Reply to post:

Cryptowall 4.0: Update makes world's worst ransomware worse still

relmasian

Anonymous Coward, I assume you are replying to my initial post.

Yes, I do know that payloads can and are able to infect more than one operating system. However, the presence of a payload does not mean it is operational. Note that my initial post also said that you could actually use another version of your work system that was guaranteed not to be infected by just mounting a data drive on the guaranteed uninfected system.

At some point a file read has to fail or no one would pay a ransom. Why not use that requirement to detect ransomware encrypted files? All you need is a disk read that is completely independent of your working system. As I said earlier, you could even have the code running under an infected operating system; it just cannot use any of the usual, possibly infected, disk read/write mechanisms. Indeed, any computer that had its own, unique disk read/write method would make it difficult for ransomware to encrypt files in the first place, although it could be done by encrypting/de-encrypting at the application level.
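
The check proposed in the comment above, sketched as an added example that is not part of the original post: run from the known-clean system against the mounted data drive, it reads each file and flags those whose leading bytes no longer match the format their extension claims. The signature table, the 7.5 bits-per-byte threshold and the function names are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Well-known leading signatures ("magic bytes") for a few document formats.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}
ENTROPY_LIMIT = 7.5   # bits per byte; assumed threshold, tune on your own data
SAMPLE_BYTES = 64 * 1024


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def check_file(path: str) -> str:
    """Classify one file: ok, skipped, mismatch, or likely-encrypted."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "skipped"                      # no signature for this extension
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(magic):
        return "ok"
    # Wrong header: near-random content points to encryption, not a misnamed file.
    return "likely-encrypted" if entropy(head) > ENTROPY_LIMIT else "mismatch"


def scan(root: str) -> dict:
    """Check every file under the mounted data drive; report those not 'ok'."""
    found = {str(p.relative_to(root)): check_file(str(p))
             for p in Path(root).rglob("*") if p.is_file()}
    return {name: verdict for name, verdict in found.items() if verdict != "ok"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:  # constructed sample "drive"
        for name, body in {"good.pdf": b"%PDF-1.4\n" + b"x" * 100,
                           "locked.pdf": bytes(range(256)) * 16}.items():
            with open(os.path.join(drive, name), "wb") as fh:
                fh.write(body)                    # second file stands in for ciphertext
        print(scan(drive))
```

Files that have also been renamed to an extension missing from the table come back as `skipped`, so an unexpected rise in skipped files deserves the same attention as the flagged ones.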
