
Question regarding ransomware and file extensions


6 replies to this topic

#1 BeckoningChasm


Posted 23 July 2017 - 10:28 AM

Does ransomware target files based on the extension, or based on the content?

The reason I ask is I am wondering if changing the extension on a file would protect it from ransomware.  I am having to do manual backups of a couple of VM servers because the backup software keeps failing to do so.  If I change the VHDX extension to something like SAVE, would ransomware pass it by?  Then I could simply rename the extension if I needed to restore that backup.

 

Apologies if this is in the wrong forum area.

 

Thanks,

BChasm





#2 xXToffeeXx


Posted 23 July 2017 - 10:40 AM

This won't necessarily make a difference as plenty of ransomware don't have extension lists, but encrypt all files except in certain locations or certain file extensions. You're better off making the backup easier and quicker to restore as in some cases the ransomware will cause a lot of damage to repair.

 

xXToffeeXx~




#3 quietman7


Posted 23 July 2017 - 02:12 PM

Some types of ransomware will use a white list of folders and extensions that it will not encrypt. By using a white list, such ransomware will encrypt almost all non-system and non-executable related files that it finds.

#4 BeckoningChasm


Posted 24 July 2017 - 03:41 PM

Thanks guys, I appreciate the info!



#5 Just_One_Question


Posted 24 July 2017 - 03:48 PM

Some types of ransomware will use a white list of folders and extensions that it will not encrypt. By using a white list, such ransomware will encrypt almost all non-system and non-executable related files that it finds.

Does that mean that if you change the extension to a .txt file that you have to .exe, some types of ransomware will skip encrypting it?



#6 xXToffeeXx


Posted 24 July 2017 - 03:59 PM

 

Some types of ransomware will use a white list of folders and extensions that it will not encrypt. By using a white list, such ransomware will encrypt almost all non-system and non-executable related files that it finds.

Does that mean that if you change the extension to a .txt file that you have to .exe, some types of ransomware will skip encrypting it?

 

Some, but definitely not all. It's not really something you can rely on.

 

xXToffeeXx~




#7 Just_One_Question


Posted 24 July 2017 - 04:06 PM

I see. Thanks.:)





