
Apologies if this is the wrong place to ask this question.

I have/had a computer infected with ransomware. I have just used a Linux live CD and used the command `dd if=/dev/zero of=/dev/sda bs=1MB` to wipe the hard drive (I have backups of my work). When that command completes, it outputs:

    dd: error writing '/dev/sda': No space left on device
    238476+0 records in
    238475+0 records out
    250059350016 bytes (250 GB, 233 GiB) copied, 2193.65 s 114 MB/s

Is that enough to ensure the ransomware has been removed, or do I need to look elsewhere too to ensure all traces of it have gone?

The computer was a Windows 7 machine.

oshirowanen
  • While in theory malware could hide in BIOS/UEFI, current ransomware does not do this. So the malware is probably removed from your computer - at least until you restore it together with your backup. – Steffen Ullrich Sep 15 '16 at 13:57
  • @SteffenUllrich, hopefully backups will be clean as backups are being done on the reputable rackspace cloud provider. They have been contacted and backups are clear of malware apparently. The concern was more on the local computers, which is why this particular computer was isolated from the local network and then wiped. – oshirowanen Sep 15 '16 at 14:04
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Stephane Sep 15 '16 at 14:27
  • @Stephane I read this question as "How do I wipe my drive?" A question with the answer "wipe your drive" can not be a duplicate of that. – Anders Sep 15 '16 at 23:34
  • If you only have one disk, malware on this PC is gone. Reinstall, update OS and then restore the backups. – ThoriumBR Oct 28 '16 at 13:35

1 Answer


Doing this, you wiped all the disk, turning all the data to zero (hopefully).

It does not mean it is safe enough:

  • Some kind of malware can reside in hardware (barely possible, but still a chance).
  • Some other can be placed on the MBR, so I would suggest you to wipe it too. Use: `dd if=/dev/zero of=/dev/sda bs=512 count=1` (it also deletes the partition table). But you already did.
  • And stay sure every device attached to this isolated computer is clean too.

Hope this will help.

KanekiDev
  • If OP used `dd if=/dev/zero of=/dev/sda ...`, the MBR was already overwritten. No need to do that again. – ThoriumBR Dec 02 '16 at 17:59
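The question asks whether the `dd` run was enough, and the answer and ThoriumBR's comment discuss whether the first sector (the MBR) was covered by it. The script below is an added example, not code from the question, the answer, or any of the commenters: it shows how to read a wiped target back and confirm that every byte, including the first 512-byte sector, is zero, which is the check that turns "hopefully" into a verified result. It assumes a POSIX shell with `dd`, `tr`, `head`, `wc` and `mktemp`. So that it runs without a spare disk, it operates on a constructed image file; on a live CD the same `verify_zeroed` and `first_sector_zeroed` functions would be pointed at the block device (`/dev/sda` in the question).

```shell
#!/bin/sh
# Added example (not from the original question or answer): verify that a
# `dd if=/dev/zero` wipe really left an all-zero target, MBR sector included.
# Assumes POSIX sh plus dd, tr, head, wc and mktemp. Works on a constructed
# image file here; on a live CD, pass the block device path instead.

# Create a constructed "dirty" 64 KiB image so there is something to wipe.
make_dirty_image() {
    yes 'NOT-ZERO' | head -c 65536 > "$1"
}

# Zero the whole image in place. This mirrors the question's command; on a real
# device no count= is needed, because dd stops on "No space left on device".
wipe_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=4096 count=$((size / 4096)) conv=notrunc 2>/dev/null
}

# Return 0 only if every byte of the target reads back as 0x00.
# tr strips all NUL bytes; if even one byte survives, the target is not clean.
verify_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | head -c 1 | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Return 0 only if the first sector (where an MBR would live) is all zeros.
# A full-device wipe from offset 0 covers this sector, so it should pass after
# the same run that zeroed the rest of the disk.
first_sector_zeroed() {
    nonzero=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | head -c 1 | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Stand-alone demonstration on a temporary image.
demo() {
    img=$(mktemp)
    make_dirty_image "$img"
    if verify_zeroed "$img"; then echo "unexpected: fresh image already zero"; fi
    wipe_image "$img"
    if verify_zeroed "$img" && first_sector_zeroed "$img"; then
        echo "wipe verified: every byte, including the first sector, is zero"
    else
        echo "wipe incomplete: non-zero bytes remain"
    fi
    rm -f "$img"
}

demo
```

Reading a whole 250 GB device back through `tr` takes about as long as the wipe itself, but it is the only way to know that the zeros were actually written rather than trusting the byte count `dd` printed. A clean read-back also settles the answer's MBR point directly: the first sector is part of the range already zeroed, so a separate `bs=512 count=1` pass changes nothing.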