Wanna Cry Ransom Cyber Attack

whitestar_999

Super Moderator
Staff member
Ransomware resides within & encrypts files from the infected system; there is no infected file like in the case of a virus. In the case of ransomware there are only 2 types of files: encrypted & non-encrypted. So if a file backup is taken before encryption of the files, then they are the same files as before ransomware infected the system.
 
OP
Sarvesh

Journeyman
Yes, ransomware is basically a malicious tool (software) which upon execution encrypts files & deletes the originals.

Paying ransom did not help anyone.

Instead, you can use data recovery software to recover / undelete some files from the hard disk if stuck in such a situation.
 

whitestar_999

Super Moderator
Staff member
Actually many people did & continue to get their files decrypted after paying ransom; that is the basic premise of ransom. Only if people get what they want will the ransom threat work. That is why the USA has a no-negotiation policy with terrorists regarding hostage situations, because that will encourage terrorists to take even more hostages in future.

As for backups, if they were taken before the ransomware encrypted files then it is fine, but if a system is still infected with ransomware & you connect your external HDD containing the backup to it, then the backup files will also start getting encrypted.
 
OP
Sarvesh

Journeyman
whitestar_999 said:
> Actually many people did & continue to get their files decrypted after paying ransom

There is no official confirmation of any success yet.

Read the following:

Paying the WannaCry ransom will probably get you nothing. Here's why.

Should you pay the WannaCry ransom? - BBC News

The Ransomware Hackers Made Some Real Amateur Mistakes

Can files locked by WannaCry be decrypted: A technical analysis
 

whitestar_999

Super Moderator
Staff member
My reply was not meant specifically for WannaCry but for all ransomware in general. As I said, ransomware success depends on giving people what they want, without which it is useless as ransomware. Maybe WannaCry messed up its payment system, but ransomware in general has a good payment system, which was also mentioned in some of the links posted above.
 

billubakra

Conversation Architect
This is a good read. Covers everything from Digital India to the greatest tech genius in the world Mr. Fadiaaaaaaaaa
WannaCry cyber-attack: Bad that India is crying, but more scary is govt response
 

kg11sgbg

Indian Railways - The Vibrant and Moving INDIA
My PC's and laptop's Windows 10 are patched up to the latest updates.
The commercial AV suites which I use are also on their latest updates.
 

maheshn

Journeyman
Sarvesh said:
> There is no official confirmation of any success yet.
>
> Read the following:
>
> Paying the WannaCry ransom will probably get you nothing. Here's why.
>
> Should you pay the WannaCry ransom? - BBC News
>
> The Ransomware Hackers Made Some Real Amateur Mistakes
>
> Can files locked by WannaCry be decrypted: A technical analysis

360 Total Security *claims* to have a decryption tool shown on their homepage at 360 Total Security: Free Antivirus Protection | Virus Scan & Removal for Windows, Mac and Android

Seems to be a beginning.....
 
OP
Sarvesh

Journeyman
maheshn said:
> 360 Total Security *claims* to have a decryption tool shown on their homepage at 360 Total Security: Free Antivirus Protection | Virus Scan & Removal for Windows, Mac and Android
>
> Seems to be a beginning.....

NO decryption tool yet...... it is a recovery tool

Read their blog at Biggest Ransomware Attack Ever - Tips to stay safe from WannaCry ransomware

It is clearly mentioned - "There is no decryption tool for the WannaCry ransomware at this moment. If you are unluckily infected, in the worst case you may have to pay the attackers to save your data. We don’t suggest this unsavory approach; instead, you can cut off the Internet connection immediately and turn to security experts or wait for the decryption tool. To prevent this from happening, install the security patches and back up all important files NOW to protect yourself."

Some of the Ransomware removal tools available:

What is Ransomware? | Free Ransomware Removal Tools | Avast
Kaspersky Anti-Ransomware Tool for Business
Free Ransomware Decryption Tools | Unlock Your Files | AVG
Anti Ransomware Tool
 

kg11sgbg

Indian Railways - The Vibrant and Moving INDIA
For home users, at worst they have to format their machine's drives if it gets infected.
 

billubakra

Conversation Architect
Sorry if this is a dumb question: the machines are locked by ransomware, fine, but can't we boot, say, via Ubuntu or HBCD to recover files?
 

whitestar_999

Super Moderator
Staff member
Files are there but encrypted; even if you recover them they are of no use because the data inside them is scrambled/gibberish because of encryption. You have to decrypt the files to make them meaningful again, which requires the decryption key, for which money was being asked.
 
OP
Sarvesh

Journeyman
billubakra said:
> Sorry if this is a dumb question, the machines are locked by ransomware fine but can't we boot say via Ubuntu or HBCD to recover files?

The files on the desktop & My Documents are encrypted and the originals are deleted & thoroughly overwritten, so they cannot be recovered. But the files on the other drives / partitions are encrypted and the originals are simply deleted, so they can be recovered using any undelete or recovery tool in the case of Wanna Cry ransomware.

Reference for technical details:
Can files locked by WannaCry be decrypted: A technical analysis
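
An added example, not part of any post in this thread: a read-only triage of a backup or recovered-file folder, run from a clean system, that sorts files by whether they carry the WannaCry header marker. The `WANACRY!` marker and the field layout after it (wrapped-key length, wrapped key, type, original size) are assumptions taken from public analyses; the file names and contents are constructed sample data.

```python
import os
import struct
import tempfile

MAGIC = b"WANACRY!"  # assumed 8-byte marker at offset 0 of an encrypted file

def classify(path):
    """Return (status, original_size) from the file header only (read-only)."""
    with open(path, "rb") as fh:
        head = fh.read(12)
        if len(head) < 12 or head[:8] != MAGIC:
            return ("no-marker", None)
        (key_len,) = struct.unpack("<I", head[8:12])
        if key_len > 4096:  # implausible length: treat the header as damaged
            return ("marker-damaged", None)
        # Assumed layout: wrapped key, uint32 type, uint64 original size.
        rest = fh.read(key_len + 12)
        if len(rest) < key_len + 12:
            return ("marker-damaged", None)
        _ftype, orig_size = struct.unpack("<IQ", rest[key_len:])
        return ("encrypted", orig_size)

def triage(root):
    """Walk root and group relative paths by header status."""
    report = {"encrypted": [], "marker-damaged": [], "no-marker": []}
    for folder, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(folder, name)
            status, size = classify(path)
            report[status].append((os.path.relpath(path, root), size))
    return report

def build_sample(root):
    """Constructed sample files; no real ransomware output is involved."""
    header = MAGIC + struct.pack("<I", 256) + bytes(256) + struct.pack("<IQ", 4, 1234)
    samples = {
        "notes.txt": b"plain backup copy\n",
        "report.docx.WNCRY": header + bytes(1248),
        "photo.jpg.WNCRY": header[:40],  # cut off mid-header, e.g. partial undelete
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for status, items in triage(tmp).items():
            print(status, items)
```

Files reported as `no-marker` are candidates for restoring; `marker-damaged` entries are typically partial recoveries and are worth keeping aside rather than deleting.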
 

whitestar_999

Super Moderator
Staff member
It is not so simple; a fundamental principle of file recovery is avoidance of any write operation on the affected disk, & all ransomware creates new files on disk, resulting in lots of write operations on disk. In short, the success rate will vary greatly from system to system depending on how much % free space there was on the disk, state of fragmentation etc.
 
OP
Sarvesh

Journeyman
whitestar_999 said:
> It is not so simple; a fundamental principle of file recovery is avoidance of any write operation on the affected disk, & all ransomware creates new files on disk, resulting in lots of write operations on disk. In short, the success rate will vary greatly from system to system depending on how much % free space there was on the disk, state of fragmentation etc.

Yes, you are right, the success rate will depend on the free space & also the shadow copy created by Windows.
 
OP
Sarvesh

Journeyman
Why did Microsoft remain silent till the devastating attack?
Microsoft held back a free WannaCry patch, says report - CNET
 
OP
Sarvesh

Journeyman
Tool for decrypting Wanna Cry Ransomware files.

The wanakiwi decryption tool works on Windows XP, 2003 and 7 computers that have not been rebooted.

GitHub - gentilkiwi/wanakiwi: Automated wanadecrypt with key recovery if lucky

Readme link
wanakiwi/README.md at master · gentilkiwi/wanakiwi · GitHub
 