Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

wannacry ransomware - what to do if payment fails

May 14th, 2017, 14:18

I have been hit with wannacry ransomware. DECADES of family photos and videos are now inaccessible. I plan to pay tomorrow (and only because it takes time for me to be approved to open a bitcoin account in my country). However, I expect only a 1% chance at most that the author will make good on his word. This is because there are others who have paid and nothing has happened.

So assuming the payment route fails, what should I do next? On one hand I want to use recovery tools and see if there is data in the "blank areas" of my hard drive that can be recovered (kind of like how people accidentally delete all their photos but the photos are still "there"). On the other hand I don't want to tamper with anything: in the unlikely case the author suddenly lets me decrypt, I need to leave the ransomware intact (and possibly the doublepulsar backdoor too) so I have a way to possibly have a conversation with the author (he has never replied so far from the "contact us" box).

Is there any way I can clone the drives so that it also clones the data in the areas that are marked as "nothing there" (when there might be something there?). I am very desperate, my gut is wrenching and I'm popping antacid nonstop. Any help or advice would be greatly appreciated.

Re: wannacry ransomware - what to do if payment fails

May 14th, 2017, 18:12

Have you been to https://www.nomoreransom.org/?
Also try the forums at bleepingcomputer.

I did see this, not sure if actual help for your problem, but maybe:
https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-outbreak-temporarily-stopped-by-accidental-hero-/

Re: wannacry ransomware - what to do if payment fails

May 14th, 2017, 18:22

https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

There are three hard coded bitcoin addresses in the WanaCrypt0r ransomware. These bitcoin addresses are 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Maybe I am missing something, but what I do not understand is if so many people are utilizing the same bitcoin address, how will the ransomware developers be able to differentiate the victims that have paid from those who have not?

For example, people have paid ransom to my assigned bitcoin address, yet the program still states I did not pay.

Re: wannacry ransomware - what to do if payment fails

May 14th, 2017, 19:47

Yes, purchase the necessary larger-than-your-internal HD external HD and immediately USB or DVD boot Macrium Reflect, AOMEI Backupper, EaseUS ToDo, Image for Windows, or anything similar, and make full images of your OS and Data partitions onto a detachable, reliable external HD. If/when you get your stuff back, you make another set of full images onto said external HD.

Re: wannacry ransomware - what to do if payment fails

May 14th, 2017, 22:40

Yes, I echo what RolandJS said.
Before trying anything, image your drives that are affected.

Common replies to this are:

1-But I can't afford another drive
2-I don't know how to do this
3-I don't want to do this, is there an easier way
4-I don't have time to do this

Answers:
1- You will then need a decryptor. If there isn't one, you will need to pay. If the criminals do not provide a key or decryptor, your files are gone.

2-Find someone that does, or learn. Only do disk operations when you are sure you know what you are doing. If you image over the wrong drive, you can permanently destroy your files.

3-Stop and think what is going to be easier, taking a risky shortcut or just biting the bullet and doing some work. If you image your drive first, you can try "easy" options and at least have some options if you have no success.

4-This is unfortunate as the criminals don't care. It is going to take time, and it is going to be inconvenient.

From what I have heard, you can thank the NSA for developing the exploit, but keeping it to themselves - to then get stolen and leaked to ransomware developers. Maybe they are working on a decryptor?

The SMB exploit that is causing this latest hullabaloo has been fixed, so get the Windows update released by MS the last few days. If you haven't updated Windows, then do this now.

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 6:28

HaQue wrote: The SMB exploit has been fixed that is causing this latest Hullabaloo, so get the windows update released by MS the last few days. If you haven't updated windows, then do this now.


I agree,

although the SMB exploit (eternalblue) is not the cause of the infection. It is responsible for the rapid diffusion through local computer networks, so the damages were more important in large companies. The first infection is done by traditional methods (e-mail, links, etc.).

The patch would not prevent infection, but it would prevent propagation through local networks.

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 7:37

Apparently anything really LONG needs "moderator approval" here. I posted a long message with multiple quotes and replies but it's been held for about 10 hours. But shorter messages it lets me. So I will try to separate the long post and post one by one until it doesn't let me again.

RolandJS wrote: (shortened due to restriction)


Which of these and which options to choose to make sure it clones every sector, even the "unassigned sectors" (which may have something behind it for "undelete")?

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 7:46

I am guessing that I cannot have more than one quote per post because it did it to me again for a short post. I will try posting without quoting people now.

Replying to HaQue regarding noransom site
Been there, unfortunately my strain isn't one of them.

regarding bleepingcomputer
I came over here from there.

regarding kill-switch
I was infected before they kill-switched it.

reply to Spildit regarding identifying who paid
The ransomer wouldn't reply to me regarding anything legitimate that would facilitate paying him and identifying that I paid.

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 7:49

For everyone's information. Messaged the ransomer the exact unique amount I would pay beforehand. Paid that amount. Nothing happened, as completely expected. Still had to try because what was lost was priceless.

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 9:29

Paying is not going to make sure you have the files back.

I have doubts that the authors of this ransomware know how to decrypt the files .........

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 9:39

I am cloning "sector by sector" with EaseUS Todo as I speak. One thing that happened was that putting in an exactly identical 3 TB drive model (hence same size and sectors) it told me I had insufficient space. I had to put in a 4 TB drive to "sector by sector" copy a 3 TB drive. Is this normal?

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 10:07

colanco wrote: Paying is not going to make sure you have the files back.

I have doubts that the authors of this ransomware know how to decrypt the files .........


There was a "test decrypt" and it decrypted a handful of files.

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 11:24

arbee66 wrote:
RolandJS wrote: (shortened due to restriction)
Which of these and which options to choose to make sure it clones every sector, even the "unassigned sectors" (which may have something behind it for "undelete")?
As far as I know, any major backup/restore/clone utility can make a one-pass sector-by-sector clone or full image. As for walking you through the steps, I cannot as I am in and out of classrooms all week, and moving during the weekends.
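
The following is an added example, not part of any post in this thread: Python that copies every byte of a source into a new image file, free space included, refuses to overwrite an existing destination, and checks the copy by SHA-256. The demo uses a constructed stand-in file; pointing `image_device` at a real raw device path, and the administrator rights that needs, are assumptions outside the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time

def sha256_file(path, chunk=CHUNK):
    """Hash a file or device in chunks so multi-TB sources never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy every byte of src, allocated or not; return (bytes, sha256 hex)."""
    digest = hashlib.sha256()
    total = 0
    # Mode "xb" raises FileExistsError instead of overwriting, so a mistyped
    # destination cannot destroy an existing image or file.
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
            digest.update(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return total, digest.hexdigest()

def demo():
    """Image a constructed 'disk' whose free space still holds old photo bytes."""
    residue = b"\xff\xd8\xff\xe0 constructed leftover photo bytes"
    with tempfile.TemporaryDirectory() as tmp:
        disk, img = os.path.join(tmp, "disk.raw"), os.path.join(tmp, "disk.img")
        with open(disk, "wb") as f:  # constructed stand-in for the affected drive
            f.write(b"\x00" * 4096 + residue + b"\x00" * 4096)
        size, src_hash = image_device(disk, img)
        verified = sha256_file(img) == src_hash  # image matches what was read
        with open(img, "rb") as f:
            kept = residue in f.read()  # bytes outside any file survived
        try:
            image_device(disk, img)
            refused = False
        except FileExistsError:
            refused = True  # a second run will not overwrite the first image
        return size, verified, kept, refused

if __name__ == "__main__":
    print(demo())
```

Recovery tools are then run against the image file (or a copy of it), never against the original drive.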

Re: wannacry ransomware - what to do if payment fails

May 15th, 2017, 14:32

Spildit wrote: If you have a router and/or a decent firewall that should protect the SMB server ports from outside (WAN) access, problem would be LAN propagation.



One of the main companies affected in Spain is "Telefónica", and its director of cyber security is a well known Spanish hacker (Chema Martínez) who knows where he steps and in my opinion did an excellent job, since the damages did not affect critical systems of the company.

An undistinguished security director closes all the doors and converts the network terminals into little less than paperweights, with practically no access to the outside, but surely safe .....

The difficulty is for the terminals to be functional while keeping the risks under control.

Re: wannacry ransomware - what to do if payment fails

June 16th, 2017, 8:37

arbee66 wrote: I have been hit with wannacry ransomware. DECADES of family photos and videos are now inaccessible. I plan to pay tomorrow (and only because it takes time for me to be approved to open a bitcoin account in my country). However, I expect only a 1% chance at most that the author will make good on his word. This is because there are others who have paid and nothing has happened.


Hello! Were you able to decrypt the files?

Re: wannacry ransomware - what to do if payment fails

June 16th, 2017, 12:12

https://www.techworm.net/2017/05/free-w ... eased.html

Re: wannacry ransomware - what to do if payment fails

June 16th, 2017, 20:01

Unfortunately it is still a requirement that the PC hasn't been rebooted, or that the memory alloc hasn't changed for where the keys were.