
 Post subject: Trying Again
 Post Posted: Sat Apr 02, 2016 3:36 pm 
welcoming committee

Joined: Sun Apr 15, 2012 5:52 pm
Posts: 970
I posted this in the System recovery forum and heard nothing.

Quote:
Hi Windows imaging experts.

Does the built-in imaging program do a full disk restore (all the disk structure), or does it just restore the partition data?

This becomes a critical question for folks with the new Petya ransomware.


This is indeed a security issue. So I guess first to describe Petya. It is a new strain of ransomware first found in German companies, but no doubt if successful it will spread. So what is it? It does not encrypt files.

Currently distributed as a social gambit to see a resume, it gets the victim to download and run what is supposed to be a job application. In fact it is an executable. What it does:

1. It overwrites the MBR with its special code.
2. It crashes the system, forcing a reboot.
3. After the reboot, it presents a phony chkdsk screen. Behind that screen it encrypts the MFTs on any disks it can find.
4. Then it presents the payment demands.

At this point the user is hosed. There is only one recovery, a full disk image restore.

I know people here like Windows Disk Imaging, hence my question about what is restored and whether you can force a full disk restore in lieu of just the partition restore.

There is a lot written about this little guy, but the best write-up is on the Malwarebytes blog.

https://blog.malwarebytes.org/threat-an ... ansomware/

One good suggestion they made there was to turn off the automatic reboot on crash. The reason for this is that if the crash reboot is caught, then at that point all that is needed is an MBR repair. If the reboot isn't caught, then it's bye bye MFT.

Pete


 Post subject: Re: Trying Again
 Post Posted: Sat Apr 02, 2016 3:43 pm 
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 6557
Location: The state of confusion; I just use Wyoming for mail.
Sorry Pete but I really don't exactly know how Windows Image Restore works. If it helps in any way I can make an image of several partitions and restore to a blank hard drive with everything as it should be.

I DID see your previous post and didn't respond due to the fact that I don't really have an answer.

_________________
Jaylach's Free Sites
I NEVER forget... I just remember late.

 Post subject: Re: Trying Again
 Post Posted: Sat Apr 02, 2016 5:04 pm 
welcoming committee

Joined: Sun Apr 15, 2012 5:52 pm
Posts: 970
Hi Jay

It becomes critical when dealing with some of the new ransomware. So testing is a good idea.

Pete

