sebazzo

New Member
Hi there,

my laptop recently got infected by a ransomware. I was able to recoup everything bar a few recent files, so all good.

The lead-up to my question: I noticed the infection straight away, shut the laptop down and rebooted in safe mode. There I could see that I caught the ransomware red-handed, the data on D: was only partly encrypted yet.

Now, in order to install Malwarebytes, I needed to exit safe mode and boot normally. I knew this would re-enable the ransomware for a few minutes, and perhaps encrypt the entire D: drive. I wasn't bothered by that, because I was gonna need to restore the backup anyway. So that's what I did, and yes, those few minutes were sufficient to corrupt all files on D:.

So my question: In safe mode, is there any way to safely disable an internal drive without having to remove it?

Of course in between shutting down from safe mode and rebooting in normal mode I could have opened the laptop and removed the NVMe physically. But I'd like to know whether or not there is a solution on the software side of things.

Cheers,

Seb

Thinkpad P53, i9 RTX4000, Intel NVMe boot drive, Samsung 970 Evo Plus NVMe storage drive, Windows 10 Pro
 

sepik

Level 7
Hello,
If possible, can you make a bootable USB stick/CD/DVD with, for example, Kaspersky anti-virus?
I have a bootable USB stick with many antiviruses within. It's great for removing rootkits etc.
Regards,
-sepik
 

Cortex

Level 21
Verified
Usually users (almost always) end up with encrypted files without noticing - IMO & the system I use is to store images of C:/ & all data on at least two external drives or cloud backup, I prefer external due to large amount of data - No malware or ransomware can encrypt files on drives not plugged in. I don't back up all drives in the same week either. I appreciate the expense but it does depend on the value you put on your data?
 

plat1098

Level 20
Verified
There are portable SSDs so one doesn't have to open up any cases. Of course it doesn't cost anything if you can safely disable a pre-existing drive. But the convenience and better security due to that convenience might be worth it. This link is for info only. Crucial also makes these and they may be much less expensive than Samsung. It seems there are portable HDDs also, which are cheaper still. Just an idea.....

Link

Edit: I've never tried this so it's more thinking out loud. If you go into Device Manager (in desktop mode, regular mode), expand on Disk drives and look for your storage device, are you able to right-click on that and select "Disable device" from the context menu? Is that more like what you're looking for? Again, not sure about this one. :unsure:
 

redsworn

Level 4
Verified
> Thanks for your replies guys. Allow me to repeat my question:

Let me clarify. So you want the drive to remain disabled/removed even when you boot into normal mode, right?
Someone already mentioned disabling the interface via BIOS. That's your best bet and the most reliable way besides physically removing it.
But I know all too well that most laptop BIOS settings are very limited. And if this is the case you can alternatively try to disable it via Device Manager or Disk Management.
 

plat1098

Level 20
Verified
It would seem the BIOS route is the most direct one as it doesn't involve a compromised Windows. (y) If not, you can probably access Device Manager via Control Panel in Safe Mode also and try to disable the storage drive there.
 

sebazzo

New Member
> I think you should run a scan with some rescue disks. Starting the PC again would risk continuing the ransomware work by continuing to encrypt other data.

Thanks mate, but the ransomware issue is already solved completely. I am asking this for future reference.

> Let me clarify. So you want the drive to remain disabled/removed even when you boot into normal mode, right?
> Someone already mentioned disabling the interface via BIOS. That's your best bet and the most reliable way besides physically removing it.
> But I know all too well that most laptop BIOS settings are very limited. And if this is the case you can alternatively try to disable it via Device Manager or Disk Management.

Yes, that's exactly what I'm looking for. Thanks (y)

> It would seem the BIOS route is the most direct one as it doesn't involve a compromised Windows. (y) If not, you can probably access Device Manager via Control Panel in Safe Mode also and try to disable the storage drive there.

Thanks for this. So the two options will be BIOS and Device Manager.

I guess nobody here has tried this yet? So I'll make sure to have all my backups as fresh as possible, and then give it a try myself and let ya know.
 

sebazzo

New Member
FYI, I think I found a solution:

  • Go to Disk Management (called "Create and format hard disk partitions" in the Windows 10 Startup menu)
  • Scroll down to the part of the window, where it shows the allocation of partitions
  • Right-click the left-most box, the ones which read Disk 0, Disk 1 and so on.
  • Choose 'offline'

See attached screen-shot for reference.

(PS BIOS option was not available and disabling the drive via device manager was not attempted)

View attachment Screenshot 2020-05-22 12.02.50.png
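The same "offline" action from Disk Management can be scripted with the built-in Storage cmdlets from an elevated PowerShell prompt. This is an added example, not part of the original post; the function name `Set-DataDiskOffline` is hypothetical and disk number 1 is an assumption, so check the `Get-Disk` listing on your own machine first.

```powershell
#Requires -RunAsAdministrator
# Added example: take a non-boot data disk offline so Windows does not mount its volumes.
# Assumption: the storage drive is disk 1. Confirm with the listing printed below.

function Set-DataDiskOffline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$Number
    )

    $disk = Get-Disk -Number $Number -ErrorAction Stop

    # Guard: never offline the disk Windows booted from or the one holding the system partition.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $Number ($($disk.FriendlyName)) is the boot/system disk; refusing to offline it."
    }

    if ($disk.IsOffline) {
        Write-Output "Disk $Number ($($disk.FriendlyName)) is already offline."
        return
    }

    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess("Disk $Number ($($disk.FriendlyName))", 'Set offline')) {
        Set-Disk -Number $Number -IsOffline $true
    }

    # Re-read the disk state so the result is confirmed rather than assumed.
    Get-Disk -Number $Number |
        Select-Object Number, FriendlyName, IsOffline, OperationalStatus
}

# Identify the data disk first: compare FriendlyName and size against the drive you expect.
Get-Disk | Select-Object Number, FriendlyName, BusType, Size, IsBoot, IsSystem, IsOffline

# Dry run; remove -WhatIf to actually take the disk offline.
Set-DataDiskOffline -Number 1 -WhatIf

# To bring the disk back after cleanup:
# Set-Disk -Number 1 -IsOffline $false
```

After rebooting into normal mode, run `Get-Disk` again and confirm the data disk still reports `IsOffline` as `True` before doing anything else on the machine.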
 

redsworn

Level 4
Verified
> FYI, I think I found a solution:
>
>   • Go to Disk Management (called "Create and format hard disk partitions" in the Windows 10 Startup menu)
>   • Scroll down to the part of the window, where it shows the allocation of partitions
>   • Right-click the left-most box, the ones which read Disk 0, Disk 1 and so on.
>   • Choose 'offline'
>
> See attached screen-shot for reference.
>
> (PS BIOS option was not available and disabling the drive via device manager was not attempted)
>
> View attachment 240722

Yeah, that's one of the possible ways to do it. Sorry I didn't go into more details in my previous comment. Well done for figuring it out by yourself and even taking the time to share the step-by-step instructions. (y)
 