Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

A Story of Data Loss and What Could Have Been

Why I harp, harass, cajole, and harp some more.

by

I repaired a friend's machine's hard disk failure only to discover something much, much worse.
A computer desk with an open laptop showing an error message related to ransomware (CryptoWall), a few external hard drives, and a person looking distressed. In the background, you can see a family photo frame, and the overall scene should convey a sense of data loss and urgency.
(Image: DALL-E 3)

Some years ago I posted this on Facebook:

Just had to break the news to a friend that the photos on the hard drive that failed — the contents of which we WERE able to recover, thanks to some hard disk utilities — turned out to be encrypted by ransomware (CryptoWall), and we had no way to decrypt them. And no, they didn’t have a recent backup. (And yes, there were some VERY important photos on there. I’m hoping they’ll recover some at least from friends and family with whom they shared ’em.)

This is why, folks. This is why I harp and harp and harp on backing up. Seriously. Sh*t happens. Sometimes it’s benign, and sometimes it’s downright heartbreaking. PLEASE back up.

I want to share what happened and explain how this could have been close to a non-event.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

A story of data loss

After repairing a friend’s hard disk failure, I discovered files on it were encrypted by CryptoWall ransomware. Despite recovering the drive contents, decryption was impossible, and there were no backups. Regular backups are critical to avoid data loss and heartache.

Hard drive failure

I got a call from a friend standing at a local office supply store’s computer service desk. He was a tad befuddled at the terms and dollar amounts the technician was throwing at him.

  • The hard drive had had some kind of physical failure — probably a bad sector or area.
  • The technicians had installed a replacement hard drive into my friend’s computer.
  • The technicians were unable to back up the faulty drive with their normal tools.
  • The faulty drive contained important information my friend wanted to recover.
  • The next step for this particular computer service organization was to send it out to data recovery; costs were quoted from $200 to $1600.

My friend’s question was simple: did he need this, or was he being taken for a ride? He put the technician on the phone.

The bottom line was that, no, he probably wasn’t being taken for a ride, and that yes, the situation was serious. They’d just gone beyond what the in-store technician could do; hence the need to send it out.

He brought the machine to me instead.

Hard-drive recovery

At the time, my go-to tool of choice for bad sectors on a hard drive was SpinRite, so that’s where I started. I hooked the faulty drive up to one of my spare systems and let it work.

Unfortunately, SpinRite hasn’t been updated in years — which is really sad, as it’s a great tool when it works. It didn’t work for me in this case. Be it the BIOS on the machine, the SATA interface, or the sheer size of the one-terabyte drive, SpinRite would only go so far before crashing.

I Googled SpinRite alternatives, and while there weren’t any, I came up with something close: MHDD.

MHDD’s basic difference from SpinRite is that when it finds a bad sector, it “remaps” it, taking it out of use and replacing it with one of the spare sectors that hard disks have for exactly this purpose. Note, however, that it doesn’t recover the data in that bad sector. SpinRite will first work long and hard, if need be, to recover the data in that sector, often recovering and repairing it, so no remap is needed.

I let MHDD do its thing, after which I could use Macrium Reflect to take a complete image backup of the faulty drive and restore that image to the replacement drive in my friend’s machine.

All seemed well, and I sent the machine home.

Later that day, I got an email. My friend wanted to know why he couldn’t open his pictures.

Cryptowall

When he tried to open an image, my friend got an error message.

Photo Gallery Fail
Photo Gallery’s failure message. Click for larger image. (Screenshot: askleo.com)

Since I’d kept a copy of the backup image “just in case”,1 I restored it to a hastily created partition on one of my own machines and started looking around.

What I found was not pretty.

The images weren’t images anymore. They had the same names and the “.jpg” extension, but their contents didn’t look like jpg image data at all. In fact, the contents looked more like random data. Almost as if the files had been… encrypted.

And then I found this:

CryptoWall
CryptoWall’s ransom message. Click for larger image. (Screenshot: askleo.com)

At some point, this machine had become infected with the CryptoWall ransomware: software that encrypts all your important files and then displays a ransom note instructing you how to pay to get the decryption key to access your files again.

My friend had never seen that ransom note. That means either the encryption process hadn’t been completed when he’d last turned off the machine, or the virus had attached itself to the machine while at the service center. (Timestamps on the files showed that the malware had arrived prior to the service center touching the machine.)

Either way:

  • The encryption appeared to be unrelated to the hard disk failure. (It’s possible that the encryption process caused the hard disk to stumble into a previously unused bad sector, but there was no real direct cause and effect at play here.)
  • The hard disk recovery was a success, but the prognosis for this new situation was even worse.

Related


How to Avoid Ransomware

 Avoid ransomware the same way you avoid any malware. A full backup will save you not only from ransomware, but from a host of other problems as well.

Recovery efforts

BleepingComputer.com has a good page on CryptoWall, including common approaches to recovery. Unfortunately, none of them worked2.

  • Restore from a backup: There was no recent backup. Some files were available on a months-old backup, but that didn’t help with recently created, updated (or encrypted) files.
  • File Recovery Software: The process of recovering the original drive to another drive invalidated anything that file recovery tools could use. (Though the original “failed” drive remains unaltered in my basement and may be used as a last resort at some point.)
  • Shadow Volume Copies: The process of recovering the drive to the new one invalidated anything that file recovery tools might use. The original drive may have the files, but the chances are slim since CryptoWall intentionally deletes them.
  • Restore DropBox Folders: Dropbox wasn’t being used.

In short, and as of this writing and update, we were SOL: severely out of luck. The files that were encrypted remain encrypted with little chance of direct recovery.

Which leads to the moral of this story.

What could have been

Bad stuff happens. It just does. You cannot avoid it all the time.

Hard disks die without notice or warning. In fact, they can die so suddenly and so completely that all data stored on them can be instantly and irretrievably lost forever. Nothing malicious is required — they just die. Most failures aren’t instantaneous or irretrievable, but they can be.

And, of course, malware happens. It shouldn’t. In a perfect world, we’d never invite it in, and if we did, our perfect anti-malware tools would protect us 100% of the time. Neither the world, our computer, our security software, nor even ourselves are perfect. Stuff happens, as it did to my friend in a double dose: ransomware and a failed hard drive.

You can’t avoid it.

But you can prepare for it.

This makes situations like my friend’s so frustrating. Here’s what could have been:

  • Hard disk dies.
  • Replace it.
  • Restore the previous day’s image backup.
  • Get on with your life.

And/or:

  • Machine is infected with malware; all files on it are encrypted and a ransom is demanded.
  • Restore the machine from the previous day’s backup.3
  • Get on with your life.
  • Learn from the experience: don’t repeat whatever caused the infection.

THIS IS WHY I harp and harp and harp on backing up.

It hurts me to see data loss — particularly important data like irreplaceable family photos, as was the case here.

Do this

If it’s in only one place, it’s not backed up. If that’s true for anything you consider even the slightest bit important, start backing up, please.

I don’t care how you do it or what tools you use (as long as they work, of course); just make sure you’re doing it.

Podcast audio

Play

Download (right-click, Save-As) (Duration: 12:14 — 11.3MB)

Subscribe: RSS

Related Video

Footnotes & References

1: I’m kinda paranoid that way. :-)

2: Still the case over 10 years later.

3: There’s a debate about whether the external drive should remain connected in case backups get encrypted. That’s a red herring, in my opinion. Having it connected and backups automated is significantly more important. There are several solutions. I discuss it here: Should I Disconnect My Backup Drive When I’m Not Backing Up?

21 comments on “A Story of Data Loss and What Could Have Been”

  1. Thanks for the article. Wow, as if guarding against the possibility of HDD hardware failure wasn’t worrisome enough. Is CryptoPrevent enough defense against these CryptoWall extortion rackets (apart from making backups, I mean)?

    Reply

  2. One thing I don’t think you mentioned is that shouldn’t you disconnect the backup drive after taking the backup? Isn’t malware smart enough to encrypt the backup drive as well as the primary drive if it is connected?

    Reply

  3. Sorry to hear about your friend’s hard disk issue. Fortunately, you were able to spare him the data recovery expense for repairing the bad sectors. As for the Cryptolocker/Cryptowall, he basically has two options: 1) Pay the ransom or 2) Wait it out. The servers for the first variant of Cryptolocker were eventually seized and the corresponding private keys (needed to decrypt) were publicly released for free. If I were your friend, I would keep the image you created until I was able to recover the encrypted data. Good luck.

    Reply

      • And the only way this will happen is if someone can infiltrate the place where these keys are stored on the bad guys end no? Short of that or a miracle people will be waiting a very long time.

        Reply

  5. Try: https://www.decryptcryptolocker.com :
    “FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker”.
    All you have to do is upload an affected file and “This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system”.
    Hope you get your photos back!

    Reply

  8. I’ve taken Leo’s warnings and backup advice to heart. Using Macrium Reflect, I make a full image backup monthly and daily image backups. Macrium Reflect has a feature called Image Guard which only allows opening or viewing backup files through Macrium Reflect. I can’t use another program to do so.
    I use OneDrive and have my Documents, Music, and Pictures folders located in the OneDrive folder. OneDrive is set to keep copies of my files on my hard drive (Files on Demand is turned off) as well as on the Microsoft servers. When I started using Cryptomator to protect sensitive files in my OneDrive folder, I found out that OneDrive will raise alarms about the encryption process taking place and offers to help restore the files.
    Between Image Guard and OneDrive, I believe I’m covered in the event of a ransomware attack. I take extra steps to make an image backup of our computers on hard drives separate from the regular backup drives and copy my files to other external drives each month. All of those drives are kept in a safe location.
    I hope to not ever find myself in the situation Leo described and believe I won’t be with the actions I’ve taken. It takes a little time and effort to set everything up initially, but little time to keep it up. If a hard drive fails, it can be easily replaced.

    Reply

    • Image Guard doesn’t allow only opening or viewing backup files through Macrium Reflect. Macrium Reflect and all system image backup do that because they are saved in a proprietary format. Image Guard does something much more secure. It allows only Macrium Reflect to access those files, so they can’t be deleted by any program other than Macrium Reflect. By not allowing deletion, Ransomware can’t encrypt the backup and delete the original.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.