Pierluigi Paganini November 15, 2016

In this guide, we will explain how to recover encrypted files focusing on the Data-Locker Ransomware that targets the Windows operating system.

Why my system asks me to pay?

A ransomware is a computer malware that limits the access of a system and ask for a ransom in order to remove that restriction.
The restriction applied to the system can change in the time and can be realized in various ways.
Based on the restriction applied on the system we can recognize two kinds of ransomware based on their behaviors:

• Pc-Locker Ransomware:
  They block the system showing a ransom page on the computer desktop where they intimidate the victim with a message and ask him to pay a ransom in order to unlock the machine.
• Data-Locker Ransomware:
  They encrypt a large amount of user data avoiding the encryption of the system files (in order to let the machine working) and then ask a ransom to unlock those files.

The main goal of the ransomware is to extort money from their victims using some technique (locking system, encrypting files) that can target different devices (desktop, laptop, tablet, smart watch, smart tv, smartphones) and different operating system (Windows, Linux, Os X).

When you get infected by a ransomware?
Anytime your system asks you to pay. As we said the main goal of the ransomware is to get money from their victims so the first action the ransomware does after an infection is to show a window containing the instructions (the ransom note) to make a payment trough a cryptocurrency, such as bitcoin.
It will never exist a ransomware that infects your system and will remain stealthy.

In this guide we will focus on the Data-Locker Ransomware that target the Windows operating system.

There are a lot of types of ransomware and every type, known as a family, act in a different way so there isn’t a general and always working methodology to recover your data.

Once you get infected by a ransomware you have to follow those steps if you want to restore your files and your system:

1. Unlock the screen and bypass the screen lock of the ransomware;
2. Restore/Decrypt the files;
3. Disinfection and removal of the ransomware persistence files.

Note that guide aims just to recover your encrypted files and not for the removal and disinfection of your machine.
We strongly recommend, once you recovered your files, to save them on an external drive and remove the ransomware from the system (or format the drive), because sometimes it could happen that ransomware trigger again its activity and encrypt all of your files recovered.
Some modern ransomware combines the technique of data-locker ransomware and pc-locker ransomware so you need to unlock the screen and bypass the screen lock of the ransomware before you start to recover your encrypted files.
In that case, we recommend runnig the operating system in safe boot with networking before you start to follow our methods to recover your files.
This avoids also to fight against some mechanism where the ransomware would delete the files after an amount of time.

The following methods we are explaining aren’t a way to fight this threat, the best way to fight ransomware are frequent backup and prevention.
That means if you get infected by a ransomware it’s already “late” and, also if a lot of researchers are fighting this threat developing ad-hoc decryption tool, there are some ransomware family really hard to deal with.

METHOD 1: Identification and Decryption Tool

If you get infected by a ransomware and you want to ask for helping other users (i.e. Forums, IRC, email…) or you want to check if some security firms have developed a decryption tool for that specific ransomware you have to recognize the family name of the ransomware.

Thanks to the malwarehunterteam, they set up a free web service that lets you host an infected file (or ransom note) and it will detect the ransomware family name and, in some cases, it will guide you to decrypt your files of that family.

ID Ransomware

Following a step-by-step real case of using this method to decrypt files from ransomware Teslacrypt 4.0

As we can see from the above image the id-ransomware home page allow you to upload a ransom note or a sample encrypted file for the family recognition.
In the case of Teslacrypt 4.0 we will use a ransom note because that family doesn’t add an extension to encrypted files so it would be more difficult to detect the family if we try to identify it by the encrypted file.
We strongly recommend to don’t upload huge files because the recognition doesn’t improve with the size of a file, that means it would be just a waste of resources.

Once the upload is completed, you have the result with the family name spotted by id-ransomware that matched the pattern matching of the ransom note uploaded.
In that case, Teslacrypt 4.0 is recoverable and they provide us a link that explains how to decrypt the files and which tools use.

We download the tool to decrypt our files developed by BloodDolly and we first need to set the key used by the ransomware to encrypt our files.

We need to do this because this is a multi purpose decryption tool for all the Teslacrypt versions (1 to 4).
Selecting the extension appended to the encrypted files by the ransomware will allow the tool to set the master key automatically.
In our case (Teslacrypt v 4) we will select the last one <as original> because that ransomware left unchanged the extension of our encrypted files.

Once we set up the key we can start to recover our files.
In our case, that tool decrypts the 100% of our files, as we can see in the following picture.

We also recommend to give Google a chance digiting “ <ransomware_family_name> decryption tool “ and look around if there is a decryption tool developed and not spotted by id-ransomware (rarely).

METHOD 2: Recover from shadow copies

The shadow copies service is a set of COM interfaces that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes.
For example, when we took a restore point we are also saving a volume backup (containing the shadow copies) and we can restore files from that backup.
This is a built-in feature of all windows operating systems starting from win XP so, most probably, you have your shadow copies and you don’t know about it.

We will use a free tool that allows us to inspect in our shadow copies, this tool is called shadow explorer and you can download here.
Note that if you have Windows XP you have to download the old version of this tool.
If you renamed the vssadmin.exe utility for security reason, you must rename it and let it work normally if you want that tool will run correctly.

Following a step-by-step real case of using this method to restore files from ransomware Jigsaw.

The main window of shadow explorer allows us to choose the drive, we want to explore the shadow copies and the date of the shadow copies we want to consult, because it can be there are more than 1 snapshot of the volume back-up (i.e. 2 or more restore point).

Once you identify the data you want to recover you can right-click on the folder and you can export the files.

In our case, we recovered 100% of our files as we can see in the above picture because Jigsaw ransomware doesn’t delete the shadow copies.
This method is really effective not on the host infected directly by the ransomware because most ransomware delete shadow copies through vssadmin tool.
It’s really effective when ransomware spread over the network encrypting the files on all host linked to the local network and it can’t access to operating system functionalities like vssadmin utility.
So we have still the shadow copies alive on all the machine hit by ransomware indirectly.

We strongly recommend disabling vssadmin.exe service to prevent the ransomware deleting the shadow copies of windows that, in most cases, let the victim restore the files encrypted on the operating system hard drive.

METHOD 3: Data recovery tool

Data recovery is, simply, the salvaging and repair of data that has been lost.
Of course, data recovery won’t always be possible; sometimes a system can be too corrupted or damaged to get much of the data back.

In this guide we won’t cover the techniques used by data recovery tools to restore data, what we have to know is  that the success of files recovering depends on a lot of variables (like operating system partitioning, priority on file overwriting, drive space handling …). If you want to have more information you can check this.

There are a lot of data recovery tools available on the web, you can check a list here.
In this guide, we will use a free data recovery tool called Recuva.

Following a step-by-step real case of using this method to restore files from ransomware Locky.Odin.

We strongly recommend to install Recuva on an external USB drive instead of installing it on your OS drive to increase the probability to recover your files.

Once installed, it will be prompted a wizard for a scan, we recommend to close it in order to set the following options for the scanning phase:

We recommend to set those options because by default they are not enabled.
Activating “Restore folder structure” will allow us to keep the directory tree structure and permit us to infer the name of all our encrypted files.

Then we can run our scan on the desired drive and wait for it:

When Recuva will finish scanning all the deleted files, it will prompt a window where you have all possible recoverable files.
Of course, not all the files can be recovered.
On the “State” tab we can realize if we can recover that file.
The “partly recoverable” files are that file that cannot be whole recovered, for example a txt file would contain half text recovered and other half corrupted.

On the “Comment” tab we can recognize the encrypted renamed files with the original name files.
In this way, also if we can’t recover the file, we can recover the filename.
We can check all the files we want to recover and decide where to export.

In the right corner we have the “switch to advanced mode” button that let us apply filters, based on the path of the files, on our recoverable files.
So we will apply the following filters:
C:\Personal_Data, C:\Users\Administrator\Personal_Data, C:\Users\Administrator\Desktop\Personal_Data
and we will check all the files we want to export.

We strongly recommend exporting all the data on an external drive in order to have more probability to recover more data.

On a total of 3002 files we have 915 files fully recovered that means the 30% and we considered just the fully recovered files.

This method is also useful for recovering the name and the path of the files encrypted because some ransomware rename our files in a random digits name and we can’t even recognize which file we lost.

OUR TEST

So how much effective are our methods?
We decided to group up a set of ransomware samples (the most recent families) and run them in our virtual machine in order to test the % recovered files of our methods.

To evaluate the recovering rate of each method for each ransomware we will use a folder (Personal_Data) containing 1000 elements (containing pdf, jpg, ppt, txt, doc, xls), placed in 3 different locations on the system:

• C:\Personal_Data
• C:\Users\Administrator\Personal_Data
• C:\Users\Administrator\Desktop\Personal_Data

Then we will try to recover our files using our methods. We will calculate the % rate of successfully recovered files for each folder and we will execute this try running the ransomware 3 different times in different system states, in the end we will report an average of the % rate of recovered files.
For our test we will use the following samples of ransomware:

• Cerber v.1 md5: 9a7f87c91bf7e602055a5503e80e2313
• Jigsaw md5: 2773e3dc59472296cb0024ba7715a64e
• TeslaCrypt v.4 md5: 0265f31968e56500218d87b3a97fa5d5
• CryptXXX v.2             md5: 19127d5f095707b6f3b6b027d7704743
• Bart md5: d9fe38122bb08d96ef0de61076aa4945
• CryptXXX v.4 md5:  631c36f93b0fc53b8c7be269b02676d0
• Bart v.2                         md5: 4741852c23364619257c705aca9b1be3
• Satana Ransomware md5: 46bfd4f1d581d7c0121d2b19a005d3df
• Odin md5: 01f7db952b1b17d0a090b09018896105
• Crypt888 md5: 86c85bd08dfac63df65eaeae82ed14f7

REFERENCES

• http://www.iswatlab.eu/wp-content/uploads/2015/09/Technical_Report_Ransomware.pdf
• https://id-ransomware.malwarehunterteam.com/
• http://www.malware-traffic-analysis.net/
• http://www.shadowexplorer.com/downloads.html
• https://www.piriform.com/recuva
• http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
• http://www.makeuseof.com/tag/data-recovery-work/

Written by the IT Security Expert Antonio Cocomazzi

Antonio Cocomazzi is an IT Security Expert specialized in the malware analysis field. Young and recently graduated, he conducts a 6 months research focused on Ransomware giving a full characterization of the recent families defining a new methodology for dissecting this kind of malware.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – malware)