Tools for hard drive diagnostics, repair, and data recovery

Dchelp.org ransomware solution

August 27th, 2023, 23:41

One of my customers' servers and all attached networked laptops/desktops are locked by the relatively unknown dchelp.org ransomware. It used the DiskCryptor utility to lock file system metadata.
It has made the server non-bootable and has changed the file system into RAW by encrypting both boot sectors.
Is there any known solution for this variant? What will the cost of recovery be?
Attachments
Screenshot 2023-08-27 203751.png

Re: Dchelp.org ransomware solution

August 28th, 2023, 11:40

terminator2 wrote: RAW by encrypting both boot sectors. ?


Is that all it did as far as you can tell? Can you still see MFT?
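One way to answer that question against a sector-level image of the drive, as an added example that is not part of this thread and not code from DMDE, R-Studio or DiskCryptor: parse the NTFS boot sector (and its backup copy at the end of the volume), locate $MFT and $MFTMirr from the BPB, and check whether "FILE" records are still there. If both boot sectors are gone, the only thing left is a raw sector scan for "FILE" signatures, which is what the recovery tools in this thread fall back to. The sample image is constructed (a minimal NTFS-like layout, not a real formatted volume), a 512-byte sector is assumed, and the "damaged" copy simply overwrites both boot sectors with pseudo-random bytes to stand in for ciphertext.

```python
import math
import random
import struct

SECTOR = 512                 # assumed sector size for the synthetic image
NTFS_OEM = b"NTFS    "       # OEM ID at offset 3 of an NTFS boot sector
BOOT_SIG = b"\x55\xAA"       # boot sector signature at offset 0x1FE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for a mostly-zero sector, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_boot_sector(bs: bytes):
    """Return the BPB fields needed to find the MFT if bs looks like an NTFS boot sector, else None."""
    if len(bs) < SECTOR or bs[3:11] != NTFS_OEM or bs[0x1FE:0x200] != BOOT_SIG:
        return None
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", bs, 0x30)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        return None
    return {"cluster_size": bytes_per_sector * sectors_per_cluster,
            "total_sectors": total_sectors,
            "mft_cluster": mft_cluster, "mftmirr_cluster": mftmirr_cluster}


def find_file_records(img: bytes, step: int = SECTOR):
    """Sector-aligned offsets carrying the 'FILE' MFT record signature (raw carve)."""
    return [off for off in range(0, len(img) - 4, step) if img[off:off + 4] == b"FILE"]


def triage_image(img: bytes) -> dict:
    """Check primary and backup boot sectors, then whether $MFT/$MFTMirr still start with 'FILE'."""
    primary = parse_boot_sector(img[:SECTOR])
    backup = parse_boot_sector(img[-SECTOR:])   # NTFS keeps a copy in the last sector of the volume
    report = {
        "primary_boot_ok": primary is not None,
        "backup_boot_ok": backup is not None,
        "primary_boot_entropy": round(shannon_entropy(img[:SECTOR]), 2),
        "mft_ok": False,
        "mftmirr_ok": False,
        "file_records_found": len(find_file_records(img)),
    }
    bpb = primary or backup
    if bpb is None:
        return report                           # both copies gone: only the raw carve count is left
    for key, cluster in (("mft_ok", bpb["mft_cluster"]), ("mftmirr_ok", bpb["mftmirr_cluster"])):
        off = cluster * bpb["cluster_size"]
        report[key] = img[off:off + 4] == b"FILE"
    return report


def build_ntfs_image(sectors_per_cluster=8, total_clusters=16, mft_cluster=4, mftmirr_cluster=2) -> bytes:
    """Constructed sample: boot sector, clusters with 'FILE' records at $MFT and $MFTMirr,
    and a backup boot sector appended after the counted volume. Not a real formatted volume."""
    cluster = SECTOR * sectors_per_cluster
    total_sectors = total_clusters * sectors_per_cluster
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                   # jump instruction
    bs[3:11] = NTFS_OEM
    struct.pack_into("<H", bs, 0x0B, SECTOR)    # bytes per sector
    bs[0x0D] = sectors_per_cluster
    bs[0x15] = 0xF8                             # media descriptor (fixed disk)
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<QQ", bs, 0x30, mft_cluster, mftmirr_cluster)
    bs[0x1FE:0x200] = BOOT_SIG
    img = bytearray(bs) + bytearray(cluster * total_clusters - SECTOR) + bytearray(bs)
    for c in (mft_cluster, mftmirr_cluster):
        img[c * cluster:c * cluster + 4] = b"FILE"
    return bytes(img)


def simulate_boot_sector_damage(img: bytes, seed: int = 1) -> bytes:
    """Overwrite both boot sectors with pseudo-random bytes (stand-in for ciphertext); nothing else changes."""
    rng = random.Random(seed)
    out = bytearray(img)
    out[:SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    out[-SECTOR:] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return bytes(out)


if __name__ == "__main__":
    clean = build_ntfs_image()
    print("clean  :", triage_image(clean))
    damaged = simulate_boot_sector_damage(clean)
    print("damaged:", triage_image(damaged))
    print("FILE records still carvable at:", find_file_records(damaged))
```

On the constructed image the clean run reports both boot sectors and both MFT copies intact with a boot sector entropy well under 1 bit per byte; after the simulated damage both boot sector checks fail and the entropy jumps above 6, but the raw carve still finds the two "FILE" records, which is the situation where a tool like DMDE can rebuild from MFT records rather than from the BPB. When the carve finds nothing across the whole volume, the metadata itself has been overwritten and a boot sector repair alone will not bring the file system back.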

Re: Dchelp.org ransomware solution

August 29th, 2023, 8:19

Arch Stanton wrote:
terminator2 wrote: RAW by encrypting both boot sectors. ?


Is that all it did as far as you can tell? Can you still see MFT?

Hi Arch
Thanks. This ransomware has the capability to modify the MBR, and after a restart a login window appears where the victim has to enter the password given by the hackers to gain access to the data. I think they have modified disk sectors as well (it uses the DiskCryptor utility).
I have scanned the disk using R-Studio, which has shown 1.5 TB of data as deleted but with a disturbed folder structure (newer data not found). The MFTs are damaged too.
I think that due to the partial encryption the login window is not appearing, so even the hackers might not be able to decrypt the data.

Here are the first 100 MB of sectors and a partial scan log by DMDE:
https://drive.google.com/file/d/1gLpv3T ... sp=sharing
Attachments
666.PNG
555.PNG
44.PNG
4tb.PNG
Screenshot 2023-08-28 225154.png
Screenshot 2023-08-28 223411.png
Screenshot 2023-08-28 223227.png
Screenshot 2023-08-28 223133.png
Screenshot 2023-08-28 223050.png
Screenshot 2023-08-28 221552.png

Re: Dchelp.org ransomware solution

August 29th, 2023, 15:10

I don't care much for the scan log, and the first 100 MB won't show us the MFT.

Stuff like this is of no help, https://forum.hddguru.com/download/file ... &mode=view; it makes no sense to view an MBR as an MFT entry.

If the DMDE scan result, https://forum.hddguru.com/download/file ... &mode=view, is the result of a full scan, then indeed it looks like no MFT results so far, unfortunately.

So the hope that the ransomware is dumb (with limited CIH-virus-type damage), leaving easy-to-repair or work-around damage, seems futile.

Re: Dchelp.org ransomware solution

August 29th, 2023, 23:52

Arch Stanton wrote: I don't care much for the scan log, and the first 100 MB won't show us the MFT.

Stuff like this is of no help, https://forum.hddguru.com/download/file ... &mode=view; it makes no sense to view an MBR as an MFT entry.

If the DMDE scan result, https://forum.hddguru.com/download/file ... &mode=view, is the result of a full scan, then indeed it looks like no MFT results so far, unfortunately.

So the hope that the ransomware is dumb (with limited CIH-virus-type damage), leaving easy-to-repair or work-around damage, seems futile.


Since the encryption was interrupted, full disk encryption might not have taken place. But you are right, the MFTs might have been encrypted. Since R-Studio couldn't locate the MFTs, I have not run DMDE fully. The attached log is partial only (4%).
As per the FBI:
The ransomware program consists of the open source, off-the-shelf, disk encryption software
DiskCryptor wrapped in a program which installs and starts disk encryption in the background using
a key of the attacker’s choosing. The attacker passes the encryption key via the command-line
parameter: [Ransomware Filename].exe <password>. The ransomware extracts a set of
files and installs an encryption service. The ransomware program restarts the system about two
minutes after installation of DiskCryptor to complete driver installation. The encryption key and the
shutdown time variable are saved to the configuration file (myConf.txt) and are readable until the
second restart about two hours later which concludes the encryption and displays the ransom note.
If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt
is still accessible. If so, then the password can be recovered without paying the ransom. This
opportunity is limited to the point in which the system reboots for the second time.
Thanks for your help :-D :good: