
Thread: Ransomware File Recovery?

  1. #1
    big_teee (ToneOholic!, Mid-South USA)

    Ransomware File Recovery?

    My ham radio friend, Tom in West Texas, passed away 2 years ago.
    I talked to his wife Inez, today.
    Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
    Inez turned them on to recover some of the pictures, to make a tribute slide show.
    Only to find that both computers have files locked with ransomware.
    The ransomware wants $5000 to unlock the files!
    She had a computer guy look at them with no luck?
    Is there some way to maybe boot the computer with an OS, like Linux live, and maybe recover some of the files?
    The problem I see with that is the files are encrypted?
    I am 600 miles away, so can't try anything myself.
    Trying to come up with some kind of recovery plan to suggest to Inez.
    Anyone got any ideas, or have any suggestions?
    This turned out to be a very cruel hack on my friend's wife's computers!
    I would like to help her, if possible?

    T



    "You can't promote principled anti-corruption action without pissing off corrupt people!" Diplomat George Kent
    Terry

  2. #2
    The Dude (Supporting Member, Sioux Falls, SD)
    I don't think the files would be encrypted unless someone encrypted them intentionally. They would be on the drive (likely) as regular jpegs. Can she get into safe mode, or is she completely locked out? I've had good luck removing ransomware with Malwarebytes, but it sometimes has to be run from a USB stick or CD and it's usually not easy guiding people through the process of running things from a command prompt. I think your idea of booting from another disc and recovering files would work too. Depending on how many pictures you want to recover, it could take some beefy external storage. If you could just get rid of the ransomware, I might try that first.

    “Yeah, well, you know, that’s just, like, your opinion, man.”

  3. #3
    big_teee (ToneOholic!, Mid-South USA)
    I'll try to get more info.
    The files probably won't be encrypted, but access to the drive or folders, may require an encrypted key to access?
    This article in PC world shows the severity of different ransomware types.
    https://www.pcworld.com/article/2084...ansomware.html
    If someone could boot it up on a live Ubuntu flash drive, we would know if they really encrypted the drive or not.
    I think it will require someone local to look at it, maybe I can give them some suggestions.
    She doesn't care about saving the software, OS, just wants to recover some documents and the pictures.
    Thanks,
    T
    **
    Hope it doesn't have this one!
    https://images.techhive.com/images/a...49480-orig.jpg

    Last edited by big_teee; 10-18-2017 at 06:44 AM.



  4. #4
    J M Fahey (Old Timer, Buenos Aires, Argentina)
    Not ransomware, but a short while ago I had a similar problem; maybe something of what I did might help.
    A few months ago, my old but trusty Toshiba NB505 crashed, motherboard dead.

    I bought the exact same model, used of course, just to transplant my old hard disk into it, turn it on and keep working; I have customers/billing/sales/tax/appointments/etc. data in it.

    Computer turned out to be a dog from day 1, and when I tried to send it back, the sellers disappeared: their ID was fake, the phone was from a disposable prepaid chip, the works.

    Just to try to annoy them, say call at 3AM or something and tell them ugly things, I tried to read the disk that came with it, in which I was not really interested, but which might give me lots of clues about them.

    Disk had been reformatted with Windows 8 and locked, and the only way to get in was to connect to a Google account whose name and password I did not know.
    Or fully reformat it and install a new OS from scratch, which of course would fully erase any old data.
    So I put the disk in a USB disk case, plugged it into another computer and tried to read it from outside.
    NO WAY without the d*mned Google account.

    So I downloaded (onto my own disk, of course) data recovery software, I think it was Get Data Back "NTFS"???? (the file system under which the drive was formatted), and let it chug all night.

    Next day I was presented with a mile-long list of files it had found, and asked which I wanted to recover.
    Mind you: data, not software.

    I first recovered some 200 DOCX documents which I copied to my own drive, then some 5000 .jpgs which I browsed and of which I copied some 200, including her honeymoon pictures, vacation snapshots and young kids' birthdays.

    Mind you, GDB does not know the original picture name; to it, it's just a chunk of digital data, so pictures get a randomly generated name, such as $494A.JPG.
    Looks like all file names start with "$".
    Another "problem" is that it apparently finds 2 - 5 - 10 copies of the exact same picture, all but one unreadable: just partly overwritten "ghost" copies, created each time you *viewed* it.
    Of course, only the last one is valid.
    Or is it the first one?


    What I mean is that a similar system might be used on your friend's computer.

    FWIW my old computer (still) runs W7 Starter, which was preloaded, and the disk I read used W8.
    Mind you, I could never *start* it or run anything (unless I fully format it first), but Get Data Back could read it; I guess they low-level read sector by sector and couldn't care less about the operating system and similar stuff.

    I suggest your friend's wife mails you both computers (if netbooks) or at least the hard disks, and you, who are computer savvy, try cracking it in your free time.

    Last edited by J M Fahey; 10-18-2017 at 06:59 AM.
    Juan Manuel Fahey
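    The sector-by-sector reading Juan describes is file carving: the recovery tool looks for the start and end markers of known file types in the raw bytes and ignores the file system, which is why it works on a disk that cannot be booted and why the recovered pictures come back with generated names. The following is an added example, not code from this thread and not how Get Data Back works internally; the disk image, the $-prefixed naming and the 512-byte sector layout are constructed for the demonstration. It also shows how a partly overwritten "ghost" copy (a picture whose end marker is gone) is told apart from the intact copy, and how byte-identical copies are collapsed.

```python
"""Carve JPEGs out of a raw disk image by their markers, ignoring the file system.

Added example: not code from the thread and not how Get Data Back (the tool the
post mentions) works internally. The image below is constructed inline; the
$-prefixed names and 512-byte sectors imitate the post's description.
"""
import hashlib

SOI = b"\xff\xd8\xff"        # JPEG start-of-image marker plus the next marker's FF
EOI = b"\xff\xd9"            # JPEG end-of-image marker
MAX_JPEG = 20 * 1024 * 1024  # a candidate longer than this is not a picture
SECTOR = 512


def carve_jpegs(image: bytes):
    """Yield (offset, data, complete) for every SOI found in the raw bytes."""
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return
        end = image.find(EOI, start + len(SOI))
        next_soi = image.find(SOI, start + len(SOI))
        # A picture runs to the first EOI after it. If another SOI turns up first
        # (or there is no EOI at all), this copy lost its tail: a partly
        # overwritten ghost, which is reported but cannot be a valid file.
        if end < 0 or 0 <= next_soi < end or end - start > MAX_JPEG:
            stop = next_soi if next_soi >= 0 else len(image)
            yield start, image[start:stop], False
            pos = start + len(SOI)
        else:
            yield start, image[start:end + len(EOI)], True
            pos = end + len(EOI)


def recover(image: bytes):
    """Carve, drop ghosts, collapse byte-identical copies.

    Returns ([{"name", "size", "copies"}, ...], ghosts_dropped). No original file
    name survives a carve, so files are named by their offset, $-prefixed like the
    post's $494A.JPG.
    """
    seen, ghosts = {}, 0
    for offset, data, complete in carve_jpegs(image):
        if not complete:
            ghosts += 1
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            seen[digest]["copies"] += 1
        else:
            seen[digest] = {"name": f"${offset:04X}.JPG", "size": len(data), "copies": 1}
    return list(seen.values()), ghosts


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in JPEG: real SOI/APP0 header bytes, dummy content, EOI.
    Enough for the marker scan, not a decodable picture."""
    return SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + payload + EOI


def constructed_image() -> bytes:
    """Constructed disk image, four sector-aligned slots: picture A, a ghost of A with
    its last 200 bytes (EOI included) overwritten, picture B, a second full copy of A."""
    pic_a, pic_b = fake_jpeg(b"A" * 700), fake_jpeg(b"B" * 300)
    ghost = pic_a[:-200]
    pad = lambda chunk: chunk + b"\x00" * (-len(chunk) % SECTOR)
    return b"".join(pad(c) for c in (pic_a, ghost, pic_b, pic_a))


if __name__ == "__main__":
    files, ghosts = recover(constructed_image())
    for f in files:
        print(f"{f['name']}  {f['size']} bytes  copies={f['copies']}")
    print(f"ghost copies dropped: {ghosts}")
```

    The demo reads the whole image into memory; a real disk would be scanned in chunks that overlap by a few bytes so a marker straddling two chunks is not missed. Two caveats worth knowing before trusting the output: JPEGs with an embedded EXIF thumbnail contain a second SOI/EOI pair, so a marker-only carver splits them unless it also parses the segment lengths; and on a drive hit by file-encrypting ransomware, carving only finds pictures whose clusters were not overwritten, so a file whose content has been replaced by ciphertext is exactly what carving cannot bring back.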

  5. #5
    big_teee (ToneOholic!, Mid-South USA)
    Thanks for the info.
    I think he had souped up tower computers.
    Probably 3.5" desktop drives.
    I have lots of 2.5" laptop stuff, drives and drive mountings.
    I don't understand the hacking mentality, destroying people's valuable files and memories!
    She has another local tech guy, that was a good friend of Tom's, that is supposed to look it over, when he has time.
    I've offered to do whatever I can, and whatever she wants me to try!
    Thanks,
    T




  6. #6
    Mick Bailey (Supporting Member, UK)
    There are a number of approaches used and it's important to identify the signature of the ransomware either through the message or from the files themselves. Often most of the files are encrypted using a background routine that's either been inadvertently downloaded or intentionally run by the victim. I regularly get bogus calls from India and Pakistan claiming to be from my service provider and asking to take control of my PC to fix faults. Sometimes they claim to be from 'Windows'.

    A starting point is https://malwarehunterteam.com. You can use this to identify the ransomware and to see if there's a fix.

    See also here for more information: Ransomware: How to recover your encrypted files, the last guide (Security Affairs).

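    The identification step Mick describes, looking at the message and at the files themselves, can be done from a live Linux boot without writing to the drive, and it also settles the earlier question of whether the pictures are really encrypted. The script below is an added example, not code from this thread or from the identification site linked above; the mount path /mnt/suspect and the file names in the constructed sample folder are assumptions. It reads only the first 512 bytes of each file and reports three things an identification service asks for: picture files whose bytes no longer start with a picture header, the extension appended to their names, and any file named like a ransom note.

```python
"""Triage a drive that may hold ransomware-encrypted pictures, without changing it.

Added example for this thread, not code from the thread or from the sites it links.
Assumption: the suspect disk is mounted read-only on a live Linux system at
MOUNT_ROOT (a hypothetical path).
"""
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MOUNT_ROOT = "/mnt/suspect"   # assumption: read-only mount of the suspect disk
HEAD_BYTES = 512              # how much of each file is inspected
PICTURE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
NOTE_EXT = {".txt", ".html", ".hta"}
NOTE_WORDS = ("decrypt", "readme", "how_to", "recover", "restore", "ransom")


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits near 8.0, headers far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_header(head: bytes):
    """Return the picture type announced by the first bytes, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def triage_file(name: str, head: bytes) -> dict:
    """Signals for one file, from its name and its first bytes."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    inner_picture = any(s in PICTURE_EXT for s in suffixes[:-1])
    header = classify_header(head)
    return {
        "name": name,
        "header": header,
        "entropy": round(entropy(head), 2),
        # photo.jpg.locked: a picture extension with something appended after it
        "extra_ext": last if inner_picture and last not in PICTURE_EXT else None,
        "ransom_note": last in NOTE_EXT and any(w in name.lower() for w in NOTE_WORDS),
        # claims to be a picture, but the bytes no longer carry a picture header
        "encrypted_suspect": (last in PICTURE_EXT or inner_picture) and header is None,
    }


def triage_tree(root: str) -> dict:
    """Walk root, read only the first HEAD_BYTES of each file, summarise the signals."""
    suspects, notes, extra = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue   # unreadable entry: skip it, never retry with a writable mount
            r = triage_file(fn, head)
            if r["encrypted_suspect"]:
                suspects.append(path)
            if r["ransom_note"]:
                notes.append(path)
            if r["extra_ext"]:
                extra[r["extra_ext"]] += 1
    return {"suspect_pictures": suspects, "ransom_notes": notes,
            "extra_extensions": dict(extra)}


def build_constructed_sample(folder: str) -> None:
    """Constructed stand-in for a photo folder: an intact JPEG header, one 'encrypted'
    file (uniform bytes, entropy 8.0, standing in for ciphertext), a ransom note and
    a harmless text file."""
    samples = {
        "intact.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 500,
        "photo2.jpg.locked": bytes(range(256)) * 2,
        "HOW_TO_DECRYPT_FILES.txt": b"Your files are encrypted. Pay to get the key.\n",
        "notes.txt": b"tribute slide show: use the holiday pictures\n",
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Triage the constructed sample in a temporary folder; base names only."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        summary = triage_tree(tmp)
    for key in ("suspect_pictures", "ransom_notes"):
        summary[key] = sorted(os.path.basename(p) for p in summary[key])
    return summary


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    # on the real disk: print(json.dumps(triage_tree(MOUNT_ROOT), indent=2))
```

    Mount the disk read-only from the live system before running triage_tree on it. A folder full of .jpg files that still carry the JPEG header, with only a lock screen on the Windows side, means the pictures are most likely intact and can simply be copied off; a folder of picture names with a new extension appended, non-picture headers and entropy near 8.0 in the first bytes, plus a note file, is the case where the identification site and its decryptor list are the next step. The checks are heuristics, so read several files rather than one: some families rename without touching content, and some encrypt only the first part of each file.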

  7. #7
    big_teee (ToneOholic!, Mid-South USA)
    New Virus Decides If Your Computer Good for Mining or Ransomware.
    Saw this on Hacker News, and thought you'd want to read it and be aware of this.
    https://thehackernews.com/2018/07/cr...ansomware.html
    T




  8. #8
    nosaj (Master Destroyer, Pace, FL)
    Quote Originally Posted by big_teee:
    New Virus Decides If Your Computer Good for Mining or Ransomware.
    Saw this on Hacker News, and thought you'd want to read it and be aware of this.
    https://thehackernews.com/2018/07/cr...ansomware.html
    T
    Seems it's going after the Russian population.... Wonder how Stan's doing.

    nosaj

    Binkie McFartnuggets‏:If we really wanted to know the meaning of life we would have fed Stephen Hawking shrooms a long time ago.

  9. #9
    big_teee (ToneOholic!, Mid-South USA)
    Quote Originally Posted by nosaj:
    Wonder how Stan's doing.

    nosaj




  10. #10
    mikepukmel (Supporting Member, Massachusetts, USA)
    Quote Originally Posted by big_teee:
    My ham radio friend, Tom in West Texas, passed away 2 years ago.
    I talked to his wife Inez, today.
    Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
    Inez turned them on to recover some of the pictures, to make a tribute slide show.
    Only to find that both computers have files locked with ransomware.
    The ransomware wants $5000 to unlock the files!
    She had a computer guy look at them with no luck?
    Is there some way to maybe boot the computer with an OS, like Linux live, and maybe recover some of the files?
    The problem I see with that is the files are encrypted?
    I am 600 miles away, so can't try anything myself.
    Trying to come up with some kind of recovery plan to suggest to Inez.
    Anyone got any ideas, or have any suggestions?
    This turned out to be a very cruel hack on my friend's wife's computers!
    I would like to help her, if possible?

    T
    If it's the real thing, and I hope to hell it is not, yes, there is a virus (or whatever you want to call it) that is EXTREMELY efficient, runs in the background, and encrypts files. When it gets to a certain point, it sends a message back to the mother ship, and alerts you to the ransom. If it is the real encrypting ransomware, it's going to be tough to get the files back.

    I hope it's a fake and the files are really not encrypted.

    Here's one article. https://malwaretips.com/blogs/remove...crypted-virus/

    The only good solid state amp is a dead solid state amp. Unless it sounds really good, then its OK.

  11. #11
    mikepukmel (Supporting Member, Massachusetts, USA)
    Quote Originally Posted by Mick Bailey:
    There are a number of approaches used and it's important to identify the signature of the ransomware either through the message or from the files themselves. Often most of the files are encrypted using a background routine that's either been inadvertently downloaded or intentionally run by the victim. I regularly get bogus calls from India and Pakistan claiming to be from my service provider and asking to take control of my PC to fix faults. Sometimes they claim to be from 'Windows'.

    A starting point is https://malwarehunterteam.com. You can use this to identify the ransomware and to see if there's a fix.

    See also here for more information: Ransomware: How to recover your encrypted files, the last guide (Security Affairs).
    Re calls from various places, me too, I wondered how widespread it was. Really curious how the heck they got my phone number. I get the idea they can see a piece of our account information through a remote web connection somehow. I got one call, recognized what was happening, and led the guy for about 2 hours off and on. I kept playing dumb. He wanted to "fix something" via remote connection. Blahh


  12. #12
    Leo_Gnardo (Old Timer, Dogpatch-on-Hudson)
    Quote Originally Posted by mikepukmel:
    Re calls from various places, me too, I wondered how widespread it was. Really curious how the heck they got my phone number. I get the idea they can see a piece of our account information through a remote web connection somehow. I got one call, recognized what was happening, and led the guy for about 2 hours off and on. I kept playing dumb. He wanted to "fix something" via remote connection. Blahh
    Leading the creep on for 2 hours for your own entertainment can be a bit of fun. And meanwhile he's not pestering someone else nor wrecking their computers. If that's the kind of entertainment you enjoy, there are literally thousands of youtube videos from 2 minutes to over an hour long, exchanges between ordinary folks - some with excellent computer skills - and these dopes that try to get you to let them into your computer so they can install malware then charge big money to "fix the problem" they caused. Sound familiar? The videos where the scammer's computer, sometimes all the computers linked to it at scam central, wind up being "bricked" iow made useless permanently. Also, by watching these you can learn a vocabulary of insults in Hindi and some other languages. Good fun if you're bored.

    How did they get your number? Those bastids call everybody! As you approach Medicare age, you'll be getting multiple daily calls from all sorts of scammers trying to convince you to sign up for their services. All they're doing is gathering your personal data for identity theft. You can play 'em for fun or just hang up. One thing I've noticed on many scam calls, there's a couple seconds' hesitation before the caller speaks, and if you listen carefully there's a "boing" sound. "BOING", cue the scammer's spiel...

    Enjoy. Every. Sandwich.

  13. #13
    mikepukmel (Supporting Member, Massachusetts, USA)
    Quote Originally Posted by Leo_Gnardo:
    Leading the creep on for 2 hours for your own entertainment can be a bit of fun. And meanwhile he's not pestering someone else nor wrecking their computers. If that's the kind of entertainment you enjoy, there are literally thousands of youtube videos from 2 minutes to over an hour long, exchanges between ordinary folks - some with excellent computer skills - and these dopes that try to get you to let them into your computer so they can install malware then charge big money to "fix the problem" they caused. Sound familiar? The videos where the scammer's computer, sometimes all the computers linked to it at scam central, wind up being "bricked" iow made useless permanently. Also, by watching these you can learn a vocabulary of insults in Hindi and some other languages. Good fun if you're bored.

    How did they get your number? Those bastids call everybody! As you approach Medicare age, you'll be getting multiple daily calls from all sorts of scammers trying to convince you to sign up for their services. All they're doing is gathering your personal data for identity theft. You can play 'em for fun or just hang up. One thing I've noticed on many scam calls, there's a couple seconds' hesitation before the caller speaks, and if you listen carefully there's a "boing" sound. "BOING", cue the scammer's spiel...
    Oh man, good time for us to sell this house, and get that cabin in the woods. No internet, no phone. Hold on. No internet means no music-electronics-forum. OK scrap that idea.


  14. #14
    mikepukmel (Supporting Member, Massachusetts, USA)
    Quote Originally Posted by big_teee:
    My ham radio friend, Tom in West Texas, passed away 2 years ago.
    I talked to his wife Inez, today.
    Tom had 2 Win 8 Computers, with thousands, and thousands of digital pictures on the hard drives.
    Inez turned them on to recover some of the pictures, to make a tribute slide show.
    Only to find that both computers have files locked with ransomware.
    The ransomware wants $5000 to unlock the files!
    She had a computer guy look at them with no luck?
    Is there some way to maybe boot the computer with an OS, like Linux live, and maybe recover some of the files?
    The problem I see with that is the files are encrypted?
    I am 600 miles away, so can't try anything myself.
    Trying to come up with some kind of recovery plan to suggest to Inez.
    Anyone got any ideas, or have any suggestions?
    This turned out to be a very cruel hack on my friend's wife's computers!
    I would like to help her, if possible?

    T
    I hate to tell her to run the computers, if it's not done encrypting yet. Any chance she sent you a screen shot of the message, or if she can't get one, maybe a digital camera photo of the screen, so we can google the malware?


  15. #15
    New Member
    I don't think the files would be encrypted unless someone encrypted them intentionally. They would be on the drive (likely) as regular jpegs. Can she get into safe mode, or is she completely locked out? I've had good luck removing ransomware with Malwarebytes, but it sometimes has to be run from a USB stick or CD and it's usually not easy guiding people through the process of running things from a command prompt. I think your idea of booting from another disc and recovering files would work too. Depending on how many pictures you want to recover, it could take some beefy external storage. If you could just get rid of the ransomware, I might try that first.
    IMHO, Dr.Web Light is a good option, as well as ESET Mobile Security & Antivirus.

    Last edited by big_teee; 03-26-2019 at 08:37 PM. Reason: Rmvd link, and gave warning infraction!

  16. #16
    big_teee (ToneOholic!, Mid-South USA)
    I didn't hear her outcome.
    Since we are 600+ miles apart, she let a local friend work on the computers.
    I hope they came to a happy ending?
    Hopefully most of the ransomware era is over.
    I haven't heard of any lately, except on PC Matic commercials.
    Losing all your files and photos to a foreign bandit is a bad deal at best!
    T

    Last edited by big_teee; 03-27-2019 at 09:17 AM.


