WannaCry vs Deep Freeze.

WinXPert

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
Here are my observations while testing some ransomware, specifically WannaCry2, running inside Deep Freeze 7.51.020.4170

  • First. I have two partitions C: and E: with Windows (7 Starter 32 bit) at drive C:
  • Both drives are frozen
  • WannaCry bleeds in Deep Freeze after switching to Thaw Mode and rebooting
  • Drive E: is infected while C: is not
This thing happens when you change Deep Freeze's Status and reboot right away.

How to avoid/prevent bleeding?
  • While still in Frozen Status, turn off your PC using the power switch. Don't change status and restart while WannaCry is active or has infected your files.
  • Boot your PC again, you'll still be in Frozen Status. Observe if there are leftover encrypted files. If none, change to Thaw Mode and reboot. Your files are safe.
Always stay safe while testing :)
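The second step above ("observe if there are leftover encrypted files" before switching to Thaw Mode) is the one that decides whether anything bleeds through. The following is an added example, not code from the thread or from Deep Freeze: a small Python check that walks a data drive and flags files modified after a marker time that are either high-entropy (encrypted data reads as near-random bytes) or carry a suffix you pass in. The `.LOCKED` suffix and the temporary files are constructed for the demo; a real run would point `find_suspect_files` at the frozen drive (E: in the post) with the time the test run began.

```python
import math
import os
import tempfile
import time
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is read

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_suspect_files(root, since_epoch, suspect_suffixes=(), threshold=ENTROPY_THRESHOLD):
    """Return (relative path, entropy) for files under root that look like leftover
    encrypted files: modified after since_epoch AND (high entropy OR a listed suffix).
    Plain text and most documents score well below the threshold; already-compressed
    formats (zip, jpg, mp4) also score high and need a manual look."""
    root = Path(root)
    wanted = {s.lower() for s in suspect_suffixes}
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.stat().st_mtime < since_epoch:
            continue                       # untouched since the marker time
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(SAMPLE_BYTES))
        if ent >= threshold or path.suffix.lower() in wanted:
            hits.append((str(path.relative_to(root)), round(ent, 2)))
    return hits

def demo():
    """Constructed sample: one text document and one random-byte blob with a made-up suffix."""
    base = Path(tempfile.mkdtemp(prefix="thawcheck_"))
    marker = time.time() - 1               # stands in for "when the test run started"
    (base / "notes.txt").write_text("quarterly report draft\n" * 200)
    (base / "notes.txt.LOCKED").write_bytes(os.urandom(32768))  # hypothetical suffix
    return find_suspect_files(base, marker, suspect_suffixes=(".LOCKED",))

if __name__ == "__main__":
    for rel, ent in demo():
        print(f"suspect: {rel} (entropy {ent})")
```

An empty result after the power-switch reboot is the "none left over" condition the post describes; any hit means the frozen state did not hold and Thaw Mode should not be entered yet.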
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
Could be for any number of reasons. Deep Freeze works within the OS, so like WSR it's vulnerable to attacks. There's also the whole update debacle of the program being disabled while updating. Did you update anything while Deep Freeze was installed?

Either way, I'm not surprised the program acts this way. I have clients who used to use Deep Freeze, then they had corruptions of the frozen state. Many of them went over to Deep Freeze/Reboot Restore Rx Pro, others just re-image the machines, some use Shadow Defender, etc.

Deep Freeze ain't what it used to be that's for sure lol
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
After that little incident Deep Freeze did on my PC, I'm glad I switched to Shadow Defender, no issues so far. Could you maybe try whether this happens with other rollback software like SD or Rollback's product?

I guess that can be a typical issue for Deep Freeze, so far Rollback is a good alternative and no issues upon the virtualization process.

Still the best way is to have system image on hand.
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Here are my observations while testing some ransomware, specifically WannaCry2, running inside Deep Freeze 7.51.020.4170

  • First. I have two partitions C: and E: with Windows (7 Starter 32 bit) at drive C:
  • Both drives are frozen
  • WannaCry bleeds in Deep Freeze after switching to Thaw Mode and rebooting
  • Drive E: is infected while C: is not
This thing happens when you change Deep Freeze's Status and reboot right away.

How to avoid/prevent bleeding?
  • While still in Frozen Status, turn off your PC using the power switch. Don't change status and restart while WannaCry is active or has infected your files.
  • Boot your PC again, you'll still be in Frozen Status. Observe if there are leftover encrypted files. If none, change to Thaw Mode and reboot. Your files are safe.
Always stay safe while testing :)
Question, at work we have 2 public computers with Deep Freeze installed. If someone were to download this bad malware and run it, will the machine still be OK after we restart it?

So it's like: machine infected -> go to Start and click Restart -> wait for the computer to reboot.

Will the bleed happen in this manner?
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
I guess that can be a typical issue for Deep Freeze, so far Rollback is a good alternative and no issues upon the virtualization process.

Still the best way is to have system image on hand.

Agreed. Rollback added a cool new feature in a recent build: you can disable the Subconsole (although the program calls it 'Disable Protection') and you can run a disk imager while it's disabled. Works really well, only downside is that it wipes your snapshots, but still better than having to un/reinstall.

Don't have to do this if you're running a full backup with Drive Cloner Rx.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Agreed. Rollback added a cool new feature in a recent build: you can disable the Subconsole (although the program calls it 'Disable Protection') and you can run a disk imager while it's disabled. Works really well, only downside is that it wipes your snapshots, but still better than having to un/reinstall.
When you say, "you can run disk imager while it's disabled", do you mean that you can do a system image restore?
Is this feature also in the free version?
 

Deleted member 178

Agreed. Rollback added a cool new feature in a recent build: you can disable the Subconsole (although the program calls it 'Disable Protection') and you can run a disk imager while it's disabled. Works really well, only downside is that it wipes your snapshots, but still better than having to un/reinstall.
Oh, didn't notice that, very nice. Did you try it?
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
When you say, "you can run disk imager while it's disabled", do you mean that you can do a system image restore?
Is this feature also in the free version?

From what I can gather, it's primarily for running a disk imager to capture an image. For as good as Rollback is, it's always played poorly with 3rd party disk imagers, so this seems like the devs' response to it. I use the Pro Edition so I'm not sure if it's in the free version, but I'm going to guess not.

If you don't have the Pro, I think every year they do a Memorial Day sale, so you might be able to nab a license then for a bit cheaper than normal.

Oh, didn't notice that, very nice. Did you try it?

I did! I use Drive Cloner with Rollback so I wouldn't have to use it normally, but I also have a license for Acronis True Image, and I tested the feature with both it and Macrium Reflect. Both worked fine.

Only thing is, it deletes your snapshots when you disable the protection. I think this is why I'll continue to use Drive Cloner, but still if you don't have the option to do so it's nice to know you don't have to uninstall/reinstall. Also, I have to wonder how many times you would need to disable it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
For as good as Rollback is, it's always played poorly with 3rd party disk imagers
I have used Macrium Reflect with Rollback, and I never had a problem making a system image. Of course, when you restore the image, it trashes Rollback.
I think this is why I'll continue to use Drive Cloner
How would you compare it to Macrium Reflect?
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
I have used Macrium Reflect with Rollback, and I never had a problem making a system image. Of course, when you restore the image, it trashes Rollback.

How would you compare it to Macrium Reflect?

Yeah, it trashes Rollback because the disk imager isn't reading the subconsole portion of Rollback. This is why I use Drive Cloner, because obviously the devs know they need to be able to read it to be competitive.

It's pretty on par with Macrium feature-wise. I mean, Macrium is free and this isn't, but it's only like $40 for a license, which is not bad at all. I was using Macrium for a long time before, uninstalling Rollback to take a disk image, so I figure the $40 saves me the hassle of having to do that lol.
 

WinXPert

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
Could be for any number of reasons. Deep Freeze works within the OS, so like WSR it's vulnerable to attacks. There's also the whole update debacle of the program being disabled while updating. Did you update anything while Deep Freeze was installed?

Either way, I'm not surprised the program acts this way. I have clients who used to use Deep Freeze, then they had corruptions of the frozen state. Many of them went over to Deep Freeze/Reboot Restore Rx Pro, others just re-image the machines, some use Shadow Defender, etc.

Deep Freeze ain't what it used to be that's for sure lol

No updates, I just tested WannaCry2 and nothing else.
 
