

turb
#197900 17-Jun-2016 09:07

A mate's win7 PC has become infected with ransomware.

All his word docs, photos etc have been given new extensions and encrypted, but his .pst file hasn't been renamed, so I'm hoping it may be okay.

He works at sea, so needs offline access to old emails.

The infected PC is a cruddy old laptop with a damaged screen that was headed for the bin anyway, so I don't need to try fixing it.

My question is this:

How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?




Interests: HTPC, Web App authoring. 


billgates
#1575498 17-Jun-2016 09:09

Create a new PST from within Outlook on the infected machine and then import that PST into another copy of Outlook on a replacement machine.





Do whatever you want to do man.

  



turb
#1575502 17-Jun-2016 09:15

But how to do it safely? I don't want to stick an infected USB stick into the new PC.






wellygary
#1575512 17-Jun-2016 09:43

turb: But how to do it safely? I don't want to stick an infected USB stick into the new PC.

Boot the new machine with a live version of Ubuntu (or another Linux flavour).

Open the PST file in something like Evolution, then re-export the data to a new PST file on a newly formatted stick, and insert that stick into the new Windows machine...




frankv
#1575516 17-Jun-2016 09:45

An infection can only spread if it can cause you to run some kind of program on the new machine. If auto-run isn't enabled for the USB, then it is safe to plug it in. Most anti-virus software will scan a USB on insertion, before allowing anything on it to run.

 

Worst case, take the USB to some other kind of machine (e.g. Linux, Mac, Android, Arduino) which won't run a Win executable. Delete anything that isn't a .PST. Then it'll be clean.

 

 

 

 


turb
#1575541 17-Jun-2016 10:27

Great ideas, thank you for the help!






1101
#1576966 20-Jun-2016 10:58

frankv: An infection can only spread if it can cause you to run some kind of program on the new machine. If auto-run isn't enabled for the USB, then it is safe to plug it in. Most anti-virus software will scan a USB on insertion, before allowing anything on it to run.

That :-)
If you know what you're doing, there is no issue. But don't rely on AV to keep you safe from a possibly infected USB (for several reasons). As long as it doesn't autorun, you'll be OK.
The other option is to burn the PST to a DVD. Again, make sure it doesn't autorun.

Just to be safe, scan the USB/DVD in a PC that doesn't have any critical data on it.
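Added example, not code from anyone in the thread: frankv's and 1101's point is that the stick can only hurt the clean machine if something on it gets run, so the safe move is to take off the PST and nothing else. This script, meant for the Linux/Mac side of that procedure, goes one step further than "delete anything that isn't a .PST": it checks the MS-PST file header rather than trusting the extension, copies only verified PSTs to a quarantine folder, and leaves everything else where it is. The sample stick it builds is constructed for the demonstration.

```python
"""Salvage only genuine PST files from a suspect USB stick.

The MS-PST header starts with dwMagic "!BDN"; wMagicClient at offset 8 is "SM";
wVer at offset 10 is 14 or 15 for ANSI PSTs and 23 for Unicode PSTs.
Only those 12 bytes are read, so nothing on the stick is parsed or executed.
"""
import shutil
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"                                      # dwMagic, bytes 0-3
PST_CLIENT_MAGIC = b"SM"                                 # wMagicClient, bytes 8-9
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}   # wVer, bytes 10-11


def classify_pst(path: Path) -> str:
    """Return 'ANSI', 'Unicode' or 'not-pst' based on the file header alone."""
    with path.open("rb") as fh:
        header = fh.read(12)
    if len(header) < 12 or header[:4] != PST_MAGIC or header[8:10] != PST_CLIENT_MAGIC:
        return "not-pst"
    return PST_VERSIONS.get(int.from_bytes(header[10:12], "little"), "not-pst")


def salvage_pst(stick: Path, dest: Path) -> dict:
    """Copy verified PSTs from `stick` into `dest`; list everything else without copying it."""
    dest.mkdir(parents=True, exist_ok=True)
    report = {"copied": {}, "skipped": []}
    for item in sorted(stick.rglob("*")):
        if not item.is_file():
            continue
        kind = classify_pst(item)
        if kind == "not-pst":
            report["skipped"].append(item.name)   # whatever it is called, it is not a PST
            continue
        shutil.copyfile(item, dest / item.name)   # data only: no attributes or companion files
        report["copied"][item.name] = kind
    return report


def make_sample_stick(root: Path) -> Path:
    """Constructed stand-in for the infected stick (not real files from the thread)."""
    def pst_header(ver: int) -> bytes:
        return PST_MAGIC + b"\0" * 4 + PST_CLIENT_MAGIC + ver.to_bytes(2, "little") + b"\0" * 500
    stick = root / "stick"
    stick.mkdir()
    (stick / "outlook.pst").write_bytes(pst_header(23))            # genuine Unicode PST header
    (stick / "archive.pst").write_bytes(pst_header(14))            # genuine ANSI PST header
    (stick / "mail.pst").write_bytes(b"MZ" + b"\0" * 510)          # executable renamed to .pst
    (stick / "autorun.inf").write_bytes(b"[autorun]\n")            # must never reach the clean PC
    (stick / "photo.jpg.locked").write_bytes(b"\xff\xd8" + b"\0" * 64)  # an encrypted victim file
    return stick


def run_demo() -> dict:
    """Build the constructed stick in a temp dir, salvage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        report = salvage_pst(make_sample_stick(Path(tmp)), Path(tmp) / "clean")
        report["on_clean_side"] = sorted(p.name for p in (Path(tmp) / "clean").iterdir())
    return report


if __name__ == "__main__":
    print(run_demo())
```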


bigtone58
#1578783 23-Jun-2016 07:46

<quote>
A mate's win7 PC has become infected with ransomware.

All his word docs, photos etc have been given new extensions and encrypted, but his .pst file hasn't been renamed, so I'm hoping it may be okay.

He works at sea, so needs offline access to old emails.

The infected PC is a cruddy old laptop with a damaged screen that was headed for the bin anyway, so I don't need to try fixing it.

My question is this:

How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?
</quote>

You need to be careful here, but if the affected machine is still operational (i.e. you can browse the internet, send/receive emails, create documents/spreadsheets, etc), then the ransomware has done its thing and bolted through the stable door. There is therefore no active component of the infection on the machine at the moment, but there is possibly a dormant form that could be retriggered if you happened to stumble on it in your recovery of the PST file.

 

I am assuming that MS Word and MS Outlook are installed on the affected machine as you mention docs and PST files respectively. I would also assume that there is a high likelihood of MS Excel being installed as it is the usual companion of MS Word. Your description leads me to believe that these applications may be the ones that are predominantly used and are therefore highly likely to have been used as the path to introduce the ransomware. Without knowing which particular ransomware variant you have been stung with, I can only quote the fact that says "roughly 60-70% of ransomware is introduced via socially engineered emails that subsequently run scripts/macros that do the nasty work". The implication of this in your case is that the ransomware probably came in as a document or spreadsheet attachment to an email that looked legitimate to your mate (probably seeming to have come from someone who had been recently emailed - that's the social engineering part). When it was opened it then ran a macro from within that attachment that downloaded the ransomware engine which then proceeded to encrypt the files it wanted to target, maybe turn off some file backup options, maybe delete any system restore points, maybe overwrite free space multiple times, leave a message in the directories within which it encrypted files, and delete itself from the machine (leaving no retrievable copy of either a public or private key). It may have had to ask to have the macro execution enabled but being a "cruddy old laptop with a damaged screen" it may have had the ability to run macros still turned on as that was an old default. (The "maybe" parts in the preceding statement are dependent upon the ransomware variant you got stung with).

 

I would guide you to proceed as follows:-

1. Copy the PST file to a USB stick and take it to another "clean" machine.
2. Run as many Anti-Virus and Anti-Malware tools over it as you can find. I would recommend Malwarebytes and Hitman Pro as first attempts (as well as your "updated" Anti-Virus suite). There are many others available as well.
3. Review the logs from these tools to see if they found the ransomware in a particular email in the PST file.
4. If it explicitly states that the email has been erased, then you are probably safe, but just to go "belts and braces" I would proceed as follows:-
5. If an email is not identified you will have to then do some detective work to find out when the files got encrypted. It should be apparent by looking up the dates on the files left behind by the ransomware.
6. Now you need to attach and open the PST file and find emails in the PST from just before the dates on the ransom demand files. You can do this with Outlook or an Outlook email viewer tool (available from Microsoft).
   WARNING: Don't try to open the email yet or you may retrigger the ransomware.
   RECOMMENDATION: Turning off "allowed macro execution" in Excel and Word may help to prevent a retrigger. (I haven't researched how to do that but it should be relatively straightforward).
7. You need to look for an email with an attachment that is likely to be a Word document or an Excel spreadsheet and might have some unusual phraseology in the Subject header (the ransomware carrier).
8. This is the email that MUST be deleted without opening it, and you will probably have to do this with Outlook (so be careful).

 

If you have managed to get to this point then the PST should be clean and you have probably removed all traces of the ransomware (apart from the already encrypted files). Please also take into account other advice offered in this thread as they all have valid points to make.

 

If you wish, you can PM me, but as I am fairly new to being active on this site, it may take me a little to figure out how that works.

 

Regards Tony
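Added example, not code from bigtone58 or anyone else in the thread: the detective-work steps above (earliest ransom-note date fixes when encryption started; look at mail received just before that with a Word or Excel attachment) can be run over mailbox metadata, which an Outlook viewer shows without opening any message. The risk ranking of attachment types and the mailbox and ransom-note timestamps below are constructed for the demonstration.

```python
"""Narrow the search for the carrier email from mail metadata only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PurePath

# Assumed ordering of how likely an attachment type is to carry a macro dropper
ATTACHMENT_RISK = {".docm": 3, ".xlsm": 3, ".doc": 2, ".xls": 2, ".zip": 2, ".docx": 1, ".xlsx": 1}


@dataclass
class MailItem:
    received: datetime
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def infection_window(ransom_note_mtimes, lookback_hours=72):
    """Encryption began no later than the earliest ransom note; look back from there."""
    first_note = min(ransom_note_mtimes)
    return first_note - timedelta(hours=lookback_hours), first_note


def attachment_risk(name: str) -> int:
    """Risk score for one attachment name, judged by extension only (never opened)."""
    return ATTACHMENT_RISK.get(PurePath(name).suffix.lower(), 0)


def triage(items, ransom_note_mtimes, lookback_hours=72):
    """Return (risk, received, sender, subject) for mail inside the window, riskiest first."""
    start, end = infection_window(ransom_note_mtimes, lookback_hours)
    hits = []
    for m in items:
        if not start <= m.received <= end:
            continue
        risk = max((attachment_risk(a) for a in m.attachments), default=0)
        if risk:
            hits.append((risk, m.received, m.sender, m.subject))
    # riskiest first; among equals, the one closest to the ransom note first
    return sorted(hits, key=lambda h: (-h[0], end - h[1]))


# Constructed ransom-note timestamps and mailbox (not real data from the thread)
NOTES = [datetime(2016, 6, 14, 22, 5), datetime(2016, 6, 14, 22, 7)]
MAILBOX = [
    MailItem(datetime(2016, 6, 10, 9, 0), "hr@example.invalid", "Roster", ["roster.xlsx"]),
    MailItem(datetime(2016, 6, 14, 8, 30), "accounts@example.invalid", "Invoice 4471 overdue", ["Invoice_4471.doc"]),
    MailItem(datetime(2016, 6, 14, 14, 10), "mate@example.invalid", "Re: photos", ["IMG_2031.jpg"]),
    MailItem(datetime(2016, 6, 14, 21, 50), "shipping@example.invalid", "Delivery notice", ["notice.zip"]),
    MailItem(datetime(2016, 6, 15, 7, 0), "skipper@example.invalid", "Next rotation", []),
]

if __name__ == "__main__":
    for hit in triage(MAILBOX, NOTES):
        print(hit)
```

Mail outside the window (the roster from four days earlier, the message that arrived after the notes) and mail without a risky attachment drop out, leaving a short list to delete unopened.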


 
 
 

turb
#1578870 23-Jun-2016 10:24

bigtone58:


Thanks ever so much for the detailed answer mate - you're a star.

I'll have a look and let you know how I go.




turb
#1594260 18-Jul-2016 07:49

Thanks for the input everyone!

I followed the instructions above to check the .pst file was clean, and that nothing else had snuck onto the USB drive.

I scanned the laptop with MBAM free, and Hitman Pro.

Win Defender, Win Restore and Win Update had been disabled by the malware. Win System File Repair tool wasn't able to fix them. Any win 7 recovery, backup or installation discs are lost.

Now that I knew the .pst file was safe, I could start fiddling.

I created a new Gmail address with IMAP enabled, added it to Outlook on the old machine and copied the inbox and sent folders across from the Xtra account. This took some hours (>4000 emails). When the content was loaded into Gmail and I could view it all from Gmail on another PC it was time for a big sigh of relief.

Then on the off-chance I tried the RannohDecryptor tool from the Kaspersky website. It took a little tinkering, but OMG it worked! >24000 document and photo files (33 GB) safely decrypted.

Time for another scan of the decrypted files with the two tools above. Nothing found. Copy everything onto a external HDD.

Now I'm on a dopamine high, so I set about rebuilding the laptop:

Win 10 clean install, Win Defender, Malwarebytes Anti-Malware Premium, Malwarebytes Anti-Exploit free, uBlock Origin, Dropbox Pro, no Flash, no Java. Windows Media Player disabled. My Documents save etc now all redirected to the Dropbox folder.

 


For offline email access I used Thunderbird. Nothing wrong with Win Mail except it's not really clear how it works, and there aren't enough settings to mess with. Gmail Offline (which I didn't even know existed) to enable fast offline searching of the old emails.

Interestingly, the first pass of win10 defender detected another infected file, that MBAM and Hitman both missed. It was an mp3* file infected with TrojanDownloader:ASX/Wimad.at which was described by Defender as a SEVERE RISK. That made me wonder if MBAM was a waste of money, but then I remembered how the malware had disabled Defender as part of its attack. So MBAM stays.

*I'm sure this file wasn't the source of the infection as I think it needs to be played in WMP to be activated, and (like everyone) he's getting his music online nowadays.




