 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 8:21 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Arch Stanton wrote:
einstein9 wrote:
@ StylishJedi

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.



Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining, to try to determine if larger files have a chance of surviving: the interval and number of bytes that are encrypted. And see if UFS, for example, can handle the missing portions and treat it as if it were file system damage/corruption.


So, I tried to see if I could find how much per file gets encrypted, but I do not have these files anymore and I didn't document how many bytes I removed from the JPEG I repaired; it was just a proof of concept. But it's evident that the majority of the data inside the encrypted file remains untouched.

Attachment: phobos-jpeg.png [ 101.7 KiB ]


But this (https://www.malwarebytes.com/blog/news/ ... ransomware) analysis of one particular variant suggests that only 3 chunks of 262144 bytes are encrypted. So peanuts compared to GBs' worth of VHD. But we already knew only partial encryption takes place simply by looking at the result of the Kernel tool scan. So again, perhaps UFS will do better, and if not it may be possible to realign data inside the VHDX file just like I do with the JPEGs.

Attachment: phobos-jpeg-realigned.png [ 133 KiB ]

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service
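One way to measure the encrypted 'bands' the post above talks about, added here as an illustration and not code from the thread or any poster: a Python entropy scan that flags high-entropy blocks and merges them into ranges, so the interval and size of the encrypted chunks (the 3 x 262144 bytes quoted from the Malwarebytes analysis) and the surviving percentage can be read off a file. The sample image, the 4096-byte scan block and the 7.0 bits/byte threshold are constructed assumptions, not values from the thread.

```python
import math
import random
from collections import Counter

BLOCK = 4096             # scan granularity in bytes (assumed, not from the thread)
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or random data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def encrypted_ranges(data: bytes, block: int = BLOCK, threshold: float = ENTROPY_THRESHOLD):
    """[(offset, length), ...] for each contiguous run of high-entropy blocks.
    Caveat: compressed or already-encrypted content inside the image (JPEGs, archives,
    BitLocker volumes) also scores high, so these are candidate bands, not proof.
    Zero-filled regions of a sparse VHDX score 0.0 and are never flagged."""
    ranges, start = [], None
    for off in range(0, len(data), block):
        hot = shannon_entropy(data[off:off + block]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            ranges.append((start, off - start))
            start = None
    if start is not None:
        ranges.append((start, len(data) - start))
    return ranges

def encrypted_fraction(data: bytes, ranges) -> float:
    """Share of the file covered by the flagged ranges (0.0 for an empty file)."""
    return sum(length for _, length in ranges) / len(data) if data else 0.0

def build_sample(total=3 * 1024 * 1024, chunk=262144, nchunks=3, seed=1234) -> bytes:
    """Constructed stand-in for a partially encrypted image (not real ransomware output):
    low-entropy text filler plus a zero-filled 64 KiB region, with `nchunks` pseudo-random
    chunks of `chunk` bytes one MiB apart, mimicking the 3 x 262144-byte pattern above."""
    text = b"NTFS metadata and ordinary file contents "
    data = bytearray((text * (total // len(text) + 1))[:total])
    data[total // 2:total // 2 + 65536] = bytes(65536)      # sparse / zero region
    rng = random.Random(seed)
    for i in range(nchunks):
        off = i * 1024 * 1024
        data[off:off + chunk] = rng.randbytes(chunk)
    return bytes(data)
```

Run encrypted_ranges() over the bytes of a suspect file; on the constructed sample it reports three 262144-byte bands at offsets 0, 1 MiB and 2 MiB, i.e. 25% of the file, with the zero region correctly left unflagged.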


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 8:35 

Joined: November 7th, 2020, 5:31
Posts: 1084
Location: The_UK
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

_________________
Data Recovery Services in the UK.
https://www.usbrecovery.co.uk/


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 14th, 2022, 9:17 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 15th, 2022, 12:54 

Joined: March 7th, 2009, 12:43
Posts: 1080
Location: Angel Data Recovery
I might be able to help without paying anything to anyone. Price for remote help sent by PM.
5 min with UFS; it has everything needed to resolve your issue.

_________________
Angel Data Recovery


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 15th, 2022, 12:59 

Joined: March 7th, 2009, 12:43
Posts: 1080
Location: Angel Data Recovery
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored the "sparse way - no zeroes" inside the "sparse" vhdx file.

_________________
Angel Data Recovery


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 15th, 2022, 19:53 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
DR-Kiev wrote:
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored the "sparse way - no zeroes" inside the "sparse" vhdx file.


Yes we know, the vhdx files themselves are victim of ransomware though.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 19th, 2022, 20:51 

Joined: September 11th, 2022, 23:45
Posts: 11
Location: Los Angeles
Thanks for everyone's input! DR-Kiev on here helped me! A little UFS, bypassing the lazily encrypted header on the VHD files, mounting the images with iSCSI, then recovering the files from those using R-Studio... tada! :)

DR-Kiev of Angel Recovery is a very lovely and talented person! He charged one-tenth of what some people here had proposed and did the work in about 30 minutes!!!

Oh, happiness! What a great forum you guys have here, so much talent and so many helpful people!

I'm very grateful and know where to look next time, which hopefully won't come soon :)

Sincerely,

Stylish


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: September 19th, 2022, 21:53 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
Nice. That confirms the theory then.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: January 28th, 2024, 12:22 

Joined: January 27th, 2024, 22:56
Posts: 1
Location: Iowa, USA
I don't mean to hijack this thread, but I have the exact same issue. Ransomware partially encrypted a VHDX, and in my case, I just need one file on there. Using UFS, I was able to scan the drive and I see thousands of files and folders but no structure. The search function doesn't really help and is always saying there is nothing found. I even search for a file that I'm looking at, and the search function doesn't find it. I'm guessing I must be doing something wrong in how I search.

The ideal situation would be to be able to mount the drive and browse it since I know where the file I'm looking for is located. Can anyone help?


 Post subject: Re: Ransomware encrypted .vhdx files. What software can moun
PostPosted: January 28th, 2024, 19:25 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
DR-Kiev wrote:
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored the "sparse way - no zeroes" inside the "sparse" vhdx file.


Those JPEGs were encrypted BTW, completely different case that had zero to do with a vhdx.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

