Discussion:
archlinux ext4 recovery file versioning
Maykel Franco via arch-general
2017-04-17 18:31:35 UTC
Hi, I have a server on Arch Linux with Samba. I have a Windows client in my
house with a mapped folder, but a Trojan has entered and encrypted all files,
including the Arch Linux server...

Arch Linux is formatted with ext4.

Would it be possible to recover unencrypted files?
Alex Theotokatos via arch-general
2017-04-17 20:08:54 UTC
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in my
house with a mapped folder, but a Trojan has entered and encrypted all files,
including the Arch Linux server...
Arch Linux is formatted with ext4.
Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...
Maykel Franco via arch-general
2017-04-17 20:12:15 UTC
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in my
house with a mapped folder, but a Trojan has entered and encrypted all files,
including the Arch Linux server...
Arch Linux is formatted with ext4.
Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...

With testdisk, is it possible to recover the original files without encryption?
Alex Theotokatos via arch-general
2017-04-17 20:16:25 UTC
Post by Maykel Franco via arch-general
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in my
house with a mapped folder, but a Trojan has entered and encrypted all files,
including the Arch Linux server...
Arch Linux is formatted with ext4.
Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...
With testdisk, is it possible to recover the original files without encryption?
It will not unlock the encrypted files, but photorec will swap all the
disk and can recover some files that 'theoretically' were deleted or tmp
files.
Maybe, during encryption the files were moved to some parent folder and
then deleted. I think photorec might help here.
You can start with testdisk and see what is deleted and not.
Kyle McNally via arch-general
2017-04-19 14:20:53 UTC
Post by Maykel Franco via arch-general
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in
my house with a mapped folder, but a Trojan has entered and encrypted
all files, including the Arch Linux server...
Arch Linux is formatted with ext4.
Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...
With testdisk, is it possible to recover the original files without encryption?
It will not unlock the encrypted files, but photorec will swap all the disk and can recover some files that 'theoretically' were deleted or tmp files.
Maybe, during encryption the files were moved to some parent folder and then deleted. I think photorec might help here.
You can start with testdisk and see what is deleted and not.
You can try this site
https://www.nomoreransom.org/

It might help you decrypt the files. File recovery most likely won't help. (Unless you can 'recover' from a cloud based backup!)
Kai-Chun Ning via arch-general
2017-04-19 14:55:18 UTC
Post by Kyle McNally via arch-general
Post by Maykel Franco via arch-general
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in
my house with a mapped folder, but a Trojan has entered and encrypted
all files, including the Arch Linux server...
Arch Linux is formatted with ext4.
Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...
With testdisk, is it possible to recover the original files without encryption?
It will not unlock the encrypted files, but photorec will swap all the disk and can recover some files that 'theoretically' were deleted or tmp files.
Maybe, during encryption the files were moved to some parent folder and then deleted. I think photorec might help here.
You can start with testdisk and see what is deleted and not.
You can try this site
https://www.nomoreransom.org/
It might help you decrypt the files. File recovery most likely won't help. (Unless you can 'recover' from a cloud based backup!)
Hi,

Did the trojan infect the server? Were you able to isolate the
malicious executable?
--
Kind regards,

Kai-Chun
Guus Snijders via arch-general
2017-04-19 16:39:12 UTC
On 19 Apr 2017 16:21, "Kyle McNally via arch-general" wrote <
Post by Maykel Franco via arch-general
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
Post by Maykel Franco via arch-general
Hi, I have a server on Arch Linux with Samba. I have a Windows client in
my house with a mapped folder, but a Trojan has entered and encrypted
all files, including the Arch Linux server...
[...]
Maybe, during encryption the files were moved to some parent folder and then
deleted. I think photorec might help here.
You can start with testdisk and see what is deleted and not.
You can try this site
https://www.nomoreransom.org/

It might help you decrypt the files. File recovery most likely won't help.
(Unless you can 'recover' from a cloud based backup!)


Actually, file recovery (low-level) works very nicely with most
ransomware infections. Especially since (in this case), the files were on
another PC.
There are some gotchas though, like used disk space and time consumption.
If those are not an issue, or acceptable; I've had great results with
photorec on some sample machines.

Wrt backup: since the server itself wasn't involved, all local backups
should be fine. Unless those were on a writable share, of course.



Kind regards, Guus Snijders
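
One way to sort through what a carving run such as photorec leaves behind, as an added example that is not part of any post in this thread: it walks the output directories (photorec names them `recup_dir.N`) and separates files with a recognised header from headerless high-entropy data that is more likely ciphertext. The signature table, the 7.5 bits/byte threshold and the function names are assumptions made for the example.

```python
import math
import os
from collections import Counter

# Constructed, deliberately short list of well-known file signatures
# (PDF, JPEG, PNG, ZIP-based office formats); extend for your own data.
MAGIC = (
    b"%PDF-",
    b"\xff\xd8\xff",
    b"\x89PNG\r\n\x1a\n",
    b"PK\x03\x04",
)
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, needs a few KiB of data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample: int = 65536) -> str:
    """Return 'known-format', 'likely-encrypted' or 'plain/other'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(MAGIC):
        return "known-format"
    # Compressed formats are high-entropy too, so the header check runs first.
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "likely-encrypted"
    return "plain/other"


def triage(root: str) -> dict:
    """Walk a recovery output directory and group relative paths by class."""
    result = {"known-format": [], "likely-encrypted": [], "plain/other": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            result[classify(full)].append(os.path.relpath(full, root))
    return result


if __name__ == "__main__":
    import sys
    for label, paths in triage(sys.argv[1]).items():
        print(f"{label}: {len(paths)} file(s)")
```

Files in the `known-format` group still need to be opened and checked, since a carved file can have a valid header and a partly overwritten body.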
