
Thread: Ransomware problem

  1. #1
    Member
    Join Date
    Aug 2006
    Posts
    166
    Thanks
    4
    Thanked
    8 times in 8 posts

    Ransomware problem

    Hi, would appreciate some advice please.
    A relative's computer was recently infected with ransomware (Spora). Whilst the machine has been cleared of the virus, a large number of files (mainly photographs) have been left presumably with the header overwritten - normal viewing programs don't recognise the type although the file extension is for example jpg. Does anyone know of a program or utility that might return these files to their previous 'normal' setting?

  2. #2
    Admin Team peterb's Avatar
    Join Date
    Aug 2005
    Location
    Southampton
    Posts
    16,828
    Thanks
    2,111
    Thanked
    2,684 times in 2,148 posts
    • peterb's system
      • Motherboard:
      • Nascom 2
      • CPU:
      • Z80B
      • Memory:
      • 48K 8 bit memory on separate card
      • Storage:
      • Audio cassette tape - home built 5.25" floppy drive
      • Graphics card(s):
      • text output (composite video)
      • PSU:
      • Home built
      • Case:
      • Home built
      • Operating System:
      • Nas-sys
      • Monitor(s):
      • 12" monocrome composite video input
      • Internet:
      • No networking capability on this machine

    Re: Ransomware problem

    Ransomware usually encrypts the files - which would also change the header.

    The header for a jpg file is FF D8 FF E0 so if you have a hex editor, you can manually set those values and see if the file springs to life.

    Sadly I fear you may be disappointed.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  3. #3
    Senior Member
    Join Date
    Aug 2013
    Location
    North Wales
    Posts
    1,518
    Thanks
    137
    Thanked
    197 times in 148 posts
    • virtuo's system
      • Motherboard:
      • Asus GRYPHON Z87
      • CPU:
      • i7 4790K @4.8Ghz Corsair H100i GTX
      • Memory:
      • 32Gb G.Skill TridentX 2400 @ CAS9
      • Storage:
      • Samsung 840 EVO 120Gb + Many, many HDs
      • Graphics card(s):
      • EVGA 980Ti FTW
      • PSU:
      • EVGA Supernova G2 750W
      • Case:
      • be quiet! Dark Base Pro 900 (Orange)
      • Operating System:
      • Win10, Fedora
      • Monitor(s):
      • 2x Dell U2515H 1440p DELL U3415W Ultrawide for Work
      • Internet:
      • PlusNet Unlimited 80Mb

    Re: Ransomware problem

    I'm not familiar with this ransomware, is it the cryptographic type where you need to pay for a decode key, or has it just nobbled the files by removing parts of them?

    If it's the former, you may be stuck - depending on if you have the decode key or not. The latter you might be able to salvage as long as it is just file header/metadata that has been removed.

    In the case of JPGs, the compression means that there generally isn't much binary data in there that you can change without ruining the whole file (or a good chunk of it). Do you have an example damaged file that we could take a look at?
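    Following on from the hex-editor suggestion in #2 and the header-versus-whole-file question in #3, here is an added triage script (not code from anyone in this thread) that walks the JPEG marker chain to tell header-only damage from content that has no JPEG structure left, which is what an encrypted file looks like. It assumes a JFIF-style header (FF D8 FF E0, as quoted above), and the three sample byte strings are constructed for this example, not real victim files.

```python
import struct

def walk_jpeg_segments(data: bytes):
    """Walk the JPEG marker chain from offset 0 and return (status, markers).
    'no_soi': file does not start with FF D8; 'intact': the FF xx segment chain
    reaches Start of Scan (FF DA); 'broken': bytes after the header are not
    a valid segment chain (what encrypted content looks like).
    """
    markers = []
    if data[:2] != b"\xff\xd8":
        return "no_soi", markers
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return "broken", markers
        marker = data[pos + 1]
        markers.append(marker)
        if marker == 0xDA:                # SOS: entropy-coded image data follows
            return "intact", markers
        if marker == 0xFF:                # fill byte, skip it
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return "broken", markers
        pos += 2 + length
    return "broken", markers

def triage(data: bytes) -> str:
    """Classify a damaged .jpg before anyone reaches for a hex editor."""
    status, _ = walk_jpeg_segments(data)
    if status == "intact":
        return "structure intact"
    if status == "no_soi":
        # Apply the thread's FF D8 FF E0 header patch in memory and re-check.
        if walk_jpeg_segments(b"\xff\xd8\xff\xe0" + data[4:])[0] == "intact":
            return "header-only damage"
    return "encrypted or no JPEG structure"

# Constructed samples (not real files): a minimal valid marker chain (APP0, DQT,
# SOS, EOI), the same with its first four bytes zeroed, and deterministic
# pseudo-random bytes standing in for encrypted content.
GOOD = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xdb\x00\x43\x00" + b"\x10" * 64
        + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" * 8 + b"\xff\xd9")
HEADER_DAMAGED = b"\x00\x00\x00\x00" + GOOD[4:]
ENCRYPTED = bytes((i * 73 + 11) % 256 for i in range(len(GOOD)))
```

    Run `triage()` over a copy of a damaged file: "header-only damage" means the hex-editor fix is worth a go, while "encrypted or no JPEG structure" means patching four bytes will not bring the photo back.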

  4. #4
    Pork & Beans Powerup Phage's Avatar
    Join Date
    May 2009
    Location
    Kent
    Posts
    5,921
    Thanks
    1,378
    Thanked
    548 times in 468 posts
    • Phage's system
      • Motherboard:
      • Asus Crosshair VI
      • CPU:
      • 1700x @ 3.9
      • Memory:
      • 16Gb Corsair LPX
      • Storage:
      • Samsung 960 512Gb + 2Tb Seagate SSHD
      • Graphics card(s):
      • EVGA 1080ti
      • PSU:
      • BeQuiet 850w
      • Case:
      • Fractal R4
      • Operating System:
      • W10 64
      • Monitor(s):
      • Agon Gsync

    Re: Ransomware problem

    Did you try the Trend Micro Decrypter?
    https://www.bugsfighter.com/remove-s...pt-your-files/
    Society's to blame,
    Or possibly Atari.

  5. #5
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,027
    Thanks
    782
    Thanked
    2,131 times in 1,391 posts

    Re: Ransomware problem

    I do not believe that works with Spora

    http://blog.trendmicro.com/trend-mic...yptor-updated/

    It isn't listed.
    throw new ArgumentException (String, String, Exception)

  6. #6
    Member
    Join Date
    Aug 2006
    Posts
    166
    Thanks
    4
    Thanked
    8 times in 8 posts

    Re: Ransomware problem

    Virtuo - cryptographic I'm afraid. Phage & TheAnimus, thanks.

    Is one of the Linux recovery programs likely to work?

  7. #7
    Pork & Beans Powerup Phage's Avatar
    Join Date
    May 2009
    Location
    Kent
    Posts
    5,921
    Thanks
    1,378
    Thanked
    548 times in 468 posts
    • Phage's system
      • Motherboard:
      • Asus Crosshair VI
      • CPU:
      • 1700x @ 3.9
      • Memory:
      • 16Gb Corsair LPX
      • Storage:
      • Samsung 960 512Gb + 2Tb Seagate SSHD
      • Graphics card(s):
      • EVGA 1080ti
      • PSU:
      • BeQuiet 850w
      • Case:
      • Fractal R4
      • Operating System:
      • W10 64
      • Monitor(s):
      • Agon Gsync

    Re: Ransomware problem

    Googling for solutions throws up a few free tools. Have you tried them?
    Society's to blame,
    Or possibly Atari.

  8. #8
    Member
    Join Date
    Aug 2006
    Posts
    166
    Thanks
    4
    Thanked
    8 times in 8 posts

    Re: Ransomware problem

    Yes, but Google generates a) paid-for adverts and b) unreliable sources. Who do you trust? - why Hexus of course

  9. #9
    Guy
    HEXUS.social member
    Join Date
    Aug 2006
    Location
    Hampshire, UK
    Posts
    5,120
    Thanks
    359
    Thanked
    382 times in 273 posts

    Re: Ransomware problem

    If it's a Spora outbreak then they're (currently) unrecoverable.

    Ask me how I know...

    Fortunately it was a fairly minor work system and everything is kept in near enough real time backup, redundant copies, multiple revisions of each file. Still an absolute pain to go through.

  10. #10
    I really don't care Dashers's Avatar
    Join Date
    Jun 2016
    Posts
    698
    Thanks
    18
    Thanked
    85 times in 72 posts
    • Dashers's system
      • Motherboard:
      • Gigabyte GA-X99-UD4
      • CPU:
      • Intel i7-5930K
      • Memory:
      • Corsair DDR4 2800 Quad
      • Storage:
      • Intel 750 PCIe SSD; RAID-0 x2 Samsung 850 EVO; RAID-0 x2 WD Black
      • Graphics card(s):
      • EVGA GeForce GTX 970 x2 SLI
      • PSU:
      • CoolerMaster Silent Pro M2 720W
      • Case:
      • Corsair 500R
      • Operating System:
      • Windows 10
      • Monitor(s):
      • x2 23.5" 1080 72Hz OC
      • Internet:
      • Zen FTTC

    Re: Ransomware problem

    Can highly recommend read-only snapshots for protecting your data from encryption. Although I appreciate that the horse has bolted already.

    Windows does file history or volume shadow copies - this should protect you against anything working at the file-level.

  11. #11
    Kaplah! OilSheikh's Avatar
    Join Date
    Jun 2007
    Location
    Londinium
    Posts
    5,136
    Thanks
    1,439
    Thanked
    281 times in 227 posts
    • OilSheikh's system
      • Motherboard:
      • ASUS P8P67
      • CPU:
      • i7 2600 w Xigmatek Thor's Hammer+ Noctua 14cm silent fan
      • Memory:
      • 8GB Crucial Ballistix Elite Tracer 1600MHz DDR3
      • Storage:
      • Samsung 850 Evo 120GB SSD + 1TB SAMSUNG F3 + 160GB SEAGATE USB 3.0 Backup HDD
      • Graphics card(s):
      • MSI R9 380 OC
      • PSU:
      • Seasonic 600W
      • Case:
      • ZALMAN Z9 PLUS
      • Operating System:
      • Windows 7 Pro
      • Monitor(s):
      • 22" Samsung TOC
      • Internet:
      • 80Mbps Plusnet

    Re: Ransomware problem

    Wipe and reinstall, I am afraid.

  12. #12
    Ngt
    Registered+
    Join Date
    May 2017
    Posts
    21
    Thanks
    0
    Thanked
    1 time in 1 post

    Re: Ransomware problem

    Still no decrypter available for this but it may happen eventually, it has done for a few others recently.

  13. #13
    Registered+
    Join Date
    Jun 2017
    Posts
    2
    Thanks
    0
    Thanked
    0 times in 0 posts

    Re: Ransomware problem

    Quote Originally Posted by Dashers View Post
    Can highly recommend read-only snapshots for protecting your data from encryption. Although I appreciate that the horse has bolted already.

    Windows does file history or volume shadow copies - this should protect you against anything working at the file-level.
    The first thing they do before messing with the files is run the command to delete all shadow copies and then turn off backup (unless the backup is disconnected from the PC, then you're good; just don't plug it back into that PC or it might wipe all the backups).

    Recommend CrashPlan (can be used for free if you have another PC or just an external HDD that you plug in once a week).
    Windows 7/8 backup works well and Win 10 file history seems to work fine as well (but you must use an external HDD that you don't leave plugged in or it just encrypts them as well).
