RE: M.I.G. what if ransomware damages drive?


Author
Message
JoeZ
JoeZ
Junior Member
Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)
Group: Forum Members
Posts: 26, Visits: 58
I understand that M.I.G. locks Reflect images so a ransomware can't alter it. But if the ransomware altered essential disk system files (where the image is stored)- is it possible that booting up with a rescue media won't be able to get access to the other drive that the image is on?
Joe

Nick
Nick
Macrium Representative
Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)
Group: Administrators
Posts: 1.6K, Visits: 8.8K
JoeZ - 14 December 2017 12:59 PM
I understand that M.I.G. locks Reflect images so a ransomware can't alter it. But if the ransomware altered essential disk system files (where the image is stored)- is it possible that booting up with a rescue media won't be able to get access to the other drive that the image is on?
Joe

Hi Joe

Thanks for posting.

There are no system files that prevent a file being read unless you are referring to the NTFS Master File Table (MFT). The MFT effectively *is* the file system, it's created when the volume is formatted and provides directory navigation, individual file and folder properties and data pointers.

MIG protects against file encryption by preventing processes from writing to a Macrium backup files. This is the attack vector used by the vast majority of Ransomware. Encrypting the MFT is a completely different attack vector and is effectively whole disk or volume encryption. Volume encryption is a whole different beast and Windows 8/10, with UEFI secure boot, has safe guards to prevent this kind of attack. Older Windows installations and PCs are still vulnerable but file encryption is by far the most common Ransomware target.

Kind Regards

Nick - Macrium Support

JoeZ
JoeZ
Junior Member
Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)Junior Member (54 reputation)
Group: Forum Members
Posts: 26, Visits: 58
Nick - 14 December 2017 1:31 PM
JoeZ - 14 December 2017 12:59 PM
I understand that M.I.G. locks Reflect images so a ransomware can't alter it. But if the ransomware altered essential disk system files (where the image is stored)- is it possible that booting up with a rescue media won't be able to get access to the other drive that the image is on?
Joe

Hi Joe

Thanks for posting.

There are no system files that prevent a file being read unless you are referring to the NTFS Master File Table (MFT). The MFT effectively *is* the file system, it's created when the volume is formatted and provides directory navigation, individual file and folder properties and data pointers.

MIG protects against file encryption by preventing processes from writing to a Macrium backup files. This is the attack vector used by the vast majority of Ransomware. Encrypting the MFT is a completely different attack vector and is effectively whole disk or volume encryption. Volume encryption is a whole different beast and Windows 8/10, with UEFI secure boot, has safe guards to prevent this kind of attack. Older Windows installations and PCs are still vulnerable but file encryption is by far the most common Ransomware target.

Nick, thanks for the almost instant reply! I was just curious about this. I must say, not only am I very impressed with Reflect (installation, creation of boot media, ease of use, etc.) - but I've been posting to countless support forums for many years and this forum is by far the most responsive with good replies and also the fastest replies.
Joe
Nick
Nick
Macrium Representative
Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)Macrium Representative (2.8K reputation)
Group: Administrators
Posts: 1.6K, Visits: 8.8K
Thanks Joe

Kind Regards

Nick - Macrium Support

GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Similar Topics

Reading This Topic

Login

Explore
Messages
Mentions
Search