
I just read about the LockBit ransomware, which is widely used. What really surprised me is that the ransomware only encrypts the first 4 KB of each file (for better speed, considering it will encrypt like 100k files in total).

But isn't it ineffective to only encrypt the first 4 KB? Imagine you have a huge database file which is about 10 GB large. Shouldn't it be somehow restorable if only the first 4 KB are encrypted?

2 Answers

Of course it is possible to restore the rest of the file. But the trouble is this:

  • you need tools and expertise to do so
  • not everyone has this capability
  • the cost to recover most of 100k files could be more than the ransom
  • recovery like this takes time
  • there is still data loss

Nothing in security, or ransomware, is a silver bullet meant to be 100% effective. Things only need to be effective enough.

The question becomes, "why only encrypt part of the file?" And that's the more interesting question. Not only is it faster, but it is harder to detect and requires less disk and memory space.

  • Fun comment! Let's change each file format with a 4 KB random header. Commented Nov 15, 2022 at 19:08
  • But then they will start encrypting a different part ... Commented Nov 15, 2022 at 20:32
  • Yes, that was a covert part of the fun :) Commented Nov 15, 2022 at 20:54

Many ransomware programs do that. They do it since quickly encrypting many files is more important than fully encrypting them.

It's a compromise they make.

But isn't it ineffective to only encrypt the first 4 KB?

For the average user, just changing the extension would mean their files are inaccessible.

Imagine you have a huge database file which is about 10 GB large. Shouldn't it be somehow restorable if only the first 4 KB are encrypted?

Yes. Some people could recover most files that got encrypted from backup files that were only partially encrypted. Still, it requires a certain level of expertise to do that.
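As an added example (not code from either answer), a small Python triage script that illustrates the point both answers make, that the bytes past the encrypted window are still there but you need tooling to tell: it compares the Shannon entropy of a file's first 4 KB with the rest, checks whether a known format signature survived, and reports how many bytes past the header are still plaintext. The SQLite-like sample data, the random bytes standing in for ciphertext and the 7.5 bits/byte threshold are constructed assumptions, not values from the page.

```python
import math
import random
from collections import Counter

HEADER_LEN = 4096       # the partial-encryption window discussed in the question
HIGH_ENTROPY = 7.5      # assumed threshold in bits/byte; random ciphertext sits near 8.0

# Two well-known, real file signatures used to confirm that a header is still intact.
MAGIC = {b"SQLite format 3\x00": "sqlite3", b"%PDF-": "pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, ~8.0 for random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def identify(head: bytes):
    """Return the format name if the header starts with a known magic value, else None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage(data: bytes, header_len: int = HEADER_LEN) -> dict:
    """Classify a file by contrasting the entropy of its first header_len bytes with the rest."""
    head, body = data[:header_len], data[header_len:]
    h_ent, b_ent = shannon_entropy(head), shannon_entropy(body)
    fmt = identify(head)
    if fmt:
        verdict = "intact"              # known signature survived, header was not overwritten
    elif h_ent >= HIGH_ENTROPY and b_ent < HIGH_ENTROPY:
        verdict = "header-only"         # ciphertext-like head over a structured, plaintext body
    elif h_ent >= HIGH_ENTROPY:
        verdict = "full-or-compressed"  # high entropy throughout: encrypted, or already compressed
    else:
        verdict = "unknown"             # low entropy everywhere, but no signature we recognise
    return {"format": fmt, "header_entropy": round(h_ent, 3), "body_entropy": round(b_ent, 3),
            "recoverable_bytes": len(body), "verdict": verdict}


def build_samples(rows: int = 2000):
    # Constructed data: a fake SQLite-like file of text rows, the same file with its first
    # 4 KB replaced by seeded random bytes (stand-in for ciphertext), and a fully random blob.
    body = b"".join(b"id=%05d,user=alice,balance=100.00\n" % i for i in range(rows))
    intact = b"SQLite format 3\x00" + body
    rng = random.Random(7)
    damaged = rng.randbytes(HEADER_LEN) + intact[HEADER_LEN:]
    scrambled = rng.randbytes(len(intact))
    return intact, damaged, scrambled
```

A low body entropy on a "header-only" file is the signal that the remaining bytes are still plaintext worth carving; a body that is already compressed will look encrypted to this check, which is exactly why the answers stress that recovery still takes expertise.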
