LinuxQuestions.org, General: Retrieve encrypted data after ransomware attack on hard drive (no backup) (https://www.linuxquestions.org/questions/general-10/retrieve-encrypted-data-after-ransomware-attack-on-hard-drive-no-backup-4175655204/)

l0f4r0 06-05-2019 12:37 PM

Retrieve encrypted data after ransomware attack on hard drive (no backup)
 
Do you know of any software (the platform doesn't matter) capable of retrieving the history of hard-drive sectors, even if overwritten?

I have serious doubts about it (it seems to me such an operation is not possible because the data has been lost since the last write operations; that's why overwriting a device with /dev/null or /dev/urandom is recommended if you want to get rid of it...), but my boss is telling me he has already used such software in the past (he can't remember its name though).
What do you think?

More globally, do you know of any method to retrieve data encrypted by ransomware, except searching for a flaw in the malware's encryption algorithm, searching for the encryption key somewhere (not very likely) or doing a restoration (no backup here...)?
Just praying? xD

Turbocapitalist 06-05-2019 12:40 PM

If you're using OpenZFS, just roll back to the last snapshot.

273 06-05-2019 01:19 PM

Encryption is, effectively, overwriting with random data -- it is not recoverable.
You may, if you are very lucky, find some site which somebody made which found a flaw in the encryption the attacker used. If not, there is no data.

aizkorri 06-07-2019 08:46 AM

I had a similar task in the past: a hard-disk folder encrypted with ransomware, and they asked for money.

I got in contact with the Spanish police to report the issue and they put me in contact with their IT department, and it turned out they had the decrypting application.

It is not strange that these attacks happen again and again and to different companies, and there might be other people who have already fixed the problem.

I would recommend you get in contact with the French police IT department; they probably have the decrypting application.

TenTenths 06-07-2019 09:16 AM

In theory, if it's a spinner and the original data has been on the platters for a long time, there are some forensic retrieval companies that claim to read the data from deeper in the magnetic layer than normal writes reach (something like the data "sinks in" to the layer over time).

I'd assume that the cost of this kind of retrieval would be extremely expensive though.

It may be an option if funds are unlimited and the data is extremely important. But if it was that important it would have been backed-up multi generationally and stored off-site.

273 06-13-2019 01:56 PM

Quote:

Originally Posted by TenTenths (Post 6003082)
In theory, if it's a spinner and the original data has been on the platters for a long time, there are some forensic retrieval companies that claim to read the data from deeper in the magnetic layer than normal writes reach (something like the data "sinks in" to the layer over time).

I'd assume that the cost of this kind of retrieval would be extremely expensive though.

It may be an option if funds are unlimited and the data is extremely important. But if it was that important it would have been backed-up multi generationally and stored off-site.

Do you have any links to back this up? AFAIK Gutmann himself stated this was likely not possible a couple of decades ago.

LMINTUSER 06-13-2019 07:36 PM

In this age of malware, ransomware, etc., the old adage applies: periodic backups are sooo important these days.

I hope you find a way to get your data back and the attacker to go to jail.

l0f4r0 06-19-2019 08:50 AM

Thank you all for your feedback!

The filesystem is Windows NTFS and the ransomware appears to be Snatch. All files have been encrypted and have had the ".jzkwx" extension appended.
According to the Internet, there's no way to decrypt the files as the encryption algorithm is rock solid (at least RSA 2048-bit for the asymmetric part). Anyway, does somebody have any personal experience/knowledge about Snatch to share?

NB: this is not my hard drive but a colleague's.
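Added example, not code from the thread or from any of its posters: a small triage script that puts numbers behind 273's point that ciphertext is effectively random data, and inventories files carrying the ".jzkwx" extension l0f4r0 reports. It computes the Shannon entropy of each file's head and pairs that with the extension, so files the ransomware renamed but never actually encrypted (a process killed mid-run, for instance) are separated out as candidates for simply renaming back. Assumptions: the extension and the 7.9 bits/byte cut-off are configurable constants, and the "encrypted" sample files are simulated with os.urandom rather than real Snatch output.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the thread reports Snatch appending; change for another strain.
RANSOM_EXT = ".jzkwx"
# Bits per byte above which a sample is treated as ciphertext. Assumption: 7.9
# is a common working cut-off. Compressed archives and media also score this
# high, so the check is paired with the extension rather than used alone.
ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty or
    single-valued input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 65536) -> dict:
    """Sample the head of one file and record the two indicators we can
    actually test for: the appended extension and ciphertext-like entropy."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    has_ext = path.name.endswith(RANSOM_EXT)
    h = shannon_entropy(head)
    return {
        "path": str(path),
        "original_name": path.name[: -len(RANSOM_EXT)] if has_ext else path.name,
        "ransom_ext": has_ext,
        "entropy": round(h, 3),
        "looks_encrypted": has_ext and h >= ENTROPY_THRESHOLD,
    }


def triage(root: Path) -> dict:
    """Walk `root` and bucket every regular file."""
    records = [classify(p) for p in sorted(root.rglob("*")) if p.is_file()]
    return {
        "encrypted": [r for r in records if r["looks_encrypted"]],
        # Extension present but content is still low-entropy: worth a closer look,
        # it may just need renaming rather than decrypting.
        "renamed_only": [r for r in records if r["ransom_ext"] and not r["looks_encrypted"]],
        "untouched": [r for r in records if not r["ransom_ext"]],
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real Snatch output. Ciphertext is simulated
    with os.urandom, which is what a sound cipher's output is statistically
    indistinguishable from."""
    (root / "docs").mkdir()
    (root / "docs" / ("budget.xlsx" + RANSOM_EXT)).write_bytes(os.urandom(65536))
    (root / "docs" / ("report.docx" + RANSOM_EXT)).write_bytes(os.urandom(16384))
    # Renamed but never encrypted (e.g. the ransomware was killed mid-run).
    (root / "docs" / ("todo.txt" + RANSOM_EXT)).write_bytes(b"buy milk\nrotate keys\n" * 200)
    # Untouched plaintext and the dropped ransom note, both low entropy.
    (root / "README.txt").write_bytes(b"Quarterly figures, see docs/.\n" * 100)
    (root / "RESTORE_FILES.txt").write_bytes(b"Your files are encrypted. Buy the decryptor.\n" * 20)


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, print and return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        result = triage(root)
        for bucket, recs in result.items():
            for r in recs:
                print(f"{bucket:13} {r['entropy']:5.3f}  {r['original_name']}")
        return result


if __name__ == "__main__":
    demo()
```

Run it on the real volume by pointing `triage()` at the mount point instead of the temp tree. The entropy column is the practical takeaway from 273's post: the simulated ciphertext sits within a few hundredths of 8.0 bits/byte, the plaintext files sit far below, and nothing in the "encrypted" bucket can be told apart from random bytes without the key, which is exactly why sector-level recovery tools have nothing to work with.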

