Posey's Tips & Tricks

Real-World Ransomware Recovery

I was recently tasked with giving a family member's PC an overhaul. The machine was painfully slow and, upon closer examination, I found that the machine had suffered a ransomware attack several years ago. As far as I could tell, the ransomware itself had been removed, but there were still thousands of encrypted files remaining on the machine.

I wanted to see if it was possible to recover any of the data. At the same time though, I also wanted to perform the recovery operation in as safe a manner as possible, so as not to put my own environment in jeopardy.

The first thing that I did was to boot the machine into Safe Mode. I then used RoboCopy to copy the hard drive's full contents to a portable hard drive. I did this because it would allow me to work with the individual files outside of the Windows operating system, thereby minimizing the chances of accidentally triggering a ransomware infection.

Once I had made a copy of all the files stored on the machine's hard disk, the next thing that I did was to log onto a healthy machine and then create a Hyper-V virtual machine running Windows 10.

Once the VM was fully patched and ready to use, I powered it down and then mounted the virtual hard disk as a drive on the host machine.  For those who might not be familiar with this process, you need only to right click on the virtual hard disk file and select the Mount command from the Windows shortcut menu. This will cause Windows to treat the virtual disk as though it were a physical hard drive connected to the machine. It is extremely important however, that you do not attempt to mount any virtual hard disk for which checkpoints exist. Otherwise, the mounting process will invalidate the checkpoints, and may also cause the disk to become corrupted. You can read more about this issue here.

With the virtual disk mounted, I created a couple of folders on the virtual hard disk. I noticed that there were two different file extensions that had been assigned to the encrypted files and so I created a separate folder for each of those file extensions.

The next thing that I did was to use Windows Search to search the external USB hard disk containing all of the files from the previously infected machine. I performed two different searches, one for each file extension. My goal was to locate every encrypted file on the entire disk. When the searches were complete, I copied the encrypted files to the designated folders within the virtual hard disk. At that point, I dismounted the virtual hard disk.

By this point within the recovery process, I had created a virtual machine that I could use as an isolated recovery platform. I had also located all of the encrypted data and copied it to the virtual machine. I sorted the encrypted data into folders based on the encryption type.

The next step was to download a ransomware decryptor. One of the main reasons why I wanted to perform the decryption process within a virtual machine is because a lot of the decryptors that are available online are sketchy, to say the least. I have even heard stories about ransomware masquerading as a decryptor. For this particular job, I decided to download the Trend Micro Ransomware Decryptor.

Even though Trend Micro is a well-established antimalware vendor, I really didn't want to take any chances. With the download complete, I shut down my virtual machine and then removed the virtual network adapter. That way, if anything were to happen to trigger a ransomware infection, the infection should be confined to the virtual machine. The absence of a virtual network adapter would keep the infection from spreading to other devices on my network. The lack of a network connection kept Microsoft Defender Smart Screen from being able to analyze the decryptor, but I was still able to run the tool.

Ultimately, I was able to recover some, but not all of the encrypted data. Eight years ago, it would have been impossible to recover any of the data, so maintaining a copy of the encrypted data ultimately did prove to be fruitful.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus

Subscribe on YouTube