March 18th, 2021, 7:35
March 18th, 2021, 7:50
bos@basterd:/backup/$ time gzip -1c Martina1.img > img.gz
real 6m45.718s
user 5m19.580s
sys 0m32.104s
bos@basterd:/backup/a$ du -sh img.gz
262M img.gz
March 18th, 2021, 7:59
I tried to recover the txt-file in DMDE but was told there was an I/O error, so I cannot peek at its contents.
March 18th, 2021, 8:05
bos wrote:I just performed a test by compressing the image (64GB):
- Code:
bos@basterd:/backup/$ time gzip -1c Martina1.img > img.gz
real 6m45.718s
user 5m19.580s
sys 0m32.104s
bos@basterd:/backup/a$ du -sh img.gz
262M img.gz
And that tells me that the image is basically filled with zeroes, so the drive has most likely been wiped.
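The gzip test above is a quick compressibility check: 64 GB shrinking to 262 MB (roughly 250:1) is only possible if the image is almost entirely long runs of identical bytes. It does not, however, say where the non-zero regions are, nor whether what is left is file-system metadata, plaintext, or encrypted data. The script below is an added example written for this thread, not code from bos's post or from any tool mentioned here; it walks an image block by block, counts all-NUL blocks, flags high-entropy blocks (encrypted or compressed data sits near 8 bits/byte), and records the first offset of each class so you know where to point a hex editor next. The 1 MiB block size, the 7.9 bits/byte threshold, and the small sample image built by `demo()` are assumptions made for the example.

```python
"""Block-level triage of a raw disk image: wiped (zeros), encrypted or
compressed (high entropy), or ordinary data.  Added example, not from the
thread; block size, threshold and the sample image are assumptions."""
import math
import os
import sys
import tempfile
from collections import Counter

BLOCK_SIZE = 1024 * 1024  # 1 MiB granularity; an assumption, tune to taste
HIGH_ENTROPY = 7.9        # bits/byte; encrypted/compressed/random data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0).
    bytes.count() per value keeps the inner loop in C, fast enough for 1 MiB blocks."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(b) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_block(block):
    """'zero' for an all-NUL block, 'high-entropy' for encrypted/compressed-looking
    bytes, otherwise 'data' (file-system structures, text, uncompressed files)."""
    if block.count(0) == len(block):
        return "zero"
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"
    return "data"


def scan_image(path, block_size=BLOCK_SIZE):
    """Read the image block by block; return per-class counts, the zero fraction
    and the byte offset at which each class first appears."""
    counts = Counter()
    first_offset = {}
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(block_size)
            if not block:
                break
            label = classify_block(block)
            counts[label] += 1
            first_offset.setdefault(label, offset)
            offset += len(block)
    total = sum(counts.values())
    return {
        "blocks": total,
        "zero": counts["zero"],
        "high_entropy": counts["high-entropy"],
        "data": counts["data"],
        "zero_fraction": counts["zero"] / total if total else 0.0,
        "first_offset": first_offset,
    }


def demo(block_size=64 * 1024):
    """Constructed sample image (not the thread's 64 GB image): one block of
    repeated text, one of random bytes, then two blocks of zeros."""
    path = os.path.join(tempfile.mkdtemp(), "sample.img")
    text = b"Quarterly report, section 1.\n"
    with open(path, "wb") as f:
        f.write((text * (block_size // len(text) + 1))[:block_size])
        f.write(os.urandom(block_size))
        f.write(bytes(2 * block_size))
    return scan_image(path, block_size)


if __name__ == "__main__":
    result = scan_image(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as `python3 triage.py Martina1.img` against a copy of the image, never the original device. A wiped drive shows a zero fraction near 1.0 with a few "data" blocks at the start (partition table, boot sector, directory structures); a drive full of ransomware output shows mostly "high-entropy" blocks instead. Both cases compress well enough to look similar to gzip alone.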
March 18th, 2021, 8:57
March 18th, 2021, 9:13
I've seen a few like that which had been intentionally wiped, not sure using what software though. Wonder what the contents of the file look like in hex. I'd also be tempted to do a quick chip-off to see some raw data; that would rule out the controller too.
Arch Stanton wrote:Or the translation table is corrupt. But then this file indeed would be a weird anomaly.
If you're not mounting the device it should maintain separation, but it's always a concern with Windows and a device, less so with an image file. Linux is the easiest and cheapest way to sandbox it.
samstown wrote:...how do you deal with a ransomware device? That USB drive could infect your system, couldn't it?
March 18th, 2021, 9:13
March 18th, 2021, 9:46
Arch Stanton wrote:Drives are encrypted; they're not contagious if you just read them. Ransomware itself is in essence just an executable, like for example Notepad.exe. If you attach a drive containing Notepad.exe nothing will happen unless Notepad.exe is run. So the ransomware software needs to be executed to be dangerous. If a USB flash drive is prepped to spread ransomware, so set up to autorun the ransomware executable, then that would be a different story.
That being said, it is never a bad idea to run Linux with drives attached to image them; better safe than sorry.
Any idea already what ransomware you're dealing with?
March 18th, 2021, 10:03
March 18th, 2021, 10:28
Arch Stanton wrote:Paying is often enough no guarantee that you'll be sent a decryptor. I have seen plenty of cases where people pay and get nothing, or a reply stating they want more.
To identify the ransomware exactly, upload an encrypted file here: https://id-ransomware.malwarehunterteam.com/ but it looks like Crysis Ransomware (= Dharma Ransomware). The ID-Ransomware site will also tell you if there's a decryptor available.
If not:
- I regularly saw ransomware fail to encrypt deeper-nested folders, so you can always check those. Sometimes simply renaming them (getting rid of the ransomware extension) is enough to do the trick. A RAW scan will of course detect such files too, which may be responsible for part of the successful recoveries attributed to PhotoRec that I sometimes see in forums.
- In general many ransomwares write the encrypted data to a newly created file and delete the original. If you're lucky the original data may survive, although there's of course the huge risk that those newly created encrypted files overwrite the 'vacant' clusters of the deleted original files.
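The first bullet of the post above (files in deeper folders that carry the ransomware extension but were never actually encrypted) is something you can check mechanically before renaming anything. The script below is an added example written for this thread, not code from the post or from any tool named in it. It walks a directory tree (a mounted copy of the image, or the files a RAW scan carved), reads the first 4 KiB of every file with the given extension, and decides whether the body is still intact: a known file signature or mostly printable text means the file was only renamed, a high-entropy header means it was really encrypted, anything in between is flagged for manual inspection. Intact files are restored by stripping the extension, and the rename refuses to overwrite an existing file so a surviving original is never clobbered. The `.locked` extension, the 4 KiB window, the entropy threshold and the sample tree built by `demo()` are assumptions; real Dharma/Crysis names are longer, so pass the actual suffix you see. Only the renamed-but-untouched case is recovered here; genuinely encrypted files still need a decryptor.

```python
"""Triage files carrying a ransomware extension: really encrypted, or just
renamed?  Added example, not from the thread; extension, thresholds and the
sample tree are assumptions."""
import math
import os
import tempfile

HEADER_BYTES = 4096   # how much of each file to inspect; an assumption
HIGH_ENTROPY = 7.5    # bits/byte over the header; encrypted bytes score ~7.9+

# Signatures that cannot survive encryption of the file body. Extend as needed.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/docx/xlsx/pptx",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
}


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(b) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_header(header):
    """Return (verdict, reason) for the first HEADER_BYTES of a file."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return "intact", name + " signature present"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in header)
    if header and printable / len(header) > 0.95:
        return "intact", "plain text"
    if shannon_entropy(header) < HIGH_ENTROPY:
        return "suspect", "low entropy but no known signature; inspect by hand"
    return "encrypted", "high entropy"


def triage(root, ext):
    """Walk root (deep folders included) and classify every file ending in ext."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ext):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    verdict, reason = classify_header(f.read(HEADER_BYTES))
                results.append((path, verdict, reason))
    return results


def strip_extension(path, ext):
    """Rename path without ext. Never overwrites: a surviving original wins."""
    target = path[: -len(ext)]
    if os.path.exists(target):
        raise FileExistsError(target)
    os.rename(path, target)
    return target


def demo(ext=".locked"):
    """Constructed sample tree: a text file and a PDF that were only renamed,
    deep in a nested folder, plus one file whose body is random bytes."""
    root = tempfile.mkdtemp()
    deep = os.path.join(root, "projects", "2020", "archive", "q4")
    os.makedirs(deep)
    samples = {
        os.path.join(deep, "notes.txt" + ext): b"Meeting notes: budget, staffing.\n" * 200,
        os.path.join(deep, "report.pdf" + ext): b"%PDF-1.4\n" + b"stream data " * 400,
        os.path.join(root, "photo.jpg" + ext): os.urandom(8192),
    }
    for path, body in samples.items():
        with open(path, "wb") as f:
            f.write(body)
    results = triage(root, ext)
    restored = [strip_extension(p, ext) for p, v, _ in results if v == "intact"]
    return {
        "intact": sum(v == "intact" for _, v, _ in results),
        "encrypted": sum(v == "encrypted" for _, v, _ in results),
        "restored": sorted(os.path.basename(p) for p in restored),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        for path, verdict, reason in triage(sys.argv[1], sys.argv[2]):
            print(verdict, path, "-", reason)
    else:
        print(demo())
```

Run `python3 triage.py /mnt/copy .locked` (substituting the real suffix) to list verdicts without touching anything; only call `strip_extension` on the "intact" entries once you have reviewed the "suspect" ones. Work on a copy of the image: renaming on the original evidence drive is exactly the kind of write that can overwrite the vacant clusters the second bullet warns about.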
March 21st, 2021, 4:21
Arch Stanton wrote:When you look with disk editor, largely zeros?
Arch Stanton wrote:Heuh? After scanning your image file? If you open the folder in a hex editor and jump to the first cluster of the file?
March 21st, 2021, 7:50
This is the weird thing. I can hex-dump the file in DMDE, and I had no read errors whatsoever when I created the image. Yet DMDE tells me the partition table is corrupt (but still lists a valid partition) and that there's an I/O error when extracting the file itself.
A corrupt translation table is a great guess of yours, and the best one I have for now. I will dust off the VNR and see if it can do some magic here.
March 23rd, 2021, 5:56
March 23rd, 2021, 6:02
April 11th, 2021, 5:08
April 11th, 2021, 8:15
May 6th, 2021, 17:32
May 6th, 2021, 19:32
May 7th, 2021, 1:55