Ransomware

8 Posts
5 Users
0 Likes
407 Views
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Hello Guys

I got a client who had his system encrypted by ransomware. His system is running in a RAID setup.
I am wondering, when a file is encrypted, does it take the original and encrypt it, thereby creating a new file, in which case it is possible to carve the original file, or is that not possible?

I was thinking of using FTK Imager to do a live capture.

Thanks and take care
Kitty.

 
Posted : 08/12/2017 9:56 am
(@tinybrain)
Posts: 354
Reputable Member
 

Not answerable in this form. What ransomware exactly was in use?

 
Posted : 08/12/2017 10:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I got a client who had his system encrypted by ransomware. His system is running in a RAID setup.
I am wondering, when a file is encrypted, does it take the original and encrypt it, thereby creating a new file, in which case it is possible to carve the original file, or is that not possible?

Surprisingly, it depends on the specific exact ransomware, including the specific exact variant.

Some ransomware was badly coded (and partial data can be recovered the way you suggested), some other ransomware has been badly coded and decryption keys can be calculated (thus recovering ALL the data), most is unfortunately "well" coded and there are no known ways to recover data.

jaclaz

 
Posted : 08/12/2017 10:24 am
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Surprisingly, it depends on the specific exact ransomware, including the specific exact variant.

Some ransomware was badly coded (and partial data can be recovered the way you suggested), some other ransomware has been badly coded and decryption keys can be calculated (thus recovering ALL the data), most is unfortunately "well" coded and there are no known ways to recover data.

jaclaz

Thank you for the reply, I am doing a live capture now.

 
Posted : 08/12/2017 11:22 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Thank you for the reply, I am doing a live capture now.

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

best regards,
Robin

 
Posted : 08/12/2017 11:31 am
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

best regards,
Robin

I never thought of that, thank you for that info.
Should I use Volatility to analyze the memory, or are there other options available to me?

 
Posted : 08/12/2017 11:36 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

I never thought of that, thank you for that info.
Should I use Volatility to analyze the memory, or are there other options available to me?

You are welcome. Whether an encryption key is really held in memory depends on the version of ransomware. If you capture the memory and image the hard drive, you have done everything you can do NOW in this "Evidence Collection Phase". This might be enough to rescue the data... but it is still possible that all those files are lost and there is nothing unencrypted which could help you.

Try to identify the kind of ransomware and its "specifications". Even if you can't rescue anything, you might be able to do this in a few months when the FBI has arrested those criminals. So put the disc on a shelf and do not install a new Windows OS on it.

Good hunting!

 
Posted : 08/12/2017 11:49 am
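The two replies above make the point that a memory capture may hold the encryption key, and that whether it does depends on the ransomware version. One concrete way to check a capture for that is the key-schedule search from Halderman et al.'s cold-boot work (the technique behind the aeskeyfind tool): AES expands a 16-byte key into 176 bytes of round keys, most implementations keep that whole schedule in memory while encrypting, and a valid schedule is self-consistent, so every 16-byte window can be tested as a candidate key without knowing anything about the malware. The script below is an added example written for this thread, not code from the posters or from Volatility, FTK Imager or aeskeyfind. It assumes the dump is a flat raw file (pass the path as the first argument) and handles only contiguous AES-128 encryption-form schedules; AES-256 and decryption-form schedules (round keys with InvMixColumns applied) are out of scope. With no argument it scans a constructed stand-in image in which the FIPS-197 test key's schedule has been planted at a known offset.

```python
"""Scan a raw memory image for AES-128 key schedules (added example).

Only contiguous AES-128 encryption schedules are recognised here; a real
triage would also try AES-256 and decryption-form schedules.
"""
import random
import sys


def _gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box (GF(2^8) inverse followed by the affine map)
    instead of embedding the 256-entry table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):                       # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176                                  # 11 round keys * 16 bytes
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                       # RotWord
            t = [SBOX[b] for b in t]                # SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)                   # next round constant
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for every AES-128 encryption schedule in image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap filter first: the 5th schedule word w[4] is fixed by the key,
        # so compute just that word and compare before doing a full expansion.
        rot = cand[13:16] + cand[12:13]             # RotWord(w[3])
        w4 = bytes((SBOX[rot[j]] ^ (0x01 if j == 0 else 0) ^ cand[j]) for j in range(4))
        if w4 != image[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


def build_sample_image(key: bytes, offset: int = 1000, tail: int = 1000) -> bytes:
    """Constructed stand-in for a memory dump (not a real capture): seeded
    pseudo-random filler with one expanded key schedule planted at `offset`."""
    rng = random.Random(20171208)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return filler(offset) + expand_key_128(key) + filler(tail)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image(FIPS_KEY)
    for off, key in find_aes128_keys(data):
        print(f"AES-128 key schedule at offset 0x{off:x}: key {key.hex()}")
```

On the sample image this reports the planted key at offset 0x3e8. The filter on w[4] is what keeps a scan over a multi-gigabyte dump practical: a full 176-byte expansion only runs for the roughly one-in-four-billion windows whose fifth word happens to match. A key found this way is only useful if the malware actually used AES with the schedule resident at capture time; as the reply says, that depends on the variant, which is one more reason to identify the family before spending time on the dump.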
 Dimi
(@dimi)
Posts: 13
Active Member
 

Try www.nomoreransom.org for possible decryption

 
Posted : 08/12/2017 9:02 pm