As we all know, file-encrypting ransomware is currently a major problem in computer security, and everyone needs to be armed with every little bit of knowledge that may help protect themselves. Many people think that having an antivirus program is enough to protect your computer from malware, but this is simply not true. Malware developers are constantly changing their programs for the sole purpose of bypassing antivirus programs, and the antivirus developers are always playing catch-up. Therefore, it is important to not only be armed with an antivirus program, but to also be aware of some tricks that may alert you that one of these infections is running on your computer. This article will describe one such trick that will not stop file-encrypting ransomware from infecting your computer, but may alert you that one is installed and encrypting your data.

One thing that I have noticed when installing and testing ransomware is that certain ransomware infections would cause a message to pop up from the Windows taskbar stating that I had files waiting to be burned to disc. Normally this message is displayed when a user drags a file they wish to burn onto a burnable CD drive. When you do this, these files go into Temporary Burn Folders located at C:\Users\\AppData\Local\Microsoft\Windows\Burn\Temporary Burn Folder, which store the files until you are ready to burn them to a disc. When Windows detects that the contents of these folders have changed, it will display an alert stating that files are waiting to be burned, as shown below.


Now you may be wondering what any of this has to do with ransomware. Well, the temporary burn folder contains a file called desktop.ini that is present even when you are not burning files to a disc. If a ransomware targets .ini files, it will encrypt this file when it scans your drive for files. Windows will then notice the change in the file, think you dragged a file in there to be burned, and issue the above alert. Another way ransomware may trigger this alert is by dropping ransom notes in every folder it scans. This too would trigger the alert, because Windows will notice that the folder has been changed.

You can see an example of an encrypted desktop.ini file from the Gomasom ransomware in the image below.

Unfortunately, this tip will not protect you from ransomware and will only alert you that ransomware may be present on your computer. In my tests, some of the ransomware that have caused this alert to appear include TeslaCrypt, Gomasom, Chimera, and the Fulba Ransomware. If a ransomware does not touch .ini files or create ransom notes everywhere, this tip will not help.

If you are using your computer and out of nowhere the alert described above appears, you should immediately open the Windows Task Manager and look for suspicious processes. In Task Manager, look for randomly named processes or legitimate Windows processes like explorer.exe and svchost.exe running in 32-bit mode, as shown below. If you find these processes, terminate them so that you can prevent further encryption of your data files.

Random Process Name
Injected Svchost.exe in 32-bit Mode

Now, this is not to say that any time you see this alert you should panic thinking you have ransomware.  It does, though, mean that you should immediately investigate what is running on your computer and not ignore it.
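The same signal Windows uses for its "files waiting to be burned" balloon can be watched directly. The script below is an added example, not code from the original article: it monitors the Temporary Burn Folder, reports whether desktop.ini still reads as plain INI text and whether unexpected files (such as dropped ransom notes) have appeared. It assumes the per-user Burn folder path under %LOCALAPPDATA% and that a normal desktop.ini begins with the standard "[.ShellClassInfo]" section header.

```powershell
# Added example (not from the original article): watch the Temporary Burn Folder
# for the change that triggers the "files waiting to be burned" alert.
# Assumptions: per-user Burn folder under %LOCALAPPDATA%; a healthy desktop.ini
# starts with the standard "[.ShellClassInfo]" INI section header.
$burnDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Burn\Temporary Burn Folder'
$iniPath = Join-Path $burnDir 'desktop.ini'

function Test-DesktopIniIntact {
    param([string]$Path)
    # An encrypted desktop.ini is no longer plain INI text; a missing one
    # (renamed with a new extension) is just as suspicious.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $firstLine = Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction SilentlyContinue
    return [bool]($firstLine -match '^\s*\[\.ShellClassInfo\]')
}

function Get-UnexpectedBurnItems {
    param([string]$Dir)
    # In an idle burn folder only desktop.ini should exist; anything else
    # (e.g. a ransom note dropped into every folder) is what Windows reacts to.
    Get-ChildItem -LiteralPath $Dir -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' }
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $burnDir
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

Write-Host "Watching $burnDir (Ctrl+C to stop)"
while ($true) {
    # Block for up to 5 s per iteration; synchronous waiting keeps the helper
    # functions in scope (no event subscription needed).
    $change = $watcher.WaitForChanged([System.IO.WatcherChangeTypes]::All, 5000)
    if ($change.TimedOut) { continue }

    $details = @("{0}: {1}" -f $change.ChangeType, $change.Name)
    if (-not (Test-DesktopIniIntact -Path $iniPath)) {
        $details += 'desktop.ini is missing or no longer valid INI text (possible encryption)'
    }
    $extra = @(Get-UnexpectedBurnItems -Dir $burnDir)
    if ($extra.Count -gt 0) {
        $details += "{0} unexpected item(s), e.g. '{1}'" -f $extra.Count, $extra[0].Name
    }
    Write-Warning ("[{0:yyyy-MM-dd HH:mm:ss}] Burn folder changed - {1}" -f (Get-Date), ($details -join '; '))
    Write-Warning 'Check Task Manager for randomly named or 32-bit svchost.exe/explorer.exe processes.'
}
```

Dragging files onto a burnable drive yourself will of course trigger the same warning, so treat it as a prompt to look, not as proof of infection.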
