LinuxQuestions.org
Old 06-05-2019, 12:37 PM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: macOS, Slackware
Posts: 813

Rep: Reputation: 285
Retrieve encrypted data after ransomware attack on hard drive (no backup)


Do you know any soft (the platform doesn't matter) capable of retrieving the history of hard drive sectors even if overwritten?

I have serious doubts about it (it seems to me such an operation is not possible because the data has been lost since the last write operations; that's why overwriting a device with /dev/null or /dev/urandom is recommended if you want to get rid of it...), but my boss is telling me he's already used such software in the past (he can't remember its name though).
What do you think?

More globally, do you know of any method to retrieve encrypted data (by ransomware) except searching for a flaw in the encryption algorithm of the malware, searching for the encryption key somewhere (not very likely) or making a restoration (no backup here...)?
Just praying? xD
 
Old 06-05-2019, 12:40 PM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,962
Blog Entries: 3

Rep: Reputation: 1889
If you're using OpenZFS, just roll back to the last snapshot.
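A worked version of the snapshot-rollback advice above, added here as an example and not part of the original thread. It assumes a dataset named tank/home and a constructed snapshot listing standing in for real `zfs list` output; the only ZFS command it builds is `zfs rollback -r`, which discards any snapshots taken after the chosen one (the ones that already contain encrypted files).

```shell
#!/bin/sh
# Added example (not from the thread): pick the newest ZFS snapshot taken
# before the ransomware started, then build the rollback command for it.
# Assumptions: the dataset name "tank/home" and the snapshot listing below
# are constructed for illustration. On a real system replace
# sample_snapshots with:
#   zfs list -H -p -t snapshot -o name,creation -s creation tank/home
# which prints "name<TAB>creation-epoch", oldest first.

# Constructed stand-in for the zfs list output (three nightly snapshots).
sample_snapshots() {
  printf 'tank/home@daily-2019-06-03\t1559520000\n'
  printf 'tank/home@daily-2019-06-04\t1559606400\n'
  printf 'tank/home@daily-2019-06-05\t1559692800\n'
}

# pick_snapshot CUTOFF_EPOCH  (listing on stdin)
# Prints the newest snapshot created strictly before CUTOFF_EPOCH, the time
# at which files started being encrypted (take it from the mtime of the first
# encrypted file or the ransom note). Prints nothing and returns 1 when every
# snapshot is younger than the cutoff, i.e. no clean snapshot exists.
pick_snapshot() {
  awk -F'\t' -v cutoff="$1" '
    $2 < cutoff { best = $1 }   # listing is sorted by creation; keep the last match
    END { if (best == "") exit 1; print best }'
}

# rollback_cmd SNAPSHOT
# `zfs rollback` refuses to roll back past newer snapshots unless -r is
# given; -r destroys those newer (already-encrypted) snapshots.
rollback_cmd() {
  printf 'zfs rollback -r %s\n' "$1"
}

# Stand-alone run: encryption observed at epoch 1559650000 (June 4, 2019).
if snap=$(sample_snapshots | pick_snapshot 1559650000); then
  echo "Last clean snapshot: $snap"
  echo "Run: $(rollback_cmd "$snap")"
else
  echo "No snapshot predates the infection; snapshots are not a way out here." >&2
fi
```

Snapshots are read-only, so malware running as an ordinary user cannot encrypt them in place; an attacker with root can still `zfs destroy` them, which is why the thread's later advice about off-site, multi-generational copies applies to snapshots too (`zfs send` them elsewhere).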
 
Old 06-05-2019, 01:19 PM   #3
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,265

Rep: Reputation: 2200
Encryption is, effectively, overwriting with random data -- it is not recoverable.
You may, if you are very lucky, find some site which somebody made which found a flaw in the encryption the attacker used. If not, there is no data.
 
Old 06-07-2019, 08:46 AM   #4
aizkorri
Member
 
Registered: Feb 2002
Location: Basque Country
Distribution: Fedora 14, Ubuntu 14.04
Posts: 434
Blog Entries: 1

Rep: Reputation: 55
I had a similar task in the past, a hard disk folder encrypted with ransomware, they asked for money.

I got in contact with the Spanish police to report the issue and they put me in contact with their IT department, and it turned out they had the decrypting application.

It is not strange that these attacks happen once and again and to different companies, and there might be other people that have already fixed the problem.

I would recommend you to get in contact with French police IT, probably they have the decrypting application.
 
Old 06-07-2019, 09:16 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,889

Rep: Reputation: 1169
In theory, if it's a spinner and the original data has been on the platters for a long time, then there are some forensic retrieval companies that claim to read the data from deeper in the magnetic layer than normal writes (something like the data "sinks in" to the layer over time).

I'd assume that the cost of this kind of retrieval would be extremely expensive though.

It may be an option if funds are unlimited and the data is extremely important. But if it was that important it would have been backed up multi-generationally and stored off-site.
 
Old 06-13-2019, 01:56 PM   #6
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,265

Rep: Reputation: 2200
Quote:
Originally Posted by TenTenths
In theory if it's a spinner and the original data has been on the platters for a long time then there are some forensic retrieval companies that claim to read the data from deeper in the magnetic layer than normal writes (something like the data "sinks in" to the layer over time)

I'd assume that the cost of this kind of retrieval would be extremely expensive though.

It may be an option if funds are unlimited and the data is extremely important. But if it was that important it would have been backed-up multi generationally and stored off-site.
Do you have any links to back this up? AFAIK Gutmann himself stated this was likely not possible a couple of decades ago.
 
Old 06-13-2019, 07:36 PM   #7
LMINTUSER
LQ Newbie
 
Registered: Apr 2019
Posts: 14

Rep: Reputation: Disabled
In this age of malware, ransomware, etc., the old adage applies: periodic backups are sooo important these days.

I hope you find a way to get your data back and the attacker to go to jail.
 
Tags
malware, mitigation, ransomware