Duplicati won't restore data from cloud. Ransom attack It's URGENT

Building up quite a few posts here for you to look at and comment on. If somehow AES Crypt is giving you trouble, there’s also SharpAESCrypt.exe in the Duplicati folder, but it’s a command-line tool so more work.
Here is its help text, and there’s another post there citing a case where GUI restore failed, but CLI worked. Keeping on original path might be best. CLI syntax is somewhat complicated to get right in complete form. Examining things in more detail would probably best be done after the immediate emergency calms down.

I’m still trying but I don’t know how to do it from CMD. Is there any way I can do it with software UI so I don’t have to do it with the CMD? I’m not experience to do in CMD

It would be greatly appreciated, if you can help e to restore the data.

What exactly are you trying to do at the moment? Neither the OneDrive download nor AES Crypt is CMD. Could you please say something about what you’ve been able to do so far, and what the current issue is?

1 Like

I had downloaded an encrypted from OneDrive and trying to decrypt using CMD. Below is the command I’m using.

Duplicati.CommandLine.exe help Usage: SharpAESrypt d [o] [1-4] PASSWORD [<D:\duplicati-20190425T064417Z.dlist.zip.aes> D:]

Did AES Crypt not work? If you need to do it the harder way, here’s an example of decrypting a .zip.aes file into just a .zip file (which you should then be able to open with any zip program, but insides aren’t really for humans to be interpreting. Use a Duplicati installation or one of the standalone restore scripts for that part.

C:\Duplicati Backups\local test 7 encrypted>dir Duplicati-b*
 Volume in drive C is Windows
 Volume Serial Number is 5822-1128

 Directory of C:\Duplicati Backups\local test 7 encrypted

12/25/2018  02:17 PM             1,005 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes
11/27/2018  11:57 AM             1,277 duplicati-bbaa0dda752734c749b07a894c0fd5c43.dblock.zip.aes
11/23/2018  03:36 PM             1,437 duplicati-bea036779eba84c48921bd4a3d65f122e.dblock.zip.aes
               3 File(s)          3,719 bytes
               0 Dir(s)  35,302,105,088 bytes free

C:\Duplicati Backups\local test 7 encrypted>"C:\Program Files\Duplicati 2\SharpAesCrypt.exe" help
Usage: SharpAESCrypt e|d[o][1-4] <password> [<fromPath> [<toPath>]]

Use 'e' or 'd' to specify operation: encrypt or decrypt.
Append an 'o' to the operation for optimistic mode. This will skip some tests and leaves partial/invalid files on disk.
Append a single number (up to 4) to the operation to set the number of threads used for crypting. Default is single thread mode (1).

If you ommit the fromPath or toPath, stdin/stdout are used insted, e.g.:
  SharpAESCrypt e 1234 < file.jpg > file.jpg.aes

Abnormal exit will return an errorlevel above 0 (zero):
  4 - Password invalid
  3 - HMAC Mismatch / altered data (also invalid password for version 0 files)
  2 - Missing input stream / input file not found
  1 - Any other cryptographic or IO exception

C:\Duplicati Backups\local test 7 encrypted>"C:\Program Files\Duplicati 2\SharpAesCrypt.exe" d password duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip

C:\Duplicati Backups\local test 7 encrypted>dir Duplicati-b*
 Volume in drive C is Windows
 Volume Serial Number is 5822-1128

 Directory of C:\Duplicati Backups\local test 7 encrypted

04/29/2019  04:32 PM               689 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip
12/25/2018  02:17 PM             1,005 duplicati-b4574aeb7200248b8a4ed0473b6836192.dblock.zip.aes
11/27/2018  11:57 AM             1,277 duplicati-bbaa0dda752734c749b07a894c0fd5c43.dblock.zip.aes
11/23/2018  03:36 PM             1,437 duplicati-bea036779eba84c48921bd4a3d65f122e.dblock.zip.aes
               4 File(s)          4,408 bytes
               0 Dir(s)  35,300,982,784 bytes free

C:\Duplicati Backups\local test 7 encrypted>

That’s enough to give some confidence that a typical dblock file decrypts OK. Using AES Crypt would be easier than doing this for each file, but at least one little test adds confidence that all the files will decrypt.

If you’re on Linux or Mac (are you?), you might need to run mono. Do you have only one file downloaded?

EDIT: I’m trying to learn whether or not it’s even possible to download everything before your deadline. To sample can give confidence (and more sampling can be done), but you may be download-speed-limited. Using a faster connection and downloader may help, but it might be a race against time (or a gamble that everything will wind up OK after whatever preliminary testing can be done before some deadline passes).

EDIT 2: Do you have an idea of how much OneDrive space your backup takes, and your Internet speed? Multiplying size in bytes times 8 to get bits, then dividing by your connection bits-per-second (probably in millions, so factor that in) will give you seconds theoretical-best-case-possible using parallel downloader.

Hello, I’m trying I guess I don’t know how to properly do with CMD. Is there any video so I can watch first and try to do it to prevent error from my side

I don’t think you have a lot of time for videos, there is none that I know of for SharpAESCrypt, and aren’t you under a deadline? Can’t you just post what you tried and what you got? And why not use a GUI tool instead?

AES Crypt Downloads

1 Like

If you’re on Windows and don’t want to do a full screenshot, you can left-mouse-button drag over text, then press Enter to put it on the clipboard. If you’re on some other OS (are you?) then somebody else may help. Windows can also do screenshots of selected areas in many ways, including Snipping Tool in recent ones. These can be pasted into the forum directly.

What kind of situation are you in.
What size of business?
What is your dead line?
Would you be able to arrange a remote support session or provide someone access to the data for the purpose of restoring?
What is the size of the backup repository?

I tried with Duplicati from One drive but I keep saying wrong passphrase or corrupted data. I have uploaded an image for error code. I’m trying to on a Windows Computer.
error|690x163

We’re now trying to determine if that’s a Duplicati problem or if your files are truly corrupted or encrypted by ransomware (what are the file dates – normally you would have a range?). Bypassing Duplicati to do direct decryption answers the question.

I have only cloud backup left which I can’t restore because of error messages.
I have more than 200gb data. I need to recover as soon as possible.
Yes if you help me I can give you my TeamViewer ID.
Can you please email me? it’s nikunjkatharotiya1612@gmail.com

I had first backup files from Feb and last was April 27.
Even I can restore from Feb it’s fine to

Is this data corporate or personal?
If it is corporate, are you authorized to allow access to it?

You’re talking about actual current OneDrive file dates I hope. If so, good news, but we still need to figure out the decryption problem by either your showing the error, or trying AES Crypt to see if that can decrypt files…

1 Like

It’s small business data. Yes, I’m authorized to access data. Can we talk on email and I can provide my team viewer id?

I’m leaving a client site now, I’ll email you after I get home

Yes, It’s one drive backup dates. How can we check data is not corrupted? I had to make new account because I don’t able to reply from that account for next 18 hours.

Exactly like I’ve been saying. Decrypt with something. That’s the main question at the moment. If it decrypts, testing with a ZIP program is a bonus, however the encrypted form has enough self-checking that corruption should be revealed at that level. If you can get a full set of unencrypted ZIP files, there’s a good chance of the recovery getting something (hope all) back even if it needs help (hopefully it won’t). Decryption is essential…

EDIT:
AES Crypt User Guide page 7 shows a decrypt. Short answer is right click, choose AES Decrypt, type password. Here’s what it looks like on the example file that I used for the SharpAESCrypt output earlier: