I have an understanding of how ransomware works to a certain extent. But I would like some input as to what it can do if the volumes/drives that are on a workstation are not visible, or are not formatted in a way a Windows workstation recognises.

In my setup I have two situations.

  1. I use TrueCrypt (old program, but it works for me), in which a reserved drive letter appears as an unformatted drive unless you mount your personally secured/encrypted drive. In this case, the ransomware would only see an unformatted drive (let's say drive X:).

  2. I have a partition that I set to hidden using a partitioning tool.

In either of these scenarios, can a ransomware attack actually take out the data or not?

Anders
Harry
  • Ransomware does not take data out, but makes it inaccessible (in theory temporarily). What a piece of ransomware encrypts depends on the particular software, so a generalisation is impossible. If it proved economical for ransomware operators to run a tool that accessed and encrypted the data stored as you listed, they would go for it. – techraf May 17 '17 at 04:02
  • Do you have a fully encrypted disk, or is it a TrueCrypt volume stored on one of your disks? – M'vy May 17 '17 at 08:04
  • I imagine this would work similarly to app control and device control solutions that defeat ransomware encryption attempts. – Duncan McAlynn May 17 '17 at 04:11

4 Answers

There is no practical answer to this. It all depends on how well the malware was designed.

Some are just as basic as encrypting basic documents, some go as deep as disabling any methods of back-up and restore and accessing the disk in a more advanced manner.

Currently, there is no anti-truecrypt malware (i.e. something specifically designed to take TC into account).

What danger can exist is the following: a keylogger could find the password that you type to access the encrypted files or volumes and that would give it access to them, but again, this must be specifically designed to do so. An average malware will not dig for TC volumes or container files.

Overmind

So neglect the word ransomware for a sec, and realize it is a software program and it will do or attempt to do whatever the programmer wrote it to do.

TrueCrypt was free; I do not know at the moment if it was open source, but let's assume that it was. Therefore a programmer writing ransomware would conceivably have access to all the info needed (the TrueCrypt source) to write such a program and know everything TrueCrypt can do and has done on your computer... including hidden drives.

One could just write ransomware to try to encrypt any accessible volume, whether formatted or not. Also, you wouldn't need to actually encrypt a volume, then say you did and demand ransom; you could just change/reformat the partition and simply overwrite it, then demand ransom (not like there's a requirement for ransomware to be honest)... many ways to take out the data.

Could a ransomware program simply be TrueCrypt (or any other free / open source encryption software) recompiled and modified after installing to do any number of things with any kind of storage (formatted or unformatted) found connected to a system? I would say pretty much, once the program gets elevated privilege, be it Windows or Linux.

ron
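An added illustration of the point made in the answers above (this is example code written for this page, not code from any answer or from TrueCrypt): on an MBR-style disk a partitioning tool usually "hides" a partition by setting bit 0x10 in its type byte (0x07 NTFS becomes 0x17 hidden NTFS), which only stops Windows from assigning a drive letter; the partition's start offset and length stay in the partition table, so any program that can read sector 0 of the disk (which needs elevated privilege) sees exactly where the data is. The 512-byte MBR below is constructed for the example, and the hidden-bit convention is assumed to be the one the tool used.

```python
import struct
SECTOR = 512
HIDDEN_BIT = 0x10  # partitioning tools "hide" a FAT/NTFS partition by setting this bit

# Visible MBR partition types; 0x11..0x1F are their hidden variants (0x17 = hidden NTFS).
TYPE_NAMES = {
    0x01: "FAT12", 0x04: "FAT16 (<32MB)", 0x06: "FAT16", 0x07: "NTFS/HPFS",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x83: "Linux",
}

def unhide_type(ptype: int) -> int:
    """Map a hidden type byte (0x17, 0x1B, ...) back to its visible type."""
    if 0x11 <= ptype <= 0x1F:
        return ptype & ~HIDDEN_BIT
    return ptype

def parse_mbr(sector0: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR sector."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        _status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        base = unhide_type(ptype)
        entries.append({
            "slot": slot,
            "type": ptype,
            "hidden": base != ptype,
            "name": TYPE_NAMES.get(base, "unknown"),
            "byte_offset": lba_start * SECTOR,  # where the data really starts
            "size_bytes": n_sectors * SECTOR,
        })
    return entries

def _entry(ptype: int, lba_start: int, n_sectors: int) -> bytes:
    """Build one 16-byte partition table entry (CHS fields zeroed)."""
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", lba_start, n_sectors)

# Constructed sample disk: a normal NTFS partition followed by a "hidden" NTFS one.
SAMPLE_MBR = (b"\x00" * 446 + _entry(0x07, 2048, 204800)
              + _entry(0x17, 206848, 102400) + b"\x00" * 32 + b"\x55\xaa")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"slot {p['slot']}: {'HIDDEN' if p['hidden'] else 'visible'} {p['name']} "
              f"at byte {p['byte_offset']}, {p['size_bytes']} bytes")
```

The "hidden" entry decodes to the same file system type and a concrete byte offset, which is why hiding a partition is a convenience setting rather than a protection.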

A TrueCrypt encrypted volume is stored in a file on your hard drive (or flash drive, etc.). Therefore, this container file can be encrypted by ransomware, just like any other file can be.

PS: VeraCrypt has picked up where TrueCrypt left off, plugged some security holes, and can read TrueCrypt volumes.

user226211

As of yesterday, a newly discovered ransomware variant exhibits the ability to detect and compromise partitions (including hidden partitions), a behavior not thought to have been seen before in ransomware.

See: https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions

Alk