Blog | G5 Cyber Security

Ransomware & Existing Encryption: Can It Happen?

TL;DR

Yes. To ransomware, an encrypted file is just a sequence of bytes, and it encrypts those bytes exactly as it would a plain document. The result is a file encrypted twice: your layer on the inside, the attacker's on the outside. Your own key is useless until the attacker's layer has been removed, so pre-existing encryption does not protect you from losing access to the file. It does still protect the confidentiality of the contents if the attackers also steal the data. The file typically grows by a small, fixed amount (the ransomware's header and integrity tag), and the only reliable way back is a backup or a published decryptor for that ransomware family.

Understanding the Problem

Ransomware aims to lock your files so you pay a ransom to get them back. It does this with encryption algorithms, usually a symmetric cipher for the file contents and a key that only the attackers can recover. Ransomware does not check whether a file is already encrypted: it reads the bytes, encrypts them under its own key and writes the result back. Your existing encryption is neither recognised nor undone; it simply becomes the inner layer of a doubly encrypted file.

How Ransomware Handles Encrypted Files

  1. Full Re-Encryption: Most ransomware encrypts the entire file regardless of its content. This succeeds on an encrypted file just as reliably as on a plain one. The file grows by the ransomware's own header and integrity overhead (typically a few dozen bytes to a few kilobytes, not proportional to the content) and is unusable until that outer layer is removed with the attacker's key.
  2. Header-Only or Intermittent Encryption: To finish faster, many ransomware families encrypt only the first few kilobytes of each file, or alternating blocks. For an encrypted container or archive (a VeraCrypt container, an encrypted ZIP, an OpenPGP file) the header holds the salt, nonce and wrapped key, so scrambling it alone makes the whole file undecryptable even though most of the ciphertext is untouched. Authenticated encryption such as AES-GCM rejects the file outright because the tag no longer verifies.
  3. Partial Overwrite: Some ransomware, and most wipers posing as ransomware, overwrite parts of the file with random data rather than encrypting it. Those bytes cannot be recovered by anyone, paid or not; only a backup helps.
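To make the first two behaviours concrete, here is a small Go program written for this article; it is not code from G5 Cyber Security or from any ransomware family. It assumes AES-256-GCM for the victim's own file encryption with a nonce || ciphertext || tag layout, a second AES-256-GCM layer to model full re-encryption, and AES-CTR over the first 64 bytes as a stand-in for header-only encryption. The sample document, the 64-byte header length and the file layout are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample document standing in for the victim's file.
var sampleDoc = []byte("CONSTRUCTED SAMPLE: payroll export 2024-Q3, do not distribute.")

// mustRandom returns n random bytes; a failing crypto/rand is fatal for a demo.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustAES builds the block cipher; keys here are always 32 bytes, so an error is a bug.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// sealGCM returns nonce || ciphertext || tag (AES-256-GCM), a common file-encryptor
// layout. Each layer adds 12 + 16 = 28 bytes, whatever the content is.
func sealGCM(key, data []byte) []byte {
	aead, _ := cipher.NewGCM(mustAES(key)) // NewGCM cannot fail for an AES block
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, data, nil)
}

// openGCM reverses sealGCM; any change to nonce, ciphertext or tag makes it fail.
func openGCM(key, blob []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(mustAES(key))
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("blob too short (%d bytes) to be a sealed file", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// ransomPartial is a hypothetical model of intermittent encryption: only the first n
// bytes are XORed with an AES-CTR keystream, the rest is copied as is, so the size is unchanged.
func ransomPartial(ransomKey, iv, file []byte, n int) []byte {
	if n > len(file) {
		n = len(file)
	}
	out := append([]byte(nil), file...)
	cipher.NewCTR(mustAES(ransomKey), iv).XORKeyStream(out[:n], file[:n])
	return out
}

// Outcome records what the victim can still do in each scenario.
type Outcome struct {
	GrowthBytes         int  // bytes added by the ransomware's full-file layer
	OwnKeyAloneWorks    bool // victim's key alone opens the double-encrypted file?
	PeelThenOwnKeyWorks bool // attacker's layer removed first, then victim's key?
	PartialSizeChanged  bool // does header-only encryption change the size?
	PartialOwnKeyWorks  bool // victim's key opens the header-scrambled file?
}

// Demo runs both scenarios from the text against sampleDoc.
func Demo() Outcome {
	var o Outcome
	ownKey, ransomKey := mustRandom(32), mustRandom(32)
	encrypted := sealGCM(ownKey, sampleDoc) // the file as the victim stored it

	// Scenario 1: full re-encryption. The ransomware never looks inside; the
	// existing ciphertext is sealed exactly as a plain document would be.
	ransomed := sealGCM(ransomKey, encrypted)
	o.GrowthBytes = len(ransomed) - len(encrypted)
	_, err := openGCM(ownKey, ransomed)
	o.OwnKeyAloneWorks = err == nil
	if peeled, err := openGCM(ransomKey, ransomed); err == nil { // needs the attacker's key
		plain, err := openGCM(ownKey, peeled)
		o.PeelThenOwnKeyWorks = err == nil && bytes.Equal(plain, sampleDoc)
	}

	// Scenario 2: header-only encryption of the first 64 bytes, which covers the
	// nonce and the start of the ciphertext. Same size, but still unusable.
	scrambled := ransomPartial(ransomKey, mustRandom(aes.BlockSize), encrypted, 64)
	o.PartialSizeChanged = len(scrambled) != len(encrypted)
	_, err = openGCM(ownKey, scrambled)
	o.PartialOwnKeyWorks = err == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with go run and read the printed Outcome: the full layer adds exactly 28 bytes no matter what was inside, the victim's key alone cannot open the result, peeling with the attacker's key and then using the victim's key recovers the document, and the header-only variant leaves the size unchanged yet still locks the file because the nonce and tag no longer match.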

Step-by-Step Guide to Dealing With Encrypted Files & Ransomware

  1. Isolation is Key: Immediately disconnect the infected computer from the network (Wi-Fi and Ethernet). This prevents the ransomware from spreading to other devices.
  2. Identify the Ransomware: Knowing which type of ransomware you’re dealing with can help determine if a decryption tool exists. Websites like ID Ransomware can help identify it based on sample files or ransom notes.
  3. Check Your Backups: This is the most important step! If you have recent, verified backups of your encrypted files (stored offline!), restore them after ensuring the ransomware is completely removed from your system. Do not connect backup drives until you’re certain the threat is gone.
  4. Attempt Decryption (If Possible): Some ransomware families have publicly available decryption tools. Search online for a tool specific to the identified ransomware variant. No More Ransom is an excellent resource.
  5. Do Not Pay the Ransom: Paying the ransom does not guarantee file recovery and encourages further criminal activity. There’s no assurance the attackers will provide a working decryption key, even after payment.
  6. Remove the Ransomware: Use a reputable anti-malware program to scan and remove the ransomware from your system. Consider using a bootable rescue disk for a more thorough clean (see Step 7).
  7. Use a Bootable Rescue Disk: Download a bootable rescue disk from a trusted source (e.g., Kaspersky, Bitdefender) and write it to a USB drive. Boot your computer from the USB drive and perform a full system scan. Because Windows is not running, this can remove ransomware that hides from scanners started inside the infected system.
    Rufus is normally driven through its window: select the downloaded ISO and the target USB drive, then press Start. On Linux, write the image directly instead (replace /dev/sdX with your USB device and double-check it, because dd overwrites the target without asking):
    sudo dd if=kaspersky_rescue_disk.iso of=/dev/sdX bs=4M status=progress && sync
    
  8. Re-evaluate Your Cyber Security Measures: Once the system is clean, review your cyber security practices to prevent future infections (see ‘Prevention Tips’ below).

Prevention Tips
