September 14th, 2022, 8:21
Arch Stanton wrote:
einstein9 wrote:
@ StylishJedi
@ Arch Stanton
The VM is encrypted, there is no way on earth to read what's inside it without decrypting.
Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining and try to determine if larger files have a chance of surviving. So, the interval and the number of bytes that are encrypted. And see if UFS, for example, can handle the missing portions and treat it as if it were file system damage/corruption.
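The measurement described in the post above (the interval between encrypted bands and the number of bytes per band), as an added example that is not part of the original thread or the poster's own tool. It assumes the unencrypted regions are low-entropy (text, metadata, zero fill); the block size, threshold and sample image are constructed for illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for text or zero fill."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def find_encrypted_bands(data: bytes, block: int = 4096, threshold: float = 7.5):
    """Return [(offset, length)] for runs of consecutive high-entropy blocks."""
    bands = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if len(chunk) < 256:  # too small for meaningful byte statistics
            continue
        if shannon_entropy(chunk) >= threshold:
            if bands and bands[-1][0] + bands[-1][1] == off:
                # Adjacent to the previous band: extend it
                bands[-1] = (bands[-1][0], bands[-1][1] + len(chunk))
            else:
                bands.append((off, len(chunk)))
    return bands

def summarize(bands, total_size):
    """Band count, distinct band lengths, distinct start-to-start intervals, fraction hit."""
    starts = [o for o, _ in bands]
    return {
        "bands": len(bands),
        "band_lengths": sorted({length for _, length in bands}),
        "intervals": sorted({b - a for a, b in zip(starts, starts[1:])}),
        "encrypted_fraction": sum(length for _, length in bands) / total_size,
    }

def build_sample(size=1 << 20, interval=256 * 1024, band=64 * 1024):
    """Constructed sample: low-entropy filler with random 'bands' written over it."""
    rng = random.Random(1)
    buf = bytearray(b"FILESYSTEM METADATA AND TEXT " * (size // 29 + 1))[:size]
    for off in range(0, size, interval):
        buf[off:off + band] = bytes(rng.getrandbits(8) for _ in range(band))
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample()
    print(summarize(find_encrypted_bands(sample), len(sample)))
```

Compressed content such as JPEG scan data is also close to 8 bits per byte, so in those regions entropy alone cannot separate ciphertext from intact data.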
September 14th, 2022, 8:35
September 14th, 2022, 9:17
Lardman wrote:@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.
September 15th, 2022, 12:54
September 15th, 2022, 12:59
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.
It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.
September 15th, 2022, 19:53
DR-Kiev wrote:
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.
It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victims of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.
Those pictures are not encrypted. They are just stored the "sparse way - no zeroes" inside the "sparse" vhdx file.
September 19th, 2022, 20:51
September 19th, 2022, 21:53
January 28th, 2024, 12:22
January 28th, 2024, 19:25