3

Is there a known ransomware variant (CryptoLocker, CryptoWall, etc.) that checks the files' magic numbers before encrypting them?

Let's say there's a Word file that had its file extension removed or changed to an unpopular one. We'll call it CC details (or CC details.qwerty). This file should have 50 4B 03 04 as its magic numbers.

Is there a ransomware known that will scan the contents of the file (or even just the first few lines) to see that it's really a Word file and not something blank?

I checked Google and the most that I could find was the ransomware Kovter, which does scan the file content and obfuscates the first few lines - which leads to an invalid file (it doesn't really encrypt it, though). That's not really what I'm looking for (though I do think it's somewhat in the right direction).

Anders
  • 64,406
  • 24
  • 178
  • 215
Laen
  • 31
  • 1
  • Just to be clear, are you asking if files can be "hidden" from ransomware (or made unattractive for it) by changing their extension? – Potaito May 26 '16 at 09:17
  • Indirectly, yes. However, the more relevant part would be if there is any known ransomware that scans the file contents (or just the magic numbers for the file signature), instead of the usual file type scan. – Laen May 26 '16 at 11:05
  • Possible duplicate of [How can ransomware know file extensions?](http://security.stackexchange.com/questions/141701/how-can-ransomware-know-file-extensions) – Anders Nov 03 '16 at 13:07
  • @Anders I don't see an answer to this question under the one you marked as duplicate. The answer there uses potential form "have surely taken this into account" and does not specify any known malware. – techraf Nov 03 '16 at 13:53
  • @techraf Then perhaps that one should be a duplicate of this. Anyway, it is basically the same question. – Anders Nov 03 '16 at 13:55

1 Answer

2

Yes (I found a sub-version of TeslaCrypt to do that a while back), but most will only hunt for extensions. Some have different behavior, like encrypting full folders which have the majority of files of known document types. Something as simple as having a .tx instead of .txt will many times keep your files safe. The problem is that the methods of eliminating any backup vary a lot, but it is important to note that most of them will disable shadow copy, restore points and end-task some related services.

Overmind
  • 8,779
  • 3
  • 19
  • 28
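The question and the answer both turn on the difference between an extension check and a content check. The following is an added example (not code from the original post or from either participant) showing what a content-based check actually involves, written from the defender's side: an audit function that flags files whose extension does not match what their bytes say, which is how you would find documents "hidden" under a renamed extension on a share during a forensic review, or judge how much protection a `.tx` rename really buys. It also shows the caveat the question glosses over: `50 4B 03 04` is the generic ZIP local-file-header signature, so identifying a Word file requires looking inside the container for OOXML entries, not just reading four bytes. All file names and sample contents below are constructed for the example; `MAGIC`, `classify` and `extension_mismatch` are names chosen here, not any tool's API.

```python
import io
import os
import zipfile

# Leading-byte signatures. Note that PK\x03\x04 is the ZIP container signature,
# shared by .docx/.xlsx/.pptx, .jar, .apk and plain .zip archives.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls/.ppt (OLE2)
}

# Which extensions are legitimate for each detected content type.
EXPECTED_EXT = {
    "docx": {".docx", ".docm"},
    "xlsx": {".xlsx", ".xlsm"},
    "pptx": {".pptx", ".pptm"},
    "zip": {".zip"},
    "pdf": {".pdf"},
    "png": {".png"},
    "ole2": {".doc", ".xls", ".ppt"},
}


def sniff(data: bytes) -> str:
    """Coarse type from the leading bytes only (what 'checking magic numbers' means)."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def classify(data: bytes) -> str:
    """Refine a ZIP hit into docx/xlsx/pptx by inspecting the archive's entries."""
    kind = sniff(data)
    if kind != "zip":
        return kind
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Right magic bytes but no valid central directory: truncated or fake.
        return "zip-corrupt"
    if "[Content_Types].xml" not in names:
        return "zip"
    if "word/document.xml" in names:
        return "docx"
    if "xl/workbook.xml" in names:
        return "xlsx"
    if "ppt/presentation.xml" in names:
        return "pptx"
    return "ooxml"


def extension_mismatch(filename: str, data: bytes):
    """Return (detected_type, mismatch) where mismatch is None when the
    content type is unknown and therefore cannot be judged."""
    kind = classify(data)
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_EXT.get(kind)
    if expected is None:
        return kind, None
    return kind, ext not in expected


def audit(files: dict) -> list:
    """Names of files whose bytes identify a known type but whose extension disagrees."""
    return [name for name, data in files.items()
            if extension_mismatch(name, data)[1] is True]


def make_docx_like() -> bytes:
    """Constructed minimal OOXML-shaped archive (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample "share" contents for the example.
SAMPLE_FILES = {
    "CC details": make_docx_like(),            # extension removed, as in the question
    "CC details.qwerty": make_docx_like(),     # extension changed
    "report.docx": make_docx_like(),           # honest name
    "notes.tx": b"just some text",             # the answer's .tx trick; no signature
    "archive.zip": b"PK\x03\x04garbage",       # right magic, not a valid archive
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name!r:22} -> {extension_mismatch(name, data)}")
    print("flagged:", audit(SAMPLE_FILES))
```

Two points worth noting from running it: the plain-text `notes.tx` comes back as `unknown`, because text files have no signature, so neither an extension rename nor a magic-number check settles anything for them; and `archive.zip` passes the four-byte test but fails `classify`, which is why a check that stops at the magic bytes misjudges truncated or deliberately prefixed files.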