I've been dealing with a ransomware attack on a few servers, and it looks like it was carried out by the Medusa Group. All the hard drives are encrypted, but one server's D: partition seems to be corrupted and isn't recognized by Windows. Instead, it prompts to format the drive. However, when I boot into a Linux OS, it shows that there's no partition type. I'm wondering if there's any chance this drive is recoverable and what tools or methods I can use to try to rescue it! Any advice?
1 Answer
If you want to recover the partition, don’t attempt to mount it as infected. Instead, create a safe environment to work in, like an isolated sandbox. Use regular data recovery tools, but remember, the focus is to analyze, not to mount or power up the drive, to avoid further complications.
Not going to mount. Will use dd to analyze a copy. All offline.
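To make the answer's advice concrete, here is an added example of the offline workflow it describes: take a bit-for-bit copy with dd, verify the copy by hash, and then read the MBR signature and partition-type bytes straight out of the image file without ever mounting it. This is example code written for this page, not something the asker or answerer posted. The "drive" is a constructed 1 MiB file with an MBR signature and one NTFS-type entry planted in it so the script runs offline; on a real case the source would be the physical device, attached through a hardware write blocker, and the function names (`image_drive`, `verify_image`, `mbr_signature`, `partition_types`) are this example's own.

```shell
#!/bin/sh
# Offline handling of a suspect disk. The source "drive" below is a constructed
# file, not a real device; on a real case SRC would be /dev/sdX behind a write blocker.
set -eu

WORK=$(mktemp -d)

# Build a constructed 1 MiB image: MBR boot signature 0x55AA at bytes 510-511,
# and partition entry 0 (starts at byte 446) given type 0x07 (NTFS) at byte 450.
make_fake_drive() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '\007'     | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
}

# Bit-for-bit copy. conv=noerror,sync keeps reading past unreadable sectors and
# pads them with zeros, so one bad block does not abort the whole image.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file (sha256sum on Linux, shasum fallback elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# Returns 0 when source and image hash identically, i.e. the copy is verified.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Read the 2-byte MBR signature from the image; prints "55aa" when present.
# Nothing is mounted: dd with skip/count reads raw bytes only.
mbr_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the type byte of each of the four MBR partition entries, e.g. "07 00 00 00".
# An all-zero table is what "no partition type" in Linux typically looks like at this level.
partition_types() {
    i=0; out=""
    while [ "$i" -lt 4 ]; do
        off=$((450 + 16 * i))
        t=$(dd if="$1" bs=1 skip="$off" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        out="${out}${out:+ }$t"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Demo run on the constructed image.
make_fake_drive "$WORK/suspect.dd"
image_drive "$WORK/suspect.dd" "$WORK/copy.dd"
verify_image "$WORK/suspect.dd" "$WORK/copy.dd" && echo "image verified: $(hash_file "$WORK/copy.dd")"
echo "MBR signature: $(mbr_signature "$WORK/copy.dd")"
echo "partition types: $(partition_types "$WORK/copy.dd")"
```

All further analysis (carving, signature searches, trying recovery tools) then runs against `copy.dd`, never against the original; if a tool needs a block device, a read-only loop device over the image keeps the same guarantee.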