I managed to repair ransomware encrypted photos

Joep

This specific ransomware (STOP) does encrypt the first 150 KB of the file. That leaves room for repair: 150 KB means the JPEG header is corrupt + some 150 KB of actual image data. Since the original photo is 6 MB+ there is plenty of data left.

I add a valid header to the file and basically remove the encrypted data.

This is hardly ideal as each photo needs to be repaired manually. Takes me about 10 minutes per photo on average.

Note that some variants of STOP can be decrypted under certain conditions.

 
That's pretty amazing actually, and I suppose if you want to be fast with a crypto... only locking up the file headers would be the way to do it.
 
Yes, indeed. I have been pondering on this. I could automate to almost right, as in this case the size of the encrypted area is known. I could even make it make educated guesses about encrypted <> non-encrypted, JPEG <> non-JPEG. But in the end it will always need fine tuning and the human eye to determine if it's good enough. May still be worth the effort because it will probably make it easier to determine if it's a photo you want to spend more time on or not. This all isn't in there because I never had ransomware / encrypted files in mind with this. I stumbled on it by accident.

Edit: Nah .. It's different for each photo. Due to how JPEG is encoded (each MCU depends on the previous one) this isn't really viable. If you look for example at the various stages, where the picture is hardly visible or recognizable, it may very well be that as far as the decoder is concerned it's a valid JPEG. The only exception would be JPEGs with restart markers. Although I do see that more and more as default in higher end cameras like DSLRs, it is still far from common.
 
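The header graft described in the first post, together with the restart-marker exception from the edit above, as an added example (not Joep's tool): it takes a reference JPEG from the same camera and settings as donor, copies every marker segment up to and including SOS, drops the first 150 KB of the encrypted file, and, only when the donor declares a restart interval (DRI), starts the surviving scan data at the next RSTn marker so the decoder can resynchronise. The 150 KB prefix size and the sample byte strings are taken from the thread or constructed here.

```python
import struct

ENCRYPTED_PREFIX = 150 * 1024   # STOP encrypts the first 150 KB of each file (per the thread)
SOI, SOS, DRI = 0xD8, 0xDA, 0xDD
RST_RANGE = range(0xD0, 0xD8)   # RST0..RST7, standalone markers inside the scan data

def split_header(data):
    """Return (header, restart_interval): header is every marker segment up to and
    including SOS; restart_interval is the DRI value, 0 when the file has none."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos, interval = 2, 0
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == DRI:
            interval = struct.unpack(">H", data[pos + 4:pos + 6])[0]
        pos += 2 + seg_len
        if marker == SOS:           # entropy-coded scan data follows this segment
            return data[:pos], interval
    raise ValueError("no SOS segment found")

def graft(donor, victim, encrypted_prefix=ENCRYPTED_PREFIX):
    """Prepend the donor's header to whatever scan data survived the encryption.
    Without restart markers the decoder still produces an image, but every MCU
    after the cut is decoded against the wrong predictor (the 'hardly visible'
    stages from the thread); with DRI we skip to the next RSTn so it resyncs."""
    header, interval = split_header(donor)
    tail = victim[encrypted_prefix:]          # encrypted bytes are simply discarded
    if interval:
        for i in range(len(tail) - 1):
            if tail[i] == 0xFF and tail[i + 1] in RST_RANGE:
                tail = tail[i:]
                break
    return header + tail

def _segment(marker, payload):
    """Build one length-prefixed marker segment (used only for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed donor: SOI, DRI with interval 4, a minimal SOS, two scan bytes, EOI.
DONOR = (bytes([0xFF, SOI]) + _segment(DRI, struct.pack(">H", 4))
         + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
# Constructed victim: 150 KB stand-in for ciphertext, then scan data holding an RST0.
VICTIM = b"\xee" * ENCRYPTED_PREFIX + b"\xaa\xbb\xff\xd0\xcc\xdd\xff\xd9"
```

A real donor must match the victim's dimensions, quantisation and Huffman tables and chroma subsampling, which is why the thread insists on a reference file from the same camera.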
Yeah, anything raster is going to boil down to pixel coordinates and color codes. But, given a near infinite combination possible to create any image imaginable, from just noise all the way to a portrait... how does a computer determine this is "fixed"?

It might be possible with some heavy machine learning, but this is almost AI territory to get that answer.
 
Too bad it's not possible to capture the repair actions as a script and then apply it to other damaged files and hope for a happy outcome.

And it still was a very useful comment and I thank you for it. As it needs to save and reload a file a couple of times sometimes, I decided to automate that. It was your suggestion that made me look at things and ask whether it can be done automatically.
 
Several more since that, also with other extensions. Upcoming weekend I'll probably have an updated version which can do TIFF based RAW (CR2, NEF, DNG etc.) too. Encryption of RAW files extends into the embedded JPEG in most cases, so that's corrupted too.


I also came across this weird case. I am dropping it here not to brag but so you know that sometimes it is possible to recover data even if big names do not succeed. I show how Recuva fails (which is what the user was using) but also R-Studio. I also tried UFS Explorer, ReclaiMe, MyPhoto Recovery, PhotoRec and even Adroit Photo Recovery.

Difficulty was that the user managed to BOTH corrupt individual files (headers) AND format the thumb-drive, removing most of the metadata pointing to RAW photos (Canon .CR2). If ONE of those 2 is an issue you can use either file system based recovery or carving, depending on the case. In this case both types of tools fail.

I decided it should be possible to recover at least the full resolution JPEGs, to carve those, since of course the file system does not point at these at all. From a carving point of view the problem is that these aren't cluster/sector aligned, which means you have to go through an entire sector hunting for magic bytes. An additional problem is that if you do that you're almost guaranteed to run into lots of false positives.

This video shows how I use a modified version of JpegDigger which manages to:

- Recover the full res embedded JPEGs,
- Avoid false positives,
- And this while maintaining reasonable speed

 
Now working on a small tool to repair some more file types affected by STOP/DJVU variants. Currently only MP3 and WAV are supported. WAV support I was only able to test against one case. Repaired thousands of MP3 files already. Soon I hope to add mov, qt, mp4, m4v, m4a, m4p, m4b, m4r, k3g, skm, 3gp, 3g2, provided the moov atom is stored at the end of the file. A reference file is required except for MP3.

To repair a file affected by this ransomware, the encrypted portion is deleted, so some data inside the file is lost. The download URL is in the description of the video.

 