My goal was to see how the ransomware worked after
the fact, tracing its actions back in time to see what it did and when
it did it, and by doing so possibly find something it didn't do right
which would let me get Q's files back from Crypto Hell. So this will be
technical, but hopefully not so deep that non-tech folks can't follow.

This was the ransom note, set as the user's desktop background. The same
file was dropped in every directory, alongside an HTML instruction file
with more details. All the events take place on 1/30/2017.
3:31 PM:
Q said he was on a web site doing normal work stuff
and couldn't provide too many details. The evidence supports this:
something was downloaded onto the system, detected as malware by the AV
software and moved to C:\QUARANTINE; Internet Explorer crashed and
restarted; a couple more files were downloaded and also moved into
C:\QUARANTINE; and then a file called system.dll arrived, which was
likely the working "grappling hook" (a small downloader) that proceeded
to fetch the real ransomware.

It is tough to say exactly what was downloaded or
how it got there. There are many tricks evil people use; here are a few
I have found and saved over the years:

This is a fake Adobe Flash update - look at the URL
up top, clearly this is NOT from Adobe!
This one is even better - using the real graphics
and text from Adobe, it looks even more real. Yet the URL still screams
out to the observant that this is not the Flash update you are looking for.

I can show hundreds more examples of how the evil
people try to socially engineer you into clicking, but that would be an
article all to itself. If you want, ask me and if I see enough interest
I'll write it!
However it got in, it continued - we are only
seconds into the infection, still at 3:31 PM, and the system immediately
started encrypting files on the externally attached backup hard drive:

This continued for almost 30 minutes, finishing up
at 3:57 PM when the last bits of data Cerber wanted were encrypted:

3:57 PM: Immediately upon finishing encryption on
the external drive, it began encrypting the internal C: hard drive.
The client uses GP Accounting and there were years of documents in the GP
Documents directory, all now encrypted:

The system finished encrypting data files on the C:
drive at 4:20 PM:
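How a timeline like the one above can be rebuilt from the evidence, as an added example that is not part of this write-up: the script walks each volume, flags files whose content looks encrypted using byte entropy (plain documents sit well below the 7.0 bits/byte cut-off assumed here, ciphertext sits near 8.0), and reports the first and last modification time per volume, which is how you find out which drive was hit first and how long the run took. The toy evidence set it builds in a temp directory, the drive labels and the timestamps are all constructed to mirror this incident.

```python
import math
import os
import tempfile
from collections import Counter
from datetime import datetime

# Assumed cut-off: bytes of ciphertext score close to 8.0 bits/byte, while
# Office documents, PDFs and text sit well below 7.0. Tune if you get noise.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_bytes: int = 4096) -> bool:
    """Judge a file by the entropy of its first `sample_bytes` bytes."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_bytes)) >= ENTROPY_THRESHOLD


def build_timeline(roots: dict) -> dict:
    """Per volume label: (first mtime, last mtime, count) of encrypted files."""
    windows = {}
    for label, root in roots.items():
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if not looks_encrypted(p):
                    continue
                mtime = datetime.fromtimestamp(os.path.getmtime(p))
                first, last, count = windows.get(label, (mtime, mtime, 0))
                windows[label] = (min(first, mtime), max(last, mtime), count + 1)
    return windows


def volume_order(windows: dict) -> list:
    """Volume labels in the order the encryption reached them."""
    return sorted(windows, key=lambda label: windows[label][0])


def make_sample_case() -> dict:
    """Constructed evidence set: random bytes stand in for encrypted files and
    the mtimes mirror the incident (external drive 3:31-3:57 PM, C: 3:57-4:20 PM).
    Returns {volume label: directory} for build_timeline()."""
    base = tempfile.mkdtemp()
    roots = {"E:": os.path.join(base, "external"), "C:": os.path.join(base, "cdrive")}
    plan = [
        ("E:", "backup/payroll.docx", True, datetime(2017, 1, 30, 15, 31)),
        ("E:", "backup/clients.xlsx", True, datetime(2017, 1, 30, 15, 45)),
        ("E:", "backup/taxes.pdf", True, datetime(2017, 1, 30, 15, 57)),
        ("C:", "GP Documents/invoice.pdf", True, datetime(2017, 1, 30, 15, 57)),
        ("C:", "GP Documents/ledger.xlsx", True, datetime(2017, 1, 30, 16, 20)),
        ("C:", "notes/readme.txt", False, datetime(2016, 7, 1, 9, 0)),  # untouched
    ]
    for label, rel, encrypted, when in plan:
        p = os.path.join(roots[label], *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(os.urandom(4096) if encrypted else b"Plain text content " * 200)
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # back-date the file to the planned time
    return roots


if __name__ == "__main__":
    timeline = build_timeline(make_sample_case())
    for label in volume_order(timeline):
        first, last, count = timeline[label]
        print(f"{label} {count} encrypted files, {first:%I:%M %p} to {last:%I:%M %p}")
```

Against real evidence, point `roots` at the mounted external drive and a read-only forensic copy of C:. The mtime that `os.path.getmtime` reports is easy to tamper with; the `$STANDARD_INFORMATION` and `$FILE_NAME` timestamps in the NTFS `$MFT` are the authoritative version, so an MFT parser is the better source when it matters.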

Meanwhile, the ransomware was filling up the hard
drive. When the disk runs low on space, Windows deletes its oldest
shadow copies (the data behind the "Previous Versions" tab, covering
operating system files as well as user data) to make room, which
prevents recovering earlier versions of the files:

Shadow copies were deleted to make room at 3:58 PM,
4:03, 4:06, 4:08, 4:12, 4:14 ... then at 4:16 PM, the system threw its
hands up and gave up making shadow copies because the disk was too full:
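The shadow copy story above can be confirmed from the System event log rather than inferred from disk-full symptoms. This added example (mine, not part of the original investigation) parses an Event Viewer CSV export, pulls out the VolSnap events that record shadow copies being deleted because the storage area could not grow (event ID 25) and the point where VSS gave up (event ID 36), and checks whether those fall inside the encryption window. The event IDs are quoted from memory of Windows' volsnap messages and should be verified against the machine's own log; the export lines are constructed to mirror this incident.

```python
import csv
import io
from datetime import datetime

# VolSnap event IDs as recalled from Windows System logs (assumption: confirm
# the IDs and message text in Event Viewer on the machine you are examining).
VOLSNAP_DELETED = 25   # shadow copies deleted: storage could not grow in time
VOLSNAP_ABORTED = 36   # shadow copies aborted: storage hit a user-imposed limit
KERNEL_POWER_UNCLEAN = 41  # system rebooted without cleanly shutting down

# Constructed sample shaped like an Event Viewer CSV export of the System log.
SAMPLE_EXPORT = """Level,Date and Time,Source,Event ID,Task Category
Information,1/30/2017 3:31:02 PM,Service Control Manager,7036,None
Warning,1/30/2017 3:58:10 PM,volsnap,25,None
Warning,1/30/2017 4:03:41 PM,volsnap,25,None
Warning,1/30/2017 4:06:05 PM,volsnap,25,None
Warning,1/30/2017 4:08:33 PM,volsnap,25,None
Warning,1/30/2017 4:12:19 PM,volsnap,25,None
Warning,1/30/2017 4:14:50 PM,volsnap,25,None
Error,1/30/2017 4:16:27 PM,volsnap,36,None
Information,1/30/2017 4:20:00 PM,SomeOtherSource,25,None
Critical,1/30/2017 4:31:12 PM,Microsoft-Windows-Kernel-Power,41,(63)
"""


def parse_time(text: str) -> datetime:
    """Parse the 'Date and Time' column format used by the export."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def parse_export(text: str) -> list:
    """Turn the CSV export into a list of event dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": parse_time(row["Date and Time"]),
            "source": row["Source"],
            "event_id": int(row["Event ID"]),
            "level": row["Level"],
        })
    return sorted(events, key=lambda e: e["time"])


def shadow_copy_summary(events: list) -> dict:
    """When shadow copies were thrown away, and when VSS stopped trying."""
    vol = [e for e in events if e["source"].lower() == "volsnap"]  # ignore other sources' ID 25
    deleted = sorted(e["time"] for e in vol if e["event_id"] == VOLSNAP_DELETED)
    aborted = [e["time"] for e in vol if e["event_id"] == VOLSNAP_ABORTED]
    return {"deleted_at": deleted, "gave_up_at": min(aborted) if aborted else None}


def overlaps_encryption(summary: dict, start: datetime, end: datetime) -> bool:
    """True if any shadow copy loss happened while the encryption run was active."""
    times = list(summary["deleted_at"])
    if summary["gave_up_at"] is not None:
        times.append(summary["gave_up_at"])
    return any(start <= t <= end for t in times)


def unclean_shutdowns(events: list) -> list:
    """Kernel-Power 41 entries: the hard power-off the user resorted to."""
    return [e["time"] for e in events
            if e["source"] == "Microsoft-Windows-Kernel-Power"
            and e["event_id"] == KERNEL_POWER_UNCLEAN]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    summary = shadow_copy_summary(evts)
    print("shadow copies deleted at:", [t.strftime("%I:%M %p") for t in summary["deleted_at"]])
    print("VSS gave up at:", summary["gave_up_at"])
    print("inside encryption window:", overlaps_encryption(
        summary, parse_time("1/30/2017 3:57:00 PM"), parse_time("1/30/2017 4:20:00 PM")))
    print("unclean shutdowns:", unclean_shutdowns(evts))
```

Before relying on "Previous Versions" at all, run `vssadmin list shadows` and `vssadmin list shadowstorage` on the affected volume; if the storage area hit its limit or the disk filled, the oldest copies are already gone, exactly as this export shows.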

This is really quite smart of the evil Cerber
people - previous versions of Cerber didn't do this, so you could
recover your files from the 'Previous Versions' tab! Unfortunately, they
"fixed" this "problem" in this newer release of Cerber. So beware of
sites claiming to be able to recover your files - they are
likely saying that about a previous version of Cerber, not the current one.
If you have ever filled up your C: drive, you know
how much it impacts your system's performance. Q likely did a hard power
down to reboot the system as it wasn't very responsive, causing the
event logs about being powered on without a proper shutdown at 4:31 PM.
4:30-5:07 PM:
Here we can see that Q tried to fix this with
SuperAntiSpyware ... unfortunately, this isn't spyware and the data was
already encrypted:

I received both Q's computer and the external hard
drive via FedEx and started looking at / documenting / researching
Cerber's ransomware to see what, if anything, I could do for Q's files.
The internet history was completely wiped out:

There were no previous versions of files, as all the
shadow copy data was wiped out to make room when the disk was filling up.

Since it wrote over the entire unused area of
the drive, all deleted files were overwritten as well, which eliminated
the chance of undeleting older versions and recovering that way.
Short of finding the encryption key magically
written to some place on the drive, chances are this data isn't coming
back. With a copy of the original ransomware, tools could be used to
watch what the system is doing during the infection and possibly catch
the key at that moment. Without knowing exactly where the ransomware came
from or whether it is even still on the drive, I would be shooting
completely in the dark trying to find it.
Trying to pay
There are tons of examples of people that were
infected being screwed over: paying and then not getting their files
back, or paying after the system that holds the encryption keys was taken
down by law enforcement so the keys don't even exist anymore, hospitals
being extorted and paying only to be held ransom for still more money
... and on the flip side, there are also ransomware victims that are
getting their files back by paying the ransom. I'm not here in this
article advocating one way or another, just giving you some data and
pointers at the end to help you make up your mind.
So in the best interest of my client, I asked what
it would take for them to have a chance at getting their files back by
paying the ransom? As in 'How much?' ... so I followed the instructions
and tried to get to the web sites, but ALL of them were down:
Another path to the ransom payment site was via the
Tor browser and the "dark
web", details you can read about at the links. Evil people do this
so they can't be found.
I finally allowed the system to connect back to the
internet via an isolated network in case it was still actively trying to
infect other systems and connected to the evil extortionists to see how
much they wanted. The sequence of events is here:
How nice! They support multiple languages!

Clicking english, for strange reasons they wanted
me to prove that I wasn't a bot... so they had this captcha:

Over and over again, I kept picking and apparently
kept getting it wrong...

On and on this went... so many I stopped capturing
all the screens. This was beginning to look like a cruel joke or social
experiment in "How badly do they want their files? The more they click,
the more they want their files, the more we can charge them!"
(ransomware authors: If you use that idea, please
send me a commission check!)
Eventually I got here:

This went on in a lather-rinse-repeat cycle a few
more times before I gave up for the night.
Next day, tried again - more times than I care to
admit - and eventually got here:

And at long last:

I don't get it - are bots attacking the ransomware
sites? Why else would they need some complex captcha?
So for this week and this week only, you can have
your files back for the sale price of a bit over $604. Wait 4 days and
the price goes up to a bit over $1209.
Other paths traversed
This was just the analysis of what happened. I
poked at it with many other tools and many other searches, but nothing
proved fruitful.
If you search, you will find a whole lot of sites
that claim if you buy their product they can help you decrypt - but I'll
bet they can't. If encrypted data was that easy to crack, then the
ransomware business wouldn't be making millions of dollars weekly.
The best site I found with various decryption tools
is here:
https://www.nomoreransom.org and they link to other anti-malware
companies that have developed tools for certain strains of ransomware.
If you are here because you got bit, then maybe they have a tool for your strain.
Another set of tools is
here at Trend Micro (full disclosure: I am a Trend Micro reseller /
partner, but I get nothing out of you going there to see if their tool
can decrypt your files!). They have a cerber decrypter but it doesn't
work on this latest version.
WARNING: There is a lot of click-bait out there!
There are also a lot of products that claim they will get your files
back if you send them money, but there is no reason to believe they can
unless they are connected to the original malware authors and have the
decryption keys!
For the technically inclined, there is a deep dive
into the internals at the
malwarebytes blog (WARNING: Assembly language content! Do not read
unless you own a propeller beanie and are not shy about wearing it in
public!) but this is for the version 1 of the
Cerber tool - cerber 'red' is at least version 5. They stopped numbering
their malware in a publicly visible way.
The best option for recovery is restoring from a
not-connected-to-the-computer backup.
This ransomware encrypted the externally connected
drive before attacking the internal drive. So if your backup is always
plugged in, it is going to be encrypted too.
I've advocated and preached backups forever due to
the fragility of the data on hard drives since they were invented. Every
hard drive will fail someday, and it will try to take all your data with
it. The question is how will you recover that data?
Thus the backup.
In this case, due to some legal orders and a
company sale, they had a copy of the hard drive as it existed in
September of 2016. So while a little over 4 months of files were lost,
they had everything from that point backwards. Plus everything in the
mail server (thus documents that had been sent or received via Email)
was recoverable. Much of the accounting work could be pulled out of
So while a lot was encrypted, a good portion of it
came back - due to a disconnected backup.
Without that backup, this would have been a
situation where the only data recoverable was stuff sent to other users'
computers at various points in time.
Back up your data! If not everything, at least what
you hope to recover if your computer is stolen or catches fire.
Think about that for a minute - if your main
computer vanishes, what will you need in order to become whole again?
If your backup strategy
doesn't have something that will help you in that situation, then you
are going to find yourself helpless in the face of a ransomware
infection as well.
