Can Ransomware Encrypt a Windows Encrypted Folder

3 replies to this topic

#1 towncobbler


  • Members
  • 3 posts
  • Gender:Male
  • Location:Canada
  • Local time:02:56 PM

Posted 18 April 2016 - 11:20 AM

If I create a Windows User account (I'll call the Account 'Bob' for this example) as Administrator, and then login to that Account, could I do the following...

  • Remove 'Bob' from the Administrator's group.
  • Create a folder on an attached drive (example E:\Vault)
  • Change ownership of E:\Vault to Bob's account, and give Bob Full Control
  • Remove all but Bob's account from the Security Permission entries
  • Encrypt the E:\Vault folder using Bob's account.
  • Log off from 'Bob's' account.
  • Log back into my everyday account.
  • Could Ransomware Encrypt Bob's Encrypted folder E:\Vault?


If I log into Bob's account, run my backups to save to E:\Vault, and then log out from Bob's account are the contents in E:\Vault safe from Ransomware?

I'd only use Bob's account when I run my backup script.

Edited by towncobbler, 18 April 2016 - 11:39 AM.



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:56 PM

Posted 18 April 2016 - 05:20 PM

Crypto malware (ransomware) typically will run on non-admin accounts under the same privileges as the infected user and encrypt any files that are accessible to that user. Ransomware needs write-access to files it encrypts so it will not be able to encrypt files owned by another account without write-access while running as a non-admin account.

Crypto malware will encrypt any device and directory it can read/write to. In simplistic terms, encryption essentially converts (scrambles) readable information (plain text) into unreadable information (cipher text) so encrypting your files before an infection will not help...the malware does not care about the contents of the data and will just encrypt them again.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 towncobbler

  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male
  • Location:Canada
  • Local time:02:56 PM

Posted 21 April 2016 - 11:30 AM

Thanks for your answer. What a jumble of bits in an encrypted encrypted file.

#4 SleepyDude


  • Malware Response Team
  • 3,083 posts
  • Gender:Male
  • Location:Portugal
  • Local time:09:56 PM

Posted 21 April 2016 - 12:11 PM

In the configuration you describe only bob can access the encrypted E:\Vault folder, it will be safe *if* the malware is running in your everyday account only and not installed system wide, because if it's system wide when you log on with the bob account the malware will be active and can access the protected folder like the user bob.


If your everyday account is a member of the Administrator group the malware infection can install itself to run for all users, removing the Administrator privileges will not help if the malware is installed by some exploit that gains full access to the system.


Your plan is not bad, but it may not be enough...

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
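
A read-only check for the setup discussed in this thread, as an added example that is not part of any poster's reply: it lists the identities that hold write-capable rights on the vault folder, since write access is what the replies say ransomware needs. The function name `Get-VaultWriteAccess` and the `COMPUTERNAME\Bob` account format are assumptions; `E:\Vault` and `Bob` come from the first post.

```powershell
# Added example (not from the thread): report who can modify a backup folder.
# Get-VaultWriteAccess is a hypothetical helper name.
function Get-VaultWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $AllowedAccount   # e.g. 'MYPC\Bob'
    )

    # Rights that allow changing or deleting content, or rewriting the ACL or
    # owner so that those rights can be granted later.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE and GENERIC_ALL can appear unmapped on inherit-only entries.
    $mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the permissions, so report it as well.
    [pscustomobject]@{
        Identity  = $acl.Owner
        Rights    = 'Owner'
        Inherited = $false
        Expected  = ($acl.Owner -eq $AllowedAccount)
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
            Expected  = ($ace.IdentityReference.Value -eq $AllowedAccount)
        }
    }
}

# Every row printed is an identity other than Bob that can modify the folder.
# This inspects the ACL only; it does not cover malware that already runs with
# administrator or SYSTEM rights, the case raised in post #4.
if (Test-Path -LiteralPath 'E:\Vault') {
    Get-VaultWriteAccess -Path 'E:\Vault' -AllowedAccount "$env:COMPUTERNAME\Bob" |
        Where-Object { -not $_.Expected } |
        Format-Table -AutoSize
}
```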

