Hi everyone
I'm looking into a case where a sensitive document is encrypted (we're speaking about ransomware here) on Windows XP. This file is not to be found in the directory, so it's basically made unavailable ("deleted"). I was wondering if there is any way I could recover the file, or at least its contents, by using a tool on Linux for example, or anything else. I've worked with Foremost, but apparently this tool did not recover this file.
First I would see if I could identify the type and version of ransomware. Subsequently you could see if there is a general decryptor available in the public domain. There are several websites that can analyze the encrypted file for you and provide a reasonably accurate identification. Just Google it.
I don't get it.
If the file is deleted and you cannot recover it, how do you know it is encrypted?
A ransomware does not delete files, it encrypts them, usually renaming them, so that - once the ransom is paid - they can be decrypted with the provided key.
Of course, that is if the ransomware author keeps his/her word and does send a valid decryption key.
jaclaz
Let me clear one thing up: by "deleted" I didn't mean to say that it was actually deleted, but just that it's not in place. If it's not there, I also can't upload it. I suppose it's cryptographically made unavailable.
Thank you for the replies btw
Well, you are not clearing anything, with all due respect.
You are saying that something that you cannot find:
1) exists
2) it is encrypted
There is no such thing AFAICT as "cryptographically made unavailable": a file is either encrypted and findable but not viewable, OR not encrypted and findable and viewable.
The file system is simply at a different level than "file encryption"; in any case, if you cannot find the file you also cannot say whether it is encrypted or not.
And again, all examples of actual ransomware I know of are based on the idea of obtaining a ransom, so they leave files visible (so that the victim can "see" them) but make them inaccessible by encrypting them (so that the victim is induced to pay the ransom, as the only obstacle to accessing the documents is a password/key).
Unless it is a "special", "new" ransomware, possibly specifically targeted at you or your customer, that has never been spread "in the wild", it will have a "name", and with it one can search for other cases (whether a decryptor is available or not is another thing) and usually find out what its behaviour is.
jaclaz
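As a practical follow-up to the point made above (encrypted files stay findable, they are just not viewable, and the ransomware family is usually identifiable from the renamed extension and the ransom note), here is an added example that is not part of the original thread and not any poster's code. It walks a directory tree, measures the byte entropy of each file's leading bytes to flag ciphertext-like files, tallies the extensions of those files, and lists small text files that look like ransom notes, which is exactly the information the identification websites ask for. The demo tree, the ".locked" extension and the note filename "README_DECRYPT.txt" are constructed for the example and are not tied to any real family.

```python
import math
import os
import tempfile
from collections import Counter

# Encrypted or compressed data approaches 8 bits of entropy per byte.
# Constructed threshold for the example; tune it for real data sets, because
# already-compressed formats (zip, docx, jpg) also score high.
ENTROPY_THRESHOLD = 7.5
NOTE_KEYWORDS = (b"decrypt", b"ransom", b"bitcoin", b"your files")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD, sample: int = 65536):
    """Return (path, entropy, extension) for every file whose first `sample`
    bytes have entropy at or above `threshold`."""
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            ent = shannon_entropy(head)
            if ent >= threshold:
                suspects.append((path, ent, os.path.splitext(name)[1].lower()))
    return suspects


def summarize_extensions(suspects) -> Counter:
    """Count suspect files per extension; a single dominant new extension
    is the usual first clue to the ransomware family."""
    return Counter(ext for _, _, ext in suspects)


def find_ransom_notes(root: str, max_size: int = 65536):
    """Return paths of small files whose content mentions typical ransom-note
    keywords; note filenames are a second identification clue."""
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    body = fh.read().lower()
            except OSError:
                continue
            if any(k in body for k in NOTE_KEYWORDS):
                notes.append(path)
    return notes


def build_demo_tree() -> str:
    """Create a constructed sample tree: one 'encrypted' file (random bytes,
    renamed with a made-up extension), one ordinary document, one ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(os.urandom(32768))          # stands in for ciphertext
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly notes: nothing unusual.\n" * 200)
    with open(os.path.join(root, "README_DECRYPT.txt"), "wb") as fh:
        fh.write(b"Your files have been encrypted. Pay in bitcoin to decrypt.\n" * 20)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    suspects = scan_tree(root)
    for path, ent, ext in suspects:
        print(f"{ent:.2f} bits/byte  {ext:10s} {path}")
    print("extensions:", dict(summarize_extensions(suspects)))
    print("ransom notes:", find_ransom_notes(root))
```

Run it against the mount point of the imaged disk (read-only) rather than the live machine; the extension tally and the note filenames are what you feed to an identification service before looking for a decryptor. The ordinary text file scores far below the threshold, the random-byte file scores close to 8, and the note is found by content rather than by name, so a renamed note is still reported.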