Ransomware Drive

Hey y'all, I was talking to a buddy of mine and he got ransomware owned, including his backup because it was connected to the network… Don't get me started. Double facepalm, yada.

Anyways, he wiped his whole network of computers but left the drive locked up with 20+ years of his art. He figures he was a first-run hit, so 3-4 years maybe.

Does anyone know if this shit is recoverable yet? Can anyone put me in the right direction?

I'm a Linux user, with an isolated burner laptop, in a Faraday cage.

I think a lot depends on what the ransomware was. Some of them turned out to have not been at all well written (surprise) and to have flaws which can be exploited to decrypt the drives/files. Unfortunately, if he was hit by one of the variants that was well put together, then his files are junk.

Did this one just encrypt the files or the whole drive? If just the files at least you can take copies of them to test on.


Thanks @BGL!! He did say it was just the individual files and not full disk encryption. He also said that he was hit in the very first round of the ransomware attacks.

Is there a way to determine which ransomware version he has been attacked with?

Thanks for the article @BGL, I'm going to look for the Linux tools to do the same tasks.


Hmmm… Working out what did it might be tricky unless he has a screen grab or photo of the posted messages telling him who to pay, etc. Some of the attacks also deposited txt files with details that, again, could help work out what was used.

You’ll have to look at the files on the drive.
Sometimes the encrypted files are renamed with a new extension, which might indicate what sort of malware it was.

If you’re really lucky Windows “previous versions” can even recover the original copies.


I agree with @MarcT.

The file extension that the files were encrypted to will usually be a pretty easy way to work out what variant your buddy got hit with. A quick Google would usually tell you.

If it is indeed an early variant then previous versions will be a good bet. Later versions dump previous versions so it will depend entirely on the variant.

Was the drive in a machine that got infected? Or just where the files were stored and shared out across the network from? If it was from a possibly infected machine and is bootable and Windows then boot in Safe Mode off the network to prevent further damage and then look into previous versions, etc. Also may be worth running Malwarebytes/ESET scans when in Safe Mode to see if you can ID the variant that way?

As others have said, if the bad actors were doing this to make money, they would generally leave instructions on how to pay for the decryption, which should help identify it, probably placed in :\users\victim\desktop\ReadMeOrWhatever.txt.

If the bad actors were just causing destruction, they would probably just encrypt without any instructions.
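The triage the posts above describe (tally the new file extension, spot which files are actually encrypted, and find the ransom note) can be scripted from the Linux burner box with the drive mounted read-only. This is an added example written for this thread, not a tool any poster referenced; the function names, the `NOTE_HINTS` list and the sample tree it builds are all constructed here.

```python
import math
import os
import tempfile
from collections import Counter

# Filename fragments that commonly mark the payment instructions; a constructed list.
NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "how_to")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, plain text usually well below 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Walk `root` read-only; tally extensions, flag encrypted-looking files and notes."""
    ext_counts, high_entropy, notes = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)  # a prefix is enough to judge entropy
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            lower = name.lower()
            if lower.endswith((".txt", ".html", ".hta")) and any(h in lower for h in NOTE_HINTS):
                notes.append(path)  # candidate ransom note: its wording is what you search for
                continue
            ext_counts[os.path.splitext(name)[1].lower()] += 1
            if shannon_entropy(head) >= threshold:
                high_entropy.append(path)
    return {"extensions": ext_counts.most_common(3),
            "high_entropy": sorted(high_entropy), "ransom_notes": sorted(notes)}

def build_sample_tree() -> str:
    """Constructed stand-in for the locked drive: two 'encrypted' files, one untouched, one note."""
    base = tempfile.mkdtemp()
    for name in ("cover.psd.locked", "sketch.jpg.locked"):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("plain text, low entropy\n" * 50)
    with open(os.path.join(base, "README_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact <placeholder> to pay.\n")
    return base
```

Run `triage("/mnt/locked_drive")` against the real mount; the most common extension and the note's text are what you paste into the decryptor sites' lookup pages.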

I thought that someone had solved one of the early ransomware hacks or is my memory wrong?

Looks like there may be a few here:
https://www.avast.com/ransomware-decryption-tools

If not, it may be able to help identify the actual ransomware used.
Not sure if it includes free bloatware/begware though… it does seem to be from Avast, who are particularly naggy with their free AV suite.