adrgs/nelasod-recover

NelasodRecover

Recover files encrypted by Nelasod with plaintext/ciphertext pairs

Go to release to download the compiled binary.

Made with Windows Forms C#


Made this tool while investigating an external HDD that was encrypted with Nelasod, without having the malware to analyze. What I found was that the virus produces a unique keystream for each file based on the first 5 bytes, and then XORs this keystream with the original file (leaving the first 5 bytes intact).

This means that we can recover all the files that start with the same 5 bytes if we have just one original file of that type and its encrypted counterpart.

Useful for binary file types that have a fixed header; not so much for .txt files.
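As an added illustration of the recovery step described above (Python, not the project's own C# code): derive the keystream from one known plaintext/ciphertext pair and apply it to another file with the same 5-byte header. The malware's real key derivation is unknown here, so `_toy_encrypt` is a constructed stand-in that only reproduces the header-dependent XOR behaviour; the sample "files" are constructed too.

```python
import hashlib

HEADER_LEN = 5  # bytes the malware leaves intact and derives the keystream from


def derive_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Keystream from a known pair: plaintext XOR ciphertext, after the header."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    if plain[:HEADER_LEN] != cipher[:HEADER_LEN]:
        raise ValueError("first %d bytes differ; not a matching pair" % HEADER_LEN)
    return bytes(p ^ c for p, c in zip(plain[HEADER_LEN:], cipher[HEADER_LEN:]))


def recover(cipher: bytes, keystream: bytes, header: bytes) -> bytes:
    """Decrypt another file with the same header. Bytes beyond the known
    keystream cannot be recovered from this pair and are left as they are."""
    if cipher[:HEADER_LEN] != header:
        raise ValueError("header mismatch; this keystream does not apply")
    body = cipher[HEADER_LEN:]
    n = min(len(body), len(keystream))
    return header + bytes(c ^ k for c, k in zip(body[:n], keystream[:n])) + body[n:]


def _toy_encrypt(plain: bytes) -> bytes:
    """Constructed stand-in for the malware (real derivation unknown here):
    the keystream depends only on the 5-byte header, as the README describes."""
    header, body = plain[:HEADER_LEN], plain[HEADER_LEN:]
    ks, ctr = b"", 0
    while len(ks) < len(body):
        ks += hashlib.sha256(header + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return header + bytes(p ^ k for p, k in zip(body, ks))


# Constructed sample "files" sharing the first 5 bytes of the PNG signature.
PNG5 = b"\x89PNG\r"
KNOWN_PLAIN = PNG5 + b"\n\x1a\n" + b"known image body " * 4
OTHER_PLAIN = PNG5 + b"\n\x1a\n" + b"second image "  # shorter than the known sample


def demo() -> bytes:
    """Recover OTHER_PLAIN from its ciphertext using only the known pair."""
    keystream = derive_keystream(KNOWN_PLAIN, _toy_encrypt(KNOWN_PLAIN))
    return recover(_toy_encrypt(OTHER_PLAIN), keystream, PNG5)


if __name__ == "__main__":
    print(demo() == OTHER_PLAIN)  # True
```

The known sample bounds what can be recovered: a longer encrypted file is decrypted only up to the length of the known plaintext, so pick the largest clean file of that type you can find.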