I recently wrote about a ransomware attack called GPcode that encrypts files on the victim’s computer and then offers to sell the victim a decryption key to get them back.
According to Kaspersky Labs, when GPcode does its thing, it first creates an encrypted copy of the file it’s going to encrypt. Once that encryption is done, it deletes the original file. Here’s where the fix comes in. When a file is deleted, it isn’t really erased or destroyed unless and until something writes over that same spot on the disk where it was stored. This means that if you get to it soon enough, it’s possible to recover the original file that GPcode deleted.
There’s a free utility called PhotoRec that was originally developed to recover graphics files. It has since been expanded and can now be used to recover a wide variety of file types. It’s available as part of the latest version of the TestDisk package.
If you suspect that you’ve been attacked by GPcode, don’t reboot the computer, and absolutely never pay the ransom by “buying” the attacker’s “decryptor” utility. Instead, get the PhotoRec utility and use it to recover the deleted original files.
This fix isn’t guaranteed, and it won’t always work, but it’s certainly worth trying.
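To show why the deleted originals are still recoverable, here is a small added example (written for this post, not part of the original article or of PhotoRec/TestDisk) that does what a file carver does: it scans a raw disk image for known file signatures and cuts the files back out without any help from the file system. The “disk image” is constructed inline: filler bytes, a tiny PNG, more filler, a tiny JPEG, more filler. The directory entries are gone, as they would be after GPcode deletes the originals, but the bytes are still there. The same image with those sectors overwritten shows why writing to the disk (or rebooting and letting the OS write) destroys the chance of recovery.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image plus first marker byte
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image

# Constructed filler standing in for unrelated sectors; it never contains 0xff,
# so it cannot produce false JPEG hits.
FILLER = bytes((i * 7) % 251 for i in range(1024))


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """A minimal valid 8-bit RGB PNG (constructed sample file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def make_jpeg() -> bytes:
    """A JPEG-shaped byte string: SOI, an APP0 marker, payload, EOI (constructed)."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01\x02" * 20 + JPEG_EOI


def build_image(overwritten: bool = False) -> bytes:
    """Constructed disk image. The two files are 'deleted' (no directory entry),
    but their bytes remain unless overwritten=True zeroes those sectors."""
    png, jpeg = make_png(), make_jpeg()
    if overwritten:
        png, jpeg = b"\x00" * len(png), b"\x00" * len(jpeg)
    return FILLER + png + FILLER + jpeg + FILLER


def carve_png(image: bytes, start: int):
    """Walk the chunk list from a PNG signature, verifying each CRC.
    Returns the end offset after IEND, or None if the structure is broken."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        data = image[pos + 8:pos + 8 + length]
        crc = image[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return None
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def carve_jpeg(image: bytes, start: int):
    """JPEG has no length field; take everything up to the next EOI marker."""
    end = image.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end == -1 else end + len(JPEG_EOI)


def carve(image: bytes):
    """Signature-based carving: return a list of (kind, offset, bytes)."""
    found = []
    pos = 0
    while pos < len(image):
        end = None
        if image.startswith(PNG_SIG, pos):
            kind, end = "png", carve_png(image, pos)
        elif image.startswith(JPEG_SOI, pos):
            kind, end = "jpeg", carve_jpeg(image, pos)
        if end is not None:
            found.append((kind, pos, image[pos:end]))
            pos = end          # skip past the carved file
        else:
            pos += 1
    return found


if __name__ == "__main__":
    for kind, off, data in carve(build_image()):
        print(f"recovered {kind} at offset {off}, {len(data)} bytes")
    print("after overwrite:", carve(build_image(overwritten=True)))
```

The PNG path checks every chunk CRC before accepting a hit, which is how a carver avoids returning garbage when the signature bytes occur by chance; the JPEG path shows the weaker header/footer approach used for formats without a length field. Run against the overwritten image, the carver returns nothing, which is the whole reason the post says not to reboot or otherwise write to the disk before trying recovery.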
Interesting. I suppose you could also use this:
http://www.recuva.com/
Or if you want to get really deep, supposedly there is also a way to recover the keys from memory, but I have no idea where to start with that. Any clues?
Shane’s last blog post: Edit Any Webpage Directly From Your Browser