App Review RansomOff vs Ransomware


harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,911
That final system status is something I've gotten in some of my last malware tests with Panda Dome Free + NVT SysHardener (Suggested Tweaks): many system files/applications were encrypted/affected, but User Space Documents remained untouched...
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
I sometimes wonder if encryption depends on the state of the file.
Most system files would be busy, and therefore I think the risk is low :);)
Theoretically, if encryption is done while a file is in use there would be an error. However, keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies whether the files are in use or not. If not, then it encrypts them; otherwise it waits for the right moment to encrypt the system files.
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
At 5:55 in the video RO recommends a reboot, and it would actually have been interesting to see if that would have solved the issues seen in the end.

RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.

Theoretically, if encryption is done while a file is in use there would be an error. However, keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies whether the files are in use or not. If not, then it encrypts them; otherwise it waits for the right moment to encrypt the system files.

For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named exactly the same thing, but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching it probably won't have any impact on new processes that also use that file (they will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place, or none at all, then that will cause all sorts of problems. So there are still plenty of ways to cause havoc without actually having to encrypt.
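A defender-side check for the registry damage described above (file-type defaults tampered with so shortcuts turned blank), as an added example that is neither RansomOff's code nor from the thread. The baseline values are the stock Windows defaults for .lnk and .exe handling; both hives are audited because HKCR is a merged view in which a per-user entry under HKCU\Software\Classes shadows the machine-wide one under HKLM.

```powershell
# Added example, not part of RansomOff or this thread: read-only audit of the
# file-association registry values that shortcut/executable handling relies on.
# Expected values are the stock Windows defaults; extend the table for your own
# baseline. Nothing is modified here; drift is reported for a human to act on.

$Baseline = @(
    @{ Key = 'SOFTWARE\Classes\.lnk';                       Name = '(default)';  Expected = 'lnkfile' }
    @{ Key = 'SOFTWARE\Classes\lnkfile';                    Name = 'IsShortcut'; Expected = '' }
    @{ Key = 'SOFTWARE\Classes\.exe';                       Name = '(default)';  Expected = 'exefile' }
    @{ Key = 'SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)';  Expected = '"%1" %*' }
)

function Test-FileAssociationBaseline {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($entry in $Baseline) {
            $path   = "${hive}:\$($entry.Key)"
            $item   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $actual = if ($null -ne $item) { $item.($entry.Name) } else { $null }

            # HKLM must match the baseline exactly (a missing key or value is drift).
            # HKCU should normally have no entry at all: anything there overrides
            # the machine default, which is how a per-user hijack of .lnk/.exe works.
            $status = switch ($hive) {
                'HKLM' { if ($actual -eq $entry.Expected) { 'OK' } else { 'DRIFT' } }
                'HKCU' { if ($null -eq $actual)           { 'OK' } else { 'USER-OVERRIDE' } }
            }
            [pscustomobject]@{
                Hive     = $hive
                Key      = $entry.Key
                Name     = $entry.Name
                Expected = $entry.Expected
                Actual   = $actual
                Status   = $status
            }
        }
    }
}

# Show only entries that deviate from the baseline.
Test-FileAssociationBaseline | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it from an elevated prompt after an incident (or on a schedule) and compare against a clean machine; a USER-OVERRIDE hit under a standard user account is exactly the kind of damage a restricted account still cannot prevent, since the user can write to their own HKCU hive.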
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.
Good to hear, and thanks for the explanation. Also, using a restricted account normally covers that sort of damage.
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.



For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named exactly the same thing, but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching it probably won't have any impact on new processes that also use that file (they will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place, or none at all, then that will cause all sorts of problems. So there are still plenty of ways to cause havoc without actually having to encrypt.
Yes, in general when system files are touched there are problems and an unstable OS. However, thanks for your input about encryption of system files by ransomware.
 
