Ransomware problem

[oldboy47]

Hi, would appreciate some advice please.
A relative's computer was recently infected with ransomware (Spora). Whilst the machine has been cleared of the virus, a large number of files (mainly photographs) have been left presumably with the header overwritten - normal viewing programs don't recognise the type although the file extension is for example jpg. Does anyone know of a program or utility that might return these files to their previous 'normal' setting?

[peterb]

Ransom ware usually encrypts the files -which would also change the header.

The header for a jpg file is FF D8 FF E0 so if you have a hex editor, you can manually set those values and see if the file springs to life.

Sadly I fear you may be disappointed.

[virtuo]

I'm not familiar with ths ransomware, is it the cryptographic type where you need to pay for a decode key, or has it just nobbled the files by removing parts of them?

If it's the former, you may be stuck - depending on if you have the decode key or not. The latter you might be able to salvage as long as it is just file header/metadata that has been removed.

In the case of JPGs, the compression means that there generally isn't much binary data in there that you can change without ruining the whole file (or a good chunk of it). Do you have an example damaged file that we could take a look at?

[Phage]

Did you try the Trend Micro Decrypter ?
https://www.bugsfighter.com/remove-s...pt-your-files/

[TheAnimus]

I do not believe that works with Spora

http://blog.trendmicro.com/trend-mic...yptor-updated/

It isn't listed.

[oldboy47]

Virtuo - cryptographic I'm afraid. Phage & TheAnimus, thanks.

Is one of the Linux recovery programs likely to work?

[Phage]

Googling for solutions throws up a few free tools. Have you tried them ?

[oldboy47]

Yes, but Google generates a) paid for adverts and b) unreliable sources. Who do you trust? - why Hexus of course

[Guy]

If it's a Spora outbreak then they're (currently) unrecoverable.

Ask me how I know...

Fortunately it was a fairly minor work system and everything is kept in near enough real time backup, redundant copies, multiple revisions of each file. Still an absolute pain to go through.

[Dashers]

Can highly recommend readonly snapshots for protecting your data from encryption. Although I appreciate that the horse has bolted already.

Windows does file history or volume shadow copies - this should protect you against anything working at the file-level.

[OilSheikh]

Wipe and reinstall, I am afraid.

[Ngt]

Still no decrypter available for this but it may happen eventually, it has done for a few others recently.

[leexgxreal]

Can highly recommend readonly snapshots for protecting your data from encryption. Although I appreciate that the horse has bolted already.

Windows does file history or volume shadow copies - this should protect you against anything working at the file-level.

the first thing they do before messing with the files is run the command to delete all shaddow copys and then turn off backup (unless the back up is disconnected from the PC then your good just dont plug it back into that PC or mite wipe all the backups)

recommand crashplan (can be used for free if you have another PC or just a external HDD that you plug in once a week)
windows 7/8 backup works well and win 10 file history seems to work fine as well (but must use a external HDD that you Dont leave plugged in or it just encrypt them as well)