CERBER RANSOMWARE

BobArch2
5StarLounger
Posts: 1145
Joined: 25 Jan 2010, 22:25
Location: Pickering, Ontario, Canada

Re: CERBER RANSOMWARE

Post by BobArch2 »

jmt356 wrote:My backup was created with ShadowProtect. I am attempting to restore the files on that backup with ShadowProtect, but ShadowProtect mounts all of the files on a virtual drive and then I must copy and paste them from that virtual drive to my C drive. I am constantly getting errors because of the length of the file names and paths...
Sorry for the delay in responding to an old post...

ShadowProtect only loads backed-up files in a virtual drive if you load SP through the Windows environment. If you use the bootable Recovery Environment media, the backup files are available for a direct restore using the restore facility without doing a copy-n-paste, which should eliminate the long file name issue you encountered.
Regards,
Bob

jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: CERBER RANSOMWARE

Post by jmt356 »

Just to be clear, I am working with an external USB. Would it even have MBR written into it? I thought MBR was only on internal disks that carry operating systems.
Regards,

JMT

StuartR
Administrator
Posts: 11502
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: CERBER RANSOMWARE

Post by StuartR »

External USB sticks can be partitioned, and therefore they have an MBR. See https://en.wikipedia.org/wiki/Master_boot_record
StuartR
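
To check what the first sector of a drive actually holds, the MBR layout can be parsed directly. This is an added example, not part of the original posts; the sample sector and its partition values are constructed, and the function names are illustrative.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446   # four 16-byte partition entries start here
SIG_OFFSET = 510     # boot signature bytes 0x55 0xAA
TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
         0xEE: "GPT protective (disk uses GPT)"}

def parse_mbr(sector):
    """Return the used partition entries, or None if the boot signature is absent."""
    if len(sector) < SECTOR:
        raise ValueError("need the full first 512-byte sector")
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), first LBA, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPES.get(ptype, "other"),
                      "first_lba": lba, "size_bytes": count * SECTOR})
    return parts

def sample_sector():
    """Constructed sector: one NTFS-type partition starting at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x00, 0x07, 2048, 976769024)
    body = bytearray(SECTOR)
    body[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    body[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(body)

if __name__ == "__main__":
    for part in parse_mbr(sample_sector()):
        print(part)
```

The signature alone does not prove a partition table is present: a FAT or NTFS boot sector ends in the same two bytes, so check that the entries are plausible. Reading the first sector of a real drive requires administrator rights.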


jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: CERBER RANSOMWARE

Post by jmt356 »

Bob (Post=206687): I believe the SP recovery environment only allows the restoration of an entire disk image, not of individual files within that image. What I was trying to do was restore the files in My Documents without restoring the entire disk image (programs, etc.), since it was only the files in My Documents that were corrupted by Cerber Ransomware.

Stuart (Post=206786): Is it safe to assume that if the external drive is not partitioned, there will be no MBR?
Regards,

JMT

StuartR
Administrator
Posts: 11502
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: CERBER RANSOMWARE

Post by StuartR »

jmt356 wrote:Stuart (Post=206786): Is it safe to assume that if the external drive is not partitioned, there will be no MBR?
If the external drive has no partitions then it has no data. You need at least one formatted partition to store data on the drive.
StuartR


jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: CERBER RANSOMWARE

Post by jmt356 »

To my knowledge there are no partitions on the external hard drive (no partitions show up when exploring the drive in File Explorer), yet I am able to store data on it.
Regards,

JMT

HansV
Administrator
Posts: 72002
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: CERBER RANSOMWARE

Post by HansV »

If there is data on the drive, it has a partition.
Regards,
Hans

StuartR
Administrator
Posts: 11502
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: CERBER RANSOMWARE

Post by StuartR »

jmt356 wrote:To my knowledge there are no partitions on the external hard drive (no partitions show up when exploring the drive in File Explorer), yet I am able to store data on it.
The thing that File Explorer displays, that has a drive letter and contains your files and folders, is called a partition.
StuartR


jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: Overcoming file length issue when restoring my files

Post by jmt356 »

jmt356 wrote:Bob (Post=206687): I believe the SP recovery environment only allows the restoration of an entire disk image, not of individual files within that image. What I was trying to do was restore the files in My Documents without restoring the entire disk image (programs, etc.), since it was only the files in My Documents that were corrupted by Cerber Ransomware.
Is it possible to restore the files in My Documents using SP's virtual environment without performing a complete restoration of the SP disk image?

If so, will restoring through the SP virtual environment overcome the file length issue I am getting when I try to copy and paste the files when mounting the SP backup within Windows?
Regards,

JMT

BobArch2
5StarLounger
Posts: 1145
Joined: 25 Jan 2010, 22:25
Location: Pickering, Ontario, Canada

Re: Overcoming file length issue when restoring my files

Post by BobArch2 »

jmt356 wrote:
jmt356 wrote:Bob (Post=206687): I believe the SP recovery environment only allows the restoration of an entire disk image, not of individual files within that image. What I was trying to do was restore the files in My Documents without restoring the entire disk image (programs, etc.), since it was only the files in My Documents that were corrupted by Cerber Ransomware.
Is it possible to restore the files in My Documents using SP's virtual environment without performing a complete restoration of the SP disk image?

If so, will restoring through the SP virtual environment overcome the file length issue I am getting when I try to copy and paste the files when mounting the SP backup within Windows?
I did not try the restore via the bootable SPX Recovery Environment DVD, but will do so later today or tomorrow. What I did try was restoring files from the virtual drive created through the Windows environment.

Background:

My User folder with all the sub-folders is stored on a secondary hard drive (F:), not my system drive (C:). The User folder does not contain all my personal files. Those are stored in a different area in my system. But the User folder does contain lots of information.

Steps taken:
I mounted drive F: contained on the SPX backup image as virtual drive K: via SPX in the Windows environment.
I opened up the virtual drive K: and right clicked on the USER folder and used the COPY command to copy the entire contents to a spare SSD drive J: Everything copied without any issues.
I have no way of knowing what the maximum file length was of the 491 files in 494 folders without examining all items, but there are several levels in many folders.

Then tried restoring virtual drive K: to my spare SSD drive J: using the restore function in SPX. That led to a problem. Not a problem with SPX but related to disk sizes. The source drive (K: (aka F:)) is a 439GB partition while the target SSD drive is only 111GB. The action messed up the SSD drive and needed a reformat. But, as stated, it is a spare drive in my system :grin:

I will try booting into the Recovery Environment later to see what is possible.
Regards,
Bob

BobArch2
5StarLounger
Posts: 1145
Joined: 25 Jan 2010, 22:25
Location: Pickering, Ontario, Canada

Re: Overcoming file length issue when restoring my files

Post by BobArch2 »

jmt356 wrote:
jmt356 wrote:Bob (Post=206687): I believe the SP recovery environment only allows the restoration of an entire disk image, not of individual files within that image. What I was trying to do was restore the files in My Documents without restoring the entire disk image (programs, etc.), since it was only the files in My Documents that were corrupted by Cerber Ransomware.
Just tried booting into the SPX Recovery Environment (RE).

The "Restore" function deals with the whole volume only. It does not allow selective file recovery.

However, there is an "Explore Backup" feature in the RE which does allow selecting files and then using the COPY process, just like using the virtual drive facility in the Windows SPX environment. Comparing the two facilities, "Explore Backup" (in the RE) vs. using the virtual file in Windows, I would use the virtual approach. Less cumbersome.
Regards,
Bob

jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: CERBER RANSOMWARE

Post by jmt356 »

Bob: Will copying through the Explore Backup function within the RE overcome the file length issue?
Regards,

JMT

BobArch2
5StarLounger
Posts: 1145
Joined: 25 Jan 2010, 22:25
Location: Pickering, Ontario, Canada

Re: CERBER RANSOMWARE

Post by BobArch2 »

jmt356 wrote:Bob: Will copying through the Explore Backup function within the RE overcome the file length issue?
Since the RE bootable CD/DVD is a version of WinPE I would suggest that the length issue will be the same. The maximum length is based on all characters contained in the full path including the drive letter, nulls, folder name lengths and file name lengths.

What puzzles me is that I believe you have used the virtual environment in the past employing the copy-n-paste process without any issues. The problem seems to have surfaced when your system became infected. So perhaps additional characters have been added to the overall length size and that is causing the copy issues.

I have examined the length sizes of my test and have not found any that come close to the limit. Limits appear to be in the range of 255-260 bytes, based on what I found researching length limits.
Regards,
Bob

jmt356
SilverLounger
Posts: 2184
Joined: 28 Mar 2010, 01:49

Re: CERBER RANSOMWARE

Post by jmt356 »

Bob, I never used the virtual environment to copy and paste. I only used it to restore a full disk image. I employed copying and pasting when using SP from within Windows.

I have files whose length exceeds 205 when adding the folder names. I organize my items through folders and subfolders that can go several layers deep.
Regards,

JMT

BobArch2
5StarLounger
Posts: 1145
Joined: 25 Jan 2010, 22:25
Location: Pickering, Ontario, Canada

Re: CERBER RANSOMWARE

Post by BobArch2 »

jmt356 wrote:Bob, I never used the virtual environment to copy and paste. I only used it to restore a full disk image. I employed copying and pasting when using SP from within Windows.

I have files whose length exceeds 205 when adding the folder names. I organize my items through folders and subfolders that can go several layers deep.
I did use the term "virtual environment" in the message you are responding to, while the term should have been "virtual drive" as mentioned by both you and me in previous posts. As we both agree, when running SP or SPX in the Windows environment the mounting of the backup file is assigned a drive letter and is not a physical drive but thought of as a virtual drive.

Is it possible to identify which file(s) is/are giving the length problem? Then examining the overall length with all the characters associated with drive letter, folder name, sub-folder names, file name etc. might provide a more definitive answer and possible solution.
Regards,
Bob
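
One way to identify the files in question is to compute, for every file in the mounted backup, how long its full path would be once copied under the destination folder. This is an added example, not part of the original posts; the 260-character figure is the classic Windows MAX_PATH value (counted with the terminating null), and the destination folder and sample paths are constructed.

```python
import os

MAX_PATH = 260  # classic Windows limit; counts "C:\", separators and the final null

def restored_length(rel_path, dest_root):
    """Characters the full path needs once the file is copied under dest_root."""
    parts = [p for p in rel_path.replace("/", "\\").split("\\") if p]
    full = dest_root.rstrip("\\") + "\\" + "\\".join(parts)
    return len(full) + 1  # +1 for the terminating null

def walk_relative(src_root):
    """Yield every file under src_root (e.g. the mounted backup drive) as a relative path."""
    for folder, _dirs, files in os.walk(src_root):
        for name in files:
            yield os.path.relpath(os.path.join(folder, name), src_root)

def find_long_paths(rel_paths, dest_root, limit=MAX_PATH):
    """Return (length, relative path) for files that would exceed the limit, longest first."""
    hits = [(restored_length(r, dest_root), r) for r in rel_paths]
    return sorted((h for h in hits if h[0] > limit), reverse=True)

# Constructed sample: one short path and one nested six folders deep.
SAMPLE = [
    "My Documents\\taxes\\2016.xlsx",
    "My Documents\\" + "\\".join(["Project archive and correspondence"] * 6)
    + "\\final report.docx",
]

if __name__ == "__main__":
    # The same file fits at the root of the virtual drive but not under a deeper target.
    print(find_long_paths(SAMPLE, "K:"))
    print(find_long_paths(SAMPLE, "C:\\Users\\JMT\\Documents"))
```

For a real check, pass `walk_relative("K:\\")` instead of `SAMPLE`. The result depends on the destination, so a file that sits within the limit on the mounted drive can exceed it once copied into a deeper folder.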

stuck
UraniumLounger
Posts: 6657
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: CERBER RANSOMWARE

Post by stuck »

Is it too late to chip in with this link as a possible way of breaking the encryption:
https://success.trendmicro.com/solution ... -decryptor

Ken

HansV
Administrator
Posts: 72002
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: CERBER RANSOMWARE

Post by HansV »

Thanks, Ken! The page does mention CERBER, so hopefully JMT can use it.
Regards,
Hans

viking33
PlatinumLounger
Posts: 5683
Joined: 24 Jan 2010, 19:16
Location: Cape Cod, Massachusetts,USA

Re: CERBER RANSOMWARE

Post by viking33 »

I've only been casually following this thread because I don't use SR but the latest post mentions Trend Micro ransomware decryption. Is that only for TM customers or is it a standalone program that anyone can use?
BOB
:massachusetts: :usa:
______________________________________

If I agreed with you we'd both be wrong.

HansV
Administrator
Posts: 72002
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: CERBER RANSOMWARE

Post by HansV »

I haven't tested it, but I get the impression that it's freeware.
Regards,
Hans

stuck
UraniumLounger
Posts: 6657
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: CERBER RANSOMWARE

Post by stuck »

See this post for details on where I got the link.

Ken