
Viruses that encrypt your files, like the recently very common 'Locky', seem to perform a lot of work before they are 'done'.

I wonder, when do these programs run? They must take quite some time, because they obviously have to read/write a lot of files. Also, they might want to delay showing their presence to the user, so they can encrypt more files before being discovered.

Are they just running in the background, before they decide that it's time to reveal themselves? Doesn't the user see the damage before being told about it?

edit: I would not consider this to be a duplicate, since I was asking when this takes place, not so much how.

AyCe
  • I think this is the first time I have seen malware described as "very popular". Did you mean "common"? – user Mar 21 '16 at 10:32
    Why would they encrypt your drive at all? Much easier to just overwrite files with random, there's no way for you of telling a difference until you've paid the ransom. Which is why you shouldn't ever pay... – Damon Mar 21 '16 at 13:14

2 Answers


From my experience ONLY.

Are they just running in the background, before they decide that it's time to reveal themselves?

Yes, they run in the background and make encrypted, hidden copies of all the files.

Doesn't the user see the damage before being told about it?

Not so much! Maybe they experience some performance decrease while the encryption takes place.

Why doesn't the user suspect a thing?

They make a hidden partition in which they make copies of the encrypted files, and then they format the main partition, copy all the encrypted files back and delete the hidden partition.

How did I recover my files? In my case they used Bitlocker (no TPM) as an encryption tool and I applied the old technique of mounting the HDD (Elcomsoft Forensic Disk Decryptor).

Short answer on how they work:

Infect

Encrypt and make a hidden copy

Replace original with copy

Restart

Display message

sethmlarson
Lucian Nitescu
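The step list above (infect, encrypt, replace, then display the message) means the encrypted files exist on disk well before the ransom note does, so the practical check is to look for them directly. The following is an added example, not code from the original thread or any of its posters: it triages a directory for files whose contents look like ciphertext, using byte entropy plus a short allow-list of compressed formats that are legitimately high-entropy. The sample files, the `.locky` suffix used as a stand-in for a renamed victim file, the 7.5 bits/byte threshold and the magic list are all constructed assumptions for the demonstration.

```python
"""Entropy-based triage for files that may have been encrypted in place.

Added example, not code from the original thread. It builds a temporary
directory with constructed sample files (a text file, a gzip-compressed
file and a file of random bytes with a '.locky' suffix) and flags files
whose contents look like ciphertext: byte entropy close to 8 bits per
byte and no header of a known compressed format. All names and thresholds
below are assumptions for the demonstration.
"""
import gzip
import math
import os
import tempfile
from collections import Counter

# Headers of formats that are legitimately high-entropy (compressed).
# Assumption: this short list is enough for the sample tree; a real
# deployment would carry a fuller table of magic values.
KNOWN_HIGH_ENTROPY_MAGIC = (
    b"\x1f\x8b",            # gzip
    b"PK\x03\x04",          # zip / docx / jar
    b"\x89PNG\r\n\x1a\n",   # png
    b"\xff\xd8\xff",        # jpeg
    b"7z\xbc\xaf\x27\x1c",  # 7z
)

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed value, tune per environment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the bytes are near-random and carry no known compressed-format header."""
    if data.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= threshold


def scan_directory(root: str, sample_bytes: int = 64 * 1024) -> list:
    """Return relative paths under root whose leading bytes look like ciphertext."""
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # sample the head only; cheap on big files
            if looks_encrypted(head):
                suspicious.append(os.path.relpath(path, root))
    return sorted(suspicious)


def build_sample_tree(root: str) -> None:
    """Constructed sample data: one plaintext, one compressed, one 'encrypted' file."""
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 200)
    with open(os.path.join(root, "archive.log.gz"), "wb") as fh:
        fh.write(gzip.compress(b"ordinary log line\n" * 500))
    # Stand-in for a file overwritten by ransomware: random bytes, new suffix.
    with open(os.path.join(root, "report.docx.locky"), "wb") as fh:
        fh.write(os.urandom(16 * 1024))


def demo() -> list:
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())  # ['report.docx.locky']
```

Two caveats a practitioner would want. First, this check cannot tell real encryption from a file simply overwritten with random bytes (the point Damon raises in the comments), so a hit tells you the data is gone, not that it is recoverable. Second, anything already compressed or encrypted by design (archives in formats not in the magic list, password-protected PDFs, VM disk images) will score as high-entropy, so treat the output as triage and pair it with a rate check such as how many files in a tree changed within the last few minutes, or with a few planted canary files whose hashes you poll.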

They use an encrypted file system (just like BitLocker or FileVault) which can also do live encryption of the file system. They literally change your file system or partition table, and the OS doesn't know what's going on. They also have other software monitor its progress and, when complete, notify the user.

user
iAdjunct
  • Change the file system? But Locky for example creates .locky files, so it seems to me that it just takes the files and processes them. – AyCe Mar 21 '16 at 01:58
  • @AyCe the virus could choose to present unencrypted versions of files using normal file handles and shadow volumes to avoid tipping off the user until it's too late. Once done, it can stop masquerading, because the damage is done. – phyrfox Mar 21 '16 at 07:34
    Hi iAdjunct. I'm quite certain that you meant to write *partition table* instead of *petition map*, and have proposed an edit to this effect. If I was wrong in that assumption, please feel free to reject the edit or roll back, but in that case I'd encourage you to clarify what you meant by petition map in this context. – user Mar 21 '16 at 10:34