HDD GURU FORUMS
http://forum.hddguru.com/

Ransomware encrypted .vhdx files. What software can mount?
http://forum.hddguru.com/viewtopic.php?f=7&t=42707
Page 1 of 2

Author:  StylishJedi [ September 12th, 2022, 0:13 ]
Post subject:  Ransomware encrypted .vhdx files. What software can mount?

Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!

Attachments:
encrypted vhdx files.png [ 803.33 KiB ]

Author:  lifeguarddubai [ September 12th, 2022, 3:33 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.

Author:  northwind [ September 12th, 2022, 4:41 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers


Where is this conclusion coming from?

StylishJedi wrote:
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?


No.
You got infected with Phobos Ransomware which, after studying and researching it for several years, I found to have no weaknesses.

HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.

Author:  StylishJedi [ September 12th, 2022, 10:13 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

I am mostly looking for the QuickBooks file(s) on one server.

So I would be wasting my time with Kernel for VHD? :(

Author:  StylishJedi [ September 12th, 2022, 10:14 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.


How can you tell just from that screenshot?

Author:  Arch Stanton [ September 12th, 2022, 11:03 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Phobos, no known method to decrypt. Depending on file type partial repair may be possible as I found when examining this JPEG file: https://www.instagram.com/p/CdyLVH6ojkt/

Author:  StylishJedi [ September 12th, 2022, 11:38 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...

Attachments:
Screen Shot 2022-09-12 at 7.17.30 AM.png [ 2.23 MiB ]

Author:  StylishJedi [ September 12th, 2022, 11:51 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

What's "not cheap" in this case? Please message me or by all means post your price. Thank you!


northwind wrote:
lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers


Where is this conclusion coming from?

StylishJedi wrote:
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?


No.
You got infected with Phobos Ransomware which, after studying and researching it for several years, I found to have no weaknesses.

HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.

Author:  Arch Stanton [ September 12th, 2022, 13:42 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

StylishJedi wrote:
Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...


Maybe get a 2nd opinion using UFS.

Author:  northwind [ September 12th, 2022, 14:39 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

I'll pass.

QuickBooks files are not my piece of cake and I don't know how to reconstruct them from partial results.
Sorry!

I'd take Arch Stanton's last advice: Use UFS, scan and mount the vhdx files you have and then select "scan for lost data" on them.
Obviously, expect partial recovery results at the very best scenario.

Author:  StylishJedi [ September 13th, 2022, 2:16 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Thanks for the advice. I may scan one of the other servers, as lots of more recent documents are missing and it could be good to recover them, hopefully more easily than QuickBooks.

Author:  einstein9 [ September 13th, 2022, 2:28 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

StylishJedi wrote:
Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!


Upload here sample JPG/DOC/XLS/PDF files so I can tell you... one sample is enough + the msg which has the key.

Author:  pclab [ September 13th, 2022, 3:18 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...

Author:  einstein9 [ September 13th, 2022, 6:40 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

pclab wrote:
Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...


I know some *clients* who paid via BTC and did not get anything.

so

Will you pay the unknown $1000 or pay the known $500? (just saying)

Author:  StylishJedi [ September 13th, 2022, 10:46 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

pclab wrote:
Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...


Yes, they wanted $22,000 for a small company with 7 workstations and a few VM servers.

Fortunately they didn't get to one of the backups but it had been tampered with and turned off months before, so data is a bit old.

Author:  StylishJedi [ September 13th, 2022, 10:58 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

einstein9 wrote:
StylishJedi wrote:
Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!


Upload here sample JPG/DOC/XLS/PDF files so I can tell you... one sample is enough + the msg which has the key.


The problem is that the DOC/XLS/PDF files that are relevant and needed are all on the VMs that are encrypted. Can't get to them :(

Author:  Arch Stanton [ September 13th, 2022, 11:38 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

But did you scan the VHDs with anything else than Kernel in the meantime?

Author:  einstein9 [ September 14th, 2022, 2:29 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

@ StylishJedi

Without sample docs, as mentioned, it will be difficult to judge really... you don't even have any sample default doc/pdf/jpg from the OS?
But it has to be encrypted.

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.

@pclab
Just to add here, I know a big company who already PAID about $15,000 and the hacker gave them the utility & key to decrypt their DB, but guess what!!
It decrypted the old useless DB files, and when they asked for the rest they asked for more $$$..
The money is gone and no data... back to square one :idea:

Author:  pclab [ September 14th, 2022, 3:27 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Yeah, we need to have some luck as well.
Fortunately the 3 or 4 cases I already paid came out all OK.

Author:  Arch Stanton [ September 14th, 2022, 5:29 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

einstein9 wrote:
@ StylishJedi

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.



Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining, and try to determine if larger files have a chance of surviving. So, the interval and number of bytes that are encrypted. And see if UFS for example can handle the missing portions and treat it as if it were file system damage/corruption.
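Added example, not code from the thread or from any tool named in it: a small Python entropy scanner that does the measurement Arch Stanton describes above, mapping which byte ranges of a file look like ciphertext and reporting band size, the interval between bands and the encrypted percentage. It runs on a constructed sample (pseudo-random 'bands' every 4096 bytes inside repetitive text); the block size, the entropy threshold and the band layout are assumptions for the demonstration, not Phobos's actual parameters.

```python
import math
import random

# Added example (not from the forum thread): map which byte ranges of a file
# look encrypted by measuring per-block Shannon entropy. Partial encryption
# leaves plaintext 'bands' between ciphertext bands; this script reports the
# band offsets, their size, the interval between them and the overall
# encrypted percentage. Block size and threshold are assumed values.

BLOCK_SIZE = 512      # resolution of the map; bands are located in multiples of this
HIGH_ENTROPY = 7.0    # bits/byte; random ciphertext scores roughly 7.6+ on 512-byte blocks


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_runs(data: bytes, block_size: int = BLOCK_SIZE,
                 threshold: float = HIGH_ENTROPY):
    """Walk the file in fixed blocks and merge neighbouring blocks with the
    same classification. Returns [(offset, length, is_high_entropy), ...]."""
    runs = []
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        high = shannon_entropy(chunk) >= threshold
        if runs and runs[-1][2] == high:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + len(chunk), high)
        else:
            runs.append((offset, len(chunk), high))
    return runs


def encrypted_bands(data: bytes, **kw):
    """Only the high-entropy runs, as (offset, length) pairs."""
    return [(off, ln) for off, ln, high in entropy_runs(data, **kw) if high]


def band_stats(data: bytes, **kw) -> dict:
    """Summarise the bands: count, bytes encrypted, percentage of the file and
    the interval between band starts (None if bands are not evenly spaced)."""
    bands = encrypted_bands(data, **kw)
    encrypted = sum(ln for _, ln in bands)
    gaps = {bands[i + 1][0] - bands[i][0] for i in range(len(bands) - 1)}
    return {
        "bands": len(bands),
        "encrypted_bytes": encrypted,
        "percent_encrypted": round(100.0 * encrypted / len(data), 2) if data else 0.0,
        "interval": gaps.pop() if len(gaps) == 1 else None,
    }


def make_sample(band_len: int = 1024, period: int = 4096, periods: int = 3,
                seed: int = 1) -> bytes:
    """Constructed sample file: in every `period` bytes the first `band_len`
    bytes are pseudo-random (standing in for ciphertext) and the rest is
    low-entropy text. Deterministic via the seed."""
    rng = random.Random(seed)
    text = b"The quick brown fox jumps over the lazy dog. "
    plain = (text * (period // len(text) + 1))[:period - band_len]
    parts = []
    for _ in range(periods):
        band = bytes(rng.getrandbits(8) for _ in range(band_len))
        parts.append(band + plain)
    return b"".join(parts)


if __name__ == "__main__":
    sample = make_sample()
    for off, ln, high in entropy_runs(sample):
        print(f"{off:8d} {ln:6d}  {'ENCRYPTED' if high else 'plain'}")
    print(band_stats(sample))
```

To use it on a real file, pass `open(path, "rb").read()` instead of `make_sample()` and, where one exists, compare the reported bands with an unencrypted copy of a similar file. High entropy alone does not prove encryption: compressed content such as JPEG bodies, ZIP archives or already-encrypted blobs scores just as high, which is why the chance of recovering larger files depends on what the plaintext between the bands actually is. The map's resolution is `BLOCK_SIZE`; a smaller block locates band edges more precisely but makes each entropy estimate noisier.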
