I design/write applications, do database work, network security, database security, and anything related, so I was called when my friend got hit with 'crysis.6/dharma.onion' a few weeks ago. It took me about 5 days to recover his data. Hooray, not really: the guys who wrote the software for him didn't have the executable matching his database (lolwut, yes, me too). Hey, I got the db, the data was intact, at least we could read it.
TL;DR For a friend, I did the math on paper and came up with a way to repair the files with minimal damage.
What I did afterwards: I wrote a small piece of software that could automate some of the steps; it was hardcoded for MSSQL database mdf files hit with dharma.
After receiving a lot of emails from a lot of people asking for help (100+ emails exchanged, who knew) and having to turn away some of them for lack of time, I decided I could write another program for a wider range of ransomware, capable of doing a little more.
Some people are probably screaming in their mind right now that such software already exists. The answer is yes and no: the current software uses 'published' (crysis) or 'recovered' decryption keys, uses 'flaws' (rand(time()); lol) in the ransomware, or tries to recover keys from memory (wannacry).
What I have in mind is repairing specific types of files with valuable data in a case-by-case manner with user intervention, using either older backups as a reference and/or making educated guesses about the file structure.
What file types are Windows people using these days? (Sorry, I'm a Linux guy.)
First we need a database of files both not encrypted and encrypted with different malware and as much information about them as possible, like their path, their original content and such.
The project will be put on GitHub under the Affero GPL license. I don't want to give anyone false hope, but I'll do my best; not a single line of code has been written yet, because I need to study the files first.
Donations for when I release the software, since I can't have a signature yet: 36YxSK68nZKGzctwcuVWp5vBnV1PjsLuTk
Final request: as much as I love applause and approval, please don't post 'me too', 'yes, please', ...; we all know how we feel. Just post your samples here, or PM them to me if they're confidential and you don't want them out in the open.
Edited by FastCode, 03 September 2017 - 12:58 PM.
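The backup-as-reference approach the post describes, shown as an added example that is not the poster's tool or any released code: an MSSQL data file is triaged page by page (8 KiB pages, 96-byte header; byte 0 is the header version 1, byte 1 the page type), pages that still match the backup or still carry a sane header are kept, and pages whose header was overwritten by ciphertext are pulled from the backup. The page-type set, the sample pages and the stand-in ciphertext are constructed assumptions for illustration.

```python
PAGE_SIZE = 8192       # SQL Server data-file page size
HEADER_VERSION = 1     # byte 0 of every page header is 1
# Page type codes in byte 1 of the header. Assumption: listed from memory of the
# commonly documented SQL Server page types; verify against your server version.
KNOWN_PAGE_TYPES = {1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17}


def header_plausible(page: bytes) -> bool:
    """Educated guess: does this block still begin like a real page header?"""
    return (len(page) == PAGE_SIZE and page[0] == HEADER_VERSION
            and page[1] in KNOWN_PAGE_TYPES)


def classify_pages(damaged: bytes, backup: bytes) -> dict:
    """Compare an encrypted .mdf against an older backup, one page at a time."""
    result = {"intact": [], "plausible": [], "damaged": [], "appended": 0}
    n_pages = min(len(damaged), len(backup)) // PAGE_SIZE
    for i in range(n_pages):
        lo, hi = i * PAGE_SIZE, (i + 1) * PAGE_SIZE
        page = damaged[lo:hi]
        if page == backup[lo:hi]:
            result["intact"].append(i)        # untouched since the backup
        elif header_plausible(page):
            result["plausible"].append(i)     # newer than backup, structurally sane
        else:
            result["damaged"].append(i)       # header overwritten: ciphertext
    # Trailing bytes past the last full page: data the malware appended to the file
    result["appended"] = len(damaged) % PAGE_SIZE
    return result


def rebuild(damaged: bytes, backup: bytes) -> tuple:
    """Keep every page that survived, take the rest from the backup.
    Returns (repaired image, list of page numbers restored from backup)."""
    verdict = classify_pages(damaged, backup)
    n_pages = min(len(damaged), len(backup)) // PAGE_SIZE
    image = bytearray(damaged[: n_pages * PAGE_SIZE])   # also drops the appended tail
    for i in verdict["damaged"]:
        image[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] = backup[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
    return bytes(image), verdict["damaged"]


def make_page(page_type: int, payload: bytes) -> bytes:
    """Constructed sample page: 96-byte header, payload, zero fill to 8 KiB."""
    header = bytes([HEADER_VERSION, page_type]) + bytes(94)
    return (header + payload).ljust(PAGE_SIZE, b"\0")


# Constructed sample: a 4-page backup and the same file after the attack, where
# page 1 was legitimately updated, pages 2-3 were overwritten, and 40 bytes appended.
FAKE_CIPHERTEXT = bytes(range(256)) * (PAGE_SIZE // 256)   # byte 0 is 0: not a header
BACKUP = b"".join([make_page(15, b"file header"), make_page(1, b"row v1"),
                   make_page(1, b"row x"), make_page(2, b"index")])
ENCRYPTED = BACKUP[:PAGE_SIZE] + make_page(1, b"row v2") + FAKE_CIPHERTEXT * 2 + b"X" * 40
```

Pages classified as "plausible" still need a manual look (that is the user intervention the post mentions), since a sane header does not prove the row data behind it is clean.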