
McAfee researchers test WannaCry recovery method

Although there is evidence that some victims of the WannaCry ransomware attack on 12 May have paid the attackers, there is no evidence that they are getting their data back

In response to the apparent failure of those behind the WannaCry ransomware to deliver decryption keys to victims who elect to pay the ransom, McAfee researchers have tested a potential recovery method.

Led by Raj Samani, chief scientist at McAfee and McAfee Fellow, researchers have developed an experimental recovery method that could be used to recover files – albeit with mixed results.

McAfee researchers used a file recovery method called “file carving” to recover WannaCry encrypted data. During testing, some cases led to an almost full recovery, while others were less effective.

The method offers an option for victims to try to regain their data, but Samani and researchers Christiaan Beek and Charles McFarland said they accept no responsibility if things do not go as expected.  

“In our testing, we have had some cases where the recovery did an almost full recovery and others in which it was near zero,” they said. “The number of variables are too exhaustive to list, but if a backup isn’t going to work, it’s a much better option than saying goodbye to your data.”

At the heart of the experimental recovery method is a technique known as “file carving” or simply carving, which is the process of extracting a collection of data from a larger dataset.

Data carving techniques often occur during a digital investigation when the unallocated file system space is analysed to extract files. The files are “carved” from the unallocated space using file type-specific header and footer values, the researchers said.

However, they emphasised there is a big difference between file recovery techniques and carving.

Whereas file recovery techniques make use of the file system information that remains after deletion of a file, carving deals with the raw data on the media and does not use the file system structure during its process.
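To make the carving idea concrete, here is an added example (not McAfee's method or PhotoRec's code) of a minimal header/footer carver run over a constructed byte string that stands in for unallocated disk space; the JPEG and PNG magic values are real, everything else (the sample image, the output directory) is assumed for illustration.

```python
"""Minimal header/footer file carver: scans raw bytes for known file
signatures and ignores file system metadata, as carving tools do."""
from pathlib import Path

# Real magic values: (header, footer) per file type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 1 << 20):
    """Return a list of (type, offset, data) for every header that is
    followed by its footer within max_size bytes. A header whose footer
    was never found (file tail overwritten) is skipped, not guessed."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # no footer: move past this header
                continue
            end += len(foot)
            found.append((ftype, start, image[start:end]))
            pos = end                    # do not re-scan inside a carved file
    return sorted(found, key=lambda f: f[1])

def build_sample_image() -> bytes:
    """Constructed 'free space': zero filler, one intact JPEG-like file,
    one PNG-like file, and one JPEG whose footer has been overwritten."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    jpg_truncated = b"\xff\xd8\xff\xe1" + b"T" * 20
    return filler + jpg + filler + png + filler + jpg_truncated + filler

def write_carved(files, outdir: Path) -> int:
    """Write each carved file as <offset>.<type> into outdir (assumed
    to be a location the malware leaves alone); returns the count."""
    outdir.mkdir(parents=True, exist_ok=True)
    for ftype, offset, data in files:
        (outdir / f"{offset}.{ftype}").write_bytes(data)
    return len(files)

if __name__ == "__main__":
    recovered = carve(build_sample_image())
    print(write_carved(recovered, Path("carved_out")), "file(s) carved")
```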


Investigating the WannaCry code, the research team noticed that once the encrypted file has been written, the original file is overwritten and FlushBuffersFile is invoked.

While monitoring the ransomware as it encrypted, the researchers observed that on certain operating systems the original file still existed alongside the encrypted file, and was only removed later.

For the tests, the researchers used a 32-bit computer running Windows 7. They then used the recovery tool PhotoRec executing from a USB stick with write protection to hunt the free space of the disk for the original files.

The researchers warn that when a USB stick is connected, the ransomware could still be active and will search for and encrypt the file extensions it supports, which is why they used a write-protected USB stick.

Using an area the ransomware treats as “whitelisted”, the researchers created the directory C:\Windows\Dump for storing recovered files.

After selecting the appropriate file type for the test files, the researchers said it took only a few minutes to establish that they were able to recover the “original” files from the disk’s free space.

They re-emphasised that anyone using carving tools such as PhotoRec should be aware of the risks such techniques might involve and they do so at their own risk.

The researchers discovered that by creating a folder called “Windows” on the USB stick and pointing PhotoRec to this folder as the recovery dump, the ransomware did not touch that folder because the $Drive\Windows folder is whitelisted by it.

Unable to verify every system

The researchers said they were unable to verify every operating system affected by the MS17-110 update. In some cases, they said, the Volume Shadow Copies were not deleted. As a result, they were able to carve the original files out of them.

One of the reasons the shadow copies were not deleted, they said, was that they did not run ‘@[email protected]’ with user account control (UAC) rights, a finding they said was also observed by EU cyber agency Enisa.

If the volume shadow copies are still present on the system, files could be recovered from them, they said. This can be verified by opening a command prompt (as administrator) and typing the command: vssadmin list shadows. This lists the shadow copies available.

Once the ransomware is removed from the system, the researchers said an organisation could restore from these copies or use third-party tooling to browse the shadow-copy files and retrieve individual files from them.

Because they had mixed results with different platforms, the researchers said organisations could at least try to recover the files if no backup is available. 

Although the impact of this ransomware was at an unprecedented scale, the researchers said they are encouraged by the lack of payments made to the criminals.  

“While we will do everything we can to combat ransomware, we cannot do this alone and need each of you to follow the prevention advice in No More Ransom, but also let the criminals know that we will not pay,” the researchers said.

No More Ransom is an online portal aimed at helping victims of ransomware to recover their data and at informing the public about the dangers of ransomware. It was started as a joint initiative by McAfee (formerly Intel Security), the Dutch National Police, Europol and Kaspersky Lab.
