I just read about the lockbit ransomware, which is widely used. What really surprised me is that the ransomware only encrypts the first 4kb of each file (for better speed, considering it will encrypt like 100k files in total).
But isn't it ineffective to only encrypt the first 4kb? Imagine you have a huge database file which is about 10GB large. Shouldn't it be somehow restorable if only the first 4KB are encrypted?
Of course it is possible to restore the rest of the file. But the trouble is this:
Nothing in security, or ransomware, is a silver bullet meant to be 100% effective. Things only need to be effective enough.
The question becomes, "why only encrypt part of the file?" And that's the more interesting question. Not only is it faster, but it is harder to detect and requires less disk and memory space.
Many ransomware programs do that. They encrypt since quickly encrypting many files is more important than fully encrypting them.
It's a compromise they are doing.
But isn't it ineffective to only encrypt the first 4kb?
For the average user, just changing the extension would mean their files are inaccessible.
Imagine you have a huge database file which is about 10GB large. Shouldn't it be somehow restorable if only the first 4KB are encrypted?
Yes. Some people could recover most files that got encrypted from backup files that were only partially encrypted. Still, it requires a certain level of expertise to do that.
