Ransomware and restore points

1 reply to this topic

#1 peernilsen


  • Members
  • 2 posts

Posted 14 May 2016 - 12:51 PM

Hope this question is not beside the topic.


I've encountered different ransomware on different occasions for my clients. Sometimes able to get files back using Shadow Explorer, sometimes by paying :-( and on 2 separate accounts using rescue programs to restore the deleted original files (at least some) - and at last of course let it all go ....


With a client computer last week I tried something new, to restore the shadow volume copies from "System Volume Information" - using GetDataBack - for those who know the program it also tells about the state of the file (damaged/partly damaged/fine). I found 4-5 points, 2 of which were "fine" - saved for the time being on USB-HD. Tried to copy one large one, predating the infection, back to SVI and run Shadow Explorer (and System Restore) without finding it. Does anyone know if it is at all possible to open/extract anything from such a file outside its normal environment?


There were also other files residing in SVI, maybe one or more of these files are necessary - log files/db files - for System Restore to be able to "spot" the shadow copy.


Would be glad if any takers could point me in the right direction.


Kind regards


Edited by peernilsen, 14 May 2016 - 12:51 PM.



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:01 AM

Posted 14 May 2016 - 07:38 PM

Most crypto malware typically deletes all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. It is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.

In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

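A defender-side check for the behaviour described in the reply above, as an added example that is not part of the original thread: it scans process-creation records for `vssadmin` being asked to delete shadow copies, while ignoring the harmless `list shadows` call and file names that merely contain the words. The record layout, host names and sample command lines are constructed for illustration.

```python
import ntpath
import re

# Constructed sample records (time, host, command line), shaped like an export
# from process-creation auditing; none of them come from a real incident.
SAMPLE_EVENTS = [
    ("2016-05-09T10:01:12", "PC-01", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("2016-05-09T10:03:40", "PC-01", r'"C:\Windows\System32\VSSADMIN.EXE"  Delete Shadows /All /Quiet'),
    ("2016-05-09T10:03:41", "PC-01", r"cmd.exe /c vssadmin delete shadows /for=C: /oldest"),
    ("2016-05-09T10:05:02", "PC-02", r'notepad.exe "C:\notes\vssadmin delete shadows.txt"'),
]

# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def shadow_delete_args(cmdline):
    """Return the lower-cased arguments following 'vssadmin delete shadows',
    or None when the command line does not delete shadow copies."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    for i, tok in enumerate(tokens):
        # Match on the executable name only, with or without path and .exe.
        if ntpath.basename(tok).lower() in ("vssadmin", "vssadmin.exe"):
            rest = [t.lower() for t in tokens[i + 1:]]
            if rest[:2] == ["delete", "shadows"]:
                return rest[2:]
    return None


def scan(events):
    """Turn matching records into alerts a responder can triage."""
    alerts = []
    for ts, host, cmdline in events:
        args = shadow_delete_args(cmdline)
        if args is not None:
            alerts.append({
                "time": ts,
                "host": host,
                "all_snapshots": "/all" in args,   # every snapshot targeted
                "no_prompt": "/quiet" in args,     # confirmation suppressed
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

An alert with both `all_snapshots` and `no_prompt` set on a workstation is worth treating as urgent, since no snapshots may remain for Previous Versions or Shadow Explorer to read.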
