Fixed indentation in README. Added output of head commands.

eugenekolo · Nov 17, 2015 · 86bc841 · 86bc841
1 parent 0c8ee9e
commit 86bc841
Showing 1 changed file with 26 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -5,38 +5,40 @@ More Info: http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-p
 ## How to
 1. Hopefully you have NOT deleted any encrypted files  
 2. Run sort_files.sh / > sorted.list to obtain a list of the encrypted files sorted by encryption time
-	* Note: run sort_files.sh /path/to/vm/partition if the data was on a vm
+    * Note: run sort_files.sh /path/to/vm/partition if the data was on a vm
 3. Most importantly, obtain the first file in that list, be it X.encrypted (head -1 sorted.list)
 4. Find the seed using ./decrypter.py -f /path/to/X.encrypted
 5. If you have the seed you can safely decrypt the files. Run ./decrypter.py -s <seed> -l <sorted.list> -e <error.list>
 6. Check decryption was correct and clean the ".encrypted" files on your own.
-	* Note: Unfortunately, the ransomware does not preserve ownership (user/group), some things might get broken because of this.
+    * Note: Unfortunately, the ransomware does not preserve ownership (user/group), some things might get broken because of this.
 7. If you have files still encrypted they will appear in the file you provided as <error.list>. You will need to redo steps 3) -> 6) using the <error.list> until no more files.
 
 ## Example
     bash decrypter/sort_files.sh  > sorted_list
     head -1 sorted_list
+    $> ./d/home/user/.bash_logout.encrypted
     python decrypter/decrypter.py -f ./d/home/user/.bash_logout.encrypted
     $> [*] Seed: 1447255617
     python decrypter/decrypter.py -s 1447255617 -l sorted_list -e error_list
      
 Output:
 
-	...
-	[FAILED] ./d/usr/share/doc/mlocate/README.encrypted
-	[OK] ./d/usr/share/doc/mlocate/TODO.Debian.encrypted
-	[OK] ./d/usr/share/doc/readline-common/changelog.Debian.gz.encrypted
-	[FAILED] ./d/usr/share/doc/readline-common/copyright.encrypted
-	[FAILED] ./d/usr/share/doc/readline-common/inputrc.arrows.encrypted
-	[OK] ./d/usr/share/java/libintl.jar.encrypted
-	[*] recovered 7572 files
-	[*] failed to recover (probably bad seed) 9424 files
-	[*] 36 corrupted (probably truncated) files
+    ...
+    [FAILED] ./d/usr/share/doc/mlocate/README.encrypted
+    [OK] ./d/usr/share/doc/mlocate/TODO.Debian.encrypted
+    [OK] ./d/usr/share/doc/readline-common/changelog.Debian.gz.encrypted
+    [FAILED] ./d/usr/share/doc/readline-common/copyright.encrypted
+    [FAILED] ./d/usr/share/doc/readline-common/inputrc.arrows.encrypted
+    [OK] ./d/usr/share/java/libintl.jar.encrypted
+    [*] recovered 7572 files
+    [*] failed to recover (probably bad seed) 9424 files
+    [*] 36 corrupted (probably truncated) files
 
 ## Handling failed/corrupted files
 The example shows 9424 files that failed to recover. This is usually because the seed used for the failed files is different for some files due to time differences. You have to get the seed of the files that failed. This procedure might work to get those:
 
     head -1 error_list 
+    $> ./d/home/README_FOR_DECRYPT.txt.encrypted
     python decrypter/decrypter.py -f ./d/home/README_FOR_DECRYPT.txt.encrypted
     $> [*] Seed: 1447255625
     python decrypter/decrypter.py -s 1447255625 -l error_list -e error_list2
@@ -57,21 +59,22 @@ Output:
 Repeat the above steps to get the remaining 4424 failed files:
 
     head -1 error_list2
+    $> ./d/root/test/size_10028.encrypted
     python decrypter/decrypter.py -f ./d/root/test/size_10028.encrypted
     $> [*] Seed: 1447255634
     python decrypter/decrypter.py -s 1447255634 -l error_list2 -e error_list3
 
     ...
-	[OK] ./d/usr/share/doc/libsqlite3-0/changelog.html.gz.encrypted
-	[OK] ./d/usr/share/doc/linux-image-2.6.32-5-amd64/changelog.Debian.gz.encrypted
-	[OK] ./d/usr/share/doc/locales-all/copyright.encrypted
-	[OK] ./d/usr/share/doc/lsb-base/copyright.encrypted
-	[OK] ./d/usr/share/doc/mlocate/AUTHORS.encrypted
-	[OK] ./d/usr/share/doc/mlocate/changelog.gz.encrypted
-	[OK] ./d/usr/share/doc/mlocate/README.encrypted
-	[OK] ./d/usr/share/doc/readline-common/copyright.encrypted
-	[*] recovered 4424 files
-	[*] failed to recover (probably bad seed) 0 files
-	[*] 0 corrupted (probably truncated) files
+    [OK] ./d/usr/share/doc/libsqlite3-0/changelog.html.gz.encrypted
+    [OK] ./d/usr/share/doc/linux-image-2.6.32-5-amd64/changelog.Debian.gz.encrypted
+    [OK] ./d/usr/share/doc/locales-all/copyright.encrypted
+    [OK] ./d/usr/share/doc/lsb-base/copyright.encrypted
+    [OK] ./d/usr/share/doc/mlocate/AUTHORS.encrypted
+    [OK] ./d/usr/share/doc/mlocate/changelog.gz.encrypted
+    [OK] ./d/usr/share/doc/mlocate/README.encrypted
+    [OK] ./d/usr/share/doc/readline-common/copyright.encrypted
+    [*] recovered 4424 files
+    [*] failed to recover (probably bad seed) 0 files
+    [*] 0 corrupted (probably truncated) files
 
 DONE!