dactil

Files on backup don't look encrypted but cannot open after ransomware

Recommended Posts

Greetings, we where attacked recently by devos ransomware, the files got encrypted and I know is difficult to decrypt, the curious thing thoug is we had file backups on external disks, the disks cannot be read but I have passed a recovery software on them and the files look like are there, everything intact. I recovered the files easly like there was no damage and the size look good, but when I try to open any file it says not compatible, or if I try an office file asks for selecting codification and strange characters appear, any clues?

Thanks.

Share this post


Link to post
Share on other sites
On 4/12/2020 at 6:49 AM, dactil said:

the size look good, but when I try to open any file it says not compatible, or if I try an office file asks for selecting codification and strange characters appear, any clues?

This means that the files are damaged and the embedded system MS Office cannot recognize the encoding and language. 

Share this post


Link to post
Share on other sites

The .devos extension usually indicates the Phobos ransomware, and I'm pretty certain that Phobos either securely erases original copies of files after encryption or it merely overwrites the files as it encrypts them, thus destroying the original data on the disk. Unfortunately it's rare for file recovery software to be able to recover files that have been encrypted by ransomware.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.