Can ransomware locked files be reversed with bit comparison to prior copy of a file?


wildpig1234

Well-Known Member
Aug 22, 2016
Quick question for anyone with good knowledge regarding ransomware, or if they can point me to a forum to post my question:

I was hit with ransomware, and I noticed that my HDD with 2TB of files was encrypted. I noticed that many large files, from hundreds of MB to several GB, have the same date/time stamp, which makes me think that the ransomware I got hit with likely makes only small changes to the most critical portion(s) of the file? I am thinking it has to be some very small, quick, critical changes, because how else could it encrypt a whole directory with many GB-size files within a very short time, rather than actually making extensive changes to the whole file, which would require much more time for GB-size files?

I do have good prior copies of several files that were encrypted. So I am wondering if it's possible that a bit analysis of the good copy compared to the encrypted copy can shed some light on whether it's possible to reverse the encryption somehow? Or maybe I am too naive? lol...
 

i386

Well-Known Member
Mar 18, 2016
Germany
The timestamp of a file is usually metadata and not really part of the file itself. With NTFS, for example, it's possible to deactivate it (you gain a little bit of performance, but it could cause a lot of problems with backup and other software).

My guess is that modern ransomware either encrypts important metadata (fast) or encrypts the data over longer times (slow and less suspicious).

Personally, I have always nuked PCs & laptops from friends who got this kind of stuff (yes, all storage devices, not just the OS, to make sure nothing is left!)
I don't think it's possible to "reverse" the encryption: if you compare the encrypted and the original file you will see the difference, but you still don't know how the difference was computed.
 

RageBone

Active Member
Jul 11, 2017
So, from the few videos I watched on cryptology on YouTube, for instance from Computerphile, I can say that it is possible to reverse the key from encrypted content that you know or can guess the clear version of.

But that is only rudimentary knowledge that might not be applicable here.
I think it depends a bit on what encryption algorithm was used, the length of the key, and how close and large the files are to each other.
Additionally, I think it is possible to have one master key and generate individual keys for each file, which would make this moot since each file could have a different key.
Again, it really depends on how the files were encrypted in the first place.
 
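To make the point in RageBone's post concrete, here is an added example (not code from the thread, and not any real ransomware's scheme): a toy repeating-key XOR cipher, the known-plaintext step that recovers its key from one file the victim still has a clean copy of, and the per-file-key variant that makes the recovered key useless for every other file. The keys, file names and file contents are all constructed for the example. A proper block cipher such as AES does not give up its key from a plaintext/ciphertext pair at all, which is why this only works against weak schemes.

```python
"""Known-plaintext key recovery against a toy cipher.

Added example for this thread, not any real ransomware's scheme. A file locked
with a repeating-key XOR gives up its key to whoever holds the clean copy, and
that key then unlocks every file encrypted with the same key. With a separate
key per file (derived here from a master key) the recovered key is useless
for any other file. All keys and file contents below are constructed.
"""
import hashlib


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Toy cipher: XOR each byte with the key, cycling through it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step for any XOR-based cipher: keystream = P xor C."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def find_period(stream: bytes, max_period: int = 64):
    """Smallest p for which the stream repeats every p bytes (at least two
    full repetitions required), or None if it does not repeat."""
    for p in range(1, max_period + 1):
        if len(stream) >= 2 * p and all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def demo() -> dict:
    # Constructed victim data: one file with a clean backup, one without.
    known_plain = b"Backup of invoice_2016.txt: total due 1234.00\n" * 4
    other_plain = b"Second file the victim has no clean copy of.\n" * 3

    # Case A: one key for every file.
    shared_key = b"s3cret!k"
    c_known = xor_repeating(known_plain, shared_key)
    c_other = xor_repeating(other_plain, shared_key)
    ks = recover_keystream(known_plain, c_known)
    period = find_period(ks)
    key = ks[:period]
    shared_ok = xor_repeating(c_other, key) == other_plain

    # Case B: a per-file key derived from a master key that never touches disk.
    master = b"master-key-held-only-by-the-attacker"

    def file_key(name: bytes) -> bytes:
        return hashlib.sha256(master + name).digest()[:8]

    c_known_b = xor_repeating(known_plain, file_key(b"invoice_2016.txt"))
    c_other_b = xor_repeating(other_plain, file_key(b"second.txt"))
    ks_b = recover_keystream(known_plain, c_known_b)
    key_b = ks_b[:find_period(ks_b)]
    per_file_ok = xor_repeating(c_other_b, key_b) == other_plain

    return {
        "period": period,
        "recovered_key": key,
        "shared_key_decrypts_other": shared_ok,
        "per_file_key_decrypts_other": per_file_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The period search is what turns "I have the keystream for this one file" into "I have the key": a repeating key shows up as a repeating keystream. In case B the keystream for the known file is still recovered and still periodic, but it only ever decrypts that one file, which is exactly why the clean copy stops helping once keys are per-file.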

NablaSquaredG

Layer 1 Magician
Aug 17, 2020
I do have good prior copies of several files that were encrypted. So I am wondering if it's possible that a bit analysis of the good copy compared to the encrypted copy can shed some light on whether it's possible to reverse the encryption somehow? Or maybe I am too naive? lol...
That depends.

You could start with comparing the encrypted and original file (obviously, the content before the encryption should be identical) and check whether the entire file was encrypted or just a portion of it.
 

wildpig1234

Well-Known Member
Aug 22, 2016
That depends.

You could start with comparing the encrypted and original file (obviously, the content before the encryption should be identical) and check whether the entire file was encrypted or just a portion of it.
I guess that is a good starting point, just to see 1. how much change was really made to the file, and 2. if the changes are consistently in one area.
The size of the data that was locked down was about 2.5TB, consisting of several tens of thousands of files. I know that there is ransomware that actually copies files to a new encrypted file, removes the old one, and tries to clear the file record and overwrite the old space so as to make it hard for you to recover, but I believe that most ransomware likely doesn't do that, because that is way too intensive, takes too much time and system resources, and is more likely to arouse suspicion. So I am guessing that they make whatever encrypted changes are the fastest and smallest they can to prevent you from being able to access the file and open it in a regular way?

Thanks for the reply. I will do some testing soon....
 

wildpig1234

Well-Known Member
Aug 22, 2016
So it looks to me like what it does is only encrypt part of the file, but it actually does change a fair amount of the file. I checked out a txt file, and a large portion of the txt file is readable, with a large portion of the beginning and the end seeming encrypted? Or maybe just plain deleted and filled with gibberish, for all I know... lol..

Seems like I am able to play back a portion of an encrypted mp3 file, but the mp4 files won't play at all.

I notice that all the supposedly encrypted files are larger than the original files. Each file has the same 8685218C-3262, so I guess that is what would be part of the key?

Here's a zip file containing both the original txt and encrypted txt file:


Let me know what you think.
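As an added example, not part of the thread and not any poster's code: a script that does the comparison NablaSquaredG suggested and that wildpig1234 then did by hand. It reports which byte ranges differ between the clean copy and the locked copy, what fraction of the file that is, the entropy of each changed range (ciphertext sits near 8 bits per byte, readable text far below it, which separates "encrypted" from "still plaintext" without guessing), and any bytes appended beyond the original length, which is one way a locked copy ends up larger than the original. The sample pair is constructed in the script to simulate head-and-tail partial encryption; the appended marker is a placeholder, not the 8685218C-3262 value from the thread, and nothing here is a real ransomware sample. `analyze_files` runs the same analysis on two files on disk.

```python
"""Byte-level comparison of an original file against its encrypted copy.

Added example for this thread, not code from any poster. Reports which byte
ranges differ, what fraction of the file that is, the Shannon entropy of each
changed range (ciphertext sits near 8 bits/byte; text far below it), and any
bytes appended past the original length. The sample pair is constructed to
simulate head-and-tail partial encryption; the marker is a placeholder.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: about 8.0 for ciphertext or compressed data,
    roughly 4 to 5 for English text, 0.0 for an empty or constant buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def changed_regions(original: bytes, encrypted: bytes, merge_gap: int = 16):
    """Half-open [start, end) byte ranges, over the common length, where the
    two buffers differ. Runs of equal bytes no longer than merge_gap are
    absorbed into the surrounding range, because about 1 in 256 ciphertext
    bytes equals the plaintext byte by pure coincidence."""
    n = min(len(original), len(encrypted))
    raw = []
    start = None
    for i in range(n):
        if original[i] != encrypted[i]:
            if start is None:
                start = i
        elif start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, n))
    merged = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def analyze(original: bytes, encrypted: bytes) -> dict:
    """Summarise how much of the original was touched, where, and what was appended."""
    regions = changed_regions(original, encrypted)
    n = min(len(original), len(encrypted))
    changed = sum(e - s for s, e in regions)
    return {
        "regions": regions,
        "changed_fraction": changed / n if n else 0.0,
        "region_entropy": [round(shannon_entropy(encrypted[s:e]), 2) for s, e in regions],
        "original_entropy": round(shannon_entropy(original), 2),
        "trailer": encrypted[len(original):],  # b"" unless the copy grew
    }


def analyze_files(original_path: str, encrypted_path: str) -> dict:
    """Run analyze() on two files on disk, e.g. a clean backup and its locked copy."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(encrypted_path, "rb") as f:
        encrypted = f.read()
    return analyze(original, encrypted)


def _toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes in 1..255 for the constructed sample.
    Never 0, so XOR always changes the byte and the region edges are exact."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        out.extend(b % 255 + 1 for b in block)
        counter += 1
    return bytes(out[:length])


def make_sample(head: int = 1024, tail: int = 1024):
    """Constructed pair: a 4096-byte text file whose first `head` and last
    `tail` bytes are XORed with a keystream, plus an appended marker."""
    original = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    ks = _toy_keystream(b"example-key", head + tail)
    enc = bytearray(original)
    for i in range(head):
        enc[i] ^= ks[i]
    for j in range(tail):
        enc[len(original) - tail + j] ^= ks[head + j]
    enc += b"EXAMPLE-MARKER-0000"  # placeholder, not the thread's real value
    return original, bytes(enc)


if __name__ == "__main__":
    orig, enc = make_sample()
    for k, v in analyze(orig, enc).items():
        print(f"{k}: {v}")
```

Run it over several original/locked pairs of different sizes and types: if the changed ranges are always the same fixed offsets (say, the first and last N bytes) regardless of file size, that is the "fastest, smallest change" pattern the thread is guessing at; if the changed fraction scales with the file, the whole file was processed. Either way the diff tells you where the ciphertext is, not how to undo it.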