Fight against ransomware with data recovery technologies

Fast Company

17-06-2025


Ransomware attacks are becoming more and more frequent. In many cases, the hacker uses ransomware to encrypt your important data and then asks for money in exchange for decrypting it. But there is no guarantee that the hacker will decrypt the data after receiving your money. Instead, we can use advanced data recovery technologies to fight against ransomware attacks.

WHY DATA RECOVERY WORKS

There are several reasons why data recovery works, as below:

1. Original Data May Still Exist

When ransomware encrypts an important file and deletes the original one, the data of the original file may still exist on the hard drive. In such a case, we can use a raw-level data recovery tool to scan the whole hard drive and recover this unencrypted data. This is called file carving technology. Some tools can even target a specific file type and size, which improves the accuracy and reduces the time.

2. Parts Of The Data May Not Be Encrypted

The purpose of ransomware is to make a file unusable so that you feel compelled to pay the hacker. In modern computer systems, there are many huge files. For example, SQL Server MDF files are normally several GBs, and some can even reach hundreds of GBs. In such a case, ransomware may not encrypt the whole file, but only the file header, because:

  • Encrypting a huge file will consume a lot of time and a lot of system resources, which will increase the chances of being detected.
  • The long encryption process may be aborted due to various reasons, making the encryption fail.
  • Just like a human head, a file header normally contains the most important metadata of the whole file, so encrypting the file header can easily render the entire file unusable.

Moreover, even if the ransomware chooses to encrypt the whole huge file, the encryption is performed block by block and may be aborted halfway, leaving some blocks of the file unencrypted. In such a case, we can also use file-level recovery tools to recover data from these blocks.

There may be other copies or versions of the original file that still exist, such as:

  • The offline or cloud backup
  • Windows Volume Shadow Copy
  • MacOS Time Machine
  • Linux/Unix ZFS/Btrfs/LVM snapshots
  • Temporary files generated when operating on the original file
  • Log file

In some cases, we can restore the original file directly, such as from a cloud backup. For other cases, we need to use specialized tools to recover the data. For example, if there is a temporary file for an encrypted PST file, then we can use the Outlook file recovery tool to recover data from the temporary file. If there is a log file for an encrypted SQL Server database file, we can use it to reconstruct the data.

4. Key May Be Available

In many cases, we can get the key to decrypt the encrypted data not from the hacker, but from other sources.

  • If an active ransomware process is detected, then we can perform a memory dump and use memory forensics technology to extract the key.
  • Some ransomware may not erase the key in memory after the encryption. In such a case, if the corresponding memory block is not overwritten, we can also use memory forensics technology to obtain the key.
  • Some ransomware will not remove the temporary file containing the key. Therefore, we can recover it from the file.
  • Some ransomware will hardcode the keys in their own executable files.
  • Some will put the keys in the system registry.
  • The system log files or snapshots may also contain the keys.

For all these cases, the keys may be stored in plain text or encrypted with some algorithm. For the latter case, normally we can use reverse engineering technology to decode them.

As we can see in this article, there are many data recovery technologies that can deal with ransomware. Therefore, ransomware attacks may not necessarily be disastrous. When they do occur, you can consult a data recovery specialist to get the best strategy.
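To make the partial-encryption point in section 2 concrete, the following added example (not part of the original article) maps which blocks of a damaged file still look unencrypted by measuring per-block Shannon entropy. The block size, the 7.5 bits-per-byte threshold, the function names and the sample file are all assumptions chosen for illustration.

```python
import hashlib
import math

BLOCK_SIZE = 4096          # assumed scan granularity
ENTROPY_THRESHOLD = 7.5    # assumed cut-off in bits per byte; tune per file type

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for byte in block:
        counts[byte] += 1
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def intact_ranges(data: bytes, block_size: int = BLOCK_SIZE,
                  threshold: float = ENTROPY_THRESHOLD) -> list[tuple[int, int]]:
    """Return merged (start, end) byte ranges whose blocks fall below the threshold."""
    ranges = []
    for start in range(0, len(data), block_size):
        end = min(start + block_size, len(data))
        if shannon_entropy(data[start:end]) >= threshold:
            continue  # looks encrypted (or compressed): leave it out
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((start, end))
    return ranges

def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed 8-block file: blocks 0, 1 and 5 overwritten, the rest plain records."""
    plain = b"".join(b"row-%06d,customer,active\n" % i for i in range(2000))
    sample = bytearray(plain[:8 * BLOCK_SIZE])
    for index in (0, 1, 5):
        sample[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE] = _pseudo_random(BLOCK_SIZE)
    return bytes(sample)

if __name__ == "__main__":
    for start, end in intact_ranges(build_sample()):
        print(f"likely intact: bytes {start}-{end - 1}")
```

Entropy alone cannot tell ciphertext from compressed data, and a short final block scores low even when it is encrypted, so the reported ranges are candidates to hand to a format-aware recovery tool rather than proof that the data is intact.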
