My car radio doesn’t work. I bought a Bluetooth stereo a year ago but never got around to purchasing the adapter for the antenna. This means that I can’t listen to the radio at all during my commute to work or while traveling to various on-site engagements. Instead I listen to audiobooks and podcasts. One of my favorite podcasts is Security Now on the TWiT network.
Yesterday I was listening to episode 501 and heard some information that I thought might be useful and wanted to share.
As we are all aware, ransomware is a growing trend. This is malware that finds its way onto a computer, encrypts virtually every user-created file it can find, and then charges the victim a few hundred dollars for the key to get the files back. If you get hit by this it can be disastrous, especially if you wait too long to pay the ransom. The criminals claim that there is no way to get your files back unless you pay the fee.
This may not be entirely accurate. A listener of Security Now wrote in to say that he ran a file carve over an image of an infected computer and was able to recover a large number of files. So it looks like the bad guys aren’t securely overwriting data after they’ve encrypted the file: the ransomware writes the encrypted copy and deletes the original, and a normal delete only frees the original’s clusters rather than wiping them. The plaintext is still sitting in unallocated space, where a carver that scans raw disk bytes for file signatures can find it, as long as nothing has reused those clusters since.
This may change in coming weeks as the bad guys scramble to rectify this oversight but, in the mean time, there is some hope. That last caveat matters: every minute the infected machine keeps running, new writes can land on top of the deleted originals. Take it offline, image the disk, and carve the image rather than the live system. There’s time to do that before making the decision about paying the ransom.
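To show what the listener’s file carve is actually doing, here is a small header/footer carver. It is an added example written for this post, not the listener’s tooling or any production carver. It uses real magic bytes for JPEG, PNG and PDF, but the “disk image” it scans is constructed in memory: a block of stand-in ciphertext (what the victim now sees), followed by the deleted plaintext originals still sitting in unallocated space, one of them partially overwritten.

```python
"""Minimal header/footer file carver.

Carving ignores the file system entirely and scans raw bytes for known
signatures, so a deleted plaintext whose clusters were never overwritten is
found exactly as if it were still allocated. Example code for this post; the
signatures are real magic bytes, the image below is constructed, not real.
"""
from dataclasses import dataclass

# (type, header magic, footer magic, size cap used when the footer is missing)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
]


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found (truncated or partly overwritten)


def carve(image: bytes) -> list[CarvedFile]:
    """Return every signature-delimited file found anywhere in the raw image."""
    results = []
    for kind, header, footer, max_size in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                # Footer missing or implausibly far away: keep what survives
                # within the cap and flag it, then keep scanning past the header.
                results.append(CarvedFile(kind, start, image[start:start + max_size], False))
                pos = start + len(header)
            else:
                results.append(CarvedFile(kind, start, image[start:end + len(footer)], True))
                # Skip headers nested inside the carved file (e.g. EXIF thumbnails).
                pos = end + len(footer)
    results.sort(key=lambda f: f.offset)
    return results


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image of a ransomed machine."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-of-photo" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR...chunks..." + b"IEND\xaeB`\x82"
    # A PDF whose tail was already overwritten by later disk activity.
    pdf_partial = b"%PDF-1.4\n1 0 obj" + b"\x00" * 32
    # Synthetic "encrypted" bytes: no file signature, nothing to carve here.
    ciphertext = bytes((i * 37 + 11) % 256 for i in range(256))
    return (
        b"\x00" * 256       # allocated metadata / boot area
        + ciphertext        # the encrypted file the victim is left with
        + b"\x00" * 128
        + jpeg              # deleted original, clusters never reused
        + b"\x00" * 64
        + png               # deleted original, clusters never reused
        + b"\x00" * 64
        + pdf_partial       # deleted original, partly overwritten
        + b"\x00" * 128
    )


def recover_originals(image: bytes) -> list[CarvedFile]:
    return carve(image)


if __name__ == "__main__":
    for f in recover_originals(build_sample_image()):
        state = "complete" if f.complete else "TRUNCATED"
        print(f"{f.kind:4} @ {f.offset:6d}  {len(f.data):5d} bytes  {state}")
```

Point it at a real image with `carve(open("disk.img", "rb").read())` after imaging with a write blocker; the ciphertext block yields nothing, while the deleted originals come back intact wherever their clusters were not reused, and the partially overwritten PDF comes back flagged as incomplete. Real carvers such as scalpel, foremost and PhotoRec do the same thing with far larger signature tables and smarter handling of fragmented files.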
This isn’t the only way to combat this ransomware, however. A great post by Adam Kramer on the SANS Forensic Blog shows how to disrupt such ransomware using file handles in Windows. It is genius in its simplicity. Thanks Adam. If you want to read his article you can find it here.