Ad Widget

Collapse

Announcement

Collapse
No announcement yet.

Ransomware File Recovery?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ransomware File Recovery?

    My ham radio friend, Tom in west Texas, Passed away 2 years ago.
    I talked to his wife Inez, today.
    Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
    Inez turned them on to recover some of the pictures, to make a tribute slide show.
    Only to find that both computers have files locked with ransomware.
    The ransomware wants $5000 to unlock the files!
    She had a computer guy look at them with no luck?
    Is there some way, to maybe boot the computer with a OS, like linux live, and maybe recover some of the files.
    The problem I see with that is the files are encrypted?
    I am 600 miles away, so can't try anything myself.
    Trying to come up with some kind of recovery plan to suggest to Inez.
    Anyone got any ideas, or have any suggestions?
    This turned out to be a very cruel hack on my friends wife's computers!
    I would like to help her, if possible?

    T
    "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
    Terry

  • #2
    I don't think the files would be encrypted unless someone encrypted them intentionally. They would be on the drive (likely) as regular jpegs. Can she get into safe mode, or is she completely locked out? I've had good luck removing ransomware with Malwarebytes, but it sometimes has to be run from a USB stick or CD and it's usually not easy guiding people through the process of running things from a command prompt. I think your idea of booting from another disc and recovering files would work too. Depending on how many pictures you want to recover, it could take some beefy external storage. If you could just get rid of the ransomware, I might try that first.
    "I took a photo of my ohm meter... It didn't help." Enzo 8/20/22

    Comment


    • #3
      I'll try to get more info.
      The files probably won't be encrypted, but access to the drive or folders, may require an encrypted key to access?
      This article in PC world shows the severity of different ransomware types.
      https://www.pcworld.com/article/2084...ansomware.html
      If someone could boot it up on a live ubuntu flash drive, we would know if they really encrypted the drive or not.
      I think it will require someone local to look at it, maybe I can give them some suggestions.
      She doesn't care about saving the software, OS, just wants to recover some documents and the pictures.
      Thanks,
      T
      **
      Hope it doesn't have this one!
      https://images.techhive.com/images/a...49480-orig.jpg
      Last edited by big_teee; 10-18-2017, 05:44 AM.
      "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
      Terry

      Comment


      • #4
        Not ransomware but short ago I had a similar problem, maybe something of what I did might help.
        A few months ago, my old but trusty Toshiba NB505 crashed, motherboard dead.

        I bought exact same model, used of course, just to transplant my old hard disk into it, turn it on and keep working, I have customers/billing/sales/tax/appointments/etc, data in it.

        Computer turned up to be a dog, from day 1 and when I tried to send it back, sellers disappeared, their ID was fake, the phone was from a disposable prepaid chip, the works.

        Just to try to annoy them, say call 3AM or something and tell dem ugly things, I tried to read the disk that came with it, and on which I was not really interested, but might give me lots of clues about them.

        Disk had been reformatted with Windows 8 and locked, and only way to get in was to connect to a Google account whose name and password I did not know.
        Or fully reformat it and install a new OS from scratch, which of course would fully erase any old data.
        So I put the disk on an USB disk case, plugged it into another computer and tried to read it from outside.
        NO WAY without the d*mned Google account.

        So I downloaded (on my disk, of course) data recovery software, I think it was Get Data Back "NTFS"???? (the file system under which the drive was formatted) and let it chugging all night.

        Next day I was presented with a mile long list of files it had found, and asked me which I wanted to recover.
        Mind you; Data, not Software.

        I first recovered some 200 DOCX documents which I copied to my own drive, then some 5000 .jpgs which I browsed and of which I copied some 200, including her honeymoon pictures, vacation snapshots and young kids birthdays.

        Mind you GDB does not know the original picture name; to it, it´s just a chunk of digital data, so pictures get a random generated name, such as $494A.JPG .
        Looks like all file names start with "$"
        Anotherf "problem" is that it apparently finds 2 - 5 -10 copies of exact same picture, all but one are unreadable: just partly overwritten "ghost" copies, created each time you *viewed* it.
        Of course, only the last one is valid.
        Or is it the first one?


        What I mean that a similar system might be used on your Friend´s computer.

        FWIW my old computer (still) runs W7 starter, what was preloaded , and the disk I read usede W8.
        Mind you, I could never *start* it or run anything (unless I fully format it first) but get Data back coukld read it, I guess they low level read sector by sector and couldn´t care less about Operating Sistem and similar stuff.

        I suggest your friend´s wife mails you both computers (if netbooks) or at least the hard disks, and you, who are computer savvy, try cracking it in your free time.
        Last edited by J M Fahey; 10-18-2017, 05:59 AM.
        Juan Manuel Fahey

        Comment


        • #5
          Thanks for the info.
          I think he had souped up tower computers.
          Probably 3.5" desktop drives.
          I have lots of 2.5" laptop stuff, drives and drive mountings.
          I don't understand the hacking mentality, destroying peoples valuable files and memories!
          She has another local tech guy, that was a good friend of Tom's, that is supposed to look it over, when he has time.
          I've offered to do whatever I can, and whatever she wants me to try!
          Thanks,
          T
          "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
          Terry

          Comment


          • #6
            There are a number of approaches used and it's important to identify the signature of the ransomware either through the message or from the files themselves. Often most of the files are encrypted using a background routine that's either been inadvertently downloaded or intentionally run by the victim. I regularly get bogus calls from India and Pakistan claiming to be from my service provider and asking to take control of my PC to fix faults. Sometimes they claim to be from 'Windows'.

            A starting point is https://malwarehunterteam.com. You can use this to identify the ransomware and to see if there's a fix.

            See also here for more information; Ransomware: How to recover your encrypted files, the last guide.Security Affairs

            Comment


            • #7
              New Virus Decides If Your Computer Good for Mining or Ransomware.
              Saw this on Hacker News, and thought You want to read, and be aware of this.
              https://thehackernews.com/2018/07/cr...ansomware.html
              T
              "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
              Terry

              Comment


              • #8
                Originally posted by big_teee View Post
                New Virus Decides If Your Computer Good for Mining or Ransomware.
                Saw this on Hacker News, and thought You want to read, and be aware of this.
                https://thehackernews.com/2018/07/cr...ansomware.html
                T
                Seems it's going after the Russian Population....Wonder how Stans doing.

                nosaj
                soldering stuff that's broken, breaking stuff that works, Yeah!

                Comment


                • #9
                  Originally posted by nosaj View Post
                  Wonder how Stans doing.

                  nosaj
                  "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
                  Terry

                  Comment


                  • #10
                    Originally posted by big_teee View Post
                    My ham radio friend, Tom in west Texas, Passed away 2 years ago.
                    I talked to his wife Inez, today.
                    Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
                    Inez turned them on to recover some of the pictures, to make a tribute slide show.
                    Only to find that both computers have files locked with ransomware.
                    The ransomware wants $5000 to unlock the files!
                    She had a computer guy look at them with no luck?
                    Is there some way, to maybe boot the computer with a OS, like linux live, and maybe recover some of the files.
                    The problem I see with that is the files are encrypted?
                    I am 600 miles away, so can't try anything myself.
                    Trying to come up with some kind of recovery plan to suggest to Inez.
                    Anyone got any ideas, or have any suggestions?
                    This turned out to be a very cruel hack on my friends wife's computers!
                    I would like to help her, if possible?

                    T
                    If its the real thing, and I hope to hell it is not, yes, there is a virus (or whatever you want to call it) that is EXTREMELY efficient, runs in the background, and encrypts files. When it gets to a certain point, it sends a message back to the mother ship, and alerts you to the ransome. If it is the real encrypt ransomware, its going to be tough to get the files back.

                    I hope its a fake and the files are really not encrypted.

                    Here's one article. https://malwaretips.com/blogs/remove...crypted-virus/
                    The only good solid state amp is a dead solid state amp. Unless it sounds really good, then its OK.

                    Comment


                    • #11
                      Originally posted by Mick Bailey View Post
                      There are a number of approaches used and it's important to identify the signature of the ransomware either through the message or from the files themselves. Often most of the files are encrypted using a background routine that's either been inadvertently downloaded or intentionally run by the victim. I regularly get bogus calls from India and Pakistan claiming to be from my service provider and asking to take control of my PC to fix faults. Sometimes they claim to be from 'Windows'.

                      A starting point is https://malwarehunterteam.com. You can use this to identify the ransomware and to see if there's a fix.

                      See also here for more information; Ransomware: How to recover your encrypted files, the last guide.Security Affairs
                      Re calls from various places, me too, I wondered how widespread it was. Really curious how the heck they got my phone number. I get the idea they can see a piece of our account information through a remote web connection somehow. I got one call, recognized what was happening, and led the guy for about 2 hours off and on. I kept playing dumb. He wanted to "fix something" via remote connection. Blahh
                      The only good solid state amp is a dead solid state amp. Unless it sounds really good, then its OK.

                      Comment


                      • #12
                        Originally posted by mikepukmel View Post
                        Re calls from various places, me too, I wondered how widespread it was. Really curious how the heck they got my phone number. I get the idea they can see a piece of our account information through a remote web connection somehow. I got one call, recognized what was happening, and led the guy for about 2 hours off and on. I kept playing dumb. He wanted to "fix something" via remote connection. Blahh
                        Leading the creep on for 2 hours for your own entertainment can be a bit of fun. And meanwhile he's not pestering someone else nor wrecking their computers. If that's the kind of entertainment you enjoy, there are literally thousands of youtube videos from 2 minutes to over an hour long, exchanges between ordinary folks - some with excellent computer skills - and these dopes that try to get you to let them into your computer so they can install malware then charge big money to "fix the problem" they caused. Sound familiar? The videos where the scammer's computer, sometimes all the computers linked to it at scam central, wind up being "bricked" iow made useless permanently. Also, by watching these you can learn a vocabulary of insults in Hindi and some other languages. Good fun if you're bored.

                        How did they get your number? Those bastids call everybody! As you approach Medicare age, you'll be getting multiple daily calls from all sorts of scammers trying to convince you to sign up for their services. All they're doing is gathering your personal data for identity theft. You can play 'em for fun or just hang up. One thing I've noticed on many scam calls, there's a couple seconds hesitation before the caller speak, and if you listen carefully there's a "boing" sound. "BOING", cue the scammer's schpiel...
                        This isn't the future I signed up for.

                        Comment


                        • #13
                          Originally posted by Leo_Gnardo View Post
                          Leading the creep on for 2 hours for your own entertainment can be a bit of fun. And meanwhile he's not pestering someone else nor wrecking their computers. If that's the kind of entertainment you enjoy, there are literally thousands of youtube videos from 2 minutes to over an hour long, exchanges between ordinary folks - some with excellent computer skills - and these dopes that try to get you to let them into your computer so they can install malware then charge big money to "fix the problem" they caused. Sound familiar? The videos where the scammer's computer, sometimes all the computers linked to it at scam central, wind up being "bricked" iow made useless permanently. Also, by watching these you can learn a vocabulary of insults in Hindi and some other languages. Good fun if you're bored.

                          How did they get your number? Those bastids call everybody! As you approach Medicare age, you'll be getting multiple daily calls from all sorts of scammers trying to convince you to sign up for their services. All they're doing is gathering your personal data for identity theft. You can play 'em for fun or just hang up. One thing I've noticed on many scam calls, there's a couple seconds hesitation before the caller speak, and if you listen carefully there's a "boing" sound. "BOING", cue the scammer's schpiel...
                          Oh man, good time for us to sell this house, and get that cabin in the woods. No internet, no phone. Hold on. No internet means no music-electronics-forum. OK scrap that idea.
                          The only good solid state amp is a dead solid state amp. Unless it sounds really good, then its OK.

                          Comment


                          • #14
                            Originally posted by big_teee View Post
                            My ham radio friend, Tom in west Texas, Passed away 2 years ago.
                            I talked to his wife Inez, today.
                            Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
                            Inez turned them on to recover some of the pictures, to make a tribute slide show.
                            Only to find that both computers have files locked with ransomware.
                            The ransomware wants $5000 to unlock the files!
                            She had a computer guy look at them with no luck?
                            Is there some way, to maybe boot the computer with a OS, like linux live, and maybe recover some of the files.
                            The problem I see with that is the files are encrypted?
                            I am 600 miles away, so can't try anything myself.
                            Trying to come up with some kind of recovery plan to suggest to Inez.
                            Anyone got any ideas, or have any suggestions?
                            This turned out to be a very cruel hack on my friends wife's computers!
                            I would like to help her, if possible?

                            T
                            I hate to tell her to run the computers, if its not done encrypting yet. Any chance she sent you a screen shot of the message, or if she can't get one, maybe a digital camera photo of the screen, so we can google the malware?
                            The only good solid state amp is a dead solid state amp. Unless it sounds really good, then its OK.

                            Comment


                            • #15
                              I don't think the files would be encrypted unless someone encrypted them intentionally. They would be on the drive (likely) as regular jpegs. Can she get into safe mode, or is she completely locked out? I've had good luck removing ransomware with Malwarebytes, but it sometimes has to be run from a USB stick or CD and it's usually not easy guiding people through the process of running things from a command prompt. I think your idea of booting from another disc and recovering files would work too. Depending on how many pictures you want to recover, it could take some beefy external storage. If you could just get rid of the ransomware, I might try that first.
                              IMHO, Dr.Web Light is a good options as well as ESET Mobile Security & Antivirus.
                              Last edited by big_teee; 03-26-2019, 07:37 PM. Reason: Rmvd link, and gave warning infraction!

                              Comment

                              Working...
                              X