1

As I saw that WannaCry encrypts files and then removes them, I thought it would be possible to recover some of the original files by file system recovery using a bootable OS.

Is it possible to use a bootable recovery OS to recover WannaCry-encrypted files?

Anders
M at
  • This is a Q&A site. Half of this post is a request to do some work for you. What's remaining is a question: "is it possible" the answer is "it depends", on a lot of factors. – techraf May 25 '17 at 00:50
  • @techraf If you are sure about the dependencies I would be glad to give you the right answer. But please consider the real behavior of WannaCry, not just guessing. – M at May 25 '17 at 01:04
  • No, I think you misread my comment. I did not try to answer, I explained why I think this question should be closed. Which I already voted for. – techraf May 25 '17 at 01:05
  • @techraf As there is no documentation for viruses, you can't be sure of the behavior without testing it. As you can see in the answer below, I wanted to be sure if the idea works or not. What else can I do? – M at May 25 '17 at 01:08

2 Answers

2

The short answer is no. There was some analysis of ransomware back then. Ransomware does indeed think ahead of undelete tools.

Perhaps you are mistaking it for a system run under a virtual machine (e.g. VM snapshot); an intrusion monitoring system (which also takes snapshots of the machine state or files from time to time, like Tripwire or OSSEC); a version control system, etc.

mootmoot
  • Just read about File History and the video linked in my answer. I saw lots of viruses that won't overwrite the original files and just remove them. But this thing is more advanced. – M at May 26 '17 at 17:34
1

As tested here:

  • WannaCry overwrites your data.
  • You cannot use recovery applications.

No matter if you have lots of free storage.

File History probably won't work either.

peterh
M at