A few times I’ve seen it suggested that encryption of valuable data before ransomware strikes will somehow protect it against ransomware. Today I came across the same assertion again on Spiceworks, apparently suggested to a Spiceworks subscriber by a lecturer. Not a lecturer in IT security, I hope…
I guess whether there’s any truth in the assertion depends on what you understand by encryption.
- If files can be modified they can be encrypted: ransomware doesn’t check to see if a file is encrypted and throw its hands up in despair if it is, it simply adds another layer of encryption.
- If the media on which the files reside can’t be accessed without a password then presumably the files themselves can’t be modified while the media are inaccessible.
- However, if the media are accessible and write-enabled because the files are in use, the chances are that ransomware will be able to encrypt the files, irrespective of whether they are already somehow encrypted by the legitimate owner or user of the aforementioned files.
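To make the first and third points concrete, here is an added example (not from the Spiceworks thread or the article quoted below) that works purely on in-memory bytes. The cipher is a toy HMAC-based stand-in for a real one, and the keys, document and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a real cipher (assumption)."""
    enc = _subkey(key, b"enc")
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if not sealed with this key."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def owner_can_recover(owner_key: bytes, stored: bytes) -> bool:
    """True if the owner's key alone still opens what is stored."""
    try:
        unseal(owner_key, stored)
        return True
    except ValueError:
        return False

# Constructed sample keys and data.
OWNER_KEY = b"owner-key-constructed-for-demo!!"
OTHER_KEY = b"second-key-owner-does-not-hold!!"
DOCUMENT = b"Q3 payroll, constructed sample content"
at_rest = seal(OWNER_KEY, DOCUMENT)    # what the owner wrote to writable media
rewrapped = seal(OTHER_KEY, at_rest)   # the same bytes after a second layer is added
```

The owner's layer still keeps the content confidential from whoever added the second layer, but it does nothing for availability: `owner_can_recover(OWNER_KEY, rewrapped)` is false until the outer layer is removed with the other key.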
Much the same considerations apply to backups, of course. If the backup media are accessible while the ransomware delivers its unpleasant payload, there’s a ‘good’ chance that the backed-up files will also be encrypted.
This article, “Mac OS X ransomware: How KeRanger is a shadow of malware to come” (“The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up”), includes an interesting if confusing/confused comment from Timothy Wallach of the FBI:
“The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it…”
It would be interesting to know if that’s exactly what Wallach said, since I’d rather like to know what he meant by ‘encrypting your own data’.