-1

It is my understanding that SSDs do not allow the user to overwrite any specific file completely (wear-leveling). So in the case of a ransomware attack such as CryptoLocker, doesn't that mean there is still, always, an unencrypted copy of the file on the disk? If so, can it be recovered without $100K equipment? Thanks.

Mr. Engineer

  • *"doesn't that mean there is still, __always__, an unencrypted copy of file on the disk"* - There is a huge difference between "cannot overwrite specific data" and "no data get overwritten at all". The first simply means that the user has no control if and which data get overwritten. – Steffen Ullrich May 10 '21 at 14:59
  • If your logic were to hold, then you have unlocked the secret to unlimited storage... You cannot make the leap in logic from "file remnants might still exist" to "I've just discovered that ransomware might not actually be a problem at all!" – schroeder May 10 '21 at 15:23
  • Agreed, but it should be noted that sensitive information encrypted by ransomware is usually less than a few percent of total consumed disk space, so the probability of an unencrypted copy existing is very high, given that SSD makes multiple copies, not just one. – Mr. Engineer May 10 '21 at 15:29
  • There is a risk of **fragments** remaining. If the fragment happens to be the *nuclear codes*, that's a problem. If the fragment is 20 lines of the 10 thousand lines of code that controls your oil pipeline, that's not going to help you. – user10216038 May 10 '21 at 15:41
  • So, you are changing your question from "files" to "sensitive data"? That's an important distinction. And you are still making the assumption that the particular sensitive data you care about exists in a fragment somewhere? And still comfortable with the word "always" in your question? I think you have just reduced your question to: "could data I care about exist on an SSD in fragments even if the files are encrypted by ransomware?" And the answer would be "yes, but it depends". But I'm guessing you know that. – schroeder May 10 '21 at 15:57
  • If we have, say, 100MB of data we care about on our SSD, wouldn't the chance of that specific data being completely overwritten be pretty low? I have heard that SSDs make multiple copies, so in case of a ransomware attack the chances of at least one copy remaining are very high. But I'm not sure if these copies can be (easily) recovered, thus the question. – Mr. Engineer May 10 '21 at 16:36
  • SSDs making multiple copies - no. There may be fragments of data that are in more than one place, but no guarantees. The chance of being able to retrieve the data you want is actually very low - it's not indexed any more. It is unlikely to be contiguous, etc. – Rory Alsop May 10 '21 at 17:33
  • @Rory Alsop Thanks for sharing your knowledge, maybe open more on this subject? – Mr. Engineer May 10 '21 at 18:31

1 Answer

1

When your operating system attempts to write to a sector on an SSD, the "real" (physical) sector that the data is written to may vary due to wear leveling. Even if the OS tries to write to that same sector again, the physical sector that is written to might be different, leaving the original data intact.

Ransomware typically encrypts a lot of data, so the chance that all of the physical sectors containing the original data are not overwritten is quite low. Most likely, a lot of your data has been overwritten. You might be able to get snippets of the original data if you go to some rather extreme measures, but it will be extremely hard to reassemble it, and much of it will be missing. If you're lucky...

If you are unlucky, then the ransomware created a new file and deleted the old one (rather than overwriting it), in which case the OS might have sent the TRIM command to the SSD, which causes the now-unused physical sectors (actually, flash pages) to be electrically zeroed. If that's the case, then recovering the data will easily exceed $100,000.

forest
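A toy model of the two outcomes forest's answer describes, added here as an illustration (it is not code from the answer, and it is not how any real SSD firmware is written): wear leveling sends every write to a fresh flash page and leaves the old page stale until garbage collection reclaims it, while TRIM erases a deleted file's pages straight away. The page counts, the `PLAINTEXT`/`ENCRYPTED` markers and the `simulate` helper are constructed assumptions.

```python
from typing import Dict, List, Optional

class ToyFTL:
    def __init__(self, n_pages: int) -> None:
        self.pages: List[Optional[bytes]] = [None] * n_pages  # raw flash
        self.l2p: Dict[int, int] = {}                # logical -> physical
        self.free: List[int] = list(range(n_pages))  # erased pages

    def write(self, lba: int, data: bytes) -> None:
        # Wear leveling: the write takes a fresh page; the page the sector
        # used to map to is merely left stale, its contents untouched.
        if not self.free:
            self._reclaim_stale()
        if not self.free:
            raise RuntimeError("flash full and nothing stale to reclaim")
        phys = self.free.pop(0)
        self.pages[phys] = data
        self.l2p[lba] = phys

    def _reclaim_stale(self) -> None:
        # Garbage collection: erase pages no logical sector points at.
        live = set(self.l2p.values())
        for phys, content in enumerate(self.pages):
            if content is not None and phys not in live:
                self.pages[phys] = None
                self.free.append(phys)

    def trim(self, lba: int) -> None:
        # OS TRIM: the sector is unused, so its page is erased at once.
        phys = self.l2p.pop(lba, None)
        if phys is not None:
            self.pages[phys] = None
            self.free.append(phys)

    def raw_scan(self, marker: bytes) -> int:
        # What a chip-off read of the raw flash finds, mapped or not.
        return sum(1 for p in self.pages if p is not None and marker in p)

def simulate(n_pages: int, n_files: int, in_place: bool) -> int:
    # Lay down n_files one-page plaintext files, then "encrypt" them either
    # by overwriting in place or by writing a new copy and TRIMming the old.
    ftl = ToyFTL(n_pages)
    for lba in range(n_files):  # constructed plaintext, one page each
        ftl.write(lba, b"PLAINTEXT-%d" % lba)
    for lba in range(n_files):
        ftl.write(lba if in_place else n_files + lba, b"ENCRYPTED")
    if not in_place:
        for lba in range(n_files):
            ftl.trim(lba)
    return ftl.raw_scan(b"PLAINTEXT")  # plaintext pages still on the chip
```

With twelve pages, encrypting 2 files in place leaves both plaintext pages visible to a raw read, encrypting 8 in place leaves only 4 once garbage collection has run, and the create-new-then-TRIM path leaves none.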