The Zepto ransomware, a variant of the Locky ransomware, has been causing all sorts of havoc. The question is "Can Zepto ransomware encrypted data be recovered or repaired?"
The short answer is no; there is at present no known method (or technology) available to decrypt, repair or recover files encrypted by Zepto without access to the decryption key.
Zepto protects the per-victim key material with a 2048-bit RSA key pair whose private half never leaves the attackers' server; the files themselves are encrypted with a symmetric cipher under that key material, which differs from victim to victim. There is no fixed pattern or algorithm that can be reversed without the private key.
Before it encrypts the data it also removes the usual local recovery paths: the Volume Shadow Copies (the Windows "Previous Versions" snapshots) are deleted, so nothing can be restored from them. It communicates with its command server over an encrypted connection and does not store a copy of the key on the local machine.
Earlier versions did store a copy that was deleted afterwards, which made it possible to recover the key in some cases. The encryption was also far less robust, and shadow copies of the files could often be recovered.
The authors have obviously read the published recovery methods; the current malware closes all of these gaps, making it impossible to recover or decrypt the affected data.
There is, unfortunately, nothing that we can do until these criminals are caught and the decryption keys are made available.
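The shadow-copy deletion described above is one of the few things this family does before encryption that a defender can watch for. The following is an added example, not code from the original post: it runs a simple detection over a few constructed process-creation events. The command lines it matches (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog) are the commonly reported ways of deleting shadow copies and are assumptions here rather than something the post states; the backup-agent path treated as trusted is hypothetical.

```python
import re

# Command lines that delete Volume Shadow Copies (assumed from commonly reported
# ransomware behaviour, not taken from the post above).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I),
]

# Parents allowed to prune shadows as part of normal operation (hypothetical path).
TRUSTED_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# Directories a freshly delivered payload typically runs from; a deletion spawned
# from one of these is rated high instead of medium.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp\\")


def is_shadow_deletion(cmdline: str) -> bool:
    """True if the command line deletes shadow copies (listing them is fine)."""
    return any(p.search(cmdline) for p in SHADOW_DELETE)


def triage(events):
    """Return one alert per process-creation event that deletes shadow copies
    and was not spawned by a trusted backup agent."""
    alerts = []
    for ev in events:
        if not is_shadow_deletion(ev["cmdline"]):
            continue
        parent = ev["parent"].lower()
        if parent in TRUSTED_PARENTS:
            continue
        severity = "high" if any(d in parent for d in SUSPICIOUS_PARENT_DIRS) else "medium"
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "severity": severity,
            "reason": "shadow copy deletion: " + ev["cmdline"],
        })
    return alerts


# Constructed sample events (not real logs), in the shape a process-creation
# source such as Sysmon event 1 would give after parsing.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice_2016.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv02", "user": "SYSTEM",
     "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "ws03", "user": "bob",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "WMIC shadowcopy delete"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["user"], a["reason"])
```

Only the two events that actually delete shadows from an untrusted parent produce alerts; the backup agent's routine pruning and the harmless "list shadows" do not. Alerting on the deletion rather than on a file hash survives the constant repacking that the post describes.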
A group of hackers known as "The Shadow Brokers" claims to have stolen hacking tools (exploits) from another group, the "Equation Group", which is believed to have ties to the US National Security Agency (NSA).
The stolen data is now being auctioned to the highest bidder, advertised via posts on a number of websites including Twitter, GitHub, Tumblr, Reddit and Imgur.
A sample of the stolen tools and exploits has been released pending the outcome of the auction, the winner of which will apparently gain full access to the data.
The hacking tools could potentially include exploits for gaining root-level access to networks, routers and hard disk drives.
JTAG stands for Joint Test Action Group, the industry body whose work became the IEEE 1149.1 boundary-scan standard. The technology was developed in the 1980s to overcome the problem of physically reaching the pins of increasingly dense chips for circuit testing. Today it is predominantly used for programming and debugging and, in our case, for extracting data from faulty devices.
See the illustration below for a simplified explanation of the process:
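The heart of the JTAG process is a small state machine, the Test Access Port (TAP) controller defined by IEEE 1149.1, which is stepped by the TMS signal on every TCK clock. As an added example (illustrative code written for this page, not a vendor's extraction tool), the following Python models that state machine on a simulated target and walks it through the first step of any JTAG session: resetting the port and shifting out the 32-bit IDCODE that identifies the chip, then loading BYPASS and shifting a pattern through the one-bit bypass register. The IDCODE value 0x12345679 and the 4-bit IDCODE opcode are constructed for the example, not taken from a real part.

```python
# Next state for TMS=0 and TMS=1, as in the IEEE 1149.1 TAP state diagram.
NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


class SimulatedTarget:
    """A chip with a 4-bit instruction register, a 32-bit IDCODE register and
    the mandatory 1-bit BYPASS register. One call to clock() is one TCK cycle."""
    IR_LEN = 4
    BYPASS = 0b1111   # IEEE 1149.1: the all-ones opcode must select BYPASS
    IDCODE = 0b1110   # opcode chosen for this example (device specific in reality)

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "Test-Logic-Reset"
        self.ir = self.IDCODE
        self.ir_shift = 0
        self.dr = 0
        self.dr_len = 1

    def clock(self, tms, tdi=0):
        """Apply one TCK cycle with the given TMS/TDI; return the TDO bit."""
        tdo = 0
        s = self.state
        if s == "Test-Logic-Reset":
            self.ir = self.IDCODE             # reset selects IDCODE (BYPASS if none)
        elif s == "Capture-DR":
            if self.ir == self.IDCODE:
                self.dr, self.dr_len = self.idcode, 32
            else:                             # BYPASS (and unknown opcodes): 1 bit
                self.dr, self.dr_len = 0, 1
        elif s == "Shift-DR":                 # TDO shows the LSB, then the register shifts
            tdo = self.dr & 1
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif s == "Capture-IR":
            self.ir_shift = 0b0001            # standard fixes the two LSBs to "01"
        elif s == "Shift-IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif s == "Update-IR":
            self.ir = self.ir_shift           # shifted-in opcode takes effect
        self.state = NEXT[s][tms]
        return tdo


def reset(tap):
    """Five TMS=1 clocks reach Test-Logic-Reset from any state; then idle."""
    for _ in range(5):
        tap.clock(1)
    tap.clock(0)                              # -> Run-Test/Idle


def scan(tap, path, nbits, tdi_value=0):
    """From Run-Test/Idle, run a DR or IR scan of nbits and return what came
    out on TDO (LSB first). The TAP is left in Run-Test/Idle."""
    tap.clock(1)                              # -> Select-DR-Scan
    if path == "IR":
        tap.clock(1)                          # -> Select-IR-Scan
    tap.clock(0)                              # -> Capture-xR
    tap.clock(0)                              # -> Shift-xR (register captured on this edge)
    out = 0
    for i in range(nbits):
        tms = 1 if i == nbits - 1 else 0      # last bit also exits to Exit1-xR
        out |= tap.clock(tms, (tdi_value >> i) & 1) << i
    tap.clock(1)                              # -> Update-xR (new contents take effect)
    tap.clock(0)                              # -> Run-Test/Idle
    return out


def read_idcode(tap):
    """Reset the port and read the 32-bit IDCODE the reset state selects."""
    reset(tap)
    return scan(tap, "DR", 32)


def decode_idcode(value):
    """Split an IDCODE: bit 0 is always 1, bits 1-11 manufacturer (JEDEC code),
    bits 12-27 part number, bits 28-31 version."""
    if value & 1 != 1:
        raise ValueError("not an IDCODE (LSB must be 1)")
    return {"manufacturer": (value >> 1) & 0x7FF,
            "part": (value >> 12) & 0xFFFF,
            "version": (value >> 28) & 0xF}


if __name__ == "__main__":
    tap = SimulatedTarget(0x12345679)          # constructed IDCODE, not a real chip
    code = read_idcode(tap)
    print(hex(code), decode_idcode(code))
    scan(tap, "IR", SimulatedTarget.IR_LEN, SimulatedTarget.BYPASS)
    print(hex(scan(tap, "DR", 8, 0xB1)))      # pattern comes back delayed one bit
```

Reading IDCODE is how an extraction tool confirms it is talking to the expected part before any memory access; a value with bit 0 clear or an unknown manufacturer code usually means the wrong test points or a broken connection. With several chips on one chain, each one not being addressed is put into BYPASS, and the one-bit delay shown by the last scan is exactly what has to be accounted for when shifting data through the others.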
June 2016: New data recovery and forensic capabilities have been added to our mobile device data recovery service. We now support 19,776 devices and 1,729 applications; the additions include:
Physical extraction while bypassing user lock for twenty-two Samsung Galaxy devices including the Samsung Galaxy S6, S6 Edge and Note 5.
A new and unique extraction method that allows physical extraction for more than one hundred and forty LG models, with twenty-two newly supported devices including the LG MS330 and VS880.
A unique capability to disable the user lock on one hundred and thirty-seven Samsung devices.
Physical extraction while bypassing user lock and decoding for nineteen Huawei devices.
Disable user lock support for seventeen LG Android devices, including the LG G5.
Physical extraction while bypassing user lock and decoding for three Nokia 105 devices, including RM-1133, RM-1134, and RM-1135.
New applications for iOS and Android devices - Don’t Touch This (iOS), HereMaps (Android), HideSMS (Android), Hot or Not, Kakao Story, Mappy (Android), Meet24, MeetMe, Nike+ Running, Scruff (Android), SpringPad FlipNote (iOS) and TextMe and 183 updated application versions.
Summary of our mobile device data recovery capabilities:
Some of the questions that you should ask before attempting a D.I.Y. recovery or sending the drive to an unqualified third party for data recovery:
Are you willing to play around with a faulty drive and possibly ruin any chance of recovering the data?
How much do you (or your customer) stand to lose if the data is not recoverable vs the cost of having the data recovered by a professional data recovery company?
The value of your (or your customers') data will ultimately determine your next course of action.
Hard drives are a lot more complex than many people think. They are a combination of mechanical, magnetic, electronic and electrical components interfacing with the drive's on-board software (firmware) and its printed circuit board (PCB); in essence a computer within a computer. Every one of these components has to be in working condition for the drive to function, and data loss occurs when one or more of them fails. Data recovery is in essence the reversal (or repair) of the failed hardware and software components to a point where the lost data can again be accessed.
2. Do not leave the drive powered-on.
A knocking (or noisy) head-stack will cause further physical damage to the platters and their magnetic layer if the drive is left running, possibly making the drive unrecoverable or only partially recoverable.
3. Do not open the drive.
Hard drives are manufactured in a Class 100 cleanroom as they are extremely sensitive to airborne contamination. Opening a drive outside of a clean room environment will contaminate the drive possibly leaving the drive unrecoverable.
4. Do not replace the PCB (printed circuit board).
There was a time when you could swap the PCB between most drives within a model range. On modern drives, however, the firmware and the adaptive calibration data stored on the PCB are unique to each drive and matched to its particular head and platter assembly. Swapping the PCB without transferring that data may alter the programming of the drive and/or PCB, possibly leaving the drive unrecoverable or making recovery extremely difficult.
5. Do not run ANY disk tool or utility.
D.I.Y. disk tools are designed to test working hard drives and to reallocate bad or suspect sectors. Running such a tool on a failing drive may cause further damage to the platters and corrupt the firmware, complicating or hampering data recovery attempts.
6. Do not try to write data to the drive.
Overwriting a sector on a hard drive is permanent and cannot be reversed. This is especially true when a drive is in a state of failure, where a write may land on sectors holding valuable data, leaving that data unrecoverable.
7. Do not format the drive.
Formatting a failing hard drive may lead to permanent data loss or make recovery attempts extremely difficult.
8. Do not run a system restore disk.
Restore disks and system recovery programs are designed to overwrite the current software installation. Running a restore or install disk may leave the drive unrecoverable or at best partially recoverable, especially when run on a failing hard drive.
9. Do not bump, drop or knock the drive.
There was a time when hard drives used bearings that were prone to seizing. A bump did in some cases free the bearing, but you still ended up with platter damage from the heads making contact with the platters. Modern drives use fluid dynamic bearings that do not seize, so the only result of a knock is platter damage and/or platter alignment issues, leaving the drive unrecoverable or at best partially recoverable.
10. Do not put the drive in a fridge.
This is an urban legend that may have worked on some early electronic devices. The idea was to overcome "dry joints" (bad solder connections) by lowering the temperature so that the joints contract and make contact again. This may have worked for a short period, until the device warmed up, the joints expanded and the connection broke again.
Modern PCB manufacturing techniques leave little or no room for dry joints. Even if the PCB does suffer from one, you will end up with unrecoverable platter damage (permanent data loss) from the condensation that forms between the heads and the platters once you switch the cold drive on.
The other problem is that condensation conducts electricity and will therefore short-circuit the PCB, damaging components. If one of those components happens to be the firmware chip, the drive will in most cases be unrecoverable.
Losing data is possibly one of the most traumatic events you can encounter. Give your (or your customers') data the best possible chance of being recovered by not making any rash decisions. You may only have one chance at recovering the data from a failed or failing drive.
Hard drive failure typically shows up as a clicking or noisy drive, a drive that is no longer detected, or a drive that is slow to respond to read and write requests.
Was it the Y2K bug, version 20.15-0708, that caused the New York Stock Exchange to be down for almost four hours, grounded United Airlines flights for nearly two hours and brought down the Wall Street Journal's homepage on 8 July 2015?
What is Ransomware? Ransomware is the universal name for any harmful program that takes your data captive and then demands a ransom "at gunpoint".
CTB Locker is currently the most prolific of these programs. Its modus operandi is to encrypt your documents and then demand that you pay a ransom in order to get the key from the attacker to decrypt your files and so gain access again.
Should I Pay To Have My Data Unlocked? Paying the attacker does not guarantee that you will receive the key. In some cases victims have had to pay the ransom 3 or 4 times over before receiving a key. Other victims receive no reply from the attacker after paying the ransom.
How do I get infected? Infections typically happen via an unsolicited email with an attachment claiming to come from a trusted source. Opening the attachment (PDF, ZIP etc.) allows CTB Locker to run its encryption routine. You will normally only realise this when it is too late, as the encryption runs in the background.
How can I protect myself?
- Backup your data on a regular basis – this is by far the most effective and reliable form of data protection. A backup is defined as having (at least) two current and verified copies of your data stored in separate locations away from your computer.
- Do not open any attachment from a source that you are not 100% sure of - most of these emails appear (on the surface) to come from a legitimate source.
- Update your operating system, applications and anti-virus software on a daily basis.
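The "verified copies" in the first point above are only verified if something actually checks them. As an added example, not the company's tooling, the following Python builds a SHA-256 manifest of a source tree, stores it, and later compares a backup copy against that stored manifest. Comparing against the manifest taken at backup time rather than against the live source matters: after an infection the live source holds encrypted files, and a backup that merely "matches it" is worthless. Paths and the manifest filename are whatever you choose; the files in the demo are constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile


def file_sha256(path, block=1 << 20):
    """Hash a file in 1 MiB blocks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = file_sha256(full)
    return out


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_copy(expected, copy_root):
    """Compare a backup copy against the manifest taken when it was made.
    The copy is good only if nothing is missing, changed or unexpected."""
    actual = build_manifest(copy_root)
    missing = sorted(p for p in expected if p not in actual)
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    unexpected = sorted(p for p in actual if p not in expected)
    return {"missing": missing, "changed": changed, "unexpected": unexpected,
            "ok": not (missing or changed or unexpected)}


def demo():
    """Self-contained run on constructed files; returns (good, bad) results."""
    tmp = tempfile.mkdtemp()
    try:
        src, bak = os.path.join(tmp, "source"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.txt"), "w") as f:
            f.write("quarterly figures")
        with open(os.path.join(src, "photo.bin"), "wb") as f:
            f.write(bytes(range(256)))
        shutil.copytree(src, bak)
        # keep the manifest beside the copy, never inside it, so it is not
        # itself part of what gets verified
        manifest_path = os.path.join(tmp, "manifest.json")
        save_manifest(build_manifest(src), manifest_path)
        good = verify_copy(load_manifest(manifest_path), bak)
        # what a ransomware infection would leave behind in an unprotected copy
        with open(os.path.join(bak, "docs", "report.txt"), "w") as f:
            f.write("encrypted garbage")
        os.remove(os.path.join(bak, "photo.bin"))
        bad = verify_copy(load_manifest(manifest_path), bak)
        return good, bad
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    good, bad = demo()
    print("fresh copy ok:", good["ok"])
    print("after tampering:", bad)
```

Run the verification from a machine that only has read access to the backup location; if the backup share is writable from the workstation that got infected, the ransomware will have encrypted the copy too, which is why the second copy belongs somewhere the workstation cannot reach.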
Am I protected from Ransomware using an Anti-Virus program? No; most anti-virus programs will not prevent the attack and will only detect the malware after it has encrypted your files.
Can data be recovered after being encrypted with the CTB Locker? There is currently no known method to repair, recover or decrypt the files. Once the files are encrypted, they cannot be decrypted without the key.
CTB Locker (the name stands for Curve-Tor-Bitcoin) uses elliptic-curve cryptography (Curve25519) to protect the per-victim keys and a strong symmetric cipher for the files themselves, so there is no fixed pattern or algorithm that can be reversed without the attacker's key. In some cases fragments of previously deleted and temporary files can be recovered using low-level data recovery methods that scan the raw sectors for known file signatures. The success rate is normally very low: the files are recovered outside of the normal directory and naming structure, without filenames, and are simply numbered in sequence.
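The low-level recovery the paragraph refers to is signature-based file carving: scanning raw sectors for known file headers and footers and writing out whatever lies between them, which is exactly why the results carry no names and are simply numbered. The following is an added example written for this page, not the company's tooling. The "disk image" it scans is constructed in the code (a minimal but valid PNG, a stub JPEG and an orphaned JPEG header with no footer), and the two-entry signature table is deliberately small.

```python
import os
import shutil
import struct
import tempfile
import zlib

# (header, footer) byte signatures for the two formats carved here
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk including its CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI markers
}
MAX_CARVE = 32 * 1024 * 1024   # give up on a header with no footer within 32 MiB


def carve(image: bytes):
    """Scan raw bytes for header signatures and cut out header..footer spans.
    Returns (ext, offset, data) tuples ordered by offset. No names or paths
    are recovered; the caller numbers the results."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + MAX_CARVE)
            if end == -1:                           # header with no footer: skip it
                pos = image.find(head, pos + 1)
                continue
            found.append((ext, pos, image[pos:end + len(tail)]))
            pos = image.find(head, end + len(tail))
    found.sort(key=lambda f: f[1])
    return found


def write_carved(found, outdir):
    """Write results as 00000.jpg, 00001.png, ... and return the filenames."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for i, (ext, _, data) in enumerate(found):
        name = f"{i:05d}.{ext}"
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)
        names.append(name)
    return names


def make_png_1x1(rgb):
    """Build a minimal valid 1x1 PNG so the sample image contains a real file."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00" + bytes(rgb))           # filter byte + one pixel
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed 'disk image' (not a real capture): two files buried in filler
    plus an orphaned JPEG header the carver must ignore."""
    png = make_png_1x1((10, 20, 30))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    image = (b"\x00" * 512 + jpg + b"\x5a" * 300 + png
             + b"\x00" * 128 + b"\xff\xd8\xff" + b"\x00" * 256)
    return image, {"png": png, "jpg": jpg}


def demo():
    """Carve the sample image into a temporary directory; return the names."""
    image, _ = build_sample_image()
    outdir = tempfile.mkdtemp()
    try:
        return write_carved(carve(image), outdir)
    finally:
        shutil.rmtree(outdir)


if __name__ == "__main__":
    image, _ = build_sample_image()
    for ext, offset, data in carve(image):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
    print(demo())
```

Two caveats a practitioner would add. Files the ransomware itself produced have no recognisable header, so carving only ever finds older deleted or temporary copies, never the encrypted originals. And a footer match is not proof of a whole file (the JPEG EOI marker, for instance, also appears at the end of an embedded thumbnail), which is why real carvers validate the structure of what they cut out rather than trusting the signatures alone.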
What does this hold for the future of iOS device data recovery?
Apple announced that it is closing a serious gap in the security of iOS 8 devices. All data on the device, not just some of it, is now encrypted under a key derived from the user's passcode. Previously Apple was able to bypass the protection on the rest of the data, as was the case with Oscar Pistorius' locked iPhone. The conundrum was that a "backdoor" of that kind allowed not only lawful but also unlawful access.
According to Apple, after the update no one will be able to access your data without your passcode.
What effect this will have on the recoverability of iPhone data where the passcode (and with it the decryption key) is lost or missing is, for now, an open question.