News that decryption keys are not particularly forthcoming to victims who paid the WannaCry ransomware has resulted in very simple list of options for those affected – restore your data.
However, for those who are unable to do so the reality is considerably more stark – namely lose your data. It is for this reason we are happy to share details of technique that we have used to recover files, with mixed results.
Please note that this technique is provided as is, we accept no responsibility if things don't go as expected. In our testing we have had some cases where the recovery did an almost full recovery and others in which it was near zero. The number of variables are too exhaustive to list, but if a backup isn't going to work it's a much better option than saying goodbye to your data.
File Carving for File Recovery
With forensic experience in the team, one of the approaches we researched was how the WannaCry ransomware's file-handling and encryption would take place. Would files be copied, encrypted and then original file deleted or was there a different mechanism happening?
‘File Carving' or sometimes simply carving, is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analysed to extract files. The files are ‘carved' from the unallocated space using file type-specific header and footer values.
There is a big difference between file recovery techniques and carving. File recovery techniques make use of the file system information that remains after deletion of a file. By using this information, many files can be recovered. For this technique to work, the file system information needs to be correct. If not, the files can't be recovered. If a system is formatted, the file recovery techniques will not work either.
Carving deals with the raw data on the media and doesn't use the file system structure during its process. A file system (such as FAT16, FAT32, NTFS, EXT, etc.) is a structure for storing and organising computer files and the data they contain. Although carving doesn't care about which file system is used to store the files, it could be very helpful to understand how a specific file system works. In the FAT file system for example, when a file is deleted, the file's directory entry is changed to show that the file is no longer needed (unallocated). The first character of the filename is replaced with a ‘marker', but the file data itself is left unchanged. Until it's overwritten, the data is still present.
Investigating the code, we noticed that once the encrypted file has been written, a new set of WriteFile operations *against the original file* are executed. These operations overwrite the original file with pretty much flat data to prevent recovery and FlushBuffersFile is invoked. While monitoring the ransomware encrypting, we observed on certain Operating Systems that the original file was still existing besides the encrypted file and later the original file was removed.
In the above screenshot, we notice the pictures of Amsterdam being encrypted on our test setup in the lab with a Windows 7 32 bits machine.
Using the recovery tool “PhotoRec” on the infected host, executing from an USB stick with write protection, we started to hunt the free-space of the disk for the original JPG files.
Note, when connecting an USB stick that the ransomware could be still active and will search and encrypt the extensions it supports, hence our usage of a write-protected USB-stick.
By using a ‘whitelisted' area by the ransomware, for example we created the directory C:\Windows\Dump, for storing our recovered files.
PhotoRec contains a plethora of file-extentions to carve for, but to speed up our process, one can select in the menu which file-types to hunt for. While selecting the partition you want to carve, at the bottom of the menu, one can find the menu option ‘File Options'. This is the menu where to select which files you want to search for.
For a full overview of supported files, please visit this link: (http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec)
After a few minutes, we investigated our carving results and discovered we were able to recover our ‘original' files from the disk's free-space.
Disclaimer: Using carving tools like PhotoRec, one should be aware of the risks that these techniques might involve and they are at their own risk.
Another decision has to be made before starting the recovery process. Do we kill the ransomware first or not? In case the ransomware is removed from the system, if recovery is unsuccessful, one could copy the encrypted files to another disk in the hope for a decryption possibility in the near future. If the ransomware is removed and the process failed to recover files, it might not be possible to decrypt anymore, since re-infection might create new key. In case the ransomware is not removed, it would hinder the operation a bit, but we discovered if we create a folder called “Windows” on our USB-stick and point PhotoRec to this folder as the recovery dump – the ransomware will not touch that folder since the $Drive\Windows folder is whitelisted by it.
We simply didn't have enough bandwidth to verify every Operating Systems impacted by the MS17-110 update, but are more than welcome to feedback from the info-sec and Law Enforcement community.
In some cases, the Volume Shadow Copies were not deleted, hence we could carve the original files out of them. One of the reasons for not having the shadowcopies deleted was that we didn't open up the ‘@WanaDecryptor@' with UAC rights, a finding that was also observed by ENISA.
In case the volume shadow copies are still present on the system, files could be recovered from them. You can verify this by opening a command prompt (as administrator) and type the following command:
‘vssadmin list shadows'
This will list your shadow copies available. Once the ransomware is removed from the system, one could restore from these copies or use third-party tooling to browse the shadow-copy files and retrieve individual files from them.
Since we had mixed results with different platforms, one could at least try to recover the files if no backup is available. Although the impact of this ransomware was at an unprecedented scale, we are encouraged by the lack of payments made to the criminals. Whilst we will do everything we can to combat ransomware, we cannot do this alone and need each of you to follow the prevention advice in No More Ransom, but also let the criminals know that we will not pay.
By Christiaan Beek, Charles McFarland, Raj Samani