 Post subject: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 7:35 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Today a customer brought me a USB-stick for investigation. She said that when it was inserted, Windows could find it but asked the user if the stick should be formatted. She clicked "no" and pulled it out, never touching it again. Then she called me and brought it here.

First thing I did was to mirror the stick, no read errors or anything like that. Got a 64GB image dump which I'm currently investigating in DMDE using Raw, NTFS and exFAT filters. I expected to see something during the scan, but I get literally nothing except for a System Volume Information folder and a single file called xyzhdndoakdahgjd1.txt, which is 20MB large. Even if she accidentally clicked "yes" to the format question, I would have seen a lot of old files, but no.

Sysinfo tells me the stick was formatted 2017-01-15, which is before she bought it, and the mystery file is timestamped the day after. This does not add up; something is fishy here but I cannot figure out what. I tried to recover the txt-file in DMDE but was told there was an I/O error, so I cannot peek at its contents.

What happened to the stick? Has it been the victim of a ransomware attack or something? I've never seen it before.

(While writing this post DMDE finished the scan 100% with 0% information found)


Attachment: Screenshot_9.png
 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 7:50 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
I just performed a test by compressing the image (64GB):

Code:
bos@basterd:/backup/$ time gzip -1c Martina1.img > img.gz

real    6m45.718s
user    5m19.580s
sys     0m32.104s
bos@basterd:/backup/a$ du -sh img.gz
262M    img.gz


And that tells me that the image is basically filled with zeroes, so the drive has most likely been wiped. The test does not, however, answer what the mystery txt-file is about: why it's there and what it contains.
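A more direct version of the compression test above, as an added example that is not part of the thread and not anyone's posted code: it walks an image block by block, reports the share of blocks that are entirely 0x00 or 0xFF, and lists the offsets of every run of blocks with real entropy, which is exactly the kind of region (a small key-like blob near the start, an ECC-looking area somewhere in the middle) worth opening in a hex editor. The 4 KiB window, the 2.0 bits/byte threshold and the 2 MiB sample image are constructed assumptions; for a real 64 GB image, feed `scan_image` the file in chunks rather than reading it into memory at once.

```python
import math
import random
from collections import Counter

# Constructed example, not from the thread: block-wise scan of a drive image to
# measure how much of it is blank and to list the few regions worth a closer look.
BLOCK_SIZE = 4096          # assumption: 4 KiB windows, roughly one NAND page
ENTROPY_THRESHOLD = 2.0    # bits/byte; repeating fill patterns stay well below this


def block_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant block, ~8.0 for random data)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, block_size: int = BLOCK_SIZE,
               threshold: float = ENTROPY_THRESHOLD):
    """Return (blank_fraction, interesting_ranges) for an image.

    blank_fraction      share of blocks that are all 0x00 or all 0xFF (erased NAND)
    interesting_ranges  list of (start, end, max_entropy) for runs of blocks whose
                        entropy exceeds `threshold`, i.e. offsets to open in a hex editor
    """
    total = blank = 0
    ranges, run = [], None
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        total += 1
        if blk.count(0x00) == len(blk) or blk.count(0xFF) == len(blk):
            blank += 1
            ent = 0.0
        else:
            ent = block_entropy(blk)
        if ent > threshold:
            if run is None:
                run = [off, off + len(blk), ent]      # start a new high-entropy run
            else:
                run[1] = off + len(blk)               # extend the current run
                run[2] = max(run[2], ent)
        elif run is not None:
            ranges.append(tuple(run))
            run = None
    if run is not None:
        ranges.append(tuple(run))
    return (blank / total if total else 1.0), ranges


def _noise(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes for the constructed sample image."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_sample_image() -> bytes:
    """Constructed 2 MiB image: zeros, one erased (0xFF) block, one repeating fill
    pattern, and two high-entropy blobs standing in for an XOR key / ECC area."""
    img = bytearray(2 * 1024 * 1024)
    img[2 * BLOCK_SIZE:3 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE
    img[65536:65536 + BLOCK_SIZE] = _noise(1, BLOCK_SIZE)
    img[1048576:1048576 + BLOCK_SIZE] = _noise(2, BLOCK_SIZE)
    img[1572864:1572864 + BLOCK_SIZE] = b"\xaa\x55" * (BLOCK_SIZE // 2)
    return bytes(img)


if __name__ == "__main__":
    blank, ranges = scan_image(make_sample_image())
    print(f"blank blocks: {blank:.2%}")
    for start, end, ent in ranges:
        print(f"  0x{start:08x}-0x{end:08x}  max entropy {ent:.2f} bits/byte")
```

The 0xFF case matters for chip-off dumps, where erased pages read back as all ones rather than zeros; the repeating 0xAA55 fill is deliberately kept below the threshold so that a wiping pattern does not get reported as data.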


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 7:59 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
When you look with a disk editor, is it largely zeros? If she's really telling the whole story, my guess is a corrupt translation table.

Ransomware leaves data behind for you to unlock after paying ransom. Ransomware that wipes everything does not make sense.

Quote:
I tried to recover the txt-file in DMDE but was told there was an I/O error, so I cannot peek at its contents.


Heuh? After scanning your image file? What if you open the folder in a hex editor and jump to the file's first cluster?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 8:05 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
bos wrote:
I just performed a test by compressing the image (64GB):

Code:
bos@basterd:/backup/$ time gzip -1c Martina1.img > img.gz

real    6m45.718s
user    5m19.580s
sys     0m32.104s
bos@basterd:/backup/a$ du -sh img.gz
262M    img.gz


And that tells me that the image is basically filled with zeroes, so the drive has most likely been wiped.


Or translation table corrupt. But then this file indeed would be a weird anomaly.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 8:57 

Joined: April 20th, 2017, 7:28
Posts: 121
A question a little bit off topic... how do you deal with a ransomware device? That USB drive could infect your system, couldn't it?
I got two disks from a customer; they are encrypted by ransomware. So far, I did nothing, I don't want to infect my system. I am building an Ubuntu PC for that purpose, is it the right way?


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 9:13 

Joined: November 7th, 2020, 5:31
Posts: 1084
Location: The_UK
Arch Stanton wrote:
Or translation table corrupt. But then this file indeed would be a weird anomaly.
I've seen a few like that which had been intentionally wiped, not sure using what software though. Wonder what the contents of the file look like in hex. I'd also be tempted to do a quick chip-off to see some raw data; that would rule out the controller too.

samstown wrote:
...how do you deal with Ransomware device ? That USB drive could infect your system, isn't it ?
If you're not mounting the device it should maintain separation, but it's always a concern with Windows and a device; less so with an image file. Linux is the easiest and cheapest way to sandbox it.

_________________
Data Recovery Services in the UK.
https://www.usbrecovery.co.uk/


Last edited by Lardman on March 18th, 2021, 9:17, edited 1 time in total.

 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 9:13 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Drives are encrypted; they're not contagious if you just read them. Ransomware itself in essence is just an executable, like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is run. So the ransomware software needs to be executed to be dangerous. If a USB flash drive is prepped to spread ransomware, i.e. set up to autorun the ransomware executable, then that would be a different story.

That being said, it is never a bad idea to run Linux with drives attached to image them; better safe than sorry.

Any idea already what ransomware you're dealing with?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 9:46 

Joined: April 20th, 2017, 7:28
Posts: 121
Arch Stanton wrote:
Drives are encrypted; they're not contagious if you just read them. Ransomware itself in essence is just an executable, like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is run. So the ransomware software needs to be executed to be dangerous. If a USB flash drive is prepped to spread ransomware, i.e. set up to autorun the ransomware executable, then that would be a different story.

That being said, it is never a bad idea to run Linux with drives attached to image them; better safe than sorry.

Any idea already what ransomware you're dealing with?


Thank you. I don't want to hijack this post. I'll create a new one with my ransomware question. Here is what the customer got. He didn't pay. We had a backup from last week. He's just looking for two files if possible.


Attachment: ransomware.JPG
 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 10:03 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Paying is often enough not a guarantee you'll be sent a decryptor. I have seen plenty of cases where people pay and get nothing, or get a reply stating they want more.

To know exactly which ransomware it is, upload an encrypted file here: https://id-ransomware.malwarehunterteam.com/ , but it looks like Crysis ransomware (= Dharma ransomware). The ID-Ransomware site will also tell you if there's a decryptor available.

If not:

- I regularly saw ransomware fail to encrypt deeper-nested folders, so you can always check those. Sometimes simply renaming them (getting rid of the ransomware extension) is enough to do the trick. A RAW scan will of course detect such files too, which may be responsible for part of the successful recoveries attributed to PhotoRec that I sometimes see in forums.

- In general many ransomware families write the encrypted data to a newly created file and delete the original. If you're lucky the original data may survive, although there's of course the huge risk that those newly created encrypted files overwrite the 'vacant' clusters of the deleted original files.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service
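One way to act on the two points above, as an added example that is not from the thread and not anyone's posted code: a triage script that takes each file carrying an extra suffix, looks for the original extension in the name, and compares the first bytes against that format's signature. Files whose signature is intact are the "rename it and you're done" cases; files whose signature is gone are really encrypted and are candidates for carving the deleted original instead (the carving itself is what a RAW scan or PhotoRec does and is not shown here). The signature table, the `.locked` suffix and the sample tree are constructed assumptions, not the naming of any particular ransomware family.

```python
import os
import tempfile

# Constructed example, not from the thread: first-byte triage of files that carry a
# ransomware suffix, to separate "only renamed" from "really encrypted".
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",), "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",),
}
HEAD_BYTES = 16


def triage(filename: str, head: bytes):
    """Classify one file from its name and its first bytes.

    Returns (original_name, verdict) where verdict is one of:
      untouched             no extra suffix after a known extension
      rename-candidate      suffix added but the original signature is intact
      encrypted-or-damaged  suffix added and the signature is gone
      unknown               no known extension in the name (e.g. .txt has no magic)
    """
    parts = filename.split(".")
    for idx in range(1, len(parts)):
        ext = parts[idx].lower()
        if ext not in MAGIC:
            continue
        original = ".".join(parts[:idx + 1])
        if idx == len(parts) - 1:
            return original, "untouched"
        if any(head.startswith(m) for m in MAGIC[ext]):
            return original, "rename-candidate"
        return original, "encrypted-or-damaged"
    return filename, "unknown"


def triage_tree(root: str):
    """Walk a directory tree, triage every regular file, return sorted results."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            original, verdict = triage(name, head)
            results.append((os.path.relpath(path, root), original, verdict))
    return sorted(results)


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    samples = {
        "holiday.jpg.locked": b"\xff\xd8\xff\xe0" + b"\x00" * 60,          # renamed only
        "deep/nested/report.pdf.locked": b"\x8a\x13\xf7\x02\x91\xc4" * 8,  # really encrypted
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,                   # never touched
        "notes.txt.locked": b"hello\n",                                    # no signature to check
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return triage_tree(root)


if __name__ == "__main__":
    for rel, original, verdict in demo():
        print(f"{verdict:22} {rel}  ->  {original}")
```

Run it against a read-only mount or a copy of the image, never the customer's only disk, and treat "rename-candidate" as a hint to verify by opening the file, not as proof: a format with no fixed signature (plain text, CSV) lands in "unknown" and needs a manual look.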


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 18th, 2021, 10:28 

Joined: April 20th, 2017, 7:28
Posts: 121
Arch Stanton wrote:
Paying is often enough not a guarantee you'll be sent a decryptor. I have seen plenty of cases where people pay and get nothing, or get a reply stating they want more.

To know exactly which ransomware it is, upload an encrypted file here: https://id-ransomware.malwarehunterteam.com/ , but it looks like Crysis ransomware (= Dharma ransomware). The ID-Ransomware site will also tell you if there's a decryptor available.

If not:

- I regularly saw ransomware fail to encrypt deeper-nested folders, so you can always check those. Sometimes simply renaming them (getting rid of the ransomware extension) is enough to do the trick. A RAW scan will of course detect such files too, which may be responsible for part of the successful recoveries attributed to PhotoRec that I sometimes see in forums.

- In general many ransomware families write the encrypted data to a newly created file and delete the original. If you're lucky the original data may survive, although there's of course the huge risk that those newly created encrypted files overwrite the 'vacant' clusters of the deleted original files.

Thank you for all the information, very useful.


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 21st, 2021, 4:21 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Arch Stanton wrote:
When you look with disk editor, largely zeros?


Correct, I see only zeros when hex-dumping the file in DMDE.

Arch Stanton wrote:
Heuh? After scanning your image file? If you open folder in hex editor and jump to first cluster file?


This is the weird thing. I can hex-dump the file in DMDE, and I had no read errors whatsoever when I created the image. Yet DMDE tells me the partition table is corrupt (but still lists a valid partition) and that there's an I/O error when extracting the file itself.

Corrupt translation tables are a great guess of yours, and the best one I have for now. I will dust off the VNR and see if it can do some magic here.


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 21st, 2021, 7:50 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Quote:
This is the weird thing. I can hex-dump the file in DMDE, and I had no read errors whatsoever when I created the image. Yet DMDE tells me the partition table is corrupt (but still lists a valid partition) and that there's an I/O error when extracting the file itself.


Yes, so I meant: do not use DMDE's browse feature to get to the file. Instead you can view the directory in the editor, which for example allows you to evaluate the start cluster for the mystery file. If you have an invalid value there and the cluster happens to be outside of the volume, it may explain the I/O error, as it would be trying to read a non-existent LBA.

A corrupt partition table with DMDE still detecting a valid partition is not uncommon; even without a full scan it often detects 'lost' partitions.

Quote:
Corrupt translation tables are a great guess of yours, and the best one I have for now. I will dust off the VNR and see if it can do some magic here.


Even just the amount of data in the dump may give a hint.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service
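To show the check Joep describes (reading the start cluster out of the directory entry and asking whether it even lies inside the volume), here is an added example that is not from the thread and not DMDE's code. It assumes the stick is exFAT, the usual format for a 64 GB stick and one of the filters the OP ran: it decodes the 32-byte Stream Extension entry that holds a file's first cluster and length, converts the cluster to an LBA, and flags values outside the cluster heap. The volume geometry and the two entries are constructed; on a real image you would read ClusterHeapOffset, ClusterCount and the sector/cluster shifts from the boot sector and take the entry bytes from the directory cluster.

```python
import struct

SECTOR_BYTES = 512

# Constructed volume geometry (assumption, not read from the OP's stick): a 64 GB
# exFAT volume with 128 KiB clusters and a cluster heap starting at sector 262144.
GEOMETRY = {"cluster_heap_offset": 262_144,   # sectors, from the boot sector
            "cluster_count": 488_000,          # from the boot sector
            "sectors_per_cluster": 256}        # 2 ** SectorsPerClusterShift


def cluster_to_lba(cluster, cluster_heap_offset, cluster_count, sectors_per_cluster):
    """First LBA of an exFAT cluster, or None if the cluster is not inside the heap.

    exFAT numbers clusters from 2, so valid values are 2 .. cluster_count + 1. A
    directory entry pointing outside that range makes a tool seek to an LBA the
    device does not have, which surfaces as an I/O error even on a clean image.
    """
    if cluster < 2 or cluster >= cluster_count + 2:
        return None
    return cluster_heap_offset + (cluster - 2) * sectors_per_cluster


def parse_stream_extension(entry: bytes) -> dict:
    """Decode the 32-byte exFAT Stream Extension directory entry (EntryType 0xC0)."""
    if len(entry) != 32 or entry[0] != 0xC0:
        raise ValueError("not a stream extension entry")
    (_etype, flags, _r1, name_len, name_hash, _r2,
     valid_len, _r3, first_cluster, data_len) = struct.unpack("<BBBBHHQIIQ", entry)
    return {"flags": flags, "name_length": name_len, "name_hash": name_hash,
            "valid_data_length": valid_len, "first_cluster": first_cluster,
            "data_length": data_len}


def check_entry(entry: bytes, cluster_heap_offset, cluster_count, sectors_per_cluster) -> dict:
    """Parse the entry and sanity-check its cluster and size against the geometry."""
    info = parse_stream_extension(entry)
    info["first_lba"] = cluster_to_lba(info["first_cluster"], cluster_heap_offset,
                                       cluster_count, sectors_per_cluster)
    info["in_volume"] = info["first_lba"] is not None
    heap_bytes = cluster_count * sectors_per_cluster * SECTOR_BYTES
    info["size_plausible"] = info["data_length"] <= heap_bytes
    return info


def build_entry(first_cluster: int, data_len: int, name_len: int = 21) -> bytes:
    """Constructed stream extension entry for testing (not bytes from the OP's stick)."""
    return struct.pack("<BBBBHHQIIQ", 0xC0, 0x03, 0, name_len, 0x1234, 0,
                       data_len, 0, first_cluster, data_len)


if __name__ == "__main__":
    for label, entry in [("plausible", build_entry(1234, 20 * 1024 * 1024)),
                         ("bogus", build_entry(0xFFFFFFF0, 20 * 1024 * 1024))]:
        info = check_entry(entry, **GEOMETRY)
        print(f"{label:9} cluster {info['first_cluster']:#x} -> LBA {info['first_lba']}"
              f"  in_volume={info['in_volume']}  size_plausible={info['size_plausible']}")
```

The same idea applies to NTFS (data run start VCN/LCN against the cluster count from the boot sector) or FAT32 (first cluster against the FAT size); only the entry layout differs. A start cluster that maps to an LBA past the end of the device is a much better explanation of "I/O error on a clean image" than a bad sector.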


 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 23rd, 2021, 5:56 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Now I made a dump of the chip. Single 64GB chip (ID 98DE949376, Toshiba P0170007-5) with an unknown controller (potted IC). The only entropy I can find is near the beginning; it looks like an XOR key, but the rest of the chip is basically gray and white areas. Seems to me it's completely wiped.

I can't figure out what on earth happened. Wipe-out due to ESD or something?


Attachments: Screenshot_10.png, Screenshot_11.png
 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 23rd, 2021, 6:02 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
I found this near the middle. Looks like ECC, and that's the only non-repetitive pattern I can find in the whole chip. Maybe this is the mystery file.

Other than that, I find no resemblance of LBN at all on the chip.


Attachment: Screenshot_12.png
 Post subject: Re: Ransomware on USB-stick?
PostPosted: March 23rd, 2021, 7:16 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
https://youtu.be/hAAlDoAtV7Y

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: April 11th, 2021, 5:08 

Joined: March 2nd, 2020, 6:04
Posts: 24
Location: Sweden
Arch Stanton wrote:
Drives are encrypted; they're not contagious if you just read them. Ransomware itself in essence is just an executable, like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is run. So the ransomware software needs to be executed to be dangerous. If a USB flash drive is prepped to spread ransomware, i.e. set up to autorun the ransomware executable, then that would be a different story.

That being said, it is never a bad idea to run Linux with drives attached to image them; better safe than sorry.

Any idea already what ransomware you're dealing with?


You're right about this, but I just want to mention that some USB drives can infect systems without containing a visible executable (file attributes aside). Have a look at this. While it's unlikely to be relevant to this case, it's something to keep in mind while plugging foreign USB drives into your computer.


 Post subject: Re: Ransomware on USB-stick?
PostPosted: April 11th, 2021, 8:15 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Well, since this appears to be a mystery USB, and background story is also kind of vague, perhaps! Why not? Maybe someone was trying to hack/attack the client that brought in the stick.

https://www.bleepingcomputer.com/news/s ... b-attacks/

However, I responded to samstown's message. And a USB drive or whatever drive containing ransomware-encrypted data is in itself harmless. The encrypted data itself is harmless.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: May 6th, 2021, 17:32 

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
I am back... with another ransomware, on a QNAP RAID1 with two disks (maybe it would be nice to have a ransomware topic on this forum?). I haven't received the drive from the previous customer; he said it's not urgent as he only wants two files.

This one is different, it's a private QNAP with all family pics. They are asking for 0.01 BTC (600 USD). Ransomware is QLocker.

I tried https://id-ransomware.malwarehunterteam.com/ : no solutions.

When I try https://www.nomoreransom.org/crypto-sheriff.php?lang=en , I upload the file... and... I'm back at the main page, where it asks me to choose a language. Looks like there is a bug. I tried with Chrome and FF.
Renaming the .7z file name back to the original extension doesn't work (that would have been too easy, of course).

Any hints ?


 Post subject: Re: Ransomware on USB-stick?
PostPosted: May 6th, 2021, 19:32 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
For laughs try unzipping them. I know of one case where it actually worked.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware on USB-stick?
PostPosted: May 7th, 2021, 1:55 

Joined: December 14th, 2020, 11:51
Posts: 50
Location: France
Thank you Arch, I did try unzipping, no luck.

The great URL you shared is helpful.

https://www.bleepingcomputer.com/forums ... -nas-hack/

I think I'll try to recreate the RAID on UFS or PC3K and try a RAW scan.

