?
Solved

I have hard drive locked by Ransomware. How can I safely pull off a file to examine?

Posted on 2016-08-05
6
Medium Priority
?
188 Views
Last Modified: 2016-08-10
The user was infected with Ransomware. I had them take out their hard drive.  The computer was running Windows XP.
I've been advised by the experts here to submit a locked file to determine the extent of the locking.

How should I attach this drive?  I have Macs, Parallels Virtual Machine running on a Mac, Windows 7, Windows 10, Parted Magic Repair USB that I can operate a PC with.

Thanks.
0
Comment
Question by:computerlarry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 25

Assisted Solution

by:NVIT
NVIT earned 500 total points
ID: 41745037
As long as the drive is attached as a secondary, i.e. non-boot drive, to a different, clean system, it should be fine.
0
 

Author Comment

by:computerlarry
ID: 41745038
Can you suggest a site where I could submit some files for analysis?
0
 
LVL 25

Assisted Solution

by:NVIT
NVIT earned 500 total points
ID: 41745040
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 41745083
I suggest idransomware to identify the Ransomware
https://id-ransomware.malwarehunterteam.com/index.php
Or Crypto Sheriff
https://www.nomoreransom.org/crypto-sheriff.php

Just to share it is important for HDD forensic, if it specifically for investigation purpose chain of custody is critical hence there is need to make sure no major configuration changes to the HDD system as these may also result in degradation of the integrity of the evidence on the hard-disk. So if the machine is running live, not shut down, you can hibernate the system (as the affected user) before removing the HDD from the system. Most of the time, a forensic image should be taken before any analysis is done to preserve the integrity of the evidence. Some even connect write blocker to safeguard the original HDD or otherwise most will work on the cloned HDD image. These are possible provided that the HDD is not disk encrypted (esp not binded to your motherboard) otherwise you need to decrypt the HDD.
0
 
LVL 29

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 41745744
I second and endorse what btan said. it was what I would suggest as well.
0
 

Expert Comment

by:Christopher Most
ID: 41751284
Did you have antivirus running on the machine?  If so I would contact them.  I have a friend who was running McAfee and they remotely logged in, cleaned the machine, moved the files to another area and once they can figure it out say they will be able to get the files back.

I have heard it is best to just pay the ransom if you need the files but everybody hates to do that.  I never knew that the AV companies could do this.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring Remote Assistance for use with SCCM
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question