Ransomware encrypted .vhdx files. What software can mount?

[Arch Stanton]

@ StylishJedi

@ Arch Stanton
The VM is encrypted there is no way on earth to read whats inside it without decrypting

Yes! But as I mentioned earlier and showed using the JPEG example the ransomware does not encrypt every byte of the file. It encrypts 'bands' so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining and try determine if larger files have a chance of surviving. So, interval and number of bytes that's encrypted. And see if UFS for example can handle the missing portions and treat it as if it were file system damage/corruption.

So, I tried to see if I could find how much per file gets encrypted, but I do not have these files anymore and I didn't document how many bytes I removed from the JPEG I repaired, it was just proof of concept. But it's evident that majority of data inside the encrypted file remains untouched.

But this (https://www.malwarebytes.com/blog/news/ ... ransomware) analysis of one particular variant suggests that only 3 chunks of 262144 bytes are encrypted. So peanuts compared to GB's worth of VHD. But we already knew only partial encryption takes place simply by looking at result of the Kernel tool scan. So again, perhaps UFS will do better, and if not it may be possible to realign data inside the VHDX file just like I do with the JPEGs.

[Lardman]

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

[Arch Stanton]

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victim of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or make non encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is more convenient probably.

[DR-Kiev]

I might be able to help without paying anything anyone. Price for remote help sent to PM.
5 min with UFS, it has all enough to resolve your issue.

[DR-Kiev]

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victim of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or make non encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is more convenient probably.

Those pictures are not encrypted. They just stored "sparse way - no zeroes" inside "sparse" file vhdx.

[Arch Stanton]

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victim of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or make non encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is more convenient probably.

Those pictures are not encrypted. They just stored "sparse way - no zeroes" inside "sparse" file vhdx.

Yes we know, the vhdx files themselves are victim of ransomware though.

[StylishJedi]

Thanks for everyone's input! DR-Kiev on here helped me! A little UFS, bypassing the lazily encrypted header on the VHD files, mounting the images with iSCSi then recovering the files from those using R-Studio... tada!

DR-Kiev of Angel Recovery is a very lovely and talented person! He charged one-tenth of what some people here had proposed and did the work in about 30 minutes!!!

Oh, happiness! What a great forum you guys have here, so much talent and so many helpful people!

I'm very grateful and know where to look next time, which hopefully won't come soon

Sincerely,

Stylish

[Arch Stanton]

Nice. That confirms the theory then.

[mkemper321]

I don't mean to hijack this thread, but I have the exact same issue. Ransomware partially encrypted a VHDX, and in my case, I just need one file on there. Using UFS, I was able to scan the drive and I see thousands of files and folders but no structure. The search function doesn't really help and is always saying there is nothing found. I even search for a file that I'm looking at, and the search function doesn't find it. I'm guessing I must be doing something wrong in how I search

The ideal situation would be to be able to mount the drive and browse it since I know where the file I'm looking for is located. Can anyone help?

[Arch Stanton]

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were victim of STOP DJVU ransomware. Between then and now I learned there are more ransomwares that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or make non encrypted portion viewable again. For example I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is more convenient probably.

Those pictures are not encrypted. They just stored "sparse way - no zeroes" inside "sparse" file vhdx.

Those JPEGs were encrypted BTW, completely different case that had zero to do with a vhdx.