Can anyone on here help with RansomWare?


Technology

Scarab Sages

I just became the hapless victim of some vicious Ransomware - the kind that encrypts all your data to make it inaccessible and leaves you with a message demanding money in return for their secret decryption key. I know it's a particularly vicious new crime, and not easy to solve outside of giving in to the virus-maker's demands. I have filed a crime victim's report with the FBI for the first time in my life, though I know chances are slim they can/will help a lone private citizen (and my trust in that institution isn't what it used to be).

I was wondering if ANYBODY out there can suggest ANYTHING that would help me get my data/documents/computer games back - there's a lot of it, and it's precious to me.

As for my own efforts, so far, I have tried:
- antivirus software to remove the virus (it seems like that worked, but my data remains encrypted)

- sending my computer "back in time" to a previous save point (sadly, there are none, because I thought the computer made those automatically)

- a program called ShadowExplorer, which I'm not sure what it does/did.

Any and all assistance with this is welcome (as long as it's actually assistance and not just abuse or just telling me I'm SOL - I know the latter is a real possibility, so it doesn't help to repeat it here).


2 people marked this as a favorite.

Not sure if this will help you or not.

Kaspersky Labs decrypter

For an older but outdated item

PCWorld's 2014 article. You want an adblocker to view this one.


1 person marked this as a favorite.

Try malwarebytes.com. It gives you a free trial. If this is the type of software that can block some anti-virus programs, then you may need to boot up in safe mode.

If you know the name of the ransomware or you can describe what the screen looks like that will help.

PM me if needed.

Sovereign Court

How much do they want? Curious if there is a fundraiser or something you could try with friends and family?

Scarab Sages

wraithstrike wrote:


If you know the name of the ransomware or you can describe what the screen looks like that will help.

No "screen," just a .TXT file telling me what they did, that they want money for the decryption key, 4 possible E-mail addresses to reach them at, and the personal ID they assigned me.

Pan wrote:
How much do they want? Curious if there is a fundraiser or something you could try with friends and family?

They don't say how much they want. I guess they expect me to ask them.

Scarab Sages

*BUMP*


I picked up a habit of doing all my browsing from a no-access account on my computer, having set up a separate administrative account for security/installation/etc. Fortunately for me, I was able to log on to the admin account which remained unaffected. From there malwarebytes got it out.

Scarab Sages

Malwarebytes, you say? The question is, was it able to decrypt what had been encrypted? Removing the virus is one thing, decrypting everything that the crooks supposedly have the only key for is another.


I had no problems at all after it ran.


3 people marked this as a favorite.

Whatever you do, ABSOLUTELY DO NOT PAY RANSOM. This will only do what they want, and encourage them to continue their reign of extortion(*), and you have no proof that they will do what they say anyway -- if they are willing to invade your computer and hold its contents hostage, who is to say that they won't just demand more and more(**)?

(*)Including using the resources gained to expand their operations to hacking hospitals (#1, #2, #3), thereby holding people's lives for ransom.

(**)Including possibly demanding that you do something that would put you in a state of criminal liability.

Edited to insert footnote with links to articles.


This is unfortunate. There is no way to decrypt files that have been encrypted if the attacker knows what they are doing. You have to restore from backups or recover the original files, which is what you tried to do. Windows keeps automatic backups in shadow mode, which is what ShadowExplorer was trying to access. Unfortunately, the ransomware writers know about it, and likely have deleted it, which would explain why it didn't find anything for you.

It may be possible for various reasons for a trained forensic data recovery specialist to retrieve the data. Sometimes, overwriting a file does not really completely overwrite it for various reasons, and it can be manually recovered, potentially with additional help from specialized hardware (this is why people really serious about security, like the NSA, physically destroy hard drives instead of just deleting them when they need to clear something). I am not entirely sure if this can work to recover data lost to ransomware, although some random googling suggests that they might in some circumstances.

Note that manual forensic data recovery is very expensive (the one time I've seen someone do it, it cost $1200. They were recovering 3 months of research data on a badly damaged hard drive they foolishly kept no backups of), and unlikely to work for mass data recovery. If you have something small and extremely valuable, it could be an option to pursue.
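The post above says the ransomware most likely deleted the shadow copies before ShadowExplorer got to them. That deletion is usually done with ordinary administrative commands (vssadmin, wmic shadowcopy, bcdedit), which makes it one of the few loud things ransomware does before encrypting. The following is an added example, not code from anyone in this thread: a small detector run over constructed process-creation log lines (the "timestamp | image | command line" format and the log contents are assumed for illustration; the commands being matched are the real ones).

```python
"""Flag process-creation log lines that inhibit system recovery.

Added example for this thread, not from any poster.  The log format
(timestamp | image path | command line) and the lines themselves are
constructed for illustration; the commands matched by RULES are the
well-known shadow-copy/recovery deletion commands ransomware runs before
encrypting, which is why ShadowExplorer finds nothing afterwards.
"""
import re

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2016-03-01T10:14:02Z | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs
2016-03-01T10:15:41Z | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
2016-03-01T10:15:42Z | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic.exe shadowcopy delete
2016-03-01T10:15:43Z | C:\\Windows\\System32\\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No
2016-03-01T10:16:00Z | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
2016-03-01T10:20:11Z | C:\\Program Files\\Games\\mm8.exe | mm8.exe
"""

# (rule name, regex applied to the lower-cased command line).
# "vssadmin list shadows" is deliberately NOT matched: listing is benign.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b")),
]


def parse_line(line):
    """Split one 'ts | image | cmdline' record; return None for junk lines."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return None
    return {"ts": parts[0], "image": parts[1], "cmdline": parts[2]}


def detect(log_text):
    """Return (timestamp, rule name, original command line) for every hit."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        cmd = rec["cmdline"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((rec["ts"], name, rec["cmdline"]))
                break  # one rule per line is enough to alert on
    return hits


if __name__ == "__main__":
    for ts, rule, cmd in detect(SAMPLE_LOG):
        print(f"{ts}  {rule:32s}  {cmd}")
```

Three of the six constructed lines fire (the vssadmin delete, the wmic delete and the bcdedit change); the svchost, the game launch and the harmless "vssadmin list shadows" do not. Alerting on these commands does not recover anything already lost, but on a machine with Sysmon or similar process auditing it is the earliest practical warning that an infection has moved from "dropped" to "about to encrypt".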


As I said, keep tabs on Kaspersky's decrypter. On the most recent it might not work, but if they were using a slightly older version...it works.

There are instructions on how to use it to decrypt.

If you can't use it, or the ransomware is too new for it to decrypt...

All I could say then, is, good luck.

The newest builds supposedly affect the boot and sometimes even the BIOS. That's a pretty hefty thing to get past.

Even if the decrypter works, I'd still say you need to wipe the drive. It's been shown even if a ransom is paid, they'll leave all sorts of nasty things on the drive.

You would really have to want a very VITAL file to pay up instead of doing a complete and total reformat and wipe...IMO.


Speaking as a programmer, and this is like closing the barn door after the horses ran off, you really need to do weekly backups. Get a large external Hard drive, two gigabytes or higher, and make one master backup of your clean hard drive, right after the OS has been installed.

Then, have the OS make incremental backups to the external drive, but only if the drive's contents have changed. Or, and I don't use this product, I've heard that the on-line storage solution program "Carbonite" is able to deal with this sort of malware. Hope this helps.


John Napier 698 wrote:

Speaking as a programmer, and this is like closing the barn door after the horses ran off, you really need to do weekly backups. Get a large external Hard drive, two gigabytes or higher, and make one master backup of your clean hard drive, right after the OS has been installed.

Then, have the OS make incremental backups to the external drive, but only if the drive's contents have changed. Or, and I don't use this product, I've heard that the on-line storage solution program "Carbonite" is able to deal with this sort of malware. Hope this helps.

Whoops, somewhat sleep deprived when I posted the above. I meant two Terabytes. Sorry for the noob mistake.

John
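The backup advice in the two posts above (a master image plus incremental copies "only if the drive's contents have changed") is the right idea, but one detail decides whether the backup survives ransomware: an incremental backup that overwrites the previous copy of a changed file will happily replace your good data with the encrypted version on the next run. The following is an added example, not code from John Napier 698 or from any backup product: a minimal versioned incremental backup in Python. Files are stored by SHA-256 hash, each snapshot is a manifest mapping paths to hashes, and nothing in the store is ever overwritten, so an earlier snapshot stays restorable after the source directory is trashed. Paths, file names and contents in the demo are constructed.

```python
"""Versioned incremental backup: content-addressed store + per-snapshot manifest.

Added example for this thread, not any poster's or product's code.
snapshot() copies only files whose hash is not already in the store, so an
unchanged file costs nothing, and an overwritten (e.g. encrypted) file gets a
new object instead of replacing the old one.  restore() rebuilds any earlier
snapshot.  The demo directory layout and file contents are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src_dir, repo_dir):
    """Record src_dir as a new snapshot; return (snapshot id, files copied)."""
    store = os.path.join(repo_dir, "objects")
    snaps = os.path.join(repo_dir, "snapshots")
    os.makedirs(store, exist_ok=True)
    os.makedirs(snaps, exist_ok=True)
    manifest, copied = {}, 0
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir)
            digest = sha256_file(full)
            obj = os.path.join(store, digest)
            if not os.path.exists(obj):      # never overwrite an existing object
                shutil.copy2(full, obj)
                copied += 1
            manifest[rel] = digest
    snap_id = f"{len(os.listdir(snaps)) + 1:04d}"
    with open(os.path.join(snaps, snap_id + ".json"), "w") as f:
        json.dump({"files": manifest}, f, indent=1)
    return snap_id, copied


def restore(repo_dir, snap_id, dest_dir):
    """Rebuild snapshot snap_id under dest_dir; return number of files written."""
    with open(os.path.join(repo_dir, "snapshots", snap_id + ".json")) as f:
        manifest = json.load(f)["files"]
    for rel, digest in manifest.items():
        out = os.path.join(dest_dir, rel)
        os.makedirs(os.path.dirname(out), exist_ok=True)
        shutil.copy2(os.path.join(repo_dir, "objects", digest), out)
    return len(manifest)


def demo():
    """Back up, simulate an encrypting attack, back up again, restore the old snapshot."""
    work = tempfile.mkdtemp()
    src, repo = os.path.join(work, "src"), os.path.join(work, "repo")
    os.makedirs(os.path.join(src, "saves"))
    with open(os.path.join(src, "saves", "mm8.sav"), "wb") as f:
        f.write(b"level 12 party")            # constructed "save game"
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("campaign notes")
    s1, first_copied = snapshot(src, repo)     # both files copied
    _, rerun_copied = snapshot(src, repo)      # nothing changed: 0 copied
    # Simulated ransomware: overwrite the save with junk, drop a ransom note.
    with open(os.path.join(src, "saves", "mm8.sav"), "wb") as f:
        f.write(os.urandom(64))
    with open(os.path.join(src, "HOW_TO_DECRYPT.txt"), "w") as f:
        f.write("send one file to prove we can decrypt")
    _, after_attack_copied = snapshot(src, repo)   # 2 new objects, old ones kept
    out = os.path.join(work, "restore")
    restore(repo, s1, out)
    with open(os.path.join(out, "saves", "mm8.sav"), "rb") as f:
        restored = f.read()
    shutil.rmtree(work)
    return {"first_copied": first_copied, "rerun_copied": rerun_copied,
            "after_attack_copied": after_attack_copied, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

The one caveat that no amount of versioning fixes: if the backup drive is plugged in and writable when the ransomware runs, it is just another drive to encrypt. The repository has to live somewhere the infected account cannot write to it, whether that is an external disk that is unplugged between runs or an online service that keeps its own file history, which is the property the post is attributing to Carbonite.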

Scarab Sages

So, just about end of story: We worked with Kaspersky Labs, they tried to save my stuff, they couldn't, my computer was wiped and I lost everything - with one possible exception: The ransom note said we could send them a single encrypted file so they could prove to us that they could get us back what they stole if we paid up. A file that I cared about particularly (having no duplicate on my other computer) was sent, we'll see if we can eke that freebie out of them.

All that time I put into all those games, though...lost....


I wonder if they actually encrypted the whole drive or just the TOC. In either event it may be worthwhile to pull the drive and use another machine to run data recovery software.

Edit: The reason I ask is because if they actually encrypted the whole drive it would have taken hours depending on how much data you have. That's why I think they probably targeted the TOC or MBR. In which case you should still be able to get your data back using recovery software.
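The question in the post above (was the file content actually encrypted, or only the file table / boot record damaged?) can be answered per file before reaching for recovery tools. A file whose first bytes still carry its format's magic header has intact content and is a candidate for carving or filesystem repair; a file that has become uniformly high-entropy bytes with no recognisable header has really been encrypted (or was already compressed). The following is an added example, not code from BigDTBone or from any recovery product: a Shannon-entropy plus magic-byte triage over constructed sample files (the file names and contents are made up; the magic byte values are the real ones).

```python
"""Triage: is this file's content encrypted, or just orphaned by metadata damage?

Added example for this thread, not any poster's code.  Checks the first few KB
of a file for a known format header, then for printable text, then for high
Shannon entropy.  The three SAMPLES below are constructed for illustration.
"""
import collections
import hashlib
import math

# Real magic byte sequences for a few common formats (not exhaustive).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"\x1f\x8b": "gzip",
    b"MZ": "exe/dll",
}


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in collections.Counter(data).values())


def classify(data, sample=4096):
    """Return {'entropy', 'kind', 'verdict'} for the first `sample` bytes."""
    head = data[:sample]
    ent = round(shannon_entropy(head), 2)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return {"entropy": ent, "kind": kind, "verdict": "known-header"}
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    if head and printable / len(head) > 0.95:
        return {"entropy": ent, "kind": "text", "verdict": "text"}
    if ent >= 7.5:
        # No header, no text, near-uniform bytes: encrypted or compressed.
        return {"entropy": ent, "kind": "unknown", "verdict": "high-entropy"}
    return {"entropy": ent, "kind": "unknown", "verdict": "low-entropy-binary"}


def classify_file(path, sample=4096):
    with open(path, "rb") as f:
        return classify(f.read(sample), sample)


def pseudo_random(n, seed=b"demo"):
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed samples: intact text, intact PNG, and an "encrypted" save file.
SAMPLES = {
    "notes.txt": b"Session 14: the party reached the Dagger Wound Islands.\n" * 60,
    "map.png": b"\x89PNG\r\n\x1a\n" + pseudo_random(2000),
    "mm8.sav.locked": pseudo_random(3000),
}


def triage(samples):
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:16s} entropy={result['entropy']:5.2f} "
              f"kind={result['kind']:10s} verdict={result['verdict']}")
```

If a scan of the pulled drive shows mostly "known-header" and "text" verdicts, the content is still there and only the directory structure was damaged, which is exactly the case where carving tools (or a new file table) get the data back. If nearly everything is "high-entropy" with no header, the bytes themselves were rewritten, and recovery is down to the decrypter, an earlier copy of the file, or a forensic search for unoverwritten originals.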


Save files can be found online for many games. It is not going to be perfect, but it can get you some hope back.

Scarab Sages

@BigDTBone: Sounds like possibly a good idea, but it's too late for that. My computer's been WIPED. I even lost my Internet Favorites list by mistake (I don't know if there'd be any way to recover that?).

Sissyl wrote:
Save files can be found online for many games. It is not going to be perfect, but it can get you some hope back.

What about games that were never online in the first place? I did download Might & Magic VIII from GoodOldGames, are you saying they might have kept my save files from that (even though it's not an online game)?


1 person marked this as a favorite.

I think she meant you could find a save file online that might be at least somewhat close to where you were at.


After one virus attack almost 50% of my HDD has just vanished, I am at a loss :(
