Hunting for backups
Wednesday, November 29, 2017
News stories about encryption ransomware often indicate the types of files that can be encrypted by a specific ransomware species. Few people examine these file-type lists even though they may contain interesting information.
Let's see what criminals are after.
- Popular office document formats (.ppt(x), .doc(x), .xls(x), .sxi, .sxw, .odt, .hwp);
- Archives (.zip, .rar, .tar, .bz2);
- Media files (.mp4, .mkv);
- Emails and email database files (.eml, .msg, .ost, .pst, .edb);
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd);
- Source code (.php, .java, .cpp, .pas, .asm);
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes);
- Images, drawings, designs… (.vsd, .odg, .raw, .nef, .svg, .psd);
- Virtual machines (.vmx, .vmdk, .vdi).
Here we can see document, image, and database formats… This list is by no means complete—it changes depending on what specific encryption ransomware strain is involved. Let's see what we can learn from this screenshot.
The .tib extension belongs to Acronis Backup files, which tells us that encryption ransomware will delete your data backups.
We already mentioned that encryption ransomware strives to delete Windows shadow copies, but those copies aren't the only way data is backed up. And criminals are aware of that.
The Anti-virus Times recommends
Backing up your data is one of the key measures you can take to preserve your data. However, if you use backups, bear in mind that:
- If your system was infected when you started making a backup, the backup may end up containing encrypted files. Therefore, make sure that you store several sequential backups;
- If a backup file is stored on a compromised computer or is available over a network (including at the moment it was saved), encryption ransomware can delete it;
- Do not create backups under your user account. Instead, opt to use a different account.
And using an anti-virus is imperative if you want to prevent ransomware from deleting your backups.
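As an added example (not part of the original post), here is a small Python check a defender can run over a set of archive-format backups before trusting a restore: each generation must still carry the header its format promises (a copy that ransomware has encrypted loses it), and enough intact generations must remain. The file names, contents and the "encrypted" sample are constructed; .tib is not modelled because its header layout is not described here.

```python
import io
import tarfile
import zipfile

# Header signatures of the archive formats named in the post. Ransomware that
# encrypts a backup in place overwrites these bytes, so a mismatch marks a
# generation that must not be trusted for restore.
MAGIC = {
    ".zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],  # local header / empty-archive EOCD
    ".tar": [(257, b"ustar")],                          # ustar/GNU/PAX magic field
    ".gz": [(0, b"\x1f\x8b")],
}

def looks_intact(name: str, head: bytes) -> bool:
    """True when the file's leading bytes match what its extension promises."""
    for ext, sigs in MAGIC.items():
        if name.lower().endswith(ext):
            return any(head[off:off + len(sig)] == sig for off, sig in sigs)
    return False  # unknown format (e.g. .tib): refuse to vouch for it

def audit_backup_set(files: dict, min_generations: int = 3) -> dict:
    """files maps backup name -> leading bytes of that backup. Reports which
    generations are safe to restore from and whether enough are retained."""
    intact = sorted(n for n, head in files.items() if looks_intact(n, head))
    suspect = sorted(set(files) - set(intact))
    return {"intact": intact, "suspect": suspect,
            "enough_generations": len(intact) >= min_generations}

def make_zip(payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc", payload)
    return buf.getvalue()

def make_tar(payload: bytes, mode: str = "w") -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        info = tarfile.TarInfo("report.doc")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample backup set: three good sequential generations and one
# whose bytes were replaced with filler standing in for ciphertext.
SAMPLE = {
    "docs-2017-11-27.zip": make_zip(b"quarterly figures"),
    "docs-2017-11-28.tar": make_tar(b"quarterly figures"),
    "docs-2017-11-29.tar.gz": make_tar(b"quarterly figures", "w:gz"),
    "docs-2017-11-30.zip": bytes(range(256)) * 4,  # no "PK" header any more
}

if __name__ == "__main__":
    print(audit_backup_set(SAMPLE))
```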