Recovery from encrypting ransomware

Haole Boy

Aloha everyone. One of my customers got hit with encrypting ransomware. She's decided to not pay the ransom. She had an external USB drive with backups on it, but it got encrypted too. Installed Shadow Explorer and surprisingly it looks like there are several backup sets that did not get encrypted.

So, here's my question: I believe the backup sets were created by Windows backup (will verify this later today when I go over there). I don't think there is an image backup, so these are just backed up files. I know I can run the restore job for each backup set (starting with the oldest one), but is there a more efficient way to go through these backup sets and just do one restore job with the latest version of each file?

This is a Windows 7 x64 machine.

Mahalo!

Harry Z.
 
Did you check to see if you can access the files/folders with the "Restore Previous Version" function? Shadow Explorer uses Windows VSS to make copies of changed files (if it's set to do so).

I'd suggest making a sector-by-sector disk image of the original disk before you go any further, just in case something goes awry with recovery. You shouldn't install anything at all on the original disk and any recovery should be to an external disk.
 
Aloha FremontPC. Mahalo for the response. I will, of course, make a complete disk backup before doing anything.

I think I'll create a new user on this machine so that when the restore(s) are done she knows that what she sees is what she can access.

However, I'd still like an answer to the question if there is a way to aggregate the 10 - 15 backup sets so that I can do a single restore instead of running restore 10 - 15 times.

Harry Z.
 
Harry, I believe what you're seeing is the state of her folders on the date you've chosen in Shadow Explorer, so you should be able to pick the most recent date and export the individual folders she's interested in. The earlier dates are just the state of those folders on that day, so no need to export again as you'll just be getting older copies of the same files (plus those that she manually deleted after the date that you chose). No need to go through each set.

To check this, I fired up Shadow Explorer and chose 4/22/16, the most recent point it offered. I navigated to my Documents folder and exported the results to another drive. The exported contents were the same as my today's contents of that same folder, because I haven't saved anything new in that folder since the 22nd.
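Harry's original question, collapsing 10 to 15 snapshots into one restore that keeps only the newest version of each file, can also be done without clicking through Shadow Explorer. The script below is an added example, not code from this thread or from Shadow Explorer. It assumes an elevated PowerShell session on the affected machine; the drive letter, the `Backups` sub-folder and the `F:\Recovered` destination are placeholders, and the destination must be on a separate, clean disk, as FremontPC advised above. It reads every VSS snapshot of the chosen volume from oldest to newest and copies a file only when the snapshot's copy is newer than what is already in the destination, so the result is a single tree holding the latest surviving version of each file.

```powershell
# Constructed example: merge every VSS snapshot of one volume into one
# "latest version of each file" tree. Assumes an elevated session; the
# snapshots are only read, never modified.
param(
    [string]$SourceDrive = 'E:',            # volume whose shadow copies to read (placeholder)
    [string]$SubPath     = 'Backups',       # folder inside the volume to merge (placeholder)
    [string]$Destination = 'F:\Recovered'   # target on a separate, clean disk (placeholder)
)

# Win32_ShadowCopy reports volumes by GUID path, so resolve the drive letter first.
$vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$SourceDrive'"
if (-not $vol) { throw "No volume mounted at $SourceDrive" }

# Oldest first, so a later snapshot replaces an earlier copy only when it is newer.
$snaps = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if (-not $snaps) { Write-Warning "No shadow copies found for $SourceDrive"; return }

New-Item -ItemType Directory -Force -Path $Destination | Out-Null
$copied = 0

foreach ($s in $snaps) {
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    # Expose the snapshot as a directory symlink; the trailing backslash is required.
    $link = Join-Path $env:TEMP ("vss_" + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $root = Join-Path $link $SubPath
        if (-not (Test-Path $root)) { Write-Host "$when : no $SubPath in this snapshot"; continue }
        Get-ChildItem -Path $root -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $rel  = $_.FullName.Substring($root.Length).TrimStart('\')
                $dest = Join-Path $Destination $rel
                $existing = Get-Item -LiteralPath $dest -ErrorAction SilentlyContinue
                # Keep whichever copy was written most recently across all snapshots.
                if (-not $existing -or $_.LastWriteTimeUtc -gt $existing.LastWriteTimeUtc) {
                    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
                    Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
                    $copied++
                }
            }
        Write-Host "$when : merged"
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
    }
}
Write-Host "$copied file version(s) written to $Destination"
```

Run it once per drive (it answers the "did you check C: too?" question from further down the thread by pointing `-SourceDrive` at `C:`). Because it compares on last-write time, a file the ransomware re-wrote in the live volume is never chosen over an older, clean snapshot copy unless that encrypted version also made it into a later snapshot; if any file in the result still carries the ransomware's extension, that snapshot post-dates the infection and should be left out of the merge.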
 
Now that I have the machine back at my place I'm looking at the shadow copies of the external drive. Luckily for my customer the shadow copies include the backup sets that were on the drive at that point in time. When I originally looked at the backup sets via Shadow Explorer I assumed (yes, that word bit me in the ass again) that the backup sets were incremental backups. But each one appears to contain a full copy of the Documents folder, so I only have to restore the most recent one. The newest one is about 8 months old, but at least I can recover some of her data.

This is kinda surprising as everything I've read about this particular strain of encrypting ransomware is that it deletes all the shadow copies on all drives it can find. This external drive was connected at the time of the infection, so I don't know why there are still some shadow copies on the drive.

Mahalo for your assistance!

Harry Z.
 
Yeah, it varies from the one to the other type of ransomware. Some are too lazy to put in the extra effort to delete the shadow copies, thank god. Did you check for shadow copies on the C drive too?

You can try using an undelete program to see if you can find newer files on the main drive, may work, may not.
 
Just to "close the loop" on this one.
  • Created a new user as the target for the recovery
  • Left the old user in place, but disabled the logon (just in case there is ever a decrypt program available)
  • I used Shadow Explorer to export the shadow copy data from the external drive to the C: drive.
  • Looking at the exported data, I found a Windows image directory with a .vhd file inside
  • Mounted the vhd file
  • Used Fab's Autobackup to transfer the (unencrypted) files from the virtual drive to the new user profile
While the data I recovered is from July of last year, the customer is (relatively) happy to have some of their data back.

Mahalo, FremontPC for your suggestions and comments.

Harry Z.
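The "mounted the vhd file" step in the list above has a command-line form on Windows 7, where there is no Mount-DiskImage cmdlet. The script below is an added example, not from this thread; it drives diskpart from PowerShell to attach a Windows Backup `.vhd` read-only, reports which drive letter(s) appeared, and can detach it again. It assumes an elevated session and that the `.vhd` path is supplied by the caller.

```powershell
# Constructed example: attach a Windows Backup .vhd read-only using diskpart,
# then list the volume(s) it exposed so files can be copied out. Assumes an
# elevated PowerShell session on Windows 7 or later.
param(
    [Parameter(Mandatory=$true)][string]$VhdPath,   # path to the .vhd (caller supplies)
    [switch]$Detach                                  # detach instead of attach
)
if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

# Record the drive letters present before the change so the new ones can be identified.
$before = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter

# 'attach vdisk readonly' guarantees nothing in the image can be altered while browsing it.
$action = if ($Detach) { 'detach vdisk' } else { 'attach vdisk readonly' }
$script = @"
select vdisk file="$VhdPath"
$action
"@

# diskpart takes its commands from a script file via /s; keep its output for errors.
$tmp = [IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $script -Encoding ASCII
$out = diskpart /s $tmp
Remove-Item $tmp
if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($out -join "`n")" }

if ($Detach) { Write-Host "Detached $VhdPath"; return }

# Give the mount manager a moment to assign letters, then report what is new.
Start-Sleep -Seconds 3
$after = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter
$new = $after | Where-Object { $before -notcontains $_ }
if (-not $new) { Write-Warning "VHD attached but no new drive letter appeared; check diskpart 'list volume'." }
foreach ($d in $new) {
    Write-Host "Attached (read-only) as $d"
    Get-ChildItem -Path "$d\" -Force | Select-Object Name, LastWriteTime
}
```

Copy the user folders out of the new drive letter onto the clean target (the thread used Fab's Autobackup for this), then run the script again with `-Detach` to release the image. Attaching read-only matters here: the backup image is the only clean copy of the data, and a writable mount is one accidental save away from contaminating it.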
 
You're quite welcome, Harry. Keep an eye on Bleeping Computer for more news about the particular variant your customer ran into, that's one of the first places news about new decrypters shows up.
 
To close the loop (again)...

This was a TeslaCrypt infection. Customer finally had the time for me to work on it. Used the ESET TeslaCrypt Decryptor (link) to decrypt all the files in the old (disabled) user profile and the public profile. Then used Fab's Autobackup to transfer the decrypted files to the (new) active user profile. Set the option to keep the newest file when the file already existed. There will probably be a little cleanup work on the files that already existed to make sure that the customer has all their old data plus anything they've updated since I recovered the files from the Shadow Copy on the external drive.
 