Duplicati won't restore data from cloud. Ransom attack It's URGENT

#1

Hello,

I’m trying to restore the data from Microsoft OneDrive for Business. It keeps saying wrong passphrase or corrupted data.

My computer was hit by ransom and I won’t be able to restore from anything. Is there any way I can restore the data? I have all the data in OneDrive with AES 256 encryption.

Anything helps, guys. I’m willing to pay if anyone helps me recover my data.

Thank you

#2

Was the OneDrive data available in local / synced folders? In that case I’d think the Duplicati data may have been affected by the ransomware attack. If it was purely remote and out of reach of the ransomware, then I assume you’ll be able to access it after figuring out the correct configuration. How sure are you that you’re using the correct backup password, for example?

#3

I was accessing OneDrive with Duplicati only. I’m 100% sure of the password. I have another computer with the same password and the same OneDrive, just a different path, and it’s working fine.

If I download the data from OneDrive to an external drive, will I be able to restore like that? Is there any way I can decrypt the data without using Duplicati?

#4

What are you currently attempting to do to access your data set to restore? What exactly happens, other than the error text you already mentioned?

Downloading the data to a local machine/drive should still allow you to have Duplicati unpack it. However, the dblock files can be unencrypted and unzipped if necessary, but in general you’ll require Duplicati to put the pieces back together. I think I’ve heard about the existence of a specialized restore tool but I’m not sure where it is or how it works; hopefully someone else can clarify.

#5

I’m directly accessing the data from a browser in OneDrive for Business. I start downloading the data directly from OneDrive. As long as it, I can get the data decrypt. Once I get the decrypted data, I will try to run it with Duplicati because it was an incremental backup.

How to get the decrypted data without using Duplicati?

#6

Why aren’t you trying to do a restore from within the Duplicati UI? That’s what I’d start with. Go to the “Restore” tab and select “Direct restore from backup files”.

The data as accessed directly via a browser will be nearly useless to you. You’d need to download the entire Duplicati directory exactly as-is to a local disk and then use Duplicati to unpack it (or the recovery tool I mentioned before, though as I said someone else will need to give you more info on that… or search the forum if you’re in more of a hurry).

#7

If those together mean you’re downloading, that can get you as far as decrypting without Duplicati to make sure you can decrypt. Download AES Crypt and sample several files to make sure they seem decryptable. The reason this is useful to know is that there have been occasional reports where somehow files are not.

After a complete download, you could perform a complete decrypt (just use Control-A to multiselect, then decrypt with AES Crypt). You’ll then have converted the backup to something that’s nearby, not encrypted, and ready for Duplicati to restore as a local file backup. You can do that with direct restore, and it will take some time to build a partial temporary database. It may be a while if your backup was large, and that may be an issue if you’re under a ransomware deadline – thus the reason I have you try download/decrypt sooner.

Disaster Recovery gives general suggestions, and the download+decrypt is basically like what you’d get if using Duplicati.CommandLine.RecoveryTool.exe step 1 below to download and decrypt the OneDrive files.

C:\Program Files\Duplicati 2>Duplicati.CommandLine.RecoveryTool.exe help
Duplicati Recovery Tool
=======================

This tool performs a recovery of as much data as possible in small steps that must be performed in order.
We recommend that you use Duplicati.CommandLine.exe to do the restore, and rely only on this tool if all else fails.


The steps to perform are:
-------------------------

1: Download
  Download files from the remote store and keep them unencrypted on a location available in the local filesystem.

2: Index
  Builds an index file to figure out what data is contained inside the files downloaded

3: Restore
  Restores the files to a destination you choose

Steps 2 and 3 can be done either above or using direct restore, and I’m not sure which is the faster way…

EDIT: You “should” just be able to do the whole affair with the direct restore after installing Duplicati, but IF you’re already partway through a download, and if time pressure exists, the do-it-yourself way might give you some earlier confidence that you’ll be able to get your data back. If you have any saved configuration exports, that would help you get your backup going again, but I assume the priority now is to see if you’re likely to be able to get your latest pre-ransomware files back (thereby avoiding having to pay the ransom).

I don’t know if you’re feeling network-connection or transfer-rate-limited, but if so you might be able to find someone with a faster connection, and some downloaders can do parallel transfers to keep the net busy. Duplicati doesn’t do parallel OneDrive transfers, but Cyberduck appears to be able to do so. Connections

EDIT 2: There are a couple of even more obscure recovery tools that don’t need any Duplicati code at all, meaning they rely on you to do the download and decrypt. That’s key, so I hope your decryption looks OK.

Independent restore program and WIP Rust/Native Code disaster recovery tool

#8

What operating system are you restoring with, and how big is your backup?

edit: whoops, replied to the wrong post

#9

If you find yourself not making any progress after a few hours, feel free to contact me, either through a reply to this post or a direct message. Once I get off work I would be more than happy to help out.

#10

Building up quite a few posts here for you to look at and comment on. If somehow AES Crypt is giving you trouble, there’s also SharpAESCrypt.exe in the Duplicati folder, but it’s a command-line tool so more work.
Here is its help text, and there’s another post there citing a case where GUI restore failed, but CLI worked. Keeping on original path might be best. CLI syntax is somewhat complicated to get right in complete form. Examining things in more detail would probably best be done after the immediate emergency calms down.

#11

I’m still trying but I don’t know how to do it from CMD. Is there any way I can do it with a software UI so I don’t have to do it with CMD? I’m not experienced with CMD.

#12

It would be greatly appreciated if you can help me to restore the data.

#13

What exactly are you trying to do at the moment? Neither the OneDrive download nor AES Crypt is CMD. Could you please say something about what you’ve been able to do so far, and what the current issue is?

#14

I downloaded an encrypted file from OneDrive and am trying to decrypt it using CMD. Below is the command I’m using.

Duplicati.CommandLine.exe help Usage: SharpAESrypt d [o] [1-4] PASSWORD [<D:\duplicati-20190425T064417Z.dlist.zip.aes> D:]

#15

Did AES Crypt not work? If you need to do it the harder way, here’s an example of decrypting a .zip.aes file into just a .zip file (which you should then be able to open with any zip program, but insides aren’t really for humans to be interpreting). Use a Duplicati installation or one of the standalone restore scripts for that part.

C:\Duplicati Backups\local test 7 encrypted>dir Duplicati-b*
 Volume in drive C is Windows
 Volume Serial Number is 5822-1128

 Directory of C:\Duplicati Backups\local test 7 encrypted

12/25/2018  02:17 PM             1,005 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes
11/27/2018  11:57 AM             1,277 duplicati-bbaa0dda752734c749b07a894c0fd5c43.dblock.zip.aes
11/23/2018  03:36 PM             1,437 duplicati-bea036779eba84c48921bd4a3d65f122e.dblock.zip.aes
               3 File(s)          3,719 bytes
               0 Dir(s)  35,302,105,088 bytes free

C:\Duplicati Backups\local test 7 encrypted>"C:\Program Files\Duplicati 2\SharpAesCrypt.exe" help
Usage: SharpAESCrypt e|d[o][1-4] <password> [<fromPath> [<toPath>]]

Use 'e' or 'd' to specify operation: encrypt or decrypt.
Append an 'o' to the operation for optimistic mode. This will skip some tests and leaves partial/invalid files on disk.
Append a single number (up to 4) to the operation to set the number of threads used for crypting. Default is single thread mode (1).

If you ommit the fromPath or toPath, stdin/stdout are used insted, e.g.:
  SharpAESCrypt e 1234 < file.jpg > file.jpg.aes

Abnormal exit will return an errorlevel above 0 (zero):
  4 - Password invalid
  3 - HMAC Mismatch / altered data (also invalid password for version 0 files)
  2 - Missing input stream / input file not found
  1 - Any other cryptographic or IO exception

C:\Duplicati Backups\local test 7 encrypted>"C:\Program Files\Duplicati 2\SharpAesCrypt.exe" d password duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip

C:\Duplicati Backups\local test 7 encrypted>dir Duplicati-b*
 Volume in drive C is Windows
 Volume Serial Number is 5822-1128

 Directory of C:\Duplicati Backups\local test 7 encrypted

04/29/2019  04:32 PM               689 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip
12/25/2018  02:17 PM             1,005 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes
11/27/2018  11:57 AM             1,277 duplicati-bbaa0dda752734c749b07a894c0fd5c43.dblock.zip.aes
11/23/2018  03:36 PM             1,437 duplicati-bea036779eba84c48921bd4a3d65f122e.dblock.zip.aes
               4 File(s)          4,408 bytes
               0 Dir(s)  35,300,982,784 bytes free

C:\Duplicati Backups\local test 7 encrypted>

That’s enough to give some confidence that a typical dblock file decrypts OK. Using AES Crypt would be easier than doing this for each file, but at least one little test adds confidence that all the files will decrypt.

If you’re on Linux or Mac (are you?), you might need to run mono. Do you have only one file downloaded?

EDIT: I’m trying to learn whether or not it’s even possible to download everything before your deadline. To sample can give confidence (and more sampling can be done), but you may be download-speed-limited. Using a faster connection and downloader may help, but it might be a race against time (or a gamble that everything will wind up OK after whatever preliminary testing can be done before some deadline passes).

EDIT 2: Do you have an idea of how much OneDrive space your backup takes, and your Internet speed? Multiplying size in bytes times 8 to get bits, then dividing by your connection bits-per-second (probably in millions, so factor that in) will give you seconds theoretical-best-case-possible using parallel downloader.
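The sampling idea in the post above can be done without decrypting whole files. This is an added example, not part of the thread or of Duplicati's code: it assumes the `.zip.aes` files follow the published AES Crypt stream format (versions 1 and 2), and the function names and result labels are made up for illustration. It separates "this is no longer an AES Crypt file" from "wrong password or altered header", which the single restore error message does not.

```python
import hashlib
import hmac
import struct

def derive_key(iv: bytes, password: str) -> bytes:
    """AES Crypt key stretching: 8192 rounds of SHA-256 over digest || password."""
    pw = password.encode("utf-16-le")      # the format hashes the UTF-16LE password
    digest = iv + b"\x00" * 16             # 16-byte IV zero-padded to 32 bytes
    for _ in range(8192):
        digest = hashlib.sha256(digest + pw).digest()
    return digest

def check_header(data: bytes, password: str) -> str:
    """Classify the start of a .aes file without decrypting its payload."""
    if data[:3] != b"AES":
        return "not-aescrypt"              # replaced or overwritten file, not a password issue
    if len(data) < 5:
        return "truncated"
    version = data[3]
    if version not in (1, 2):
        return "unsupported-version"       # version 0 has no separate password check
    pos = 5                                # magic(3) + version(1) + reserved(1)
    while version == 2:                    # extension blocks: 2-byte big-endian length + data
        if pos + 2 > len(data):
            return "truncated"
        (ext_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2 + ext_len
        if ext_len == 0:                   # a zero length ends the extension list
            break
    if pos + 96 > len(data):
        return "truncated"
    iv, enc_keys, stored = data[pos:pos + 16], data[pos + 16:pos + 64], data[pos + 64:pos + 96]
    mac = hmac.new(derive_key(iv, password), enc_keys, hashlib.sha256).digest()
    return "password-ok" if hmac.compare_digest(mac, stored) else "wrong-password-or-altered"

def check_file(path: str, password: str) -> str:
    """Read only the first 4 KiB, enough for the header and typical extensions."""
    with open(path, "rb") as fh:
        return check_header(fh.read(4096), password)

def constructed_header(password: str) -> bytes:
    """Constructed sample header (not real backup data) for a self-test."""
    ext = b"CREATED_BY\x00example"
    iv, enc_keys = bytes(range(16)), bytes(range(48))
    mac = hmac.new(derive_key(iv, password), enc_keys, hashlib.sha256).digest()
    return b"AES\x02\x00" + struct.pack(">H", len(ext)) + ext + b"\x00\x00" + iv + enc_keys + mac

if __name__ == "__main__":
    sample = constructed_header("correct horse")
    print(check_header(sample, "correct horse"), check_header(sample, "wrong"))
```

A `password-ok` result only shows that the header's key block matches the password; the payload is still verified by the trailing HMAC during a full decrypt with AES Crypt or SharpAESCrypt.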

#16

Hello, I’m trying, but I guess I don’t know how to do it properly with CMD. Is there any video I can watch first and then try to do it, to prevent errors on my side?

#17

I don’t think you have a lot of time for videos, there is none that I know of for SharpAESCrypt, and aren’t you under a deadline? Can’t you just post what you tried and what you got? And why not use a GUI tool instead?

AES Crypt Downloads

#18

If you’re on Windows and don’t want to do a full screenshot, you can left-mouse-button drag over text, then press Enter to put it on the clipboard. If you’re on some other OS (are you?) then somebody else may help. Windows can also do screenshots of selected areas in many ways, including Snipping Tool in recent ones. These can be pasted into the forum directly.

#19

What kind of situation are you in?
What size of business?
What is your deadline?
Would you be able to arrange a remote support session or provide someone access to the data for the purpose of restoring?
What is the size of the backup repository?

#20

I tried with Duplicati from OneDrive but it keeps saying wrong passphrase or corrupted data. I have uploaded an image of the error code. I’m trying on a Windows computer.