Data recovery after file-encrypting ransomware is a growing problem, with more and more cases recently. Helping in these cases is not a trivial task.
Let’s consider some sides of this problem. Ransomware usually encrypts the most-used data, such as photos, videos, office files, databases, etc. Different ransomware families give encrypted files different extensions, but they can be treated as one mechanism that uses similar algorithms.
Files are encrypted with cryptographic algorithms. The key consists of a public key and a private key. The public key is generated on the victim’s PC, while the private key is kept secret and known only to the perpetrator. The combination of public and private key is unique to each case, and it is impossible to decrypt the data without the private key. Solutions offered by well-known anti-virus developers tend to focus on recovering the private part of the key, by brute force or by special heuristic analysis.
We have no first-hand experience of paying to obtain decryption software, but our customers state they have had such experiences. Let’s leave aside the moral side of this problem, whether to pay or not to pay. Obviously there is no need to encourage malicious users, but everyone has their own view of how important their data is.
However, there have been cases of partial decryption of files. Each case was special. Success is possible only if the ransomware encrypts not the whole file but only part of it. This choice by the attacker has a logical explanation: as the volume of data grows, the time needed to encrypt it grows, and so does the risk of being discovered. That’s why we think only an important part of the data is encrypted, rather than all of it.
Here’s a practical case. The ransomware encrypted the beginning of the file and some small fragments in the body of the file, and appended its technical information at the end of the file. This left us with several tasks:
Dealing with the end of the file was simple.
The header was more complicated because it is often file-specific. It can be replaced with the header of a similar intact file, with small changes. In our case, the file headers had been changed using XOR and by modifying some bytes.
We could not find a solution for the encrypted areas inside the file: the private part of the key is unknown, and the data is unique, so there is nothing to match it against. We wrote software that automates correcting the beginning and the end of the file.
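The header and trailer repair described above, as an added example that is not the article’s own software: the appended block is cut off at an assumed marker, and the XOR mask on the header is recovered by treating the format’s fixed magic bytes as known plaintext, with a small tolerance for bytes that were overwritten rather than XORed. The 16-byte PNG prefix is real; the trailer marker, the mask, the 32-byte masked region and every other byte value are constructed for the demonstration.

```python
"""Repair of a partially encrypted file: strip the appended trailer, then
undo a short repeating XOR mask on the header using the format's fixed
magic bytes as known plaintext.  Added example, not the 512 BYTE company's
tool; every value below except KNOWN_PNG_PREFIX is constructed."""
from collections import Counter

# The first 16 bytes of every PNG are constant: signature, IHDR length, "IHDR".
KNOWN_PNG_PREFIX = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
# Assumed marker in front of the appended technical block (hypothetical;
# in a real case it is taken from the samples at hand).
TRAILER_MARKER = b"--CONSTRUCTED-NOTE--"
HEADER_LEN = 32  # assumed length of the masked region at the start of the file


def strip_trailer(data, marker=TRAILER_MARKER):
    """Return (payload, trailer); trailer is None when no marker is present."""
    idx = data.rfind(marker)
    if idx == -1:
        return data, None
    return data[:idx], data[idx:]


def recover_xor_mask(damaged, known, max_mismatch=2):
    """Known-plaintext recovery of a short repeating XOR mask.

    damaged XOR known gives the mask stream.  The smallest period whose
    per-position majority byte explains the stream (allowing a few positions
    that were overwritten instead of XORed) is returned as (mask, mismatches);
    (None, None) if no period fits.  Periods are limited so that every
    position has at least two samples to vote with."""
    stream = bytes(d ^ k for d, k in zip(damaged, known))
    for period in range(1, len(stream) // 2 + 1):
        mask = bytes(
            Counter(stream[i] for i in range(r, len(stream), period)).most_common(1)[0][0]
            for r in range(period)
        )
        mismatches = sum(1 for i, b in enumerate(stream) if b != mask[i % period])
        if mismatches <= max_mismatch:
            return mask, mismatches
    return None, None


def repair_header(data, known_prefix=KNOWN_PNG_PREFIX, header_len=HEADER_LEN):
    mask, mismatches = recover_xor_mask(data[:len(known_prefix)], known_prefix)
    if mask is None:
        raise ValueError("header is not a short periodic XOR of the known prefix")
    unmasked = bytes(data[i] ^ mask[i % len(mask)] for i in range(header_len))
    # Format constants are copied from the reference outright, which also undoes
    # bytes that were overwritten (not merely XORed) inside the known prefix.
    return known_prefix + unmasked[len(known_prefix):] + data[header_len:], mask, mismatches


def repair_file(damaged):
    """Full pipeline: cut the trailer, then fix the header.  Returns the
    repaired bytes and a small report for the case notes."""
    payload, trailer = strip_trailer(damaged)
    repaired, mask, mismatches = repair_header(payload)
    return repaired, {"mask": mask.hex(), "overwritten_bytes": mismatches,
                      "trailer": trailer}


def constructed_file_sample():
    """Fixture reproducing the damage pattern the article describes (masked
    header, appended note) so the repair can be checked against the original.
    Constructed; not a model of any real ransomware."""
    original = (KNOWN_PNG_PREFIX
                + (64).to_bytes(4, "big") + (48).to_bytes(4, "big")  # IHDR width/height
                + b"\x08\x02\x00\x00\x00"                             # depth, colour type, ...
                + bytes(range(256)) * 2)                              # filler for the rest
    mask = b"\x5a\xc3\x17"
    damaged = bytearray(original)
    for i in range(HEADER_LEN):
        damaged[i] ^= mask[i % len(mask)]
    damaged[4] ^= 0x80  # one byte overwritten on top of the mask
    damaged += TRAILER_MARKER + b"id=CONSTRUCTED-0001"
    return original, bytes(damaged)


if __name__ == "__main__":
    original, damaged = constructed_file_sample()
    repaired, report = repair_file(damaged)
    print(report, "restored:", repaired == original)
```

The mask recovery only needs the fixed bytes of the format, so the same routine serves any type with a known magic (JPEG, ZIP, Office containers) once the prefix constant is changed; the part of the header that is not constant is recovered by applying the mask, and the constant part is taken from the reference, which is the "small change from a similar correct file" the case above relied on.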
We got correct video with some artifacts, and correct or partly correct office files. The main failure was with JPEG files: the information is compressed, so even a little damage corrupts the whole file.
We devised the following algorithm. Since the location of the encrypted data is known, we can determine the line of the photo that contains the damaged fragment and replace it with the previous or the next line.
The substitution was usually invisible, though sometimes we got curious photos. This approach let us recover some photos to an acceptable level.
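The row substitution from the two paragraphs above, as an added example that is not the article’s software. It works on a decoded grayscale raster held as a list of rows and takes the damaged rows from the known location of the encrypted fragment; the byte-offset-to-row mapping shown is the simple uncompressed-raster case, since for JPEG that mapping is decoder-specific and is treated here as an input. It generalises the article’s "previous or next line" to whichever intact neighbour is closer, so a band of several damaged rows is filled from both sides. The 8x8 gradient and the garbage bytes are constructed.

```python
"""Replace damaged image rows with the nearest intact neighbour.  Added
example (not the article's own software); the raster and the damaged bytes
are constructed."""


def rows_for_byte_range(offset, length, row_stride):
    """Rows touched by damaged bytes [offset, offset+length) in an
    uncompressed raster with `row_stride` bytes per row.  For a compressed
    format the mapping is decoder-specific and must be supplied instead."""
    first = offset // row_stride
    last = (offset + length - 1) // row_stride
    return set(range(first, last + 1))


def patch_rows(rows, damaged):
    """Return a copy of `rows` in which every damaged row is replaced by the
    closest intact row (the previous one on a tie).  A band of damaged rows
    is therefore filled from above in its upper half and from below in its
    lower half, which keeps the substitution invisible on smooth areas."""
    damaged = set(damaged)
    intact = [i for i in range(len(rows)) if i not in damaged]
    if not intact:
        raise ValueError("no intact row to copy from")
    out = []
    for i, row in enumerate(rows):
        if i in damaged:
            src = min(intact, key=lambda j: (abs(j - i), j > i))
            out.append(list(rows[src]))
        else:
            out.append(list(row))
    return out


def mean_abs_error(a, b):
    """Mean absolute pixel difference between two equally sized rasters,
    used to check that patching moved the image closer to the original."""
    total = sum(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return total / (len(a) * len(a[0]))


def constructed_raster_sample():
    """An 8x8 vertical gradient (row r has value 16*r) and a copy whose rows
    3 and 4 hold garbage standing in for an encrypted fragment.  Constructed."""
    original = [[16 * r] * 8 for r in range(8)]
    damaged = [list(row) for row in original]
    damaged[3] = [0xA5, 0x3C, 0xF0, 0x11, 0x7E, 0xC2, 0x08, 0x9B]
    damaged[4] = [0x5D, 0xE9, 0x22, 0xB7, 0x40, 0x1F, 0xDA, 0x66]
    return original, damaged


if __name__ == "__main__":
    original, damaged = constructed_raster_sample()
    hit = rows_for_byte_range(offset=24, length=16, row_stride=8)  # bytes 24..39
    fixed = patch_rows(damaged, hit)
    print("damaged rows:", sorted(hit))
    print("error before: %.2f  after: %.2f" % (mean_abs_error(damaged, original),
                                               mean_abs_error(fixed, original)))
```

The residual error after patching is exactly the difference between neighbouring rows, which is why the method works on gradients and sky but produces the "curious" results on textured areas or edges that run across the damaged band.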
We should admit there is one more approach to data recovery: searching among deleted files and analyzing free space.
Let’s draw a conclusion. If ransomware encrypted your files, it’s not always a “sentence.”
Just don’t give up!
Andrey Fedorov is co-owner of the 512 BYTE company and a specialist in data recovery and in software development for data recovery and forensic analysis. He has more than 15 years of experience in this field.
Is it always possible to decrypt data? What do you do if you can’t decrypt it?