
Thread: Ransomware problem

  1. #1
    Member
    Join Date
    Aug 2006
    Posts
    163
    Thanks
    4
    Thanked
    8 times in 8 posts

    Ransomware problem

    Hi, would appreciate some advice please.
    A relative's computer was recently infected with ransomware (Spora). Whilst the machine has been cleared of the virus, a large number of files (mainly photographs) have been left presumably with the header overwritten - normal viewing programs don't recognise the type although the file extension is for example jpg. Does anyone know of a program or utility that might return these files to their previous 'normal' setting?

  2. #2
    Admin Team peterb's Avatar
    Join Date
    Aug 2005
    Location
    Southampton
    Posts
    16,279
    Thanks
    1,995
    Thanked
    2,578 times in 2,067 posts
    • peterb's system
      • Motherboard:
      • Nascom 2
      • CPU:
      • Z80B
      • Memory:
      • 48K 8 bit memory on separate card
      • Storage:
      • Audio cassette tape - home built 5.25" floppy drive
      • Graphics card(s):
      • text output (composite video)
      • PSU:
      • Home built
      • Case:
      • Home built
      • Operating System:
      • Nas-sys
      • Monitor(s):
      • 12" monochrome composite video input
      • Internet:
      • No networking capability on this machine

    Re: Ransomware problem

    Ransomware usually encrypts the files - which would also change the header.

    The header for a jpg file is FF D8 FF E0 so if you have a hex editor, you can manually set those values and see if the file springs to life.

    Sadly I fear you may be disappointed.
    (\__/)
    (='.'=)
    (")_(")

    My broadband speed - 750 Meganibbles/minute

  3. #3
    Senior Member
    Join Date
    Aug 2013
    Location
    North Wales
    Posts
    1,411
    Thanks
    136
    Thanked
    179 times in 135 posts
    • virtuo's system
      • Motherboard:
      • Asus GRYPHON Z87
      • CPU:
      • i7 4790K @4.8Ghz Corsair H100i GTX
      • Memory:
      • 32Gb G.Skill TridentX 2400 @ CAS9
      • Storage:
      • Samsung 840 EVO 120Gb + Many, many HDs
      • Graphics card(s):
      • EVGA 980Ti FTW
      • PSU:
      • EVGA Supernova G2 750W
      • Case:
      • be quiet! Dark Base Pro 900 (Orange)
      • Operating System:
      • Win10, Fedora
      • Monitor(s):
      • 2x Dell U2515H 1440p DELL U3415W Ultrawide for Work
      • Internet:
      • PlusNet Unlimited 80Mb

    Re: Ransomware problem

    I'm not familiar with this ransomware, is it the cryptographic type where you need to pay for a decode key, or has it just nobbled the files by removing parts of them?

    If it's the former, you may be stuck - depending on if you have the decode key or not. The latter you might be able to salvage as long as it is just file header/metadata that has been removed.

    In the case of JPGs, the compression means that there generally isn't much binary data in there that you can change without ruining the whole file (or a good chunk of it). Do you have an example damaged file that we could take a look at?
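
    Posts #2 and #3 above turn on one question: has only the header been clobbered (in which case putting FF D8 back in front can work) or has the whole file been encrypted (in which case no header edit will help)? The script below is an added example for this thread, not code posted by any forum member, and the sample JPEG, the "header overwrite" and the "encryption" it operates on are all constructed inline. It decides the question structurally: a JPEG header is a chain of FF xx segments, each carrying a 2-byte big-endian length, and a decodable one has quantisation tables (DQT), a frame header (SOF0/1/2) and Huffman tables (DHT) before Start Of Scan. If that chain can be walked from somewhere in the first 64 KB the file is header-damaged and repairable; if it cannot be found at all, the body is gone too. Note that the FF D8 FF E0 prefix quoted in post #2 is the JFIF form; Exif-tagged photos start FF D8 FF E1, and the checker accepts both because it looks at the segment chain rather than the fourth byte.

```python
"""Triage a .jpg that came back from a ransomware infection (added example)."""
import hashlib
import struct

SOI = b"\xff\xd8"                                    # Start Of Image
SOS = 0xDA                                           # Start Of Scan
STANDALONE = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}  # markers with no length field
# Markers that legitimately open the header region: DQT, DHT, SOF0-2, COM, APPn.
HEADER_MARKERS = {0xDB, 0xC4, 0xC0, 0xC1, 0xC2, 0xFE, *range(0xE0, 0xF0)}


def walk_segments(data: bytes, start: int) -> list:
    """Follow the FF xx [length] chain from `start`; return the marker ids seen.
    Stops at SOS (entropy-coded data follows) or at the first non-segment byte."""
    seen, pos = [], start
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte, keep scanning
            pos += 1
            continue
        if marker == 0x00:                           # stuffed byte: scan data, not a segment
            break
        seen.append(marker)
        if marker == SOS:
            break
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            break
        pos += 2 + length
    return seen


def chain_is_plausible(markers) -> bool:
    """A decodable header has DQT, DHT and a SOF, and ends at Start Of Scan."""
    return (SOS in markers and 0xDB in markers and 0xC4 in markers
            and any(m in markers for m in (0xC0, 0xC1, 0xC2)))


def find_segment_chain(data: bytes, limit: int = 1 << 16) -> int:
    """Offset of the first segment from which a plausible chain can be walked
    (JPEG headers live in the first few KB, so only `limit` bytes are scanned), else -1."""
    pos = data.find(b"\xff")
    while 0 <= pos < min(len(data) - 1, limit):
        if data[pos + 1] in HEADER_MARKERS and chain_is_plausible(walk_segments(data, pos)):
            return pos
        pos = data.find(b"\xff", pos + 1)
    return -1


def triage(data: bytes) -> str:
    if data.startswith(SOI) and chain_is_plausible(walk_segments(data, 2)):
        return "intact"
    if find_segment_chain(data) != -1:
        return "header_damaged"
    return "no_jpeg_structure"


def repair_header(data: bytes) -> bytes:
    """The hex-editor fix from post #2 done programmatically: drop the clobbered
    prefix and put SOI in front of the first surviving segment."""
    off = find_segment_chain(data)
    if off == -1:
        raise ValueError("no JPEG segment chain found; this is not a header problem")
    return SOI + data[off:]


# ---- constructed demo data (not real photos, not real malware) ----------------
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Structurally valid 1-component 8x8 baseline JPEG, built by hand for the demo."""
    app0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    dqt = _seg(0xDB, b"\x00" + bytes([16] * 64))
    sof0 = _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    dht = _seg(0xC4, b"\x00\x01" + bytes(15) + b"\x00")
    sos = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = bytes([0x12, 0x34, 0x56, 0x78] * 8)
    return SOI + app0 + dqt + sof0 + dht + sos + scan + b"\xff\xd9"


def simulate_header_overwrite(data: bytes, n: int) -> bytes:
    """The symptom in post #1: first n bytes clobbered, the rest untouched."""
    return bytes(n) + data[n:]


def simulate_encryption(data: bytes) -> bytes:
    """Stand-in for file-encrypting ransomware: XOR with a SHA-256 keystream (demo only;
    real families use AES/RSA). The point is that ciphertext has no segment structure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(b"demo-key" + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_jpeg()
    for label, blob in (("original", good), ("header overwritten", simulate_header_overwrite(good, 16)),
                        ("encrypted", simulate_encryption(good))):
        print(f"{label:20s} -> {triage(blob)}")
```

    Run it over a real suspect file with `triage(open(path, "rb").read())`; only a `header_damaged` verdict is worth following up with `repair_header`. Two caveats a practitioner would want: the compressed scan data of a healthy JPEG is already close to maximum entropy, so an entropy measurement on its own will not separate "encrypted" from "intact", which is why the check above looks for segment structure instead; and if the overwrite ran past the header into the first quantisation table, the repaired file will still fail to decode because a table it needs is gone, exactly the point virtuo makes about JPEGs tolerating very little byte damage.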

  4. #4
    Pork & Beans Powerup Phage's Avatar
    Join Date
    May 2009
    Location
    Kent
    Posts
    5,867
    Thanks
    1,360
    Thanked
    542 times in 465 posts
    • Phage's system
      • Motherboard:
      • Gigabyte Z87 UD4H
      • CPU:
      • 4770k @ 4.3
      • Memory:
      • 16Gb Corsair Vengeance
      • Storage:
      • MX100 512 Gb + 2Tb Seagate SSHD
      • Graphics card(s):
      • EVGA 1080ti
      • PSU:
      • BeQuiet 850w
      • Case:
      • Fractal R4
      • Operating System:
      • W10 64
      • Monitor(s):
      • Asus PB278Q

    Re: Ransomware problem

    Did you try the Trend Micro Decryptor?
    https://www.bugsfighter.com/remove-s...pt-your-files/
    Society's to blame,
    Or possibly Atari.

  5. #5
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    16,954
    Thanks
    775
    Thanked
    2,116 times in 1,381 posts

    Re: Ransomware problem

    I do not believe that works with Spora

    http://blog.trendmicro.com/trend-mic...yptor-updated/

    It isn't listed.
    throw new ArgumentException (String, String, Exception)

  6. #6
    Member
    Join Date
    Aug 2006
    Posts
    163
    Thanks
    4
    Thanked
    8 times in 8 posts

    Re: Ransomware problem

    Virtuo - cryptographic I'm afraid. Phage & TheAnimus, thanks.

    Is one of the Linux recovery programs likely to work?

  7. #7
    Pork & Beans Powerup Phage's Avatar
    Join Date
    May 2009
    Location
    Kent
    Posts
    5,867
    Thanks
    1,360
    Thanked
    542 times in 465 posts

    Re: Ransomware problem

    Googling for solutions throws up a few free tools. Have you tried them?
    Society's to blame,
    Or possibly Atari.

  8. #8
    Member
    Join Date
    Aug 2006
    Posts
    163
    Thanks
    4
    Thanked
    8 times in 8 posts

    Re: Ransomware problem

    Yes, but Google generates a) paid-for adverts and b) unreliable sources. Who do you trust? - why, Hexus of course.

  9. #9
    Guy
    HEXUS.social member
    Join Date
    Aug 2006
    Location
    Hampshire, UK
    Posts
    5,108
    Thanks
    359
    Thanked
    378 times in 269 posts

    Re: Ransomware problem

    If it's a Spora outbreak then they're (currently) unrecoverable.

    Ask me how I know...

    Fortunately it was a fairly minor work system and everything is kept in near enough real time backup, redundant copies, multiple revisions of each file. Still an absolute pain to go through.

  10. #10
    I really don't care Dashers's Avatar
    Join Date
    Jun 2016
    Posts
    543
    Thanks
    11
    Thanked
    67 times in 55 posts
    • Dashers's system
      • Motherboard:
      • Gigabyte GA-X99-UD4
      • CPU:
      • Intel i7-5930K
      • Memory:
      • Corsair DDR4 2800 Quad
      • Storage:
      • Intel 750 PCIe SSD; RAID-0 x2 Samsung 850 EVO; RAID-0 x2 WD Black
      • Graphics card(s):
      • EVGA GeForce GTX 970 x2 SLI
      • PSU:
      • CoolerMaster Silent Pro M2 720W
      • Case:
      • Corsair 500R
      • Operating System:
      • Windows 10
      • Monitor(s):
      • x2 23.5" 1080 72Hz OC
      • Internet:
      • Zen FTTC

    Re: Ransomware problem

    Can highly recommend read-only snapshots for protecting your data from encryption. Although I appreciate that the horse has bolted already.

    Windows does File History or Volume Shadow Copies - this should protect you against anything working at the file level.

  11. #11
    Kaplah! OilSheikh's Avatar
    Join Date
    Jun 2007
    Location
    Londinium
    Posts
    5,108
    Thanks
    1,431
    Thanked
    280 times in 226 posts
    • OilSheikh's system
      • Motherboard:
      • ASUS P8P67
      • CPU:
      • i7 2600 w Xigmatek Thor's Hammer+ Noctua 14cm silent fan
      • Memory:
      • 8GB Crucial Ballistix Elite Tracer 1600MHz DDR3
      • Storage:
      • Samsung 850 Evo 120GB SSD + 1TB SAMSUNG F3 + 160GB SEAGATE USB 3.0 Backup HDD
      • Graphics card(s):
      • MSI R9 380 OC
      • PSU:
      • Seasonic 600W
      • Case:
      • ZALMAN Z9 PLUS
      • Operating System:
      • Windows 7 Pro
      • Monitor(s):
      • 22" Samsung TOC
      • Internet:
      • 80Mbps Plusnet

    Re: Ransomware problem

    Wipe and reinstall, I am afraid.
