 Post subject: Ransomed to decrypt files – recovery - Sysinternals sdelete
PostPosted: December 5th, 2012, 18:37 

Joined: December 4th, 2012, 20:59
Posts: 2
Location: Australia
Hi Guys
I got a call to do a job where a school had been hacked. The files have been encrypted with ransomware.
I read up on the ransomware variant (4): the programme uses Sysinternals sdelete to remove the original files from the HDD.
The school is absolutely devastated. All the enrolment data, office data, finance data is encrypted.
I thought I might as well see what I can recover after a brief talk to the director about backup procedures etc.
I ran an excessive search on the RAID 5 with Getdataback for NTFS; what I retrieved was partially encrypted and unusable. I searched for the files created, accessed or modified during the time of the attack to see if I could find a trace of the ransomware... nothing usable anyway.
One of the parents of a child at the school had spoken to another tech about the issue. I got a call from this “expert” in data recovery. I tried to explain what the hacker did and that I did the job with Getdataback and that the Sysinternals sdelete had written zeros to the sector the files were in. He told me he has worked for the CIA so I needed to run rstudio.
I'm looking for guidance from HDDguru members: do I waste another day trying to recover the files with R-Studio?


 Post subject: Re: Ransomed to decrypt files – recovery - Sysinternals sdel
PostPosted: December 5th, 2012, 21:57 

Joined: August 18th, 2010, 17:35
Posts: 3669
Location: Massachusetts, USA
The files are in the state they are in. No tool will change that in any way, whether it is GDB, R-Studio or Recoverzilla, even if run by the FBI.

The FBI guy thinks he can do something? Send him a couple of the files. Let him decrypt them.

_________________
Hard Disk Drive (HDD), Solid State Drive (SSD, SATA, NVMe, etc), USB Flash Drive and RAID Data Recovery Specialist in Massachusetts


 Post subject: Re: Ransomed to decrypt files – recovery - Sysinternals sdel
PostPosted: December 5th, 2012, 22:21 

Joined: August 12th, 2008, 13:11
Posts: 3235
Location: USA
As far as I know there is not a known solution to this.

_________________
You don't have to backup all of your files, just the ones you want to keep.


 Post subject: Re: Ransomed to decrypt files – recovery - Sysinternals sdel
PostPosted: December 6th, 2012, 4:14 

Joined: December 4th, 2012, 20:59
Posts: 2
Location: Australia
I was called in post event; I put in place a threefold backup on a server: onsite, offsite, removable.
The RDP was on the default port, user/password were the same, and I would have had a password attempt lockout in group policy.
It would have been a simple job for the skiddie @ 95.154.230.253 (hide my ass), then the following IP addresses: 79.181.249.76, 80.179.69.211, 87.68.144.247.
wmic.exe /node:IPaddress ComputerSystem Get UserName
Output
UserName
DOMAIN\User
Brute force attack with something like 'Brutus AET2'.
What a shame a small community school was sabotaged so easily.
I wonder if this expert that worked for the CIA can crack AES 256, I think I’ll send him a file.
Thanks guys, I thought I'd done what could be done. I humbly asked because the more I learn, I realize, the more I don’t know.
Thanks again, I really appreciate forums like this, where we help each other.


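Added example (my own code, not from this thread or from any tool named in it): detection logic for the RDP password-guessing pattern the poster describes, run over constructed Windows Security 4625 (failed logon) and 4624 (successful logon) style records. The simplified one-line record format, the 192.0.2.x/198.51.100.x addresses and the 5-attempts-in-5-minutes threshold are assumptions chosen to mirror the lockout policy the poster wished had been in place.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp event logon_type src_ip user"
# form; one noisy source against RDP (logon type 10) and one stray failure.
SAMPLE_LOG = """\
2012-12-01T02:10:01 4625 10 192.0.2.10 administrator
2012-12-01T02:10:03 4625 10 192.0.2.10 admin
2012-12-01T02:10:05 4625 10 192.0.2.10 office
2012-12-01T02:10:06 4625 10 192.0.2.10 finance
2012-12-01T02:10:08 4625 10 192.0.2.10 backup
2012-12-01T02:10:09 4625 10 192.0.2.10 school
2012-12-01T02:11:30 4625 10 198.51.100.7 teacher
2012-12-01T02:12:00 4624 10 192.0.2.10 administrator
"""

def parse(log_text):
    """Yield (time, event_id, logon_type, src_ip, user) per record."""
    for line in log_text.splitlines():
        ts, event_id, logon_type, src_ip, user = line.split()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src_ip, user

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: time_threshold_hit} for sources with at least `threshold`
    failed RDP logons (4625, logon type 10) inside `window`; the same rule as a
    lockout policy, but keyed on source address rather than on the account."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, event_id, logon_type, src_ip, _user in parse(log_text):
        if event_id != 4625 or logon_type != 10:
            continue
        q = recent[src_ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src_ip not in flagged:
            flagged[src_ip] = ts
    return flagged

def logon_after_flag(log_text, flagged):
    """Source IPs with a successful logon (4624) after being flagged."""
    hits = set()
    for ts, event_id, _lt, src_ip, _user in parse(log_text):
        if event_id == 4624 and src_ip in flagged and ts > flagged[src_ip]:
            hits.add(src_ip)
    return hits

if __name__ == "__main__":
    flagged = find_bruteforce(SAMPLE_LOG)
    print(flagged, logon_after_flag(SAMPLE_LOG, flagged))
```

A success from a source that was just flagged is the record worth chasing first, since it marks the account the guessing actually landed on.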