Solved

I have hard drive locked by Ransomware. How can I safely pull off a file to examine?

Posted on 2016-08-05
Last Modified: 2016-08-10
The user was infected with Ransomware. I had them take out their hard drive.  The computer was running Windows XP.
I've been advised by the experts here to submit a locked file to determine the extent of the locking.

How should I attach this drive?  I have Macs, Parallels Virtual Machine running on a Mac, Windows 7, Windows 10, Parted Magic Repair USB that I can operate a PC with.

Thanks.
0
Question by:computerlarry
6 Comments
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745037
As long as the drive is attached as a secondary, i.e. non-boot drive, to a different, clean system, it should be fine.
0
 

Author Comment

by:computerlarry
ID: 41745038
Can you suggest a site where I could submit some files for analysis?
0
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745040
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41745083
I suggest idransomware to identify the Ransomware
https://id-ransomware.malwarehunterteam.com/index.php
Or Crypto Sheriff
https://www.nomoreransom.org/crypto-sheriff.php

Just to share, since it is important for HDD forensics: if this is specifically for investigation purposes, chain of custody is critical, hence there is a need to make sure there are no major configuration changes to the HDD system, as these may also result in degradation of the integrity of the evidence on the hard disk. So if the machine is running live, not shut down, you can hibernate the system (as the affected user) before removing the HDD from the system. Most of the time, a forensic image should be taken before any analysis is done to preserve the integrity of the evidence. Some even connect a write blocker to safeguard the original HDD, or otherwise most will work on the cloned HDD image. These are possible provided that the HDD is not disk encrypted (especially not bound to your motherboard); otherwise you need to decrypt the HDD.
0
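The image-first workflow described in the accepted answer, as an added example that is not part of the original thread: copy the drive to an image, hash both sides, and keep a custody record so the sample file is later pulled from the verified copy rather than the original. The function names, the `evidence.img` and `custody.log` file names, the log format and the `/dev/sdX` placeholder are assumptions made for illustration.

```bash
# Added example (not from the thread): image a source drive, verify the copy,
# and log the hashes. File names and log format are illustrative assumptions.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# acquire_image SRC DEST_DIR
# Copies SRC (block device or file) to DEST_DIR/evidence.img, hashes both,
# appends a line to DEST_DIR/custody.log, returns 0 only if the hashes match.
acquire_image() {
    src=$1; dest_dir=$2
    img="$dest_dir/evidence.img"; log="$dest_dir/custody.log"

    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi
    mkdir -p "$dest_dir" || return 2

    # Software write block for a real disk; a hardware write blocker is stronger.
    if [ -b "$src" ]; then blockdev --setro "$src" || return 2; fi

    src_hash=$(sha256_of "$src") || return 2
    dd if="$src" of="$img" bs=1M || return 2
    img_hash=$(sha256_of "$img") || return 2
    chmod a-w "$img"    # guard the working copy against accidental edits

    if [ "$src_hash" = "$img_hash" ]; then result=MATCH; else result=MISMATCH; fi
    printf '%s src=%s sha256_src=%s sha256_img=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$src_hash" "$img_hash" \
        "$result" >> "$log"
    [ "$result" = MATCH ]
}

# verify_image DEST_DIR
# Re-hashes the image and compares it with the hash recorded at acquisition,
# so any later change to the working copy is detected before analysis.
verify_image() {
    dest_dir=$1
    recorded=$(awk '/result=MATCH/ { for (i = 1; i <= NF; i++)
        if ($i ~ /^sha256_img=/) h = substr($i, 12) } END { print h }' \
        "$dest_dir/custody.log")
    [ -n "$recorded" ] && [ "$(sha256_of "$dest_dir/evidence.img")" = "$recorded" ]
}

# Usage from a Linux live USB, as root, with the drive attached as secondary:
#   acquire_image /dev/sdX /mnt/case01 && verify_image /mnt/case01
```

Once the image verifies, it can be attached read-only on the analysis machine and the locked sample copied out from there, leaving the original drive untouched.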
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 125 total points
ID: 41745744
I second and endorse what btan said. It was what I would suggest as well.
0
 

Expert Comment

by:Christopher Most
ID: 41751284
Did you have antivirus running on the machine?  If so I would contact them.  I have a friend who was running McAfee and they remotely logged in, cleaned the machine, moved the files to another area and once they can figure it out say they will be able to get the files back.

I have heard it is best to just pay the ransom if you need the files but everybody hates to do that.  I never knew that the AV companies could do this.
0
