Recovery of files from old HDD infected with ransomware [SOLVED]

Hello there!

This is Hrishikesh.

I was just cleaning my tech compartment when I found an old HDD.
This HDD was infected with some ransomware sometime in 2020 and the OS on it was Windows 10.

Is there any possibility of recovering those files from Linux? I have a converter which can convert a normal SATA HDD into a USB drive.

So is there any method to recover them?
If yes, is the method safe?

Thanks and Regards,
Hrishikesh,

1 Like

Hi Hrishikesh,

I am no expert and these are just my thoughts on your posting.
1 - I would first backup the Linux system I was going to use to access the HDD with ransomware.
2 - I would attach the HDD to the Linux system using a SATA to USB cable.
3 - I would not worry too much about the ransomware because Windows .exe files cannot be executed in Linux (without Wine).
4 - Recover the files.
5 - Format the HDD using Linux with ext4 format.

That is what I would do if I had this problem.

Good luck,
Howard

4 Likes

Thank you very much, Howard.

So should I create a backup using Timeshift?

Also, regarding the ransomware decrypters available on the net, or even on popular websites like NoMoreRansom: how can I decrypt the photos with them? The only important thing on the drive is the photos. Do you know any tools which would help?

Thanks in advance!
Cheers!

2 Likes

I am sorry, I did not realize the disk was also encrypted.
I have no experience removing encryption from files.

3 Likes

Oh!
No problem!
Will check the internet if the decrypters are available.

Also looking for more guidance from experienced people like you from the forum!
Waiting for more responses!

Thanks!

2 Likes

I am with Howard.
Plug the drive into a Linux box and see what you can or cannot open as a first step; if it's a Windows issue, usually Linux just ignores that part.

But would need more info to give more details.

3 Likes

Can you please mention what details you need?

Do you know what encryption method was used?
What ransomware was involved?

Once you plug it into a Linux box and try to open it, you may get messages which will help us guide you further.

Do not plug it into a Windows machine, as you may infect that; it's very rare that Windows issues are transferred to Linux.

1 Like

Sure, will check and reply…

1 Like

The method that is sure to work is to restore the files from backup.

3 Likes

I am more than sceptical about those. Won’t those just contain another piece of malware?
I’d only run such a tool in a VM on a sample of the encrypted dataset.
If it really works… decrypt the whole dataset, but would not let it run outside of the VM.
I’m kind of paranoid with something that promises way too much.

4 Likes

But I don’t have the backup of the photos.

1 Like

I think the ones on No More Ransom are good; aren’t McAfee and Kaspersky partners of it?

1 Like

What do you mean? How can I run it inside linux then?

1 Like

Sad thing… your drive could have broken too…

I had no idea. I had a quick (random) look at it; I saw guides mentioning Avast, as well as Kaspersky… maybe you’re right, and those are harmless.

I think these decrypters are for Windows (again, did not check).
I’d install a Windows instance into a VM (VirtualBox maybe), copy the disk (just a file on the host machine) to a safe place and install / run the decrypter in that VM.
After shutting down the VM you can just copy the “disk” back overwriting in its original place (restoring snapshot :wink: ), and go on with the next decrypter.

If the decrypter has some “side effect”, after all, who cares? It can only harm a disposable virtual machine.

Edit:

I read this article some time ago, and as I use Seafile, and store all my precious data in it, I felt, and still feel safe of such ransomware attacks.
Not to mention, my daily driver system is Debian; historically, the last time I booted Windows on bare metal was in April 2019.

Having a backup of precious data is vital anyway.

4 Likes

Thanks, will try.

2 Likes

The removal tools written about are for Windows; the best bet is to hook it up to a Linux box, try it, and then identify what does not work.

1 Like

Yep…
Actually, I’m having a test on Sunday and am a bit busy on Monday…

So I will try on Tuesday and tell you the details!

Cheers!

2 Likes

An update!

Okay, so I connected the HDD using the SATA to USB connector to my Linux PC.
I checked the files and all of them are encrypted with some ‘.usam’ extension.
According to the searches I did on Google, it’s a type of STOP DJVU ransomware (please correct me if I’m wrong).

Moreover, I remembered that when the laptop was originally infected, removing the .usam extension made the files readable… but the virus soon infected them again.

I tried the same on this Linux machine; I can rename the files, but they are not readable.

I saw a YouTube video in which the video maker is instructing to just rename the files and then use the PhotoRec tool for making them readable. The man is showing it on a Windows machine and he is using the QPhotoRec GUI on Windows… although the PhotoRec GUI is not available on Linux.

Moreover, I tried using the CLI PhotoRec on Linux, but it’s telling me to select an entire partition…
Currently, I have just copied a few files from the drive to my Linux machine, so that I can first try the different methods and then attempt them on the main drive.

So please help in recovering the copied files first… and then I’ll do it on the main drive.

Thank you very much in advance!
Cheers!

Link for the video:
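The update above reports two different observations: on the originally infected laptop, stripping the `.usam` extension made files readable, while on the copied files it does not. The difference is whether the ransomware rewrote the file contents or only appended a suffix to the name, and that can be checked from the first bytes of each file without touching the drive. The following is an added example, not code from the thread, from PhotoRec or from any decrypter: it walks a directory of copies, compares the leading bytes of each file against the signatures of common photo formats, and reports whether a rename alone would help. The `.usam` suffix is taken from the post; the sample files, the directory layout and the verdict wording are constructed for the demonstration.

```python
"""
Added example: decide from file signatures whether a renamed '.usam' file
would actually be readable. It only reads the files, never modifies them.
"""
import tempfile
from pathlib import Path

RANSOM_SUFFIX = ".usam"  # the extra extension reported in the thread

# Leading bytes ("magic numbers") of common photo formats.
# Short signatures such as "BM" are weak on their own; the check is meant
# as triage of copied files, not as proof of an intact image.
SIGNATURES = {
    "JPEG": [b"\xff\xd8\xff"],
    "PNG": [b"\x89PNG\r\n\x1a\n"],
    "GIF": [b"GIF87a", b"GIF89a"],
    "BMP": [b"BM"],
    "TIFF": [b"II*\x00", b"MM\x00*"],
}


def detect_format(head: bytes):
    """Return the name of the format whose signature the head matches, or None."""
    for name, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return name
    return None


def classify(path: Path) -> dict:
    """Inspect one file and say whether renaming alone would make it readable."""
    name = path.name
    has_suffix = name.endswith(RANSOM_SUFFIX)
    original_name = name[: -len(RANSOM_SUFFIX)] if has_suffix else name
    with open(path, "rb") as fh:
        head = fh.read(16)
    fmt = detect_format(head)
    if fmt is not None:
        # Header survived: the bytes are still a picture, only the name changed.
        verdict = "rename is enough" if has_suffix else "intact"
    else:
        # No known header: the content itself was rewritten, so a new name
        # cannot help; only a decrypter for that family or a backup can.
        verdict = "content rewritten: needs decrypter or backup"
    return {
        "file": name,
        "original_name": original_name,
        "detected_format": fmt,
        "verdict": verdict,
    }


def scan(directory) -> list:
    """Classify every regular file in `directory`, sorted by name (read-only)."""
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    return [classify(p) for p in sorted(files)]


def build_sample_dir() -> str:
    """Constructed sample data (not real ransomware output) in a temp directory:
    - holiday.jpg: an untouched JPEG header
    - cat.png.usam: suffix added but the PNG header survived (rename helps)
    - dog.jpg.usam: suffix added and the content replaced by arbitrary bytes
    """
    d = tempfile.mkdtemp(prefix="usam_demo_")
    Path(d, "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    Path(d, "cat.png.usam").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 56)
    Path(d, "dog.jpg.usam").write_bytes(bytes(range(0x10, 0x50)))  # matches no signature
    return d


if __name__ == "__main__":
    for row in scan(build_sample_dir()):
        print(f"{row['file']:<16} {row['detected_format'] or '-':<5} {row['verdict']}")
```

Run it against the directory of copies instead of the constructed sample to see which files still carry a valid header. Files that report "content rewritten" are the ones where neither renaming nor a carving tool working on the copied files will recover the picture; keep those untouched copies aside so they can be fed to a family-specific decrypter later, as the earlier replies suggest, ideally inside a throwaway VM.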