Solved

I have a hard drive locked by ransomware. How can I safely pull off a file to examine?

Posted on 2016-08-05
Last Modified: 2016-08-10
The user was infected with Ransomware. I had them take out their hard drive.  The computer was running Windows XP.
I've been advised by the experts here to submit a locked file to determine the extent of the locking.

How should I attach this drive?  I have Macs, Parallels Virtual Machine running on a Mac, Windows 7, Windows 10, Parted Magic Repair USB that I can operate a PC with.

Thanks.
Question by:computerlarry
6 Comments
 
LVL 23

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745037
As long as the drive is attached as a secondary, i.e. non-boot drive, to a different, clean system, it should be fine.
 

Author Comment

by:computerlarry
ID: 41745038
Can you suggest a site where I could submit some files for analysis?
 
LVL 23

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745040

 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 41745083
I suggest ID Ransomware to identify the ransomware:
https://id-ransomware.malwarehunterteam.com/index.php
Or Crypto Sheriff:
https://www.nomoreransom.org/crypto-sheriff.php

Just to share: it is important for HDD forensics, if it is specifically for investigation purposes, that chain of custody is critical; hence there is a need to make sure there are no major configuration changes to the HDD system, as these may also result in degradation of the integrity of the evidence on the hard disk. So if the machine is running live, not shut down, you can hibernate the system (as the affected user) before removing the HDD from the system. Most of the time, a forensic image should be taken before any analysis is done, to preserve the integrity of the evidence. Some even connect a write blocker to safeguard the original HDD; otherwise most will work on the cloned HDD image. These are possible provided that the HDD is not disk-encrypted (especially not bound to your motherboard); otherwise you need to decrypt the HDD.
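Putting NVIT's advice (attach only as a secondary, non-boot drive on a clean system) and btan's (image and hash before any analysis, write-block the original) into practice on the Parted Magic USB the asker already has, as an added example that is not code from any poster in this thread. The device names /dev/sdb and /dev/sdb1, the mount point and the sample file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): attach the suspect drive read-only from a Linux
# rescue boot such as Parted Magic, image it, and pull one locked file out with digests.
# Assumptions: the suspect disk shows up as /dev/sdb with the Windows partition at
# /dev/sdb1; blockdev, ntfs-3g, dd and sha256sum (or shasum) are available.
set -eu

DEV="${DEV:-/dev/sdb}"       # assumed whole suspect disk
PART="${PART:-/dev/sdb1}"    # assumed Windows XP system partition
MNT="${MNT:-/mnt/suspect}"   # mount point on the clean system

sha256_of() {                # hex digest of one file or block device
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Software write block: the kernel refuses all writes to the device from here on.
attach_readonly() {
    blockdev --setro "$DEV"
    blockdev --setro "$PART"
    mkdir -p "$MNT"
    # ro: no journal replay or metadata writes; noexec/nosuid/nodev: nothing on the
    # suspect disk can be executed from the clean system by accident.
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$PART" "$MNT"
}

# Raw image of the whole disk before any analysis; record both digests. conv=noerror,sync
# zero-fills unreadable sectors, so a digest mismatch here means the disk had read errors.
image_disk() {
    dd if="$DEV" of="$1" bs=4M conv=noerror,sync
    echo "disk  $(sha256_of "$DEV")"
    echo "image $(sha256_of "$1")"
}

# Copy one locked file out, strip the execute bit, and verify the copy by digest.
# Prints the digest so it can be recorded with the sample submitted for identification.
copy_and_verify() {
    src="$1"; dst="$2"
    cp -p "$src" "$dst"
    chmod a-x "$dst"
    h_src=$(sha256_of "$src"); h_dst=$(sha256_of "$dst")
    [ "$h_src" = "$h_dst" ] || { echo "digest mismatch for $src" >&2; return 1; }
    echo "$h_dst"
}

# Typical run on the rescue system (example path; adjust to the real locked file):
# attach_readonly
# image_disk /mnt/external/suspect-xp.dd
# copy_and_verify "$MNT/Documents and Settings/user/My Documents/report.doc" /tmp/sample.bin
```

Write the image to a separate external disk, not to the suspect drive, and submit only the copied sample (never the drive itself) to the identification sites linked above.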
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 125 total points
ID: 41745744
I second and endorse what btan said. It was what I would suggest as well.
 

Expert Comment

by:Christopher Most
ID: 41751284
Did you have antivirus running on the machine? If so, I would contact them. I have a friend who was running McAfee, and they remotely logged in, cleaned the machine, moved the files to another area and, once they can figure it out, say they will be able to get the files back.

I have heard it is best to just pay the ransom if you need the files but everybody hates to do that.  I never knew that the AV companies could do this.
