• Trainguyrom@reddthat.com
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    The advice I’ve always heard is disconnect network but leave powered for forensics/recovery. Some ransomware store the decryption key soley in memory, so it is lost upon power loss

    • Haui@discuss.tchncs.de
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      That actually makes sense. We had a ransomware attack once. We also disconnected the device but I cant remember if we powered it off. At the time it stopped encrypting due to that since our network drives were not reachable anymore.

      Is there actually a way to spread the encryption process to a server?

      • Trainguyrom@reddthat.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Best I understand the encryption key is needed to encrypt and decrypt, so if the malware isn’t written well enough it may well continue to store the encryption key in memory.

        There’s some old malware on archive.org that just pulls the FAT off the filesystem into memory and offers a dice roll to restore it