Tag Archives: ransomware

Repair MP4, MOV, 3GP, M4V, WAV, MP3 after STOP/DJVU ransomware

Like most ransomware, STOP/DJVU encrypts files to make them inaccessible. After you pay the ransom (in bitcoins), the attackers send the tools and information needed to decrypt your files and make them accessible again. The encryption is very hard to ‘break’, but ransomware researchers every now and then have success creating decryption software. Some time… Read More »

JPEG restart markers to the rescue

Restart markers make the difference. This YouTube channel by my friend and colleague Nguyễn Vũ Hà has many great examples of JPEG-Repair being used to repair files affected by STOP/DJVU ransomware. This video in particular is a great showcase of how JPEG restart markers prevent corruption from propagating through the JPEG image stream. As you can see… Read More »

Repair, Recover JPEGs encrypted by ransomware STOP Djvu

This article shows the repair of JPEGs that fell victim to ransomware. This particular ransomware only encrypts part of the file. As a result, the JPEG header and some 150 KB of JPEG data are lost. Using a reference file and weeding out the encrypted data, we can repair the photo.

Petya or NotPetya from a data recovery perspective

This is not a blog post on the inner workings of this ransomware. I am purely interested in discussing the recoverability of your data. The Petya or NotPetya ransomware appears to do three things to prevent you from accessing your data: it encrypts the MBR; individual files are encrypted; then it encrypts the Master File… Read More »

List of ransomware decryption tools

As a result of my ransomware research I’m now following a bunch of ‘tweeters’ that work in the field of cyber security. One tweet pointed me at this list of ransomware decryption tools. Since this list is a big mess, I cleaned it up and made it available here. In the first column the name of… Read More »

Can you recover files from the wannacrypt ransomware?

I just noticed a couple of tweets where file recovery software developers such as iCare and Easeus went as far as: “Save $300 in your pocket and don’t pay the ransom to decrypt files!”. For a moment I was under the impression that they had already figured out how to decrypt the hostage files. But that’s… Read More »