Ransomware encrypted .vhdx files. What software can mount?
Posted: September 12th, 2022, 0:13
by StylishJedi
Hi Gurus!
I have an urgent matter

I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere.
https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?
He told me you guys are the best and will likely have recommendations.
Please help! I'll be up all night waiting for a reply.
Thank you!
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 3:33
by lifeguarddubai
Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 4:41
by northwind
lifeguarddubai wrote: Your data got affected by 3 different ransomware hackers
Where is this conclusion coming from?
StylishJedi wrote: A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?
No.
You got infected with Phobos Ransomware which, after studying and researching it for several years, I found has no weaknesses.
HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 10:13
by StylishJedi
I am mostly looking for the QuickBooks file(s) on one server.
So I would be wasting my time with Kernel for VHD?

Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 10:14
by StylishJedi
lifeguarddubai wrote: Your data got affected by 3 different ransomware hackers; I don't think it can be recovered without the key.
How can you tell just from that screenshot?
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 11:03
by Arch Stanton
Phobos, no known method to decrypt. Depending on file type partial repair may be possible as I found when examining this JPEG file:
https://www.instagram.com/p/CdyLVH6ojkt/
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 11:38
by StylishJedi
Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 11:51
by StylishJedi
What's "not cheap" in this case? Please message me or by all means post your price. Thank you!
northwind wrote:
lifeguarddubai wrote: Your data got affected by 3 different ransomware hackers
Where is this conclusion coming from?
StylishJedi wrote: A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?
No.
You got infected with Phobos Ransomware which, after studying and researching it for several years, I found has no weaknesses.
HOWEVER,
depending on what kind of files these virtual drives contain, I might be able to help. But it won't be cheap.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 13:42
by Arch Stanton
StylishJedi wrote: Kernel for VHD only shows me tons of NTFS filesystem chunks with similar useless files in them...
Maybe get a 2nd opinion using UFS.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 12th, 2022, 14:39
by northwind
I'll pass.
QuickBooks files are not my piece of cake and I don't know how to reconstruct them from partial results.
Sorry!
I'd take Arch Stanton's last advice: Use UFS, scan and mount the vhdx files you have and then select "scan for lost data" on them.
Obviously, expect partial recovery results at the very best scenario.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 2:16
by StylishJedi
Thanks for the advice. I may scan one of the other servers, as lots of more recent documents are missing and it would be good to recover them, hopefully more easily than QuickBooks.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 2:28
by einstein9
StylishJedi wrote: Hi Gurus!
I have an urgent matter

I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere.
https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?
He told me you guys are the best and will likely have recommendations.
Please help! I'll be up all night waiting for a reply.
Thank you!
Upload here a sample JPG/DOC/XLS/PDF file to tell you... one sample is enough, plus the message which has the key.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 3:18
by pclab
Just for the sake of knowing: have you contacted the hackers and know the price they want?
It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 6:40
by einstein9
pclab wrote:Just for the sake of knowing: have you contacted the hackers and know the price they want?
It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...
I know some *clients* paid via BTC and did not get anything,
so
will you pay the unknown $1000 or pay the known $500? (just saying)
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 10:46
by StylishJedi
pclab wrote:Just for the sake of knowing: have you contacted the hackers and know the price they want?
It's bad, but sometimes it's the only way. Unfortunately, I have paid a few...
Yes, they wanted $22,000 for a small company with 7 workstations and a few VM servers.
Fortunately they didn't get to one of the backups but it had been tampered with and turned off months before, so data is a bit old.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 10:58
by StylishJedi
einstein9 wrote:
StylishJedi wrote: Hi Gurus!
I have an urgent matter

I have several ransomware-encrypted .vhdx files that contain critical data that unfortunately doesn't exist in a fresh backup somewhere.
https://do-it-rmm.s3.us-west-1.amazonaws.com/encrypted+vhdx+files.png
A colleague told me that it's likely that only the catalog or $MFT might be encrypted so it won't mount... I should be able to get the data?
He told me you guys are the best and will likely have recommendations.
Please help! I'll be up all night waiting for a reply.
Thank you!
Upload here a sample JPG/DOC/XLS/PDF file to tell you... one sample is enough, plus the message which has the key.
The problem is the DOC/XLS/PDF that are relevant and needed are all on the VMs that are encrypted. I can't get to them.

Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 13th, 2022, 11:38
by Arch Stanton
But did you scan the VHDs with anything other than Kernel in the meantime?
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 14th, 2022, 2:29
by einstein9
@ StylishJedi
Without sample docs as mentioned it will be difficult to judge, really... don't you even have any sample default doc/pdf/jpg from the OS?
But it has to be encrypted.
@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.
@pclab
Just to add here, I know a big company who already PAID about $15,000 and the hacker gave them the utility & key to decrypt their DB, but guess what!!
It decrypted the old useless DB files, and when they asked for the rest, they asked for more $$$.
The money is gone and no data... back to square one.

Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 14th, 2022, 3:27
by pclab
Yeah, we need to have some luck as well.
Fortunately the 3 or 4 cases I already paid came out all OK.
Re: Ransomware encrypted .vhdx files. What software can moun
Posted: September 14th, 2022, 5:29
by Arch Stanton
einstein9 wrote: @ StylishJedi
@ Arch Stanton
The VM is encrypted; there is no way on earth to read what's inside it without decrypting.
Yes! But as I mentioned earlier and showed using the JPEG example, the ransomware does not encrypt every byte of the file. It encrypts 'bands', so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining, and try to determine if larger files have a chance of surviving. So, interval and number of bytes that's encrypted. And see if UFS, for example, can handle the missing portions and treat it as if it were file system damage/corruption.
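The measurement Arch Stanton describes above (which byte ranges of a file the ransomware actually overwrote, how long each band is, and how much readable data sits between bands) can be made concrete with a per-block entropy scan: ciphertext is close to 8 bits of entropy per byte, while ordinary documents and database pages are far lower. The script below is an added example written for this thread; it is not code from any poster, from Kernel for VHD or from UFS. It assumes a 4 KiB block granularity, a 7.0-bit cut-off, and it generates its own constructed sample (repetitive text with a 16 KiB random band every 64 KiB standing in for encrypted bands), so it runs offline; to scan a real carved file, pass `open(path, "rb").read()` to `summarize()` instead of `make_sample()`.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096      # assumed block granularity for the entropy scan
THRESHOLD_BITS = 7.0   # assumed cut-off: ciphertext sits close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_map(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block entropy, one value for each block_size slice of the file."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def find_bands(data: bytes, block_size: int = BLOCK_SIZE,
               threshold: float = THRESHOLD_BITS) -> list:
    """Contiguous runs of high-entropy blocks as (offset, length) tuples."""
    bands = []
    start = None
    for idx, h in enumerate(entropy_map(data, block_size)):
        offset = idx * block_size
        if h >= threshold:
            if start is None:
                start = offset          # a new high-entropy band begins here
        elif start is not None:
            bands.append((start, offset - start))
            start = None
    if start is not None:               # band runs to the end of the file
        bands.append((start, len(data) - start))
    return bands


def summarize(data: bytes, block_size: int = BLOCK_SIZE,
              threshold: float = THRESHOLD_BITS) -> dict:
    """Band list, bytes that look encrypted, their fraction of the file,
    and the size of each readable gap between consecutive bands."""
    bands = find_bands(data, block_size, threshold)
    encrypted = sum(length for _, length in bands)
    gaps = [nxt[0] - (cur[0] + cur[1]) for cur, nxt in zip(bands, bands[1:])]
    return {
        "bands": bands,
        "encrypted_bytes": encrypted,
        "encrypted_fraction": encrypted / len(data) if data else 0.0,
        "gap_sizes": gaps,
    }


def make_sample(seed: int = 1) -> bytes:
    """Constructed stand-in for a partially encrypted file: 256 KiB of repetitive
    text with a 16 KiB band of random bytes (mimicking ciphertext) every 64 KiB."""
    rng = random.Random(seed)
    line = b"Invoice 2022-09 line item qty 1 price 100.00\r\n"
    buf = bytearray((line * 8000)[:256 * 1024])
    band_len, period = 16 * 1024, 64 * 1024
    for offset in range(0, len(buf), period):
        buf[offset:offset + band_len] = rng.randbytes(band_len)
    return bytes(buf)


if __name__ == "__main__":
    result = summarize(make_sample())
    for offset, length in result["bands"]:
        print(f"high-entropy band at 0x{offset:08x}, {length} bytes")
    print(f"{result['encrypted_bytes']} bytes ({result['encrypted_fraction']:.0%}) "
          f"look encrypted; readable gaps: {result['gap_sizes']}")
```

The band offsets and gap sizes are exactly the "interval and number of bytes" Arch Stanton wants to know before deciding whether a large file is worth carving; the fraction tells you how much of a given file type is likely to be intact. One caveat for this thread's file types: JPEGs and zipped Office formats (DOCX, XLSX) are already compressed, so their untouched blocks also score near 8 bits and the entropy cut-off cannot tell an encrypted band from a compressed one. For those, compare against a known-good file of the same format or look for the format's own structure (JPEG markers, ZIP local file headers) instead of relying on entropy alone.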
not encrypt every byte of the file. It encrypts 'bands' so to speak. What I do not know is the percentage that actually gets encrypted. So this is what I'd be examining and try determine if larger files have a chance of surviving. So, interval and number of bytes that's encrypted. And see if UFS for example can handle the missing portions and treat it as if it were file system damage/corruption.