Wannacry File Restorer is a PoC that recovers files left in the middle of the Wannacry malware encryption process on a computer.
When cyberattacks occur in large organizations, it is crucial to remember where copies of files are stored, as this information can also be hit by malware or, more importantly in this case, by ransomware. Best practice is to first track down where the information is located and then start the data clean-up, both for Wannacry and for future incidents:
- Files that are not encrypted were left untouched because the malware did not have time to reach them. There are ways to partially recover files affected by Wannacry, which will be shown throughout the course of this article.
- It is important to always have backups and security copies that are available offline.
- Information on shared drives and cloud drives.
- Information from Office365 email and data drives.
- Information from removable devices, e.g. pen drives.
- Temporary Office files (Word, Excel, PowerPoint). If a document was open when the infection took place, a temporary file will also have been generated. These files are not on Wannacry's radar, so they will not be encrypted. Once the system has been cleaned up, the temporary files generated at the time of infection can be restored, which recovers the Office files to the point they were at when Wannacry started.