System administration
tartarelin, 2015-05-22 15:36:12

Will the ransomware encrypt files on a drive without a drive letter?

If a backup is made to a drive that has not been assigned a letter, will the ransomware virus encrypt the backup copies along with all other information on the computer?
PS The question is no longer relevant, it turned out that Windows 8.1 can wbadmin start backup and can't wbadmin start recovery


4 answer(s)
Artem @Jump, 2015-05-22
@tartarelin

Unlikely.
Although there is a possibility.
The encryptor has a slightly different task: to encrypt certain types of files as quickly as possible and ask for money.
It is unlikely that it will study all connected drives and try to mount them.
But I repeat: theoretically there is a possibility.
Some say they delete shadow copies; recently I was brought an encrypted one, and the shadow copies were intact.

it turned out Windows 8.1 can wbadmin start backup and can't wbadmin start recovery

Can

Vladimir Martyanov, 2015-05-22
@vilgeforce

If a regular user has write access to files through the regular Explorer, consider that the Trojan also has access to them. And yes, you don't have backups.

younghacker, 2015-05-29
@younghacker

You were answered correctly: wherever the logged-in user has access, all processes running with his privileges have access too. Whether it will search for all devices or not depends on the implementation.
Only backups to a remote device, from where the user cannot delete or change anything, will save information and wallets. We are talking about a backup that the user, using his environment and privileges, cannot access.
For example, a backup to e-mail. You can send a letter, but you can't revoke it. Of course, access to such a backup must be stored securely so that it is not accidentally "burned" to the Trojan. The "sender" must do this without authentication or send it to another mailbox, otherwise the password may leak, and the encryptor will do its job.
Or the "backup device" should itself come to the computer and take backups, without giving the computer the opportunity to reach it. Except perhaps only on Fridays and only in ReadOnly mode, for example, to check backups.
A disk connected via USB is not suitable for these purposes, or is suitable only to a limited extent if the measures described below are taken.
But you still need to remember organizational measures, since the concept of a user is different from the concept of an administrator. You don't need to run as an administrator. There is a user account for this. Allocate the "My Documents" sandbox to him and let him write and read there. With well-placed rights and launch restriction policies, and most importantly, adequate user behavior, the Trojan firstly has almost no chance to start, and secondly, even after starting, it will "tumble" within the allotted sandbox.
The backup program, running with other, higher privileges, will be isolated from the ransomware and will be able to create copies in a protected location.
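
An added example, not part of the thread or any poster's code: a PowerShell audit of the point made in the answers above, that what matters is who can write to the backup target, not whether it has a drive letter. It goes beyond the letterless-drive case to any backup folder; the function names, the allowlist of SIDs and the path `D:\Backups` are assumptions made for illustration.

```powershell
# Added example, not from the thread. 'D:\Backups' is a placeholder path.

# Volumes with no drive letter remain addressable through their volume GUID
# path (the Path column), the same form wbadmin accepts for -backupTarget.
function Get-LetterlessVolume {
    Get-Volume | Where-Object { -not $_.DriveLetter } |
        Select-Object FileSystemLabel, Path, Size
}

# Lists Allow ACEs that let any principal outside the allowlist change or
# delete content under $Path. Any row returned is a way for a process running
# as that principal (ransomware included) to reach the backups.
function Get-BackupWriteExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumed allowlist (well-known SIDs): SYSTEM, Administrators, Backup Operators.
        [string[]] $AllowedSid = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-551')
    )

    # Rights that permit overwriting, deleting or re-ACLing backup files.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs on a volume root often carry raw generic bits instead:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $mask = $mask -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the check does not depend on
    # the OS display language.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $mask) -and
            ($AllowedSid -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

# Usage:
#   Get-LetterlessVolume
#   Get-BackupWriteExposure -Path 'D:\Backups'
```

An empty result means only the allowlisted accounts can modify the target; rows for S-1-5-32-545 (Users), S-1-5-11 (Authenticated Users) or S-1-1-0 (Everyone) mean an ordinary logged-in session can.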
