Ransomware attack file recovery

We will talk about everything you can do to decrypt your files after a ransomware attack.

If you’re lucky enough and your falls possibly aren’t encrypted yet check out our full guide on how to deal with a ransomware attack which is widely viewed and well-received, link.

Now we have to deal with this unintelligible gibberish which used to be our important data.

Dealing with a ransomware attack!
Step1 : Reverse Engineering ransomware Executable.
Step2: Analyzing memory dumps
Step3: Assisted brute force.
Most ransomware will tell you that there’s no way to decrypt your files without paying the ransom but of course, that isn’t always true.

To kick things off let’s talk about what encryption essentially is. it’s basically the process of encoding the data that you have in a different language.

One that can only be understood by someone who possesses the key that was used to encrypt your data. so, one way you can decrypt your files is by having the key.

It is also possible to decrypt your files without the key by a method which involves brute force, but we’ll talk about that later.

First, let’s talk about the two scenarios where we might be able to recover the key. now in this case we’re looking at the ransomware jigsaw.

This is a fairly old variant almost historic at this point, but it will serve for the purposes of demonstration.

You can see like most ransomware it tells you that your files are encrypted and there is no way to get your data back.

If we try and analyze the actual ransomware executable with DeeAnn spy which is going to allow us to decompile it and try to read parts of the source code.

You will see that we’ve got a program called bitcoin blackmailer here and if we open it up you can see we’ve got the main function and under that, we’ve got different forms.

Most importantly we’ve got a config. If we go ahead and open that as you will see we’ve got the product title, which is Firefox that’s what this masquerades house we’ve got the encryption file extension “dot fun”.

we know the max file size to encrypt n bytes. and then what do we have here? the Encryption password.

There you go that’s a static key which means the key that was used to encrypt your false.

In this case, it is hard-coded within the actual ransomware executable, so as long as you have the executable you have the key.

For long we can use this to decrypt your false now obviously just having the keys half the battle you still have to write a Decrypter using it to translate this into this.

Thankfully you don’t have to do this yourself, there are lots of excellent resources where you can find publicly create a decryptor style’ allow you to get your data back for free.

Some include the gnome or ransom project, but for this example, we’re just gonna look at MC sauce decryption tools because I genuinely believe that this is one of the best and easiest ways to go through with this.

All you have to do is upload an encrypted file or the ransom note, so we’ll just select our data click on open and once we hit the upload button, we will get a result.

In this case, it has identified the ransomware as the jigsaw, This is the absolute best-case scenario.

If this is what you see it’s your lucky day all you have to do is click for more information. and you can go ahead and download the Decrypted directly and once we have that we can go ahead and run it.

select our folder and click on decrypt.

and boom, as you can see our pictures, are restored.

This is rarely going to be the case for most modern ransomware, especially if it’s a targeted attack.

We’ll move on to the next method we can potentially find a key.

Now assuming your system is still running and the ransomware is active. you might be able to get a system memory dump, for a specific process you can do this simply by going into something like process hacker.

Select create a dump file, once this is done you can go ahead and use some kind of hex editor to Open it.

You have all the data that the process was actually using in memory.

If you’re lucky again this might include some strings that might be useful in the process of decryption.

Example, again if it has some kind of a static key.

This is where it might show up now obviously at this point, we’re getting into it founds forensics. you might even need to look at a complete system memory dump using something like the volatility suite. but again, if you’re desperate for your data this is an option to consider.

Obviously this is not always going to work. for example, if the ransomware uses RSA or asymmetric encryption there will be a public key for encryption and a private key for decryption.

Even if you find the public key all tough luck cuz it won’t really help you get your data back.

Now let’s assume both these methods have failed.

Around somewhere is quite resilient and it has left no traces in memory or otherwise, that leaves us with only one option.

That is to use brute force which is exactly what it sounds like breaking in through the door.

Well not exactly in computational terms it means trying every single combination of characters that could represent the key.

Unfortunately for you however if the ransomware has implemented a modern encryption method successfully. such as AES 256 or our say you will need more energy than the Sun can provide and its life span.

More time than how long the universe has existed to try all the possible combinations required.

You’ve literally got the laws of thermodynamics against you, but wait that’s as you mean ransomware developers don’t ever make mistakes, which is far from the truth.

You see the encryption algorithm itself might be secure, but its implementation within the ransomware program may have several flaws.

for example, they might be using a random number generation process that is somewhat predictable.

let’s say they use system time that way if you know what time the encryption event occurred you might be able to narrow down the possible outcomes.

There are lots of pseudo-random number generators. sometimes even small flaws with regards to how the key was generated, can vastly narrow down the number of combinations. you have to brute-force to actually get the key.

You’re able to find any such metadata with regards to how the original encryption process was performed.

What kind of seeding process was used?

You might actually be able to brute-force your way through with some powerful hardware, there you go you have an excuse to buy a GTX 2080 now.

If you’re able to decrypt your false great, if not well at least you can play some games right.

I guess until that is encrypted too but anyway there you have it those are pretty much all your options. of course, I cannot stress enough that prevention is the best way to protect yourself from ransomware.

And by the time your data is encrypted you’re already fighting a losing battle, very high cost, low chance of success.

And as Gimli says in Lord of the Rings what are we waiting for. but seriously if your home user and the first option I mentioned don’t work out your best bet might just be to reformat your system.

but if you are business and it’s something mission-critical and you’re even considering paying the ransom or authors you can consider these professional options.

now DMC soft decryption page also has a form that you can use to get in touch.

it’s a brief questionnaire and depending on your situation they might be able to help.

sometimes even if you pay the ransom or author’s you will get a decryption tool that either doesn’t work. or won’t help you restore your organization in a timely manner.

That’s where some of these methods can vastly reduce the time and headache that you have to deal with when it comes to decrypting your files.

Again, I will stress that if you can help it anything that does not involve paying the ransom our authors are always preferable.

I know it’s probably not what you’re hoping for maybe you were hoping there’s a magic formula, but this is the science and I think it’s much better to have an understanding of your actual options, rather than shooting in the dark.

and potentially falling prey to more scams that pretend that there’s an easier way around this.

There you have it I hope you enjoyed this

always stay secure stay informed

Leave a Comment