Last week I posted this on Facebook:
Just had to break the news to a friend that the photos on the hard drive that failed – the contents of which we WERE able to recover thanks to some hard disk utilities – turned out to be encrypted by ransomware (CryptoWall), and we had no way to decrypt them. And no, they didn’t have a recent backup. (And yes, there were some VERY important photos on there. I’m hoping that they’ll recover some at least from friends and family with whom they shared ’em.)
This is why, folks. This is why I harp and harp and harp on backing up. Seriously. Sh*t happens. Sometimes its benign, and sometimes its downright heartbreaking. PLEASE back up.
I want to go into that in just a little more detail, and expand on how this could have all been very close to a non-event.
Hard drive failure
The call I got was from a friend. He was at a local office supply store’s computer service desk, a tad befuddled at the terms, and dollar amounts, the technicians were throwing at him.
The situation turned out to be this:
My friend’s question was simple: did he need this, or was he being taken for a ride. He put the technician on the phone.
The bottom line was that, no, he probably wasn’t being taken for a ride, and that yes, the situation was serious. They’d just gone beyond what the in-store technician could do, hence the need to send it out.
He brought the machine to me instead.
Hard drive recovery
When I encounter bad sectors on a hard drive my go-to tool of choice for many years has been SpinRite, so that’s where I started. I hooked the faulty drive up to one of my spare systems and let it go.
Unfortunately SpinRite hasn’t been updated in years – which is really sad, actually, as it’s a great tool when it works. Naturally it didn’t work for me in this case. Be it the BIOS on the machine, the SATA interface or the sheer size of the 1 terabyte drive, SpinRite would only go so far before crashing.
I Googled SpinRite alternatives, and while there aren’t any really, I came up with something close: MHDD. (As always and for any website, be careful to understand what is and is not an advertisement – advertisements are not related to the site itself, and can often be misleading.)
MHDD’s most basic difference from SpinRite is that when it finds a bad sector it “remaps” it – basically taking it out of use and replacing it with one of the spare sectors that hard disks have for exactly this purpose. Note, however, that it doesn’t attempt to recover the data in that bad sector. SpinRite will actually first work long and hard, if need be, to recover the data in that sector – often both recovering it and repairing it so that no remap is needed.
All seemed well, and I sent the machine home.
Later that day I got an email.
After getting back into the machine and poking around, it appeared that several of my friend’s pictures were somehow damaged.
What I found was not pretty.
The images weren’t images any more. Oh, they had the same names and the “.jpg” extension all right, it’s just that their contents didn’t look like jpg image data at all. In fact the contents looked more like random data. Almost as if the files had been … encrypted.
And then I found this:
Somehow, somewhere, this machine had become infected with the CryptoWall ransomware: software that encrypts all your important files, and then displays a ransom note instructing you how to pay to get the decryption key to get all your files back.
My friend had never seen that ransom note. That means either the encryption process hadn’t completed when he’d last turned off the machine, or the virus had attached itself to the machine while at the service center. Timestamps on the files would indicate that it arrived prior to the service center touching the machine.
- It appeared to be totally unrelated to the hard disk failure. (It’s possible that the encryption process caused the hard disk to stumble into a previously unused bad sector, but there was no real direct cause and effect at play here.)
- The hard disk recovery was a success, but the prognosis for this new situation was even worse.
BleepingComputer.com has a good page on CryptoWall, including common approaches to recovery. Unfortunately none of them could be used.
- Restore from a backup: There was no recent backup. Some files are available on a months-old backup, but that doesn’t help with recently created, updated (or encrypted) files. Naturally I’ll have more to say on this.
- File Recovery Software: The process of recovering the original drive to another drive invalidated anything that file recovery tools might use. (Though the original “failed” drive remains unaltered, and may be a last-resort at some point.)
- Shadow Volume Copies: The process of recovering the drive to another invalidated anything that file recovery tools might use. The original drive may have them, but the chances are slim since CryptoWall actually intentionally deletes them.
- Restore DropBox Folders: Dropbox wasn’t being used.
In short, and as of this writing, we are SOL: severely out of luck. The files that were encrypted remain encrypted with little-to-no chance of direct recovery.
Which leads to the moral of this story.
Avoid? No. Recover? What could have been…
Bad stuff happens. It just does. You simply cannot avoid it all the time.
Hard disks die – without notice and without warning. In fact they can die so quickly, so suddenly and so badly that all data stored on them can be instantly and irretrievably lost forever. Nothing malicious is required – they can just die. Stuff happens. Most failures aren’t instantaneous or irretrievable, but they can be.
And of course malware happens. It shouldn’t. In a perfect world, we’d never invite it in, and if we did, our perfect anti-malware tools would protect us 100% of the time. Neither the world, nor our computer, nor even ourselves are perfect. Stuff happens.
You can’t avoid it.
But you can prepare for it.
And this is what makes situations like my friend’s doubly frustrating. Here’s what could have been:
- Hard disk dies.
- Replace it and restore with the previous day’s image backup.
- Done. Get on with your life.
- Machine is infected and all files on it are encrypted and a ransom demanded.
- Restore the machine from the previous day’s backup.
- Done. Get on with your life.
(In the second case, there’s of course, another step: “don’t repeat whatever caused the infection”.)
THIS IS WHY I harp and harp and harp on backing up.
It hurts me to see data loss – particularly important data like irreplaceable family photos (as might well be the case here).
If there’s only one copy, it’s not backed up. If that’s true for anything you consider even the slightest bit important, start backing up, please.
I don’t really care how you do it or what tools you use (as long as they work, of course), just make sure that you’re doing it.2