Encrypting ransomware prevention using randomized file extensions??



#1 Cranetic (Members, 1 post)

Posted 27 September 2015 - 09:23 PM

Just a quick question for curiosity's sake. Some encrypting ransomware variants focus on files with well-known extensions (e.g. xlsx, doc, txt, png, vhd). What would be the chances of using some encryption method (pick one) and using it to change all the extensions within a backup to prevent encryption? If the file type is not on the list of items to encrypt it should (theoretically) be ignored.





#2 adamforum (Members, 27 posts)

Posted 28 September 2015 - 12:02 AM


It's very much a cat and mouse game. The ransomware wants to find and encrypt your "valuable" (irreplaceable, victim-generated content) files as quickly as possible. Today, the file extension filter will work "good enough" against most victims. If you change the file extensions on your valuable file(s) to unknown extensions, you'll likely "fly under the radar" until the ransomware is updated to check for file signatures. Checking for file signatures will slow the ransomware down considerably (opening files is expensive). If you encrypt your valuable files and change the extensions, the ransomware will not be able to discern any file signature and hence will have no idea what type of file it is.

Another version of the ransomware may opt to encrypt ALL unknown files (super inefficient and slow for the ransomware), not to mention an increased risk of breaking Windows so victims cannot even start their computer to see they have a ransom note/payment instructions. Of course, those challenges are not insurmountable, but the criminals want to steal the easiest way possible.

 

Bottom line, you'll probably find it best to maintain a tight leash on who/what has write access to your backup media and you may want to keep the backup physically detached/secured from the network when not in use.

 

AF


Edited by adamforum, 28 September 2015 - 12:04 AM.
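The two target-selection strategies adamforum contrasts above (pick by extension without opening the file, or open each file and check its leading bytes) can be modelled in a few lines. The Python below is an added example written for this thread, not code from either poster or from any ransomware sample; the extension list, the magic-number table and the sample files are all constructed for illustration, and nothing is encrypted, the "encrypted" sample is just a deterministic byte string with no recognisable header.

```python
import tempfile
from pathlib import Path

# Extensions an extension-driven target filter looks for. Constructed for
# this example; not taken from any real sample.
TARGET_EXTENSIONS = {".xlsx", ".docx", ".doc", ".txt", ".png", ".vhd"}

# Leading bytes ("magic numbers") of a few common formats. Plain text has no
# signature, so a signature-based filter cannot positively identify it.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip container (docx/xlsx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls)",
    b"%PDF": "pdf",
}


def select_by_extension(paths):
    """Cheap filter: decide from the file name alone, never opening the file."""
    return sorted(p.name for p in paths if p.suffix.lower() in TARGET_EXTENSIONS)


def sniff(path):
    """Return the format matched by the file's first bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def select_by_signature(paths):
    """Content filter: must open every file, but ignores the extension entirely."""
    return sorted(p.name for p in paths if sniff(p) is not None)


# Constructed sample contents: minimal headers only, no real documents involved.
DOCX_HEAD = b"PK\x03\x04" + b"\x00" * 60
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 60
TEXT = b"meeting notes\n"
# Stand-in for a file that was encrypted before being stored: no recognisable
# header. Deterministic bytes so the demo is repeatable.
OPAQUE = bytes(range(7, 71))

SAMPLES = {
    "report.docx": DOCX_HEAD,
    "photo.png": PNG_HEAD,
    "notes.txt": TEXT,
    # the same content with randomized extensions, as the question proposes
    "report.q7z1": DOCX_HEAD,
    "photo.m4kd": PNG_HEAD,
    "notes.x91p": TEXT,
    # encrypted first, then renamed: neither name nor content gives it away
    "archive.e3f0": OPAQUE,
}


def run_comparison():
    """Write the samples to a temp dir and return what each filter would pick."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, content in SAMPLES.items():
            (root / name).write_bytes(content)
        paths = list(root.iterdir())
        return {
            "by_extension": select_by_extension(paths),
            "by_signature": select_by_signature(paths),
        }


if __name__ == "__main__":
    for method, hits in run_comparison().items():
        print(f"{method:13s}: {hits}")
```

Running it shows the three outcomes the reply describes: the extension filter picks only the three files with well-known extensions and never touches the renamed copies; the signature filter picks the renamed .docx and .png copies as well (at the cost of a read on every file in the tree), but loses the renamed text file, which has no header to match; and the sample that was encrypted before being renamed is invisible to both filters. The remaining option the reply mentions, treating every unrecognised file as a target, would sweep up the last two along with everything else on the disk.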

