 Post subject: Ransomware encrypted .vhdx files. What software can mount?
PostPosted: September 12th, 2022, 0:13 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!


Attachments:
encrypted vhdx files.png [ 803.33 KiB | Viewed 12848 times ]
 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 3:33 
Joined: July 19th, 2017, 2:05
Posts: 109
Location: Dubai
Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.

_________________
Specialized in Physical Data Recovery

https://lifeguarddatarecovery.com


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 4:41 
Joined: January 28th, 2009, 10:54
Posts: 3452
Location: Greece
lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers


Where is this conclusion coming from?

StylishJedi wrote:
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?


No.
You got infected with Phobos ransomware, which, after studying and researching it for several years, I found has no weaknesses.

HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 10:13 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
I am mostly looking for the QuickBooks file(s) on one server.

So I would be wasting my time with Kernel for VHD? :(


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 10:14 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.


How can you tell just from that screenshot?


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 11:03 
Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Phobos, no known method to decrypt. Depending on file type partial repair may be possible as I found when examining this JPEG file: https://www.instagram.com/p/CdyLVH6ojkt/

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 11:38 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...


Attachments:
Screen Shot 2022-09-12 at 7.17.30 AM.png [ 2.23 MiB | Viewed 12770 times ]
 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 11:51 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
What's "not cheap" in this case? Please message me or by all means post your price. Thank you!


northwind wrote:
lifeguarddubai wrote:
Your data got affected by 3 different ransomware hackers


Where is this conclusion coming from?

StylishJedi wrote:
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?


No.
You got infected with Phobos ransomware, which, after studying and researching it for several years, I found has no weaknesses.

HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 13:42 
Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
StylishJedi wrote:
Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...


Maybe get 2nd opinion using UFS.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 12th, 2022, 14:39 
Joined: January 28th, 2009, 10:54
Posts: 3452
Location: Greece
I'll pass.

QuickBooks files are not my piece of cake and I don't know how to reconstruct them from partial results.
Sorry!

I'd take Arch Stanton's last advice: Use UFS, scan and mount the vhdx files you have and then select "scan for lost data" on them.
Obviously, expect partial recovery results at the very best scenario.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 2:16 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
Thanks for the advice. I may scan one of the other servers as lots of more recent documents are missing and could be good to recover, hopefully, easier than Quickbooks.


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 2:28 
Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
StylishJedi wrote:
Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!


Upload here a sample JPG/DOC/XLS/PDF file so I can tell you; one sample is enough, plus the message which has the key.

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 3:18 
Joined: July 12th, 2010, 4:38
Posts: 1418
Location: Portugal
Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 6:40 
Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
pclab wrote:
Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...


I know some *clients* paid via BTC and did not get anything,

so

will you pay the unknown $1000 or pay the known $500? (just saying)

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 10:46 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
pclab wrote:
Just for the sake of knowing: have you contacted the hackers and know the price they want?

It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...


Yes, they wanted $22000 for a small company with 7 workstations and a few VM servers.

Fortunately they didn't get to one of the backups, but it had been tampered with and turned off months before, so the data is a bit old.


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 10:58 
Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
einstein9 wrote:
StylishJedi wrote:
Hi Gurus!

I have an urgent matter :( I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere :(

https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png

A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?

He told me you guys are the best and will likely have recommendations.

Please help! I'll be up all night waiting for a reply.

:(

Thank you!


Upload here a sample JPG/DOC/XLS/PDF file so I can tell you; one sample is enough, plus the message which has the key.


The problem is that the DOC/XLS/PDF files that are relevant and needed are all on the VMs that are encrypted. Can't get to them :(


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 13th, 2022, 11:38 
Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
But did you scan the VHDs with anything other than Kernel in the meantime?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 2:29 
Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
@ StylishJedi

Without sample docs, as mentioned, it will be difficult to judge really... Don't you even have any sample default doc/pdf/jpg from the OS?
But it has to be encrypted.

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.

@pclab
Just to add here, I know a big company that already PAID about $15,000 and the hacker gave them the utility & key to decrypt their DB, but guess what!!
It decrypted the old useless DB files, and when they asked for the rest they asked for more $$$..
The money is gone and no data... back to square one :idea:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 3:27 
Joined: July 12th, 2010, 4:38
Posts: 1418
Location: Portugal
Yeah, we need to have some luck as well.
Fortunately, the 3 or 4 cases I already paid for all came out OK.

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 5:29 
Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
einstein9 wrote:
@ StylishJedi

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.



Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining, to try to determine if larger files have a chance of surviving: the interval and the number of bytes that are encrypted. And see if UFS, for example, can handle the missing portions and treat it as if it were file system damage/corruption.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service
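The band analysis Joep describes above (and the partial-repair idea behind his JPEG example), as an added example that is not from this thread or from any recovery tool: per-block Shannon entropy separates ciphertext (close to 8 bits/byte) from ordinary file content, so a scan of one encrypted file reports which byte ranges were hit, what share of the file that is, and the spacing between bands. The 4 KiB block size, the 7.5 bits/byte threshold and the constructed sample's band layout are assumptions, not measurements of Phobos.

```python
import math
import os
from collections import Counter

BLOCK = 4096       # analysis granularity in bytes (assumed; tune to the sample)
THRESHOLD = 7.5    # bits/byte; ciphertext scores ~8.0, text, zeros, headers far less

def entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def encrypted_runs(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Merge consecutive high-entropy blocks into (offset, length) bands."""
    runs, start = [], None
    for off in range(0, len(data), block):
        hot = entropy(data[off:off + block]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs

def summarize(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> dict:
    """Report the bands, the share of bytes hit, and the band spacing if regular."""
    runs = encrypted_runs(data, block, threshold)
    hit = sum(length for _, length in runs)
    gaps = {runs[i + 1][0] - runs[i][0] for i in range(len(runs) - 1)}
    return {
        "bands": runs,
        "percent_encrypted": round(100.0 * hit / len(data), 1) if data else 0.0,
        "interval": gaps.pop() if len(gaps) == 1 else None,   # None if irregular
    }

def constructed_sample() -> bytes:
    """Constructed stand-in for a partially encrypted file: 1 MiB of repetitive text
    with a 64 KiB random band every 256 KiB (layout invented, not a Phobos claim)."""
    buf = bytearray((b"Lorem ipsum dolor sit amet.\n" * 40000)[: 1 << 20])
    for off in range(0, len(buf), 256 * 1024):
        buf[off:off + 64 * 1024] = os.urandom(64 * 1024)
    return bytes(buf)

if __name__ == "__main__":
    report = summarize(constructed_sample())
    print(f"{report['percent_encrypted']}% encrypted, band interval {report['interval']}")
```

Run it against a real encrypted file by passing its bytes to summarize(); a low percentage with a regular interval is what makes the carve-and-repair approach discussed here worth trying, while 100% means the file is ciphertext throughout.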

