Solved

I have hard drive locked by Ransomware. How can I safely pull off a file to examine?

Posted on 2016-08-05
6
144 Views
Last Modified: 2016-08-10
The user was infected with Ransomware. I had them take out their hard drive.  The computer was running Windows XP.
I've been advised by the experts here to submit a locked file to determine the extent of the locking.

How should I attach this drive?  I have Macs, Parallels Virtual Machine running on a Mac, Windows 7, Windows 10, Parted Magic Repair USB that I can operate a PC with.

Thanks.
0
Comment
Question by:computerlarry
6 Comments
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745037
As long as the drive is attached as a secondary, i.e. non-boot drive, to a different, clean system, it should be fine.
0
 

Author Comment

by:computerlarry
ID: 41745038
Can you suggest a site where I could submit some files for analysis?
0
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41745040
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 41745083
I suggest idransomware to identify the Ransomware
https://id-ransomware.malwarehunterteam.com/index.php
Or Crypto Sheriff
https://www.nomoreransom.org/crypto-sheriff.php

Just to share it is important for HDD forensic, if it specifically for investigation purpose chain of custody is critical hence there is need to make sure no major configuration changes to the HDD system as these may also result in degradation of the integrity of the evidence on the hard-disk. So if the machine is running live, not shut down, you can hibernate the system (as the affected user) before removing the HDD from the system. Most of the time, a forensic image should be taken before any analysis is done to preserve the integrity of the evidence. Some even connect write blocker to safeguard the original HDD or otherwise most will work on the cloned HDD image. These are possible provided that the HDD is not disk encrypted (esp not binded to your motherboard) otherwise you need to decrypt the HDD.
0
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 125 total points
ID: 41745744
I second and endorse what btan said. it was what I would suggest as well.
0
 

Expert Comment

by:Christopher Most
ID: 41751284
Did you have antivirus running on the machine?  If so I would contact them.  I have a friend who was running McAfee and they remotely logged in, cleaned the machine, moved the files to another area and once they can figure it out say they will be able to get the files back.

I have heard it is best to just pay the ransom if you need the files but everybody hates to do that.  I never knew that the AV companies could do this.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question