HDD GURU FORUMS
http://forum.hddguru.com/

Ransomware encrypted .vhdx files. What software can mount?
http://forum.hddguru.com/viewtopic.php?f=7&t=42707
Page 2 of 2

Author:  Arch Stanton [ September 14th, 2022, 8:21 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Arch Stanton wrote:
einstein9 wrote:
@ StylishJedi

@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.

Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining, to try to determine if larger files have a chance of surviving: the interval and the number of bytes that are encrypted. And see if UFS, for example, can handle the missing portions and treat them as if they were file system damage/corruption.


So, I tried to see if I could find how much per file gets encrypted, but I do not have these files anymore and I didn't document how many bytes I removed from the JPEG I repaired; it was just a proof of concept. But it's evident that the majority of the data inside the encrypted file remains untouched.

Attachment: phobos-jpeg.png


But this (https://www.malwarebytes.com/blog/news/ ... ransomware) analysis of one particular variant suggests that only 3 chunks of 262144 bytes are encrypted. So peanuts compared to GBs' worth of VHD. But we already knew only partial encryption takes place simply by looking at the result of the Kernel tool scan. So again, perhaps UFS will do better, and if not it may be possible to realign the data inside the VHDX file just like I do with the JPEGs.

Attachment: phobos-jpeg-realigned.png
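The measurement Arch Stanton describes above (which bytes of a file are actually encrypted, at what interval and in what size) can be approximated without the original sample: ciphertext is near-random, so scoring each block of a file by its entropy and merging adjacent high-entropy blocks maps the encrypted "bands". This is an added example, not code from the thread; the block size, threshold and the constructed sample file are assumptions.

```python
"""Map the encrypted-looking regions of a partially encrypted file.

Added example (not from the forum thread). Each block is scored by Shannon
entropy; adjacent high-entropy blocks are merged into runs, which gives the
interval and size of the encrypted bands without the decryption key.
"""
import math
import os
from collections import Counter

BLOCK = 4096        # scan granularity in bytes (assumption; tune per sample)
THRESHOLD = 7.5     # bits per byte; random ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_runs(blob: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return [(offset, length), ...] of contiguous high-entropy regions.

    Zero-filled or text-like blocks score low, ciphertext scores near 8, and
    flagged neighbours are merged so one 256 KiB chunk is one run, not 64.
    """
    runs = []
    for off in range(0, len(blob), block):
        chunk = blob[off:off + block]
        if shannon_entropy(chunk) >= threshold:
            if runs and runs[-1][0] + runs[-1][1] == off:
                runs[-1] = (runs[-1][0], runs[-1][1] + len(chunk))
            else:
                runs.append((off, len(chunk)))
    return runs


def build_sample(chunk: int = 16 * 1024, size: int = 256 * 1024) -> bytes:
    """Constructed stand-in for a partially encrypted file: low-entropy
    filler with three random chunks at offsets 0, size//2 and size-chunk."""
    buf = bytearray((b"VHDX sample filler\n" * (size // 19 + 1))[:size])
    for start in (0, size // 2, size - chunk):
        buf[start:start + chunk] = os.urandom(chunk)   # stands in for ciphertext
    return bytes(buf)


if __name__ == "__main__":
    for off, length in encrypted_runs(build_sample()):
        print(f"encrypted-looking run at {off:#x}, {length} bytes")
```

Run it against a real sample by replacing build_sample() with the file's bytes; the gaps between runs are the untouched data a carving tool can still work with.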

Author:  Lardman [ September 14th, 2022, 8:35 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.

Author:  Arch Stanton [ September 14th, 2022, 9:17 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were a victim of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.

Author:  DR-Kiev [ September 15th, 2022, 12:54 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

I might be able to help without paying anyone anything. Price for remote help sent to PM.
5 min with UFS; it has everything needed to resolve your issue.

Author:  DR-Kiev [ September 15th, 2022, 12:59 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were a victim of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored in a "sparse way - no zeroes" inside the "sparse" vhdx file.

Author:  Arch Stanton [ September 15th, 2022, 19:53 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

DR-Kiev wrote:
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were a victim of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored in a "sparse way - no zeroes" inside the "sparse" vhdx file.


Yes, we know; the vhdx files themselves are victims of ransomware, though.

Author:  StylishJedi [ September 19th, 2022, 20:51 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Thanks for everyone's input! DR-Kiev on here helped me! A little UFS, bypassing the lazily encrypted header on the VHD files, mounting the images with iSCSI, then recovering the files from those using R-Studio... tada! :)

DR-Kiev of Angel Recovery is a very lovely and talented person! He charged one-tenth of what some people here had proposed and did the work in about 30 minutes!!!

Oh, happiness! What a great forum you guys have here, so much talent and so many helpful people!

I'm very grateful and know where to look next time, which hopefully won't come soon :)

Sincerely,

Stylish

Author:  Arch Stanton [ September 19th, 2022, 21:53 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

Nice. That confirms the theory then.

Author:  mkemper321 [ January 28th, 2024, 12:22 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

I don't mean to hijack this thread, but I have the exact same issue. Ransomware partially encrypted a VHDX, and in my case I just need one file on there. Using UFS, I was able to scan the drive and I see thousands of files and folders but no structure. The search function doesn't really help and always says there is nothing found. I even search for a file that I'm looking at, and the search function doesn't find it. I'm guessing I must be doing something wrong in how I search.

The ideal situation would be to be able to mount the drive and browse it since I know where the file I'm looking for is located. Can anyone help?

Author:  Arch Stanton [ January 28th, 2024, 19:25 ]
Post subject:  Re: Ransomware encrypted .vhdx files. What software can moun

DR-Kiev wrote:
Arch Stanton wrote:
Lardman wrote:
@Arch Stanton - This is not an area I've had to look at but that's extremely interesting, thanks for posting.


It's not an area I'd normally look into if it were not for a client that sent me corrupt files without telling me they were corrupt due to ransomware encryption. After I repaired them I learned they were a victim of STOP DJVU ransomware. Between then and now I learned there are more ransomware families that only partially encrypt a file to save time. It sometimes allows for repair of certain file types, or makes the non-encrypted portion viewable again. For example, I made a simple and clumsy tool to repair certain media type files: https://youtu.be/3AKJ27sZ9_E. Since then most other video repair tools picked up on that, so using something like Wondershare video repair is probably more convenient.


Those pictures are not encrypted. They are just stored in a "sparse way - no zeroes" inside the "sparse" vhdx file.


Those JPEGs were encrypted, BTW; a completely different case that had zero to do with a vhdx.
