented functions that take advantage of the API: ZwQuerySystemInformation to get all the open handles and ZwQueryInformationFile to obtain the name of the file according to the handle. Then, by checking whether the name of the file corresponds to the monitored file, the ransomware algorithm has found the handle to the file and the ID of the process that holds it open.
But this would be an experimental, very complex process.

Petya inserts itself into the MBR and edits the boot loader present in it, replacing it with its own, and afterwards the MFT, blocking access to the files because all the information relating to the file name, the folder, permissions, modification dates, sizes and their location on the disk (the list of blocks or clusters that contain the files) is encrypted.
It doesn't encrypt the whole HD.
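Because Petya's trick is to replace the MBR boot code rather than encrypt files, a defender can baseline the first sector of a disk and re-check it. Below is an added example (not code from this thread or from any tool mentioned in it) that parses a 512-byte MBR, hashes the bootstrap code, and compares it and the partition table against a recorded baseline; the MBR bytes and the baseline values are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # x86 boot code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap hash, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str, baseline_partitions: list) -> list:
    """Compare an MBR against a recorded baseline; an empty list means nothing changed."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline (possible MBR-level ransomware)")
    seen = [(p["type"], p["lba_start"], p["sectors"]) for p in info["partitions"]]
    if seen != baseline_partitions:
        findings.append("partition table differs from baseline")
    return findings


# Constructed sample data, not taken from any real disk. On Windows the live sector
# would be read with open(r"\\.\PhysicalDrive0", "rb").read(512), which needs admin rights.
GOOD_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTSTRAP_SIZE, b"\x00")
PART_TABLE = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
GOOD_MBR = GOOD_BOOTSTRAP + PART_TABLE + BOOT_SIGNATURE
BASELINE_SHA256 = hashlib.sha256(GOOD_BOOTSTRAP).hexdigest()  # record while the disk is known-good
BASELINE_PARTITIONS = [(0x07, 2048, 204800), (0, 0, 0), (0, 0, 0), (0, 0, 0)]

# Simulated Petya-style tampering: boot code replaced, partition table and signature
# left intact so the machine still boots, but into the attacker's loader.
TAMPERED_MBR = b"\xeb\xfe".ljust(BOOTSTRAP_SIZE, b"\x90") + PART_TABLE + BOOT_SIGNATURE

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, BASELINE_SHA256, BASELINE_PARTITIONS) or "clean")
    print(check_mbr(TAMPERED_MBR, BASELINE_SHA256, BASELINE_PARTITIONS))
```

The bootstrap hash alone is the useful signal here, since a boot-sector infection that wants the machine to keep booting must leave the partition table and signature intact.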
 

hjlbx

Technically and practically it makes no sense to encrypt an entire drive -- meaning every single file on a system.

The same thing applies to maliciously sanitizing the entire drive.
 

Wave

Deleted files can be recovered, but a digitally sanitized/wiped drive where all data is over-written with 0s and 1s cannot be recovered - at least not easily - and what can be recovered is almost certainly worthless to the typical user.

Also, on SSDs deleted files are unrecoverable once the TRIM command is sent.

There are online research papers that discuss all this...
Nice mention! :)
Two common methods would be the Gutmann method (35 passes, but that is an "extreme killer"; you can do far fewer and still be secure..) and the DoD method. Gutmann is about overwriting with 0s and 1s (and then removing..), whereas the DoD method is about overwriting bytes with the same byte... So changing every byte in the file to the same new byte, repeating a few times and then removing. :cool:

Usually, the ransomware uses RSA
Unluckily for us, RSA encryption is not breakable as of now.. without knowing that key there's no decrypting that file :eek:. Although sometimes we are lucky, as some malware devs don't know a lot and make mistakes when working with things like the CryptoAPI, which leaves a hole to be abused by us ourselves to get some revenge by recovering the file without needing the key from them directly.. ha to their faces! :D

There are undocumented functions that take advantage of the API: ZwQuerySystemInformation to get all the open handles and ZwQueryInformationFile to obtain the name of the file according to the handle.
Glad someone mentioned the NTAPI, as now I can magically make an addition to the file removal stuff above.. There's another API: ZwDeleteFile. This API can be used to remove a file even whilst it's being used by another process. Just a lower-level way of doing the normal removal.. Magic! Poof! - "Mum, get the camera! Where'd the file go off my documents? My program had it open! Quick, call the BBC news to come report this. Someone just broke the Windows laws:rolleyes::eek:"..lol :D

Petya inserts itself into the MBR and edits the boot loader present in it, replacing it with its own, and after it the MFT, blocking access to the files because all the information relating to the file name, the folder, permissions, modification dates, sizes and their location on the disk (the list of blocks or clusters that contain the files) is encrypted.
Well said:cool: Yeah, it doesn't encrypt the actual files. I think this is what confused a lot of people who heard of Petya. It just does things like scramble the Master File Table (for the system drive) to prevent you from being able to boot into the Windows OS. Luckily, people affected by Petya can use the freely available decryption tools to generate their keys! :)

Ransomware in general?
Just keep regular clean backups safely stored off your main system for recovery in case you get affected by ransomware.. even if you suspect you won't be a victim... If you can't do this even with free backup/recovery software, then you can at least make a new drive, place some important documents in it and then hide the drive!;)

Also keep software updated to patch the latest vulnerabilities, disable macros, and browse wisely (this applies when using e-mail and other messaging networks, etc.)... :) and you'll stay closer to the waves which try to protect you from the bad guys!!:D
 

LabZero

Unluckily for us, RSA encryption is not breakable as of now.. without knowing that key there's no decrypting that file :eek:. Although sometimes we are lucky, as some malware devs don't know a lot and make mistakes when working with things like the CryptoAPI, which leaves a hole to be abused by us ourselves to get some revenge by recovering the file without needing the key from them directly.. ha to their faces! :D
It seems that some new versions of Cryptolocker, while changing the mode of encryption and therefore making the possible extraction of the keystream much more difficult, seem to be vulnerable to a cryptanalysis attack;)
 

Wave

It seems that some new versions of Cryptolocker, while changing the mode of encryption and therefore making the possible extraction of the keystream much more difficult, seem to be vulnerable to a cryptanalysis attack;)
Hahaha! It's great when we catch them out and ruin their day when they find out they messed up and someone found their mistake and used it to make a decryption tool! And it makes the victim's day better to know they were saved by a hero :) ;)

edit: not so great at the same time, as then they can patch the problem and release an update, but you know what I mean.. it's funny if there is a secret decryptor on forums people are using and the devs never knew.. Like what Fabian from Emsisoft tried to do once... until Norton snaked it out for money on their blog! :( :mad:
 
