
Is there any ransomware which encrypts files on unmapped drive


3 replies to this topic

#1 DukeBob


Posted 18 March 2016 - 01:07 PM

As the title says. I was hit by ransomware 3 months ago (TeslaCrypt). Fortunately, it hit my gaming computer, so there was no actual damage. But there is something I would like to know, and I hope some expert from the community can provide me with the information. All ransomware I have seen described on the site encrypts files on mapped drives. If one removes the letter of a partition or HDD (let's say from the Disk Management panel), is there any ransomware which can get access to the respective drives and encrypt their content?

I've recently seen news about a ransomware called Locky which encrypts the data on unmapped network shares (I'm not sure what that means, as I don't use shared networks, so I don't know what "unmapped network shares" are supposed to be).

As I asked before, can any ransomware do that on unmapped drives?

 

I would appreciate it very much if someone could tell me if such a thing is possible as the information would be helpful to me.





#2 Demonslay335


Posted 18 March 2016 - 01:12 PM

Yes. Many of the newest ransomwares do this. By hitting "unmapped shares", this is exactly the scenario you are describing, where you simply remove the drive letter. As long as it is shared from the server/source, and a user has permissions to it (even if you have to manually do "\\Computer\Share" to access it), a ransomware can get it by using the Windows API to ping the network for any available shares over the SMB protocol.

I'm unclear on hidden shares though ("\\Computer\$Share").

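The reply above makes the defender's point that a share is reachable by UNC path as long as it is exported and the user has permission, whether or not a client has mapped it to a letter. The following is an added example, not code from the thread or from any tool mentioned in it: run on a Windows file server (SmbShare module, Windows Server 2012 / Windows 8 or later), it lists each file share, whether it is a hidden `$` share, and which broad groups hold write-capable rights on it. The group names matched are an assumption you should adjust to your own environment.

```powershell
# Added example: audit the SMB shares this host exports and flag those that
# broad principals can write to. Such shares are encryptable by any malware
# running as a member of those groups, mapped drive letter or not.
# The list of "broad" principals below is an assumption; tune it for your domain.
$broadPrincipals = 'Everyone|Authenticated Users|Domain Users|Users$'

# Only directory shares matter here; skip IPC$, printers and devices.
$shares = Get-SmbShare | Where-Object { $_.ShareType -eq 'FileSystemDirectory' }

$report = foreach ($share in $shares) {
    # Get-SmbShareAccess returns one entry per ACE on the share-level ACL.
    $aces = Get-SmbShareAccess -Name $share.Name

    $wideWrite = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change') -and
        $_.AccountName -match $broadPrincipals
    }

    [pscustomobject]@{
        Share         = $share.Name
        Path          = $share.Path
        HiddenShare   = $share.Name.EndsWith('$')   # "\\Computer\Share$" style
        WideWriteBy   = ($wideWrite | ForEach-Object AccountName) -join ', '
    }
}

# Shares with an empty WideWriteBy column are only writable by explicitly
# named principals; the rest deserve a closer look.
$report | Sort-Object -Property WideWriteBy -Descending | Format-Table -AutoSize
```

Share-level permissions are only half the picture: the NTFS ACL on `Path` also has to grant write access before a file can be overwritten, so a second pass with `Get-Acl` on each path is worthwhile.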


#3 Demonslay335


Posted 18 March 2016 - 01:14 PM

After re-reading your question, are you meaning to make a defence by manually removing the drive letter (e.g. C and D drive) from Disk Management, then manually adding drive letters when you want to access data? That might theoretically work, but would break any legitimate software (kill C and Windows might not boot even), and it would be a usability nightmare. Might as well do full drive encryption or something if you were already going to that extreme.



#4 DukeBob


Posted 18 March 2016 - 01:56 PM

After re-reading your question, are you meaning to make a defence by manually removing the drive letter (e.g. C and D drive) from Disk Management, then manually adding drive letters when you want to access data? That might theoretically work, but would break any legitimate software (kill C and Windows might not boot even), and it would be a usability nightmare. Might as well do full drive encryption or something if you were already going to that extreme.

Yes. Your first reply was not what I asked about. I merely mentioned that I saw that Locky encrypts "unmapped network shares". As I don't use networks, I don't really know what that means, but the word "unmapped" gave me the idea to ask about what happens with unmapped partitions.

 

 

 are you meaning to make a defence by manually removing the drive letter (e.g. C and D drive) from Disk Management, then manually adding drive letters when you want to access data?

 

Well, regardless of what I do, first and foremost I want to familiarize myself with all aspects of what a ransomware can and cannot do, because, as I've realized myself, user ignorance is actually the biggest threat to one's computer. I think you would agree.

 

And the answer to your question is yes. What I mean is manually removing the drive letter of a partition from Disk Management (or from any other partition management software). I wanted to know what happens in that case and whether a ransomware can still do its thing on the data from that respective partition.

As for the rest of your reply, yes, I know that removing the letter of a partition would make any software stored on that partition inoperable and, therefore, it is impractical for partitions one uses on a regular basis.

But (if it truly shuts down ransomware's access to that partition) it is a viable solution in case one uses that partition for archiving purposes only, for files which he no longer needs on a regular basis. For instance, if one has a 500 GB HDD (or whatever) and he needs to archive 50 GB of data (let's say a digital library of documents or whatever). In that case, one can create a 100 GB partition, copy the 50 GB of data to that partition and then remove its letter. If there is no other software on that partition and the respective person needs to access that archive only once per month, and therefore has to manually add the letter again only that seldom, then there isn't any inconvenience.


Edited by DukeBob, 18 March 2016 - 01:58 PM.
