What happens if Windows is infected with ransomware malware and Windows is already fully encrypted with TrueCrypt?

1

Can ransomware encryption overwrite TrueCrypt encryption? What will happen then?

mario

Posted 2016-02-24T13:00:28.297

Reputation: 5

Your files on a system which is mounting a volume using FDE would then have the files on the volume encrypted by the malware. – Ramhound – 2016-02-24T13:48:15.147

Answers

5

Because TrueCrypt is transparent on-the-fly encryption, in an FDE scenario the attacker would be encrypting the plaintext data within the container, which TrueCrypt would then convert to ciphertext data. So yes, it can affect you, but no, it is not "overwriting" the TrueCrypt encryption. The OS can't see the TrueCrypt layer, just the plaintext that TrueCrypt exposes when the encrypted disk is mounted.

So you would in effect be storing encrypted data that someone else (the ransomware) had already encrypted once. Alternatively, ransomware might encrypt a TrueCrypt volume (non-FDE) on your filesystem by encrypting the container file. Once you decrypted the files the ransomware messed with, your TrueCrypt volume would revert to being exactly as it was before the attack.

The only way to protect your data from ransomware at a disk level is to prevent your user from writing to that data. If the user can write, then the attacker can encrypt your files and delete the originals.

Frank Thomas

Posted 2016-02-24T13:00:28.297

Reputation: 29 039

Which unfortunately means that ransomware doesn't even need admin rights (though I think most variants still do, to install itself to startup programs). Thus I suspect ransomware to be one of the most dangerous threats at the moment. – TJJ – 2016-02-24T14:11:33.350

@TJJ - The only reason they would need Administrator permissions is if a network drive was read-only for a User. They also would need it to disable or corrupt the operating system's shadow volume, which controls your ability to restore previous versions of a file in Windows. Since malware variants that encrypt files are targeted towards specific file extensions associated with personal files (Word, Excel, .mp3, .mp4, etc.), it can only encrypt the files the user has the permission to modify. – Ramhound – 2016-02-24T17:35:48.313

@Ramhound: Yes. I think by today everyone has figured out that a broken device is not the big concern anymore, but the loss of personal data. So, of course Word, Excel, JPEG, mp3, etc. are at risk here. And this makes ransomware so costly. Yes, of course, there's also downtime in companies, but what would you do if suddenly all your data would become inaccessible (and assume you don't have a backup!)? – TJJ – 2016-02-24T18:29:32.193

I don't put important documents at risk to malware – Ramhound – 2016-02-24T19:48:40.823
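The layering described in the answer above, modelled in memory as an added example (not code from the original posts). `MountedVolume`, `keystream_xor`, the sector size and both keys are hypothetical, and the SHA-256 keystream is an insecure stand-in for TrueCrypt's sector cipher.

```python
import hashlib

SECTOR = 16  # toy sector size (constructed; real volumes use 512 or 4096 bytes)

def keystream_xor(key: bytes, tweak: int, data: bytes) -> bytes:
    """Toy deterministic cipher: XOR data with SHA-256(key || tweak || offset).
    Applying it twice with the same key and tweak returns the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + tweak.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

class MountedVolume:
    """On-the-fly encryption model: callers see plaintext, self.disk holds ciphertext."""
    def __init__(self, volume_key: bytes, sectors: int):
        self._key = volume_key
        self.disk = [keystream_xor(volume_key, n, bytes(SECTOR)) for n in range(sectors)]

    def write(self, n: int, plaintext: bytes) -> None:
        self.disk[n] = keystream_xor(self._key, n, plaintext.ljust(SECTOR, b"\0"))

    def read(self, n: int) -> bytes:
        return keystream_xor(self._key, n, self.disk[n])

def demo() -> dict:
    vol = MountedVolume(b"volume-key (constructed)", sectors=1)
    doc = b"quarterly report"            # constructed sample, exactly one sector
    vol.write(0, doc)
    at_rest_before = vol.disk[0]

    # Any process with write access works on the plaintext view, above the
    # disk-encryption layer; here it stores a second-layer ciphertext.
    other_key = b"second-layer key (constructed)"
    vol.write(0, keystream_xor(other_key, 0, vol.read(0)))
    at_rest_locked, visible_locked = vol.disk[0], vol.read(0)

    # Reversing only the second layer, again through the mounted volume.
    vol.write(0, keystream_xor(other_key, 0, vol.read(0)))
    return {
        "plaintext_never_on_disk": doc not in (at_rest_before, at_rest_locked),
        "owner_cannot_read_while_locked": visible_locked != doc,
        "disk_changed_while_locked": at_rest_locked != at_rest_before,
        "disk_identical_after_unlock": vol.disk[0] == at_rest_before,
        "owner_reads_original": vol.read(0) == doc,
    }

if __name__ == "__main__":
    print(demo())
```

The volume key is never touched in any step: the disk layer keeps working as designed while the data it protects is unreadable to its owner.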