
.eking PHOBOS

May 11th, 2022, 9:25

Hi to all! :mrgreen:
Files are encrypted!!! by the ransomware PHOBOS.

Is there a decrypter? The files are .FDB.

info.txt
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: "BillScars@gmx.com."
If we don't answer in 24h., send e-mail to this address: "billscars@mailfence.com."

:?:

Re: .eking PHOBOS

May 11th, 2022, 10:28

No one in the world can decrypt Phobos / Dharma.

If someone can, then they own the master key (so they're the ransomware developers) or they're simply lying and they're part of the operation (i.e. they're in touch with the criminals, they get a discount and then pocket the difference/fee).

You can check existing solutions here: https://www.nomoreransom.org/en/decryption-tools.html

Re: .eking PHOBOS

May 11th, 2022, 11:58

Ok thanks!

Re: .eking PHOBOS

June 3rd, 2022, 4:52

Just a note, I had an IT company coming with eking ransomware from one of their customers on a server with 3 x 450 GB Seagate SAS drives. I imaged the drives and recreated the RAID in DE. Not all files visible on the FS were encrypted. I also did a RAW recovery and got some data. (They paid the ransom but never received the key.)

At the end, I can't say the customer was happy as important files were still encrypted, but they were surprised to get something. They asked me and paid to get an image of the RAID. They could then rebuild the server and still have all the data.

When I get a ransomware customer, I always try everything possible and most of the time customers are happy. I can't decrypt files but I am giving them some data.

Re: .eking PHOBOS

June 4th, 2022, 9:58

suricate.ch wrote: Just a note, I had an IT company coming with eking ransomware from one of their customers on a server with 3 x 450 GB Seagate SAS drives. I imaged the drives and recreated the RAID in DE. Not all files visible on the FS were encrypted. I also did a RAW recovery and got some data. (They paid the ransom but never received the key.)

At the end, I can't say the customer was happy as important files were still encrypted, but they were surprised to get something. They asked me and paid to get an image of the RAID. They could then rebuild the server and still have all the data.

When I get a ransomware customer, I always try everything possible and most of the time customers are happy. I can't decrypt files but I am giving them some data.


Many ransomware seem to do: open file > read file > encrypt (some or all) data > create new file > write encrypted data > save new file > delete original file. So in essence we're dealing with deleted-file recovery, with everything that's normally attached to this type of recovery, so:

- Can be overwritten at any time (clusters).
- FS meta data can be overwritten, file records be re-used.
- Can be trimmed at any time (if drive supports it).

I have had clients that used my JpegDigger and claimed they were able to recover up to 30% of the original jpeg files (RAW scan / their estimate). Others virtually nothing. It depends on specific circumstances whether data somehow survives.

Then there's the thing, that I have seen with several ransomwares, that they only go a few levels deep, directory-wise. So data buried deeper in the folder structure may not be encrypted at all. Always worth at least checking that; you can be a hero without doing anything ;)
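An added example, not code from this thread or from any of the posters: a small triage script for the "only a few levels deep" observation above. Run against a read-only mount of the imaged volume, it counts per directory depth how many files carry the .eking suffix versus how many do not, and lists a few of the surviving files. The sample tree it builds in a temp directory, the file names in it and the helper names are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

ENCRYPTED_SUFFIX = ".eking"  # extension appended by the variant discussed in this thread


def survey_tree(root):
    """Walk `root` and count, per directory depth, files that carry the
    ransomware suffix versus files that do not. Depth 0 is `root` itself.
    Returns {depth: {"encrypted": n, "intact": n, "intact_examples": [...]}}."""
    root = Path(root)
    stats = defaultdict(lambda: {"encrypted": 0, "intact": 0, "intact_examples": []})
    for dirpath, _dirs, files in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        for name in files:
            bucket = stats[depth]
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                bucket["encrypted"] += 1
            else:
                bucket["intact"] += 1
                if len(bucket["intact_examples"]) < 3:  # keep the report short
                    bucket["intact_examples"].append(str(Path(dirpath, name).relative_to(root)))
    return dict(stats)


def deepest_encrypted_depth(stats):
    """Deepest level at which an encrypted file was seen, or -1 if none."""
    levels = [d for d, b in stats.items() if b["encrypted"]]
    return max(levels) if levels else -1


def build_sample_tree():
    """Constructed sample (hypothetical layout): only the top two levels were hit."""
    root = Path(tempfile.mkdtemp(prefix="phobos_survey_"))
    layout = [
        "budget.xlsx.eking", "info.txt",              # depth 0: note left readable
        "data/db1.FDB.eking", "data/db2.FDB.eking",   # depth 1: encrypted
        "data/archive/2019/q1.FDB", "data/archive/2019/q2.FDB",   # depth 3: untouched
        "data/archive/2020/photos/img001.jpg",        # depth 4: untouched
    ]
    for rel in layout:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


if __name__ == "__main__":
    stats = survey_tree(build_sample_tree())
    for depth in sorted(stats):
        b = stats[depth]
        print(f"depth {depth}: {b['encrypted']} encrypted, {b['intact']} intact {b['intact_examples']}")
    print("deepest encrypted level:", deepest_encrypted_depth(stats))
```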