Ransomware - Can encrypted files be restored?

Discussion in 'malware problems & news' started by jdd58, Apr 2, 2011.

Thread Status:
Not open for further replies.
  1. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    Today I came across a co-workers PC that has its docs and pictures encrypted by malware. Once the deed has been done is it possible to recover the files? This is a Windows 7 Home machine. Also I believe the MBR may have been overwritten.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    53,221
    Location:
    Texas
    Not likely. Hopefully, system backups were made.
     
  3. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    Thanks for the reply. Some backups were made on an external usb drive but not all. Lesson to be learned here.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,692
    Hi jdd58

    Is this co-workers PC a work one, or their own at home ? If it's a work one then the IT etc dept should be dealing with it. If it's actually their own home one, then as ronjor mentions i'm afraid at the moment it's probably not possible.

    As Securelist suggests you don't use it, but it's their call, you could try this.

    I would disconnect the HD and connect it to another comp, and try to retrieve as much stuff as possible over to the other comp. And then go about properly securing that and ALL future comps, and put the whole thing down as a major learning exercise.
     
  5. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    It is a personal laptop, not a company pc that was hijacked. It will boot to windows normally. Not sure now if the the mbr is corrupted but I am unable to restore the pc to the original state through the restore partition. The partition is visible in the disk management console but it has no name or assigned drive letter. The only option available when I right click on the partition is to delete the partition, all other options are grayed out. I'm not sure how to restore access to this partition.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,394
    Would a bootable Partition Management program like the Partition Wizard bootable CD or GParted in one of the Linux Distros be able to do anything to correct your problem?
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,394
  8. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    Scanned with SAS portable, found 9 trojans. Then Norton Power eraser and did rootkit scan, clean. Dr. Web CureIt, clean. Kaspersky tdss killer, clean. Malware Bytes, clean.

    I think the infection has been dealt with. I am just unsure how the Toshiba restore partition works. Do I have to create restore DVDs or will it restore directly from the hard drive recovery partition? So far I only see an option to feed it DVDs and no recovery options from the hard drive.
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,394
  10. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    512
    Location:
    Arizona
    OK, I had been using a Win 7 repair cd to boot from. I would get to the option "Toshiba HDD Recovery" where it only gave me the option to feed it DVDs.

    Using the F8 key at bootup allowed me to log in and recover from the recovery partition.

    Thanks for your help. The PC is restoring as I type this.
     
  11. monkeybutt

    monkeybutt Registered Member

    Joined:
    May 18, 2009
    Posts:
    126
    Probably the best I've seen so far, it's a real life saver. If it was as fast as Hitman this would be nice.

    I've cleaned 3 laptops this week, and only one had to be restored.
     
Thread Status:
Not open for further replies.