Ransomed to decrypt files – recovery - Sysinternals sdelete
Posted: December 5th, 2012, 18:37
Hi Guys
I got a call to do a job where a school had been hacked. The files have been encrypted with ransomware.
I read up on the ransomware variant (4); the programme uses Sysinternals sdelete to remove the original files from the HDD.
The school is absolutely devastated. All the enrolment data, office data, finance data is encrypted.
I thought I might as well see what I can recover after a brief talk to the director about backup procedures etc.
I ran an extensive search on the RAID 5 with Getdataback for NTFS; what I retrieved was partially encrypted and unusable. I searched for the files created, accessed or modified during the time of the attack to see if I could find a trace of the ransomware... nothing usable anyway.
One of the parents of a child at the school had spoken to another tech about the issue. I got a call from this “expert” in data recovery. I tried to explain what the hacker did, that I did the job with Getdataback, and that Sysinternals sdelete had written zeros to the sectors the files were in. He told me he had worked for the CIA, so I needed to run R-Studio.
I’m looking for guidance from HDDguru members: do I waste another day trying to recover the files with R-Studio?
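Before spending another day on a second carver, a quick triage of the raw image tells you what any carver can still find. The script below is an added example for this thread, not code from the original post or from any of the tools named in it. It walks a raw image in 4 KiB clusters (NTFS default cluster size, an assumption here) and labels each one as wiped (every byte identical, which is what a zero pass or a 0xFF pass leaves behind), ciphertext (high entropy, the ransomware's output) or plaintext (anything a carver could still make sense of). The sample image is constructed inline, and the ciphertext stand-in is SHA-256 in counter mode, not real ransomware output; the 7.0 bits/byte threshold is an assumption that works for 4 KiB clusters, where genuine ciphertext measures about 7.9.

```python
"""
Cluster-level triage of a raw disk image: wiped vs ciphertext vs plaintext.
Example code added for this thread; not from the original post or any named tool.
"""
import hashlib
import math

CLUSTER = 4096              # NTFS default cluster size (assumption for the example)
CIPHERTEXT_THRESHOLD = 7.0  # bits/byte; real ciphertext over 4 KiB measures ~7.9


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte: 0.0 (one value) up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_cluster(chunk: bytes) -> str:
    """'wiped'      : every byte identical (0x00 after a zero pass, 0xFF after a ones pass)
       'ciphertext' : high entropy, nothing for a carver to match on
       'plaintext'  : everything else, the only class worth carving."""
    if len(set(chunk)) == 1:
        return "wiped"
    if shannon_entropy(chunk) >= CIPHERTEXT_THRESHOLD:
        return "ciphertext"
    return "plaintext"


def triage_image(image: bytes, cluster: int = CLUSTER) -> dict:
    """Return per-class cluster counts plus the ordered list of (offset, class)."""
    counts = {"wiped": 0, "ciphertext": 0, "plaintext": 0}
    runs = []
    for off in range(0, len(image), cluster):
        label = classify_cluster(image[off:off + cluster])
        counts[label] += 1
        runs.append((off, label))
    return {"counts": counts, "runs": runs}


def pseudo_ciphertext(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for encrypted data (SHA-256 in counter mode).
    Constructed for the example; not real ransomware output."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def build_sample_image() -> bytes:
    """Constructed image, 11 clusters in order:
    3 plaintext (office-style text), 4 zero-wiped, 3 ciphertext, 1 wiped with 0xFF."""
    text = (b"Enrolment 2012: pupil, guardian, address, phone\r\n" * 200)[:CLUSTER]
    return (text * 3
            + b"\x00" * CLUSTER * 4
            + pseudo_ciphertext(CLUSTER * 3)
            + b"\xff" * CLUSTER)


if __name__ == "__main__":
    # On a real case: image = open("/path/to/raid.dd", "rb").read()  (hypothetical path)
    result = triage_image(build_sample_image())
    print(result["counts"])
    for off, label in result["runs"]:
        print(f"0x{off:08x}  {label}")
```

Reading the output: clusters in the wiped class were overwritten on the platter, so no software carver (GetDataBack, R-Studio or anything else) can bring them back; the ciphertext class is the encrypted copies you already found; only the plaintext count tells you whether another carving pass has anything left to work with.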