Live USB Linux drives from Zombie-Process





Zombie-Process would like to take a moment out of the wacky t-shirt fun to bring our clientele a serious public service announcement about the recent rash of ransomware.


Ransomware has become a nasty problem lately. It quickly encrypts all document, PDF, and picture files on your hard drive (some of the more aggressive ones hit a wider range of file types; we'll address that later, in the IT professionals section below, where we talk about viable recovery options).

For now, you should be aware of three things:

1. If you're not backing up your files, YOU SHOULD BE.

Also, be sure your secondary backup is not connected directly to your computer at all times, or it could be encrypted as well. This goes for shared network resources and mapped network drives too.

Ideally your secondary backup should be either an offsite backup service, a drive you ONLY connect to the computer during the backup cycle (or you could rotate your permanently connected USB backup weekly), or a mapped network drive on a secure computer whose link/access is TERMINATED at the end of any backup script.

2. There (under most circumstances) IS NO WAY to decrypt the files without the attacker's key. They're encrypted with a key only the attacker holds, protected by 1024-bit RSA. If that means nothing to you, fine, but you should know that it equates to, in human terms, "uncrackable."

3. Even if you do pay the ransom, you MAY NOT get your files back. If your antivirus has half-removed the virus, it may have deleted the part that carries your victim ID, which is what the attacker uses to look up your unlock key in their database. Also, the attacker may have packed up shop and moved on.

How does this happen?

So we know this is VERY DANGEROUS and destructive. The best way to prevent hardship is not to catch the virus in the first place. Keep your antivirus up to date, don't click on ads or strange links, and DO NOT open zip files attached to e-mails claiming things like "you have a late invoice" or "you missed your FedEx package."

These mails look very convincing, but that is the intent.

Also, ads on the internet with taglines like "you won't BELIEVE what happens next!" or "The AMAZING thing a Wisconsin mom did!" are almost always a trap. We call these "click-bait."


Okay, so we know how to AVOID it, but nothing's 100% proof against everything, so let's start with what you should do as an end-user if you suspect ransomware on your computer.

Your first clue is that some of your files aren't opening properly. Your picture viewer will say something like the file "isn't in the right format," your documents will come up as gibberish, and some programs will ask you what "format" or "encoding" the file is in. This is a sign that the virus has encrypted those files.


STEP 1: TURN THE COMPUTER OFF.

Actually, I'm going to repeat that: TURN THE COMPUTER OFF.

These things eat through files AMAZINGLY quickly. The faster you turn off your computer, the less damage.

STEP 2: DO NOT turn your computer back on because you "just need one E-mail." The moments it takes to recover that E-mail could mean hundreds to thousands of files lost.


STEP 3: Take it to a competent IT person.

I will repeat from Step 1: Under NO circumstances should you turn the computer back on. The virus destroys files at an alarming rate, and a few moments = hundreds of files.


Let them know not to boot to the operating system. Tell them there's an encryption locker virus on it. Competent IT people can recover some of your data if you're VERY, VERY lucky. However, the probability is usually low.


Through trial and error, we've come up with the best way (relatively speaking) to deal with a ransomware-locked computer. Luckily, most of them are sort of a code-by-numbers kit, and a lot of the people releasing these are lazy in their programming, targeting only the most common, most valued file types (.jpg/jpeg, .gif, .doc/docx, .xls/xlsx, .bmp, .png, .tif... you get the idea) and leaving things like .QBW/.DBF/.PST/.MBX alone.

That makes recovery a little more simple, and hopefully a little more successful.

You'll need a Live Linux USB, an external USB hard drive with PLENTY of space, an active internet connection to get to the Linux repos (not necessary if USB Linux is preloaded with all the proper tools), and a recent copy of Testdisk/photorec.

STEP 1: Boot the computer into live Linux from a USB drive.

A CD works, sort of, but it's too slow and clunky here, and you'll want to install a few extra tools from the repos (or just grab our premade ones. Links at top where it says "Attention Geeks!").

Make sure that the computer's internal hard drive shows up and that Linux is reading the files. Mount it read-only: nothing on the live system should write to that volume, because the deleted originals you'll be carving for later are sitting in its free space. You won't have to worry about the virus spreading any further, as it won't run under Linux, and you can assess the damage more thoroughly.

Back up all the salvageable files and directories into a FOLDER on a USB hard drive.

Use this opportunity to grab files in the AppData and Program Files directories that your client will want, such as QuickBooks and other database files, PST files and folders, and any specialized data folders, files, and directories from proprietary software.


Make a raw image of the whole drive as well. This covers you if you miss something. You'll be formatting their hard drive anyway after you're done, so cloning it thoroughly at a raw-data level is advisable; better still, take the image BEFORE you start copying files off, and do the salvage work from a read-only mount or from the image itself.

This will ensure maximum recoverability. If you haven't been messing with dd lately, the command is (replace sdX with the victim disk as lsblk shows it, and write the image to the external drive, never to the victim disk):

sudo dd if=/dev/sdX of=/backupdrive/partition/image.RAW bs=4M conv=sync,noerror status=progress
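The live-USB steps above (identify the disk, mount it read-only, copy the salvageable directories, take the raw image, prove the image is good) as one script. This is an added example written for this page, not the site's own tooling; the device names and paths in the comments are assumptions, and the dd line is the one above with a progress counter and a hash sidecar added.

```shell
#!/bin/bash
# Live-USB triage helpers. Run as root on the live system (sudo -i first).
# Added example for this page, not the site's own script. The device and
# path names in the comments (/dev/sda, /dev/sda2, /media/backup) are
# assumptions: use whatever lsblk shows on the victim machine.
set -u

# Show every block device with size, filesystem and mount point so the
# internal disk can be told apart from the live USB and the backup drive.
list_disks() {
    lsblk -o NAME,SIZE,TYPE,FSTYPE,LABEL,MOUNTPOINT
}

# Mount the victim volume read-only. 'ro' keeps the live session from
# replaying the NTFS journal or touching free space, which is where the
# deleted originals PhotoRec will carve later still live.
mount_ro() {   # mount_ro /dev/sda2 /mnt/victim
    mkdir -p "$2"
    mount -o ro,noexec,nodev "$1" "$2"
}

# Copy a directory tree of salvageable files into a FOLDER on the backup
# drive. -a keeps timestamps; --ignore-errors carries on past files the
# NTFS driver cannot read instead of aborting the whole copy.
salvage_dir() {   # salvage_dir /mnt/victim/Users /media/backup/salvage/Users
    mkdir -p "$2"
    rsync -a --ignore-errors "$1/" "$2/"
}

# Raw image of the whole device (the page's dd line plus a progress
# counter and a hash sidecar). conv=noerror keeps going past unreadable
# sectors and conv=sync zero-fills the short block, so the image can be
# LARGER than the source: the final partial block is padded out to bs.
# A bad sector therefore costs a whole 4 MiB block; on a dying disk,
# GNU ddrescue (ddrescue -d -r3 /dev/sda image.RAW image.map) is the
# better tool because it retries and logs exactly what it could not read.
image_drive() {   # image_drive /dev/sda /media/backup/image.RAW
    dd if="$1" of="$2" bs=4M conv=sync,noerror status=progress
    sha256sum "$2" > "$2.sha256"     # later: sha256sum -c image.RAW.sha256
}

# Prove the image matches the source: hash the source and the first N
# bytes of the image, N being the source size, so the padding is ignored.
verify_image() {   # verify_image /dev/sda /media/backup/image.RAW
    local n
    if [ -b "$1" ]; then n=$(blockdev --getsize64 "$1"); else n=$(( $(wc -c < "$1") )); fi
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = \
      "$(head -c "$n" "$2" | sha256sum | cut -d' ' -f1)" ]
}
```

On the live system, as root: list_disks, then mount_ro /dev/sda2 /mnt/victim, salvage_dir /mnt/victim/Users /media/backup/salvage/Users, image_drive /dev/sda /media/backup/image.RAW, and finally verify_image with the same two arguments. The .sha256 sidecar is what you check months later, before trusting the kept image.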



Now that you have a backup, you can start trying to pull files off the damaged drive.

Interestingly enough, this virus USUALLY seems to generate the encrypted version of the file, delete the old file, and THEN copy the new file into its place. This is good news. It means that the original file still exists somewhere on the hard drive, albeit without its filename or any other metadata.

This is another good reason to turn the computer off immediately. The "blank" space doesn't get overwritten.

Install testdisk, and use the photorec option, telling it to scan the whole disk, regardless of partitions. PhotoRec will also take the .RAW image file as its input instead of the physical disk, which is the safer choice once you have the image.

For the filesystem type, always select "Other" (FAT/NTFS/HFS+/...), because in this case the partition is going to be NTFS, unless they had a flash drive plugged in that fell victim to the virus.

Point the restore directory to a FOLDER on your good, external USB hard drive and wait. (You may have to try several times and you don't want everything mixed in together.)

(Be sure to put Linux's desktop into presentation mode, or, failing that, turn off the sleep/hibernate feature, so the scan isn't interrupted.)



You are going to have a LOT of files recovered from PhotoRec.

Almost all of them are going to be the result of every banner ad, web image, Facebook game, software installer, news site logo, and internet image that the end user has ever looked at. That's okay, it means we're actually getting somewhere.

HOWEVER! If you want quick confirmation that you are actually recovering files, search all the PhotoRec results (usually lots and lots and lots and LOTS of directories, named recup_dir.1, recup_dir.2 and so on) for JPG files between 1 and 16 MB. Ad banners and site logos are tiny; files in that band are almost always real photos.

Windows has this feature built into the Explorer search bar, and it shouldn't be difficult. If you're using Linux the command is a tidge more complex, but then again, you're using Linux, so you'll be fine. ; )
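The Linux version of that search, as an added example that is not from the original page. It assumes PhotoRec's default recup_dir.N output folders; the size band is given in bytes so the boundaries are exact.

```shell
#!/bin/bash
# Sanity check on PhotoRec output: pull out the JPEGs in the "real photo"
# size band. PhotoRec writes its results into recup_dir.1, recup_dir.2, ...
# under the folder you pointed it at; banner ads and site logos are a few
# kilobytes, so 1 MB to 16 MB JPEGs are almost always the user's own pictures.
# Added example, not from the original page; the folder names are assumptions.
set -u

# find_photos DIR [MIN_BYTES] [MAX_BYTES] -> one path per line.
# Sizes use find's 'c' (bytes) suffix because its k/M units round UP to the
# next whole unit, which silently shifts the boundaries you asked for.
find_photos() {
    local dir=$1 min=${2:-1000000} max=${3:-16000000}
    find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \) \
        -size "+${min}c" -size "-${max}c"
}

# count_photos DIR -> number of matches, a quick "is this working?" gauge
count_photos() { find_photos "$@" | wc -l | tr -d ' '; }

# collect_photos SRC DEST -> copies the matches into one flat folder, with
# the recup_dir number prefixed so names from different runs cannot collide
collect_photos() {
    local src=$1 dest=$2 f
    mkdir -p "$dest"
    find_photos "$src" | while IFS= read -r f; do
        cp "$f" "$dest/$(basename "$(dirname "$f")")_$(basename "$f")"
    done
}
```

Run count_photos against the PhotoRec destination folder every few minutes while it's scanning; once the number starts climbing you know the carve is finding the originals, and collect_photos gives you one folder to flip through when it's done.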



Format the hard drive completely before reinstalling Windows. Your clients haven't been backing up until now, and there's no reason to kid yourself that they're going to start now. The LAST thing you want is for them to re-infect themselves with a pre-loaded copy of the virus.

INSTALL ANTIVIRUS AND UPDATE IT COMPLETELY before dumping the salvaged files back onto their computer. If you can't figure out why, then you don't need to be in the I.T. industry.

When restoring PST/MBX/mailbox files of any sort, make sure the antivirus has the mailbox scan tool present. Most likely your client got the virus from a fake E-mail with a .zip attachment. Don't let them re-infect themselves from the get-go.

Keep the .RAW file from their pre-formatted hard drive around for a while, just in case.

Give them ALL the files PhotoRec recovers. I've had clients that save little piddly ad images for reference, and I'd rather THEY make the call on what to DELETE, than ME make the call on what to salvage or not.


Okay, so if you're here, you've got hold of one of the nastier variants that doesn't limit itself to just personal document and image files. Now, PhotoRec has a LOT of file types it recovers, but some fall through the gaps. I've tried to add custom file info to it with varying degrees of success, but if you're REALLY in a pinch, you'll need to get a good hex editor and look up info on the file type you're after (headers, identifiers, etc.; I LOOOVE file types that store the actual filename in the file header. It's absolutely MARVELOUS.)

Once you've found any identifying quirks, just run a search (either on the damaged hard drive OR its RAW file) for any identifying bits or bobs of the file. With any luck, it's deleted but not overwritten, and corruption will be at a minimum.

I like HxD as a good, free, Windows-based hex editor, but any one will do, provided it has an ASCII
text raw search feature. Good luck!
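The same search done as a script instead of in a hex editor, as an added example that is not part of the original page: it finds every copy of a header byte string in the raw image and carves from each header to the next footer. The PDF signature used below is only a demonstration; the functions take any literal byte string, and a type that has no fixed footer would need a length read from its header instead.

```shell
#!/bin/bash
# The hex-editor method as a script: find every occurrence of a file type's
# header bytes in the raw image, then cut from each header to the next
# footer. Added example, not from the original page. The PDF header/footer
# pair is only a demonstration signature; any literal byte string works,
# e.g. $'\x89PNG' for PNG.
set -u
export LC_ALL=C     # byte semantics for grep, awk and ${#string}

# offsets IMAGE LITERAL -> 0-based byte offset of every match, one per line.
# -a treats the image as text, -F matches the bytes literally, -o prints only
# the match and -b prints the offset of that match rather than of its "line".
offsets() {
    grep -obaF -- "$2" "$1" | cut -d: -f1
}

# carve IMAGE HEADER FOOTER OUTDIR EXT -> writes OUTDIR/carved_<offset>.EXT
# for every header that has a footer after it (footer included) and prints
# the number of files carved. A header with no footer after it, such as a
# fragment at the very end of the disk, is reported and skipped rather than
# written out half-done.
carve() {
    local img=$1 hdr=$2 ftr=$3 out=$4 ext=$5 n=0 start end len foots
    mkdir -p "$out"
    foots=$(offsets "$img" "$ftr")
    for start in $(offsets "$img" "$hdr"); do
        end=$(printf '%s\n' "$foots" | awk -v s="$start" '$1 > s { print; exit }')
        if [ -z "$end" ]; then
            echo "header at $start has no footer; skipped" >&2
            continue
        fi
        len=$(( end - start + ${#ftr} ))
        tail -c +$(( start + 1 )) "$img" | head -c "$len" > "$out/carved_$start.$ext"
        n=$(( n + 1 ))
    done
    echo "$n"
}
```

Typical use against the image taken earlier: carve /backupdrive/partition/image.RAW '%PDF-' '%%EOF' /backupdrive/carved pdf. grep -o needs a whole "line" in memory, and a raw disk image has few newlines, so on a multi-hundred-gigabyte image expect it to be slow and memory-hungry; the hex editor's raw search is the fallback there.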



2010 Weber Consulting | D. Weber Enterprises | Site runs on Visual FoxPro