I posted this in the System recovery forum and heard nothing.
Quote:
Hi Windows imaging experts.
Does the built-in imaging program do a full disk restore (all the disk structure) or does it just restore the partition data?
This becomes a critical question for folks with the new Petya Ransomware.
This is indeed a security issue. So I guess first to describe Petya. It is a new strain of Ransomware first found in German companies, but no doubt if successful it will spread. So what is it? It does not encrypt files.
Currently distributed as a social gambit to see a resume, it gets the victim to download and run what is supposed to be a job application. In fact it is an executable. What it does:
1. It overwrites the MBR with its special code.
2. It crashes the system forcing a reboot.
3. After the reboot, it presents a phony chkdsk screen. Behind that screen it encrypts the MFTs on any disks it can find.
4. Then it presents the payment demands.
At this point the user is hosed. There is only one recovery, a full disk image restore.
I know people here like Windows Disk Imaging hence my question about what is restored and can you force a full disk restore in lieu of just the partition restore.
There is a lot written about this little guy but the best write-up is on the Malwarebytes blog.
https://blog.malwarebytes.org/threat-an ... ansomware/
One good suggestion they made there was to turn off the automatic reboot on crash. The reason for this is if the crash reboot is caught, then at that point all that is needed is an MBR repair. If the reboot isn't caught then it's bye bye MFT.
Pete
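
A defensive sketch related to step 1 in the post, added here as an example and not part of the original post: it compares a saved copy of a disk's first sector against the current one to tell whether the boot code was replaced while the partition table survived. The function names and the sample sector are constructed for illustration; reading sector 0 from a real disk (which needs administrator rights) is assumed to happen elsewhere.

```python
import hashlib
import struct

SECTOR_SIZE, BOOT_CODE_LEN, PART_ENTRY_LEN = 512, 446, 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + i * PART_ENTRY_LEN:][:PART_ENTRY_LEN]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"index": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": n_sectors})
    # The first 446 bytes include the Windows disk signature (440..443),
    # which is stable per disk, so it is safe to hash along with the code.
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how sector 0 differs from the saved copy."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    if not new["signature_ok"]:
        findings.append("boot signature missing")
    return findings


def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed sample: filler boot code plus one active NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return bytes([boot_fill]) * BOOT_CODE_LEN + entry + bytes(48) + SIGNATURE


if __name__ == "__main__":
    saved = build_sample_mbr(0x90)    # constructed baseline sector
    current = build_sample_mbr(0xCC)  # same partition table, different boot code
    print(compare_to_baseline(saved, current))
```
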