Ransomware
 Anonymous

Hello Guys

I got a client who had his system encrypted by ransomware. His system is running in a RAID setup.
I am wondering, when a file is encrypted, does it take the original and encrypt it, thereby creating a new file, in which case it is possible to carve the original file, or is that not possible?

I was thinking of using FTK Imager to do a live capture.

Thanks and take care
Kitty.

Posted : 08/12/2017 9:56 am
TinyBrain
(@tinybrain)
Active Member

Not answerable in this form. What ransomware exactly was in use?

Posted : 08/12/2017 10:21 am
jaclaz
(@jaclaz)
Community Legend

I got a client who had his system encrypted by ransomware. His system is running in a RAID setup.
I am wondering, when a file is encrypted, does it take the original and encrypt it, thereby creating a new file, in which case it is possible to carve the original file, or is that not possible?

Surprisingly, it depends on the specific exact ransomware, including the specific exact variant.

Some ransomware was badly coded (and partial data can be recovered the way you suggested), some other ransomware has been badly coded and decrypting keys can be calculated (thus recovering ALL the data), most is unfortunately "well" coded and there are no known ways to recover data.

jaclaz

Posted : 08/12/2017 10:24 am
 Anonymous

Surprisingly, it depends on the specific exact ransomware, including the specific exact variant.

Some ransomware was badly coded (and partial data can be recovered the way you suggested), some other ransomware has been badly coded and decrypting keys can be calculated (thus recovering ALL the data), most is unfortunately "well" coded and there are no known ways to recover data.

jaclaz

Thank you for the reply, I am doing a live capture now.

Posted : 08/12/2017 11:22 am
Bunnysniper
(@bunnysniper)
Active Member

Thank you for the reply, I am doing a live capture now.

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

best regards,
Robin

Posted : 08/12/2017 11:31 am
 Anonymous

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

best regards,
Robin

I never thought of that, thank you for that info.
Should I use Volatility to analyze the memory, or are there other options available to me?

Posted : 08/12/2017 11:36 am
Bunnysniper
(@bunnysniper)
Active Member

Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.

I never thought of that, thank you for that info.
Should I use Volatility to analyze the memory, or are there other options available to me?

You are welcome. Whether an encryption key is really held in memory depends on the version of ransomware. If you capture the memory and image the hard drive, you have done everything you can do NOW in this "Evidence Collection Phase". This might be enough to rescue the data… but it is still possible that all those files are lost and there is nothing unencrypted which could help you.

Try to identify the kind of ransomware and its "specifications". Even if you can't rescue anything now, you might be able to do this in a few months when the FBI has arrested those criminals. So put the disc on a shelf and do not install a new Windows OS on it.

Good hunting!

Posted : 08/12/2017 11:49 am
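Robin's point that the key may still be in RAM can be checked directly on the captured memory image. The script below is an added example written for this thread, not code from any poster or from Volatility; it applies the same idea tools such as aeskeyfind use: slide a 16-byte window across the dump and accept it as an AES-128 key only if the 160 bytes that follow are exactly its expanded key schedule, which is the form the key takes in process memory while a file is being encrypted. The "dump", the planted offset and the FIPS-197 test key are all constructed for the demo.

```python
"""Scan a raw memory image for AES-128 key schedules (added example, not from the thread)."""
import random

# ---- GF(2^8) arithmetic and the AES S-box, generated instead of hard-coded ----
def _build_sbox():
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                     # powers of the generator 0x03 in GF(2^8)
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x = x * 3 mod the AES polynomial
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]   # multiplicative inverse
        s = inv
        for _ in range(4):                   # affine transform: XOR of four left-rotations
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[v] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _schedule_words(key):
    """Yield the 40 key-schedule words w[4..43] that follow a 16-byte AES-128 key."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                       # RotWord, SubWord, then XOR the round constant
            t = t[1:] + t[:1]
            t = bytes(SBOX[b] for b in t)
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
        yield w[-1]

def expand_key_aes128(key):
    """Full 176-byte AES-128 key schedule (11 round keys) for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    return bytes(key) + b"".join(_schedule_words(bytes(key)))

def find_aes128_keys(dump, step=1):
    """Return [(offset, key)] for every offset whose next 176 bytes form a valid key schedule.

    Almost every offset is rejected on the first expanded word, so the scan is
    roughly linear in the size of the dump despite the full check being 40 words.
    """
    hits = []
    for off in range(0, len(dump) - 176 + 1, step):
        key = dump[off:off + 16]
        pos = off + 16
        for word in _schedule_words(key):
            if dump[pos:pos + 4] != word:
                break
            pos += 4
        else:                                # every expanded word matched: a real key schedule
            hits.append((off, key))
    return hits

# ---- Constructed demo: a fake "memory dump" with one expanded key planted in it ----
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
DEMO_OFFSET = 4096                                               # chosen for the demo

def build_demo_dump(size=16384, seed=1234):
    """Random filler with the expanded DEMO_KEY at DEMO_OFFSET and the bare key bytes at 512."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    dump[DEMO_OFFSET:DEMO_OFFSET + 176] = expand_key_aes128(DEMO_KEY)  # key as a live process holds it
    dump[512:528] = DEMO_KEY             # bare key with no schedule after it: must NOT be reported
    return bytes(dump)

def demo():
    return find_aes128_keys(build_demo_dump())

if __name__ == "__main__":
    for off, key in demo():
        print(f"AES-128 key schedule at offset 0x{off:x}: {key.hex()}")
```

Run it as a script, or call `find_aes128_keys(open("memory.raw", "rb").read())` on your own capture. Two caveats for real cases: a pure-Python loop over a multi-gigabyte image is slow, so use aeskeyfind or a Volatility plugin for the production scan (the check is the same); and a hit only exists if the ransomware still held a symmetric key in process memory when the capture was taken, and even then you still need the family's file format (IV placement, per-file versus global keys) before the key decrypts anything.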
Dimi
(@dimi)
New Member

Try www.nomoreransom.org for possible decryption

Posted : 08/12/2017 9:02 pm