ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > Living Room

Be prepared against ransomware viruses..

<< < (5/15) > >>

Hey, you need to keep in mind that encrypting a file is a valid process. All you're doing is changing a file's contents. You could pull up a jpeg in an image editor and change it from a blue cast to a green cast, or edit your copy of the works of e e cummings and change it to ALL UPPER CASE or something. That's all that's happening. Heck, I encrypt files regularly -- the only difference is that I know the encryption key.

The more recent Cryptowall variants that I have seen are sneakier now - they don't always select every eligible file to encrypt. They also set the last-changed time stamp back to the file's original time stamp, so you can't tell from that what files were affected. Maybe that could be a clue to a/v software that something is amiss.

@mouser: Are you able to answer this? It would be interesting to know what defences the virus had got through.
@mouser: What virus and/or malware protection did your relative have on his/her PC?
-IainB (June 27, 2015, 07:05 AM)
--- End quote ---

In the DOS OS, I recall using an excellent file manager/explorer called Lotus Magellan. From memory, one of the functions it had which I tried out but rarely used was to calculate and record the CRC (Cyclic Redundancy Check) value for important files that you wanted to preserve. You could then periodically run a check to see whether the CRC value had changed (i.e., if the file contents had been changed).

In a modern OS, in the case of a virus that encrypts a file but leaves the file name/extension unchanged, you could have a report that tells you when specified data filenames/types have the CRC (or other checksum) changed.
In the case of a virus that encrypts a file and changes the filename/extension, you could have a report that tells you when the old file name/extension is changed or if it "disappears" (i.e., is renamed in some way or deleted).

Some kind of monitor/logging/warning like that seems like it might be useful for data file security. I don't know whether that is a common practice though. For example, the OS can object strongly if specific system file types are touched in any way, so it might be happening at a system-file level.

That too is something like what I was pondering Iain. Elsewhere it was a good point that AV programs are supposed to catch certain things, but your theme is an example of that "backchannel backup" because the malware shouldn't know to look for that file and fool the report etc.

As regards to "encrypting is a valid process", what if you took a whitelisted approach? Variations on things like "the only valid files able to be worked with right now are in this X folder, and are copies. No change of any kind is allowed to any other document files".

Then you summarize the contents of all other documents in a second folder, so then the comp can just do something like a 5 step check ultra fast all the time, maybe once a second? The second (literally!) it finds problems, then it goes into lockdown mode.


Silly coda:
Other than "corp programs have to be boring, programmers can't have fun anymore", there's no reason you can't just invent a whole new kind of document file! bit-merge it onto the back of a picture of Baby Cody riding in Mouser's car and call it a BCC file!

My mother-in-law got one of these.  Fortunately, I found the hijacked files shuffled away in an archive somewhere with the file extensions removed.  A little sleuthing and I got all that restored.  It was a little harder to restore the "My Documents" folder, Start Menu items, default icons, etc.  Whatever it was really went to town...
The clincher is, when I explained to her what probably happened, she suddenly knew, in startling detail how ransomware works and how the ransomware people con you.  :-\

My MIL is kinda funny sometimes...


[0] Message Index

[#] Next page

[*] Previous page

Go to full version