Solved

I have hard drive locked by Ransomware. How can I safely pull off a file to examine?

Posted on 2016-08-05
193 Views
Last Modified: 2016-08-10
The user was infected with Ransomware. I had them take out their hard drive.  The computer was running Windows XP.
I've been advised by the experts here to submit a locked file to determine the extent of the locking.

How should I attach this drive?  I have Macs, Parallels Virtual Machine running on a Mac, Windows 7, Windows 10, Parted Magic Repair USB that I can operate a PC with.

Thanks.
Question by:computerlarry
6 Comments
 
LVL 25

Assisted Solution

by:NVIT
NVIT earned 500 total points
ID: 41745037
As long as the drive is attached as a secondary, i.e. non-boot drive, to a different, clean system, it should be fine.
0
 

Author Comment

by:computerlarry
ID: 41745038
Can you suggest a site where I could submit some files for analysis?
0
 
LVL 25

Assisted Solution

by:NVIT
NVIT earned 500 total points
ID: 41745040
0
 
LVL 65

Accepted Solution

by:btan
btan earned 1000 total points
ID: 41745083
I suggest ID Ransomware to identify the ransomware:
https://id-ransomware.malwarehunterteam.com/index.php
Or Crypto Sheriff:
https://www.nomoreransom.org/crypto-sheriff.php

Just to share: for HDD forensics, if it is specifically for investigation purposes, chain of custody is critical, hence there is a need to make sure no major configuration changes are made to the HDD system, as these may also result in degradation of the integrity of the evidence on the hard disk. So if the machine is running live, not shut down, you can hibernate the system (as the affected user) before removing the HDD from the system. Most of the time, a forensic image should be taken before any analysis is done to preserve the integrity of the evidence. Some even connect a write blocker to safeguard the original HDD; otherwise most will work on the cloned HDD image. These are possible provided that the HDD is not disk encrypted (especially not bound to your motherboard); otherwise you need to decrypt the HDD.
0
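A scripted version of the acquire-first, work-on-the-copy procedure btan describes, written for a Linux rescue boot such as the Parted Magic USB mentioned in the question. This is an added example, not code from the thread or from either identification service; the `dd` options, device paths, mount points and partition offset are assumptions, and a hardware write blocker remains the safer option where one is available.

```shell
#!/bin/sh
# Added example (not from the thread): image a suspect drive, record a hash,
# verify the copy, mount it read-only and pull sample files from the copy.
# Assumes a Linux rescue boot (e.g. Parted Magic) with GNU coreutils and
# util-linux; device, mount and output paths below are placeholders.
set -eu

# Bit-for-bit copy of a block device (or a file, for testing) into an image,
# with a SHA-256 of the image recorded beside it. Prints the hash.
# bs=512 keeps conv=sync padding sector-aligned; dc3dd or ddrescue are the
# better tools for a damaged disk, this is the portable fallback.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$img" > "$img.sha256"
    awk '{print $1}' "$img.sha256"
}

# Re-hash the image and compare with the recorded value (exit 0 if unchanged).
# Run this before and after every analysis session on the copy.
verify_image() {
    sha256sum -c --quiet "$1.sha256" >/dev/null 2>&1
}

# Attach the image through a read-only loop device and mount the filesystem
# inside it without write, exec or setuid. Needs root. The partition offset in
# bytes comes from `fdisk -l "$img"` (start sector * sector size).
mount_image_ro() {
    img=$1; mnt=$2; off=${3:-0}
    mkdir -p "$mnt"
    loopdev=$(losetup --find --show --read-only --offset "$off" "$img")
    mount -o ro,noexec,nosuid,nodev "$loopdev" "$mnt"
    echo "$loopdev"
}

# Copy chosen files out of the mounted copy (timestamps preserved) and hash
# them, so what is sent to an identification service is documented.
extract_sample() {
    mnt=$1; out=$2; shift 2
    mkdir -p "$out"
    for f in "$@"; do cp -p "$mnt/$f" "$out/"; done
    (cd "$out" && sha256sum ./*)
}

# Typical run (placeholder paths): the original disk is only ever read.
# h=$(acquire_image /dev/sdb /mnt/case/evidence.img)
# mount_image_ro /mnt/case/evidence.img /mnt/evidence 32256
# extract_sample /mnt/evidence /mnt/case/samples 'Documents/report.doc.locked'
# verify_image /mnt/case/evidence.img
```

The original drive is opened only by `dd` for reading; every later step, including the files submitted to ID Ransomware or Crypto Sheriff, works from the hashed copy.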
 
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 41745744
I second and endorse what btan said. It was what I would suggest as well.
0
 

Expert Comment

by:Christopher Most
ID: 41751284
Did you have antivirus running on the machine? If so, I would contact them. I have a friend who was running McAfee, and they remotely logged in, cleaned the machine, moved the files to another area, and say that once they figure it out they will be able to get the files back.

I have heard it is best to just pay the ransom if you need the files but everybody hates to do that.  I never knew that the AV companies could do this.
0
