0

I was watching this DefCon talk about Solid State Drives (SSDs) destroying forensic and data recovery jobs. It was interesting to note that the speaker did acknowledge that it is unknown how long deleted files will remain recoverable for.

I have read several academic papers which state it is unknown how long a deleted file is recoverable for on an SSD due to wear-leveling, and that secure erasure of individual files was impossible. Some SSDs do have features to shred them; however, this would wipe all of the contents and is irrelevant to cryptolocker-ransomware malware.

I was curious how cryptolocker-ransomware being spread in the wild addresses this problem, as it appears simply jumping ship from HDD to SSD would drastically increase the chances of file recovery?

user5623335
  • Drastically increase the chance of any one file being recovered, maybe. But we're talking about a large volume of files being affected ... – schroeder Aug 23 '22 at 14:18
  • Instead of hoping that the SSD contains an old copy of the file, you could create a backup on separate media. This actually defeats ransomware since you can restore any lost files from the backup. It is also physically impossible for the original files to remain on the SSD unless it is <50% full. – amon Aug 24 '22 at 07:10
  • @amon I was making an assumption that no backups were available for whatever reason. I also partially disagree, I have seen people use mobile phone free space erasers which use a cryptographically secure and high entropy junk file which keeps on increasing in size until all (or almost all) flash storage is full, yet absolutely every file is recoverable! – user5623335 Sep 06 '22 at 17:14

1 Answer

2

Can Ransomware impact SSD drives?

Yes, absolutely. You have to differentiate between "a file may be difficult to fully erase, to the point where no traces of the original file are recoverable" and "it's impossible to lose data stored on an SSD".

If it were possible to simply recover every file that has ever been written to an SSD, then that would mean SSDs could store magnitudes more data than their full capacity. This isn't the case.

How does ransomware address this?

They don't. Say you are an average person with no special computer knowledge and your PC is infected by ransomware. That means all your music, documents, photos, etc. are now gone unless you pay.

Even if we presume that there was a trivial way to recover 50% of the data (there isn't), that would leave that person with half their data missing. So there is a large chance they will pay if they don't have a backup.

In reality, chances of recovery of data from wear levelling sectors may be quite high, but the amount of data will be very limited.

  • I was making an assumption that no backups were available for whatever reason. I also partially disagree, I have seen people use mobile phone free space erasers which use a cryptographically secure and high entropy junk file which keeps on increasing in size until all (or almost all) flash storage is full, yet absolutely every file is recoverable! – user5623335 Sep 06 '22 at 17:15
  • @user5623335 I'll press X to doubt on that until I see a PoC. – The one who tests Sep 07 '22 at 02:10
  • Here is a source, if you Google I am sure you can find more people saying the exact same thing. It is very strange... https://forum.xda-developers.com/t/secure-wipe-and-file-shredder-apps-do-not-work.3864145/ – user5623335 Sep 08 '22 at 13:00
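
The capacity argument made in the answer and in amon's comment, as an added example that is not part of the original thread: a toy page-level flash translation layer in Python. It assumes out-of-place writes, garbage collection that reclaims the oldest stale page only when no erased page is left, and no TRIM or background garbage collection (both erase stale pages sooner), so the fractions are an upper bound; `surviving_plaintext` and the page counts are constructed for illustration.

```python
from collections import deque

def surviving_plaintext(physical_pages, used_pages):
    """Fraction of the original plaintext pages still present in stale
    (unmapped, not yet erased) flash after every used page was rewritten."""
    if not 0 < used_pages < physical_pages:
        raise ValueError("need 0 < used_pages < physical_pages")
    flash = [None] * physical_pages        # None = erased page
    free = deque(range(physical_pages))    # erased pages, ready to program
    stale = deque()                        # superseded pages, oldest first
    mapping = {}                           # logical page -> physical page

    def program(lpn, content):
        if not free:                       # no erased page left: reclaim one
            victim = stale.popleft()
            flash[victim] = None           # the old copy is physically gone now
            free.append(victim)
        ppn = free.popleft()
        flash[ppn] = content               # flash is never overwritten in place
        old = mapping.get(lpn)
        if old is not None:
            stale.append(old)              # old copy unmapped but still readable
        mapping[lpn] = ppn                 # at chip level, not through the host

    for lpn in range(used_pages):          # the user's files
        program(lpn, ("plain", lpn))
    for lpn in range(used_pages):          # every file rewritten as ciphertext
        program(lpn, ("cipher", lpn))

    leftover = sum(1 for ppn in stale if flash[ppn][0] == "plain")
    return leftover / used_pages

if __name__ == "__main__":
    # 1000 physical pages, including any over-provisioned spare area (constructed)
    for used in (400, 500, 700, 900):
        frac = surviving_plaintext(1000, used)
        print(f"{used / 10:.0f}% full: {frac:.0%} of plaintext pages left in stale flash")
```

Below half full every old page can survive, which is the case amon describes; at 90% full only about one page in nine does, and which pages those are is decided by the controller, not by the user.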