App Review RansomOff vs Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
That final system status is something I've been gotten in some of my last malware tests with Panda Dome Free + NVT SysHardener (Suggested Tweaks), many systems files/applications were encrypted/affected but User Space Documents remained untouched...
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
I sometimes wonder if encryption depends on the state of the file.
Most of system files would be busy..and therefore i think risk is low:);)
Theorically if encryption is done while a file is in use there would be an error. However keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies if the files are in use or not. If not then it encrypt them, otherwise it waits the right moment to encrypt system files.
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
At 5.55 in the video RO recommends a reboot and would actually been interesting to see if that would have solved the issues seen in the end.

RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.

Theorically if encryption is done while a file is in use there would be an error. However keep in mind that a ransomware which targets system files specifically can use a "polling" method so it verifies if the files are in use or not. If not then it encrypt them, otherwise it waits the right moment to encrypt system files.

For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named the exact same thing but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching probably won't have any impact to new processes that also use that file (it will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place or none at all then that will cause all sort of problems. So still plenty of ways to cause havoc without actually having to encrypt.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.
Good to hear and thanks for the explanation. Also using a restricted account normally cover that sort of damage.
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
RO recommends a reboot if it detects that a system process was injected. The only way to fully clear the infection is to kill the system process (which can be bad itself) or to reboot. It would not have fixed that issue at the end. That piece of ransomware screws with some registry settings to change default file actions for a variety of file types (shortcuts being one of them which is why they all turned blank). The latest RO update adds protection against that kind of damage and will restore some of the modified values.



For executables that are loaded in memory, you can't modify the file on disk. You can rename the file and recreate a new one named the exact same thing but it won't have any impact on the processes that are currently using that file. And for system files especially, due to caching probably won't have any impact to new processes that also use that file (it will just use the cached copy). Now, when the system reboots and the original file was renamed and there is a new file in its place or none at all then that will cause all sort of problems. So still plenty of ways to cause havoc without actually having to encrypt.
Yes, in general when system files are touched there are problems, and an unstable OS. However thanks for your input about encryption of system files by ransomware.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top