I tried to recover the txt-file in DMDE but was told there was a I/O error so I cannot peek its contents.

I just performed a test by compressing the image (64GB):



And that tells me that the image is basically filled with zeroes, so the drive has most likely been wiped.

Or translation table corrupt. But then this file indeed would be a weird anomaly.

...how do you deal with Ransomware device ? That USB drive could infect your system, isn't it ?

Drives are encrypted, they're not contagious if you just read them. Ransomware itself in essence is just an executable like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is is run. So the ransomware software needs to be executed to be dangerous. If an USB flash drive is prepped to spread ransomware, so setup to autorun the ransomware executable, then that would be a different story.

That being said, it is never a bad idea to run Linux with drives attached to image them better be safe than sorry.

Any idea already what ransomware you're dealing with?

Paying often enough is not a guarantee you'll be sent a decryptor. I have seen plenty of cases where people pay and get nothing, or a reply stating they want more.

To exactly know the ransomware upload an encrypted file here: https://id-ransomware.malwarehunterteam.com/ but it looks like Crysis Ransomware (= Dharma Ransomware). ID-Ransomware site will also tell you if there's a decryptor available.

If not:

- I regularly saw ransomware fail encrypt deeper nested folders, so you can always check those. Sometimes simply renaming them (get rid of ransomware extension) is enough to do the trick. A RAW scan will of course detect such files too which may be responsible for part of successful recoveries attributed to PhotoRec I sometimes see in forums.

- In general many ransomwares write encrypted data to newly created file and deletes original. If you're lucky original data may survive although there's of course the huge risk those newly created encrypted files overwrite 'vacant' clusters of the deleted original files.

When you look with disk editor, largely zeros?

Heuh? After scanning your image file? If you open folder in hex editor and jump to first cluster file?

This is the weird thing. I can hex-dump the file in DMDE, and I had no read errors whatsoever when I created the image. Yet DMDE tells me partition table is corrupt (but still lists a valid partition) and that there's an I/O when extracting the file itself.

Corrupt translation tables is a great guess of yours, and the best one I have for now. I will ask dust off the VNR and see if it can do some magic here.

Drives are encrypted, they're not contagious if you just read them. Ransomware itself in essence is just an executable like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is is run. So the ransomware software needs to be executed to be dangerous. If an USB flash drive is prepped to spread ransomware, so setup to autorun the ransomware executable, then that would be a different story.

That being said, it is never a bad idea to run Linux with drives attached to image them better be safe than sorry.

Any idea already what ransomware you're dealing with?