14

I wondered what to do if there is a currently ongoing ransomware execution on my computer.

Assuming that I'm "spotting" it while it is encrypting my files, should I power my computer off?

I would say no because it would cancel any memory forensics operation, and maybe some files that are not properly encrypted would be permanently lost. But it would also "save" some of my files if they are not encrypted yet.

What would be the best solution?

9
  • 30
    Hibernate it so that you can extract its keys from the memory dump.
    – defalt
    Commented Feb 3, 2023 at 12:40
  • 3
    How slow / fast is this encryption? Can a person act fast enough in "human time" for it to be worth it ?
    – Stewart
    Commented Feb 3, 2023 at 19:49
  • 3
    @Stewart generally, as slow as a full backup. Or slower because ransomware authors don't bother with efficiency
    – fraxinus
    Commented Feb 3, 2023 at 23:16
  • 1
    @defalt "Good" ransomware will generate a new key for each file, so doing a memory dump will not allow decryption of any files except the one currently being encrypted.
    – forest
    Commented Feb 4, 2023 at 3:19
  • 2
There's a short answer and a long answer, and both of them say "you shouldn't care until you have a backup of your data". ALWAYS make a backup of your data, and not only for ransomware; what will happen if the hard disk collapses? If you delete your own data? If a thief steals your PC?
    – Jepessen
    Commented Feb 4, 2023 at 10:58

1 Answer

12

If you're infected, you should power off your system immediately. Failure to do so may result in more files being encrypted or lost, additional devices on your LAN being attacked and exploited, the attacker hiding his work, etc. etc. etc.

After powering it down, you should not boot from this drive. The best way moving forward is to hand this drive over to forensics.

There's an argument for hibernating instead of just powering off because it will save the contents of RAM to your disk drive which then could be used to possibly find and extract the encryption key.

3
  • Is it possible that the encryption starts with MFT? Does malware not dare to mess with it in a live system?
    – Lodinn
    Commented Feb 4, 2023 at 0:51
  • 1
I'm not sure what you mean by "starts with MFT". You cannot encrypt it; it will make the system dead. Secondly, only the NT kernel can access it. Malware cannot do anything with it. You can access/modify this "file" for an offline volume which is not mounted. Commented Feb 4, 2023 at 8:49
  • 2
@Lodinn Artem is correct, but missing a key point. The whole goal of ransomware is to convert your computer into a payment kiosk that promises to give you your files back if you pay. If it wants to accomplish this, the machine needs to be able to boot when it makes its ransom demands. This means not encrypting/corrupting key files that are needed to recover data, including the bootloader. Besides... the writers know that lost data is what "sells". An OS is easy to replace.
    – Patrick M
    Commented Feb 4, 2023 at 16:49
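The question assumes you can "spot" encryption while it is running. The script below is an added example (not code from anyone in this thread) of a minimal heuristic a defender can run over a user's documents to turn that gut feeling into a yes/no quickly enough to decide on powering off: it plants a canary file whose content must never change, and it flags when several recently modified files have the near-8-bit-per-byte entropy of ciphertext. The canary name, the 60-second window, the 7.5-bit threshold and the 5-file minimum are assumptions chosen for the demo; the "documents" and the bulk rewrite that stands in for what the detector would observe are constructed inside a temporary directory.

```python
"""Canary + entropy heuristic for detecting in-progress bulk file encryption.
Added example; all filenames, thresholds and sample data are constructed."""
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

CANARY_NAME = "_canary_do_not_touch.txt"   # assumed name, not from the thread
CANARY_BODY = b"canary: if this text changes, something is rewriting files\n" * 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_canary(root: Path) -> Path:
    path = root / CANARY_NAME
    path.write_bytes(CANARY_BODY)
    return path


def canary_intact(root: Path) -> bool:
    path = root / CANARY_NAME
    return path.exists() and path.read_bytes() == CANARY_BODY


def recently_modified(root: Path, window_s: float) -> list[Path]:
    """Files under root whose mtime falls inside the last window_s seconds."""
    cutoff = time.time() - window_s
    return [p for p in root.rglob("*") if p.is_file() and p.stat().st_mtime >= cutoff]


def assess(root: Path, window_s: float = 60.0,
           entropy_threshold: float = 7.5, min_hits: int = 5) -> dict:
    """Verdict is ENCRYPTION_SUSPECTED if the canary was touched or if at least
    min_hits recently written files look like ciphertext (high entropy)."""
    hits = []
    for p in recently_modified(root, window_s):
        if p.name == CANARY_NAME:
            continue
        sample = p.read_bytes()[:65536]          # first 64 KiB is enough to judge
        if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
            hits.append(p)
    tampered = not canary_intact(root)
    verdict = "ENCRYPTION_SUSPECTED" if (tampered or len(hits) >= min_hits) else "clean"
    return {"canary_tampered": tampered, "high_entropy_files": sorted(hits), "verdict": verdict}


def build_demo(root: Path, n_files: int = 8) -> None:
    """Constructed sample data: plain-text 'reports' plus the canary."""
    plant_canary(root)
    for i in range(n_files):
        (root / f"report_{i}.txt").write_text(f"quarterly figures and notes, line {i}\n" * 80)


def simulate_bulk_rewrite(root: Path) -> None:
    """Stand-in for what the detector would see during bulk encryption: the demo's
    own text files replaced by high-entropy bytes and the canary removed."""
    for p in root.glob("report_*.txt"):
        p.write_bytes(os.urandom(4096))
    (root / CANARY_NAME).unlink()


def run_demo() -> tuple[str, str]:
    """Returns (verdict before rewrite, verdict after rewrite)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo(root)
        before = assess(root)["verdict"]
        simulate_bulk_rewrite(root)
        after = assess(root)["verdict"]
    return before, after


if __name__ == "__main__":
    print(run_demo())   # ('clean', 'ENCRYPTION_SUSPECTED')
```

In practice you would run `assess` from a scheduled task or a filesystem watcher over the user's document folders, and treat a positive verdict as the trigger for the answer's advice (power off, don't boot from the drive, preserve it for forensics). Compressed archives and already-encrypted containers also have high entropy, which is why the check needs a minimum hit count and the canary rather than a single file's entropy.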

