harlan4096

Moderator
Staff member
Malware Hunter
Verified
That final system status is something I've gotten in some of my last malware tests with Panda Dome Free + NVT SysHardener (Suggested Tweaks): many system files/applications were encrypted/affected, but User Space Documents remained untouched...

JM Safe

From Zemana
Verified
I sometimes wonder if encryption depends on the state of the file.
Most system files would be busy, and therefore I think the risk is low :);)
Theoretically, if encryption is done while a file is in use there would be an error. However, keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies whether the files are in use or not. If not, then it encrypts them; otherwise it waits for the right moment to encrypt system files.

HeiDef

From HeiDef
Developer
Verified
At 5.55 in the video RO recommends a reboot and it would actually have been interesting to see if that would have solved the issues seen in the end.
RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them, which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.

Theoretically, if encryption is done while a file is in use there would be an error. However, keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies whether the files are in use or not. If not, then it encrypts them; otherwise it waits for the right moment to encrypt system files.
For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named the exact same thing, but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching it probably won't have any impact on new processes that also use that file (they will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place or none at all, then that will cause all sorts of problems. So there are still plenty of ways to cause havoc without actually having to encrypt.
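The "in use" behaviour described in the post above (the image of a running program cannot be overwritten in place, yet it can be renamed and a different file dropped under the old name without the running process noticing) can be observed directly. The script below is an added demonstration written for this thread, not code from the video, from RansomOff, or from any poster. It runs on Linux, where the kernel refuses to open an executing image for writing with ETXTBSY; the thread discusses Windows, whose file locking gives the equivalent outcome, so treat the Linux run as an analogy. The copied `sleep` binary, the temporary directory and the replacement file contents are all constructed for the demo.

```python
"""Show what "file in use" means for a running executable (Linux demo, added example)."""
import errno
import os
import shutil
import stat
import subprocess
import tempfile


def start_busy_executable(workdir):
    """Copy the system 'sleep' binary into workdir and start it, so the copy is an executing image."""
    source = shutil.which("sleep")
    if source is None:
        raise RuntimeError("no 'sleep' binary found to copy")
    exe = os.path.join(workdir, "busy_exe")
    shutil.copy(source, exe)
    os.chmod(exe, stat.S_IRWXU)
    # Popen only returns after exec() succeeded, so the file is in use from here on.
    proc = subprocess.Popen([exe, "30"])
    return exe, proc


def try_overwrite_in_place(path):
    """Attempt to open the executing image for writing; return the errno, or None on success."""
    try:
        with open(path, "r+b") as handle:
            handle.write(b"X")
        return None
    except OSError as exc:
        return exc.errno


def rename_and_replace(path):
    """Rename the executing image aside and create a new, unrelated file under the old name."""
    aside = path + ".aside"
    os.rename(path, aside)  # allowed: the directory entry changes, the open image does not
    with open(path, "wb") as handle:
        handle.write(b"not the original program\n")  # constructed replacement content
    return os.path.exists(aside), os.path.getsize(path)


def demo():
    """Run the three observations and return them as a dict for inspection or testing."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        exe, proc = start_busy_executable(workdir)
        try:
            code = try_overwrite_in_place(exe)
            results["overwrite_errno"] = code
            results["overwrite_blocked"] = code == errno.ETXTBSY
            results["renamed_ok"], results["replacement_size"] = rename_and_replace(exe)
            # The process keeps running from the (now renamed) original image.
            results["process_still_running"] = proc.poll() is None
        finally:
            proc.kill()
            proc.wait()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three results are the whole point of the post: overwriting fails while the program runs, renaming succeeds, and the process is unaffected until the next start, when whatever now sits under the original name gets executed instead. A defender watching for this pattern looks at rename and create events in system directories, not only at write failures.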

upnorth

Level 28
Content Creator
Trusted
Verified
That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them, which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.
Good to hear and thanks for the explanation. Also, using a restricted account normally covers that sort of damage.
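The registry damage discussed above (shortcut handling changed so every .lnk turns blank) is easy to spot if you keep a known-good snapshot and diff against it after an incident. The script below is an added example for this thread, not RansomOff's restore logic or anything from a poster. It assumes the standard ProgID for shortcut files, `lnkfile`, and reads it from both `HKLM\SOFTWARE\Classes` and `HKCU\SOFTWARE\Classes`, since `HKEY_CLASSES_ROOT` is a merged view of the two and a per-user override in HKCU needs no administrator rights. The sample snapshots at the bottom are constructed placeholders so the diff logic can run anywhere; the live snapshot function only works on Windows.

```python
"""Baseline-and-diff audit of the registry keys that define .lnk handling (added example)."""
import json
import sys

# "lnkfile" is the ProgID for shortcut files; HKCR merges these two locations.
LNKFILE_PATHS = (
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\lnkfile"),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Classes\lnkfile"),
)


def snapshot_registry_tree(hive_name, subkey):
    """Collect every value below hive\\subkey as {key_path: {value_name: data}}. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live registry snapshots need Windows")
    import winreg
    hive = getattr(winreg, hive_name)
    tree = {}

    def walk(path):
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            return  # key absent in this hive, which is normal for HKCU
        with key:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name or "(Default)"] = str(data)
                index += 1
            tree[hive_name + "\\" + path] = values
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(key, index)
                except OSError:
                    break
                walk(path + "\\" + child)
                index += 1

    walk(subkey)
    return tree


def snapshot_lnkfile():
    """Snapshot the shortcut ProgID from both hives that feed HKCR."""
    snapshot = {}
    for hive_name, subkey in LNKFILE_PATHS:
        snapshot.update(snapshot_registry_tree(hive_name, subkey))
    return snapshot


def diff_snapshots(baseline, current):
    """Return (kind, key, value_name, old, new) tuples for every difference, keys in sorted order."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old_values, new_values = baseline.get(key), current.get(key)
        if old_values is None:
            changes.append(("key_added", key, None, None, None))
            continue
        if new_values is None:
            changes.append(("key_removed", key, None, None, None))
            continue
        for name in sorted(set(old_values) | set(new_values)):
            old, new = old_values.get(name), new_values.get(name)
            if old == new:
                continue
            kind = "value_added" if old is None else "value_removed" if new is None else "value_changed"
            changes.append((kind, key, name, old, new))
    return changes


# Constructed sample snapshots: a clean baseline and a capture taken after an incident.
SAMPLE_BASELINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile": {"(Default)": "Shortcut", "IsShortcut": ""},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler": {"(Default)": "{CLSID-FROM-BASELINE}"},
}
SAMPLE_CURRENT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile": {"(Default)": "Shortcut"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler": {"(Default)": "{CLSID-AFTER-INCIDENT}"},
    r"HKEY_CURRENT_USER\SOFTWARE\Classes\lnkfile\shell\open\command": {"(Default)": "EXAMPLE-UNEXPECTED-COMMAND"},
}

if __name__ == "__main__":
    # Usage: "audit.py save baseline.json" on a clean machine, "audit.py check baseline.json" later.
    if len(sys.argv) == 3 and sys.argv[1] == "save":
        json.dump(snapshot_lnkfile(), open(sys.argv[2], "w"), indent=2)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        changes = diff_snapshots(json.load(open(sys.argv[2])), snapshot_lnkfile())
    else:
        changes = diff_snapshots(SAMPLE_BASELINE, SAMPLE_CURRENT)
    for change in changes:
        print(change)
```

On the constructed samples the diff reports a removed `IsShortcut` value, a changed icon handler and a new per-user `shell\open\command` key; the last one is exactly the case a restricted account does not prevent, because HKCU is writable by the user whose session the malware runs in. Extending `LNKFILE_PATHS` to other ProgIDs (`exefile`, `txtfile`, and so on) covers the "variety of file types" mentioned in the thread.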

JM Safe

From Zemana
Verified
RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them, which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.

For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named the exact same thing, but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching it probably won't have any impact on new processes that also use that file (they will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place or none at all, then that will cause all sorts of problems. So there are still plenty of ways to cause havoc without actually having to encrypt.
Yes, in general when system files are touched there are problems and an unstable OS. However, thanks for your input about encryption of system files by ransomware.
