Is it possible to stop the ransomware encryption process by restarting the computer?


6 replies to this topic

#1 megakotaro


Posted 22 March 2017 - 09:39 PM

I have discussed this with my IT advisor. He said that if someone is infected by ransomware, they should just restart the computer and the encryption process will be stopped. Is that true or not?





#2 Steven_M


Posted 23 March 2017 - 05:48 AM

Yes, it runs off a .exe so if that exe is stopped either in services or by computer restart then the encryption process will stop.

 

Unless they've somehow set it so the process starts upon boot.

 

I'm sure if I'm wrong someone will correct me. But that's my understanding of it.


Edited by Steven_M, 23 March 2017 - 05:49 AM.


#3 Angoid


Posted 23 March 2017 - 08:03 AM

The Windows registry (as well as other places) contains "autostart" locations.  If you write an appropriate entry to the appropriate area, you can get a program to start up with Windows.

So yes ... it is entirely possible to write a Registry key away to make sure the malware restarts after the next reboot.


Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network


#5 quietman7


Posted 23 March 2017 - 06:04 PM

There are some ransomware variants which will add an entry to Run and RunOnce Registry Keys so the malicious executable or ransom screen always displays itself on each restart of the computer. In such cases, victims should look for a related entry under the Startup tab in Windows System Configuration Utility (msconfig) or use a tool such as Autoruns to search for and remove any malicious entries.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
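
The Run and RunOnce check described in the post above can also be scripted. The following PowerShell is an added example, not part of the original thread: it only reads the registry, and its "Review" rule (target in a user-writable folder, not found, or without a valid signature) is an assumption of this example, not a verdict that an entry is malicious.

```powershell
# Added example: list Run/RunOnce autostart values and mark entries worth inspecting.
# Read-only: nothing is modified or deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic chosen for this example: folders a standard user can write to.
$writable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

function Get-CommandTarget([string]$Command) {
    # Pull the program path out of a Run value: a quoted path first,
    # otherwise everything up to the first executable or script extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|js|ps1|dll))(\s|,|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # key is absent on some systems
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-CommandTarget $command
        # Bare names such as "rundll32.exe" are not resolved via PATH here.
        $found   = Test-Path -LiteralPath $target -PathType Leaf
        $sig     = if ($found) { [string](Get-AuthenticodeSignature -FilePath $target).Status }
                   else { 'NotResolved' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Target    = $target
            Signature = $sig
            Review    = ($target -match $writable) -or ($sig -ne 'Valid')
        }
    }
}

# Entries marked for review are listed first.
$results | Sort-Object Review -Descending | Format-List
```

Run and RunOnce are only two of the autostart locations, so an empty result does not replace a full Autoruns scan.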


#6 megakotaro


Posted 07 April 2017 - 10:21 PM

Thanks all of you. I'll talk to my IT advisor and teach my clients these things.



#7 quietman7


Posted 08 April 2017 - 06:32 AM

You're welcome on behalf of the Bleeping Computer community.