All times are UTC - 5 hours [ DST ]




 Post subject: .eking PHOBOS
PostPosted: May 11th, 2022, 9:25 

Joined: October 14th, 2005, 9:26
Posts: 1029
Hi to all! :mrgreen:
Files are encrypted by PHOBOS ransomware!!!

Is there a decrypter? It is a .FDB file.

info.txt
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: "BillScars@gmx.com."
If we don't answer in 24h., send e-mail to this address: "billscars@mailfence.com."

:?:

_________________
Nothing is impossible


 
 Post subject: Re: .eking PHOBOS
PostPosted: May 11th, 2022, 10:28 

Joined: January 28th, 2009, 10:54
Posts: 3445
Location: Greece
No one in the world can decrypt Phobos / Dharma.

If someone can, then they own the master key (so they're the ransomware developers) or they're simply lying and they're part of the operation (i.e. they're in touch with the criminals, they get a discount and then pocket the difference/fee).

You can check existing solutions here: https://www.nomoreransom.org/en/decryption-tools.html

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 
 Post subject: Re: .eking PHOBOS
PostPosted: May 11th, 2022, 11:58 

Joined: October 14th, 2005, 9:26
Posts: 1029
Ok thanks!

_________________
Nothing is impossible


 
 Post subject: Re: .eking PHOBOS
PostPosted: June 3rd, 2022, 4:52 

Joined: March 11th, 2021, 10:13
Posts: 184
Location: Switzerland
Just a note: I had an IT company come in with eking ransomware from one of their customers, on a server with 3 x 450 GB Seagate SAS drives. I imaged the drives and recreated the RAID in DE. Not all files visible on the FS were encrypted. I also did a RAW recovery and got some data. (They paid the ransom but never received the key.)

In the end, I can't say the customer was happy, as important files were still encrypted, but they were surprised to get something. They asked me and paid to get an image of the RAID. They could then rebuild the server and still have all the data.

When I get a ransomware customer, I always try everything possible and most of the time customers are happy. I can't decrypt files but I am giving them some data.


 
 Post subject: Re: .eking PHOBOS
PostPosted: June 4th, 2022, 9:58 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
suricate.ch wrote:
Just a note: I had an IT company come in with eking ransomware from one of their customers, on a server with 3 x 450 GB Seagate SAS drives. I imaged the drives and recreated the RAID in DE. Not all files visible on the FS were encrypted. I also did a RAW recovery and got some data. (They paid the ransom but never received the key.)

In the end, I can't say the customer was happy, as important files were still encrypted, but they were surprised to get something. They asked me and paid to get an image of the RAID. They could then rebuild the server and still have all the data.

When I get a ransomware customer, I always try everything possible and most of the time customers are happy. I can't decrypt files but I am giving them some data.


Many ransomware variants seem to do: open file > read file > encrypt (some or all) data > create new file > write encrypted data > save new file > delete original file. So in essence we're dealing with deleted file type recovery with everything that's normally attached to this type of recovery, so:

- Can be overwritten at any time (clusters).
- FS metadata can be overwritten, file records can be re-used.
- Can be trimmed at any time (if drive supports it).

I have had clients that used my JpegDigger and claimed they were able to recover up to 30% of original JPEG files (RAW scan / their estimate). Others virtually nothing. It depends on specific circumstances if data somehow survives.

Then there's the thing that I have seen with several ransomwares: they only go a few levels deep, directory-wise. So data buried deeper in the folder structure may not be encrypted at all. Always worth at least checking that; you can be a hero without doing anything ;)

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service
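
The check suggested in the last post (were deeper folders left unencrypted?), as an added example that is not part of the thread or any poster's tool: it walks a read-only mount of the recovered image and tallies renamed versus untouched files per directory depth. The `.eking` suffix comes from the thread subject; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

SUFFIX = ".eking"  # extension from this thread's subject; adjust for other variants


def triage(root, suffix=SUFFIX):
    """Tally renamed vs. untouched files per directory depth under root.

    Returns (per_depth, untouched_dirs):
      per_depth      {depth: {"encrypted": n, "intact": n}}, depth 0 = root
      untouched_dirs relative paths of directories that hold files,
                     none of which carry the suffix
    """
    root = os.path.abspath(root)
    per_depth = defaultdict(lambda: {"encrypted": 0, "intact": 0})
    untouched_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        hit = sum(1 for name in filenames if name.lower().endswith(suffix))
        per_depth[depth]["encrypted"] += hit
        per_depth[depth]["intact"] += len(filenames) - hit  # includes ransom notes
        if filenames and hit == 0:
            untouched_dirs.append(rel)
    return dict(per_depth), sorted(untouched_dirs)


def build_sample_tree(base):
    """Constructed sample: top two levels renamed, deeper levels left alone."""
    layout = {
        "": ["db.FDB.eking", "info.txt"],
        "share": ["report.doc.eking"],
        os.path.join("share", "2021", "q4"): ["a.jpg", "b.jpg"],
        os.path.join("share", "2021", "q4", "raw"): ["c.jpg"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        for name in names:
            with open(os.path.join(base, rel, name), "wb") as fh:
                fh.write(b"constructed sample data")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        depths, clean = triage(tmp)
        for d in sorted(depths):
            print(d, depths[d])
        print("untouched:", clean)
```

A file without the suffix is only a candidate: open a sample from each untouched directory to confirm it is readable before reporting it as recovered.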

