WannaCry: File carving can reverse ransomware encryption, says McAfee

Over 200,000 computers across the globe were infected by WannaCry ransomware, but now Raj Samani, chief scientist at McAfee, believes he and his team have found a way to recover data from files encrypted by the ransomware.

In an article for SC Magazine UK, Samani, Christiaan Beek and Charles McFarland detail an experimental recovery method known as ‘file carving’. The advice is “provided as is”, warn the researchers, who “accept no responsibility if things don’t go as expected”.

But if your files are encrypted and you don’t have a backup, you don’t have much to lose by giving it a go.

What’s file carving?

File carving is the process of extracting a collection of data from a larger data set. It “deals with the raw data on the media and doesn’t use the file system structure during its process,” the researchers explain. The reason it can be helpful is down to the way that WannaCry encrypts files.

The group ran an isolated test of WannaCry to monitor how it does this, and they noticed that on certain operating systems the original file was still present next to the encrypted file, before later being removed. They then ran a recovery tool, PhotoRec, and soon “discovered [they] were able to recover [the] ‘original’ files from the disk’s free-space”.

PhotoRec can recover a vast number of file formats, and when you run it, you can select which file types to hunt for.

“In our testing we have had some cases where the recovery did an almost full recovery and others in which it was near zero,” the researchers wrote. However, “the number of variables are too exhaustive to list”.
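The signature-based carving idea described above, as an added example that is not from the McAfee article and is not PhotoRec's own algorithm: it scans a raw byte buffer for well-known PNG and JPEG magic numbers without consulting any file system, and flags a header whose tail has been overwritten. The sample buffer, the `MAX_SIZE` cap and the function names are constructed for illustration.

```python
"""Header/footer file carving over raw bytes (no file system metadata used)."""

# Well-known magic numbers: (header, footer) per format.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 16 * 1024 * 1024  # assumed cap so a lost footer cannot swallow the disk


def carve(raw: bytes, max_size: int = MAX_SIZE):
    """Return (recovered, damaged): lists of (ext, offset, data) and (ext, offset)."""
    recovered, damaged = [], []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header survived but the tail was overwritten or fragmented.
                damaged.append((ext, start))
                pos = start + len(header)
            else:
                end += len(footer)
                recovered.append((ext, start, raw[start:end]))
                pos = end
    return sorted(recovered, key=lambda r: r[1]), sorted(damaged, key=lambda d: d[1])


def build_sample_image() -> bytes:
    """Constructed 'free space': one intact PNG, one JPEG whose tail was overwritten."""
    png = b"\x89PNG\r\n\x1a\n" + b"<png chunks>" + b"IEND\xaeB`\x82"
    jpg_head = b"\xff\xd8\xff\xe0" + b"<jpeg data cut off here"
    return b"\x00" * 512 + png + b"\xaa" * 300 + jpg_head + b"\x00" * 512


if __name__ == "__main__":
    ok, bad = carve(build_sample_image())
    for ext, off, data in ok:
        print(f"recovered {ext} at offset {off}: {len(data)} bytes")
    for ext, off in bad:
        print(f"{ext} header at offset {off} but no footer: unrecoverable here")
```

On a real system, carving should be run against a read-only image of the disk rather than the live volume, since any new write can overwrite the free space that still holds the original files.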

Learn more about ransomware

IT Governance has been discussing ransomware and covering news stories of attacks for some time now, but outbreaks are becoming more frequent and more severe – reaching new heights with WannaCry. In response, we’ve created a dedicated ransomware information page on our website.

Containing advice and a series of resources, the page explains what ransomware is, how it works, what happens when your system is infected and what you can do to defend your organisation. It also gives you information on and links to IT Governance services that can help you protect your organisation from attacks.
