DreamyAbaddon

I'm trying to understand the nature of virus/malware/ransomware to better apply my backup strategies. So here are some questions I have:

Question Scenario #1 -
Let's say I have 2 internal hard drives connected to my PC. One with Windows 10 installed and the other one with Linux installed. I use these 2 hard drives to dual boot to different operating systems. Also, when on Windows, I did not assign a drive letter to my Linux drive so that Windows doesn't read or access any data from my Linux drive. Let's say my Windows 10 hard drive gets infected by a deadly ransomware that encrypts my files and shit... Does this infection spread to my other hard drive that has Linux installed even though Windows does not have a drive letter assigned for it? And vice-versa?

Question Scenario #2 -
Let's say I have 2 internal hard drives connected to my PC. One with Windows 10 installed and the other one just to store important data such as project files, music, videos, games and such. And let's say I have 1 external hard drive which I used to install Macrium Reflect images of these 2 drives... Then 1 year later, I get hit by a deadly ransomware that locks my system and files. If I boot up my PC with my external hard drive with Macrium Reflect installed, and use the Macrium Reflect software to restore my 2 drives from the previous image from last year, will it also remove the ransomware on both drives too, since last year when I made those images I was not infected to begin with?

My Strategy Plan -
If in Scenario #1 the infection I got from my Windows drive does not spread to my Linux OS drive, and if Scenario #2 solves the issue, then I plan to manually create image files using Macrium Reflect to my external drive once a month after full scans, to keep my data safe in case something in the future does hit. I plan to keep my external drive disconnected and ONLY connected when I'm either ready to back up and archive, or to restore my drives in case I get hit by something.

Please let me know what you think of my strategy plan after answering my 2 scenario questions. I really want to understand the nature of this so I can improve my backup strategy. Thank you!
 


A#1: Depends on the capabilities of the malware. If it can, say, just write random data, then it could write over the Linux data without being able to read it.

A#2: Macrium Reflect takes snapshots of your system at a given point in time, so yes, the ransomware would be gone.

I haven't personally seen any malware that overrides data at the disk level, and it wouldn't be very profitable for criminals to simply destroy data. The best strategy is, as you stated, to keep a copy of backups disconnected from the network.
 


A#1: Depends on the capabilities of the malware. If it can, say, just write random data, then it could write over the Linux data without being able to read it.

So it is possible that malware which infects my Windows OS hard drive can be transferred to my Linux OS hard drive?
If this is the case, then I should also make an image of my Linux drive to an external drive, so if I get hit by a ransomware I can just restore all data back by booting up from my external drive. Do you know if I can use Macrium Reflect on Linux? If not, I can always use my cloning dock station... that I bought for $60... =)
 


It won't affect the Linux OS itself per se, nor the data, but it's possible it could override the whole disk.
 


It won't affect the Linux OS itself per se, nor the data, but it's possible it could override the whole disk.

What does it mean to override? If it doesn't affect my data such as pictures, videos and project files on my Linux OS drive, then why should I care if it overrides my Linux drive in this scenario?
 


Windows doesn't understand the Linux file systems without a driver, but Windows can access the disk and format it or override it with data in a Windows file system, thereby wiping out any data on the disk.

I wouldn't be overly concerned about Windows ransomware affecting a Linux file system. Ransomware is primarily meant to encrypt your data at the file level in order to hold your data for ransom.
 


Okay, I have another scenario question.

Question #3 -
Let's say I have 2 Internal hard drives and 2 external Hard drives.

1st Internal Hard Drive is where Windows and all my programs are installed.
I create a system image using Macrium Reflect of this drive on my 1st External Hard Drive for backup and I make this External hard drive run a rescue bootable environment in case my Internal Drive (C) gets infected and I can't boot from it.

My 2nd internal hard drive is where I store all my project files, photos, videos, music and docs.
I simply drag-and-drop these files to my 2nd external hard drive to back them up.

I keep these 2 external hard drives disconnected from my computer. I only reconnect my 2nd external hard drive to drag-and-drop files I want to back up manually.

Let's say I get a ransomware, or malware, or some kind of virus. If I boot up from my 1st external drive to restore my Windows, then reformat my 2nd internal drive and drag-and-drop the files from my 2nd external drive back onto my 2nd internal drive, will that remove the infection and restore all my data? Is that a good backup strategy? Or should I make an image of my 2nd drive instead?

Also, let's say I get a BIOS virus. Will this virus also infect my hard drives, or will it just stay on the BIOS chip?
What is a good backup strategy against a BIOS virus with this setup / scenario in mind? Also, how do you remove a BIOS virus once infected?
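The drag-and-drop plan in Question #3 has one weak point: if the data drive is already encrypted when the external drive is plugged in, the manual copy overwrites the only good copy with ciphertext. The check below is an added example written for this thread, not code from the thread or from Macrium Reflect; it keeps a SHA-256 manifest from the last good backup, and before the next copy it refuses to proceed when too many changed files look encrypted (near-8-bit byte entropy) or too many backed-up files have vanished. Thresholds, file names and the sample data are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.8        # bits/byte; encrypted or random output sits near 8.0 (assumed threshold)
MIN_SIZE = 512            # entropy estimates on tiny files are unreliable, so skip them
MAX_SUSPECT_RATIO = 0.10  # abort the copy if more than 10% of changed files look encrypted

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root: Path) -> dict:
    """Map each file (relative path) under root to its SHA-256; save this with every backup."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit_changes(root: Path, old_manifest: dict) -> dict:
    """Compare the live data drive against the manifest taken at the last good backup."""
    current = build_manifest(root)
    changed = [rel for rel, digest in current.items() if old_manifest.get(rel) != digest]
    suspect = [rel for rel in changed
               if (root / rel).stat().st_size >= MIN_SIZE
               and shannon_entropy((root / rel).read_bytes()) > HIGH_ENTROPY]
    missing = [rel for rel in old_manifest if rel not in current]
    return {"changed": changed, "suspect": suspect, "missing": missing, "manifest": current}

def safe_to_sync(report: dict) -> bool:
    """False when the change set looks like mass encryption or mass deletion/renaming."""
    old_total = len(report["manifest"]) + len(report["missing"])
    if len(report["missing"]) > MAX_SUSPECT_RATIO * old_total:
        return False
    if not report["changed"]:
        return True
    return len(report["suspect"]) / len(report["changed"]) <= MAX_SUSPECT_RATIO

def demo() -> tuple:
    """Constructed scenario: 20 notes backed up, then 15 of them replaced by random bytes."""
    root = Path(tempfile.mkdtemp())
    for i in range(20):
        (root / f"notes{i}.txt").write_bytes(b"project meeting notes, line %d\n" % i * 40)
    baseline = build_manifest(root)          # what the external drive currently holds
    clean = audit_changes(root, baseline)    # nothing changed since the backup: copy is fine
    for i in range(15):
        (root / f"notes{i}.txt").write_bytes(os.urandom(8192))  # stands in for encrypted output
    hit = audit_changes(root, baseline)      # mass high-entropy rewrite: refuse to copy
    return safe_to_sync(clean), safe_to_sync(hit), len(hit["suspect"])

if __name__ == "__main__":
    print(demo())
```

Newly added compressed media (zip, mp4, jpg) also has high entropy, which is why the rule is a ratio over changed files rather than a per-file veto; an image-based backup with retention, as the answers suggest, remains the stronger option.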
 


Malware that affects firmware (BIOS or hard drive) is extremely rare. In fact, the only ones I'm aware of were believed to be created by the Equation Group, who are believed to be linked to a nation state. These types of malware require reverse engineering the firmware. There is virtually no way to detect these types of threats.

There is no way to remove these types of malware besides replacing the hardware, unless you can figure out how to reprogram the BIOS or hard drive controllers, and I don't mean flashing them.
 

