
Encrypted file

Defuser
(@defuser)
New Member

Hi everyone

I'm looking into a case where a sensitive document is encrypted (we're speaking about ransomware here) on Windows XP. This file is not to be found in the directory, so it's basically made unavailable ("deleted"). I was wondering if there is any way I could recover the file, or at least its contents, by using a tool on Linux, for example, or anything else. I've worked with Foremost, but apparently this tool did not recover this file.


Posted : 21/05/2020 6:08 pm
xandstorm
(@xandstorm)
Member

First I would see if I could identify the type and version of ransomware. Subsequently you could see if there is a general decryptor available in the public domain. There are several websites that can analyze the encrypted file for you and provide a reasonably accurate identification. Just google.

Posted : 21/05/2020 6:42 pm
jaclaz
(@jaclaz)
Community Legend

I don't get it.

If the file is deleted and you cannot recover it, how do you know it is encrypted?

A ransomware does not delete files, it encrypts them, usually renaming them, so that - once the ransom is paid - they can be decrypted with the provided key.

Of course if the ransomware author keeps up to his/her word and does send a valid decrypting key.

jaclaz

Posted : 21/05/2020 6:49 pm
Defuser
(@defuser)
New Member

Let me clear one thing up: by "deleted" I didn't mean to say that it was actually deleted, but just that it's not in place. If it's not there I also can't upload it. I suppose it's cryptographically made unavailable.

Thank you for the replies btw

Posted : 21/05/2020 7:13 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @defuser

Let me clear one thing up: by "deleted" I didn't mean to say that it was actually deleted, but just that it's not in place. If it's not there I also can't upload it. I suppose it's cryptographically made unavailable.

Thank you for the replies btw

Well, you are not clearing anything, with all due respect.

You are saying that something that you cannot find:

1) exists
2) it is encrypted

There is no such thing AFAICT as "Cryptographically made unavailable", a file is encrypted and findable but not viewable OR not encrypted and findable and viewable.

The file system is simply at a different level than "file encryption". In any case, if you cannot find the file you also cannot say whether it is encrypted or not.

And again all examples of actual ransomware I know of are based on the idea of obtaining a ransom, so they leave files visible (so that the victim can "see" them) but make them inaccessible by encrypting them (so that the victim is induced to pay the ransom as the only obstacle to access the documents is a password/key).

Unless it is a "special", "new" ransomware, possibly specifically targeted at you or your customer, and one that was never spread "in the wild", it will have a "name", and with it one can search for other cases (whether a decryptor is available or not is another thing) and usually find out what its behaviour is.

jaclaz

Posted : 22/05/2020 12:09 pm
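The distinction jaclaz draws above (a file is either findable-but-unreadable, or simply not there) can be checked mechanically during triage. The following is an added example, not code from the thread or any tool named in it: it walks a constructed directory listing, reports whether each name is present, and uses byte entropy plus a hypothetical list of appended extensions to flag content that looks encrypted.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "directory": a readable document and a copy of it after a
# ransomware-style rename, filled with pseudo-random bytes (deterministic here
# so the result is reproducible; real ciphertext looks statistically the same).
PLAINTEXT = b"Quarterly report: revenue up 4% on last year. " * 40
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(80))
SAMPLE_DIR = {
    "report.docx": PLAINTEXT,
    "report.docx.locked": CIPHERTEXT,
}

# Hypothetical short list of suffixes appended by ransomware; extend per case.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def triage(listing: dict, threshold: float = 7.5) -> list:
    """Classify each file that is still present in the directory listing.

    The file-system view (is the name there?) is separate from the content
    view (is the content readable?), which is the point made in the thread.
    """
    findings = []
    for name, data in listing.items():
        ent = shannon_entropy(data)
        renamed = name.lower().endswith(SUSPICIOUS_SUFFIXES)
        findings.append({
            "name": name,
            "present": True,  # it is in the listing, so it was not deleted
            "entropy": round(ent, 2),
            "renamed": renamed,
            # Caveat: ZIP-based formats (docx, xlsx) and media files are also
            # high-entropy, so entropy alone is only a triage signal; require
            # the rename as corroboration before calling a file encrypted.
            "likely_encrypted": ent >= threshold and renamed,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DIR):
        print(finding)
```

To run this against a real mounted image, build `listing` from the files on disk instead of the constructed samples.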