Recently our NAS storage was affected by deadbolt ransomware. Some drives images made with clonezilla software were also affected. The virus encrypts only certain file types, such as .dat .txt etc. I noticed next files from each clonzilla image were encrypted:
Actually only "efi-nvram.dat" is used by Clonezilla. The rest of *.txt files are read by human, not program.
The file efi-nvram.dat is about the data in the EFI boot in the BIOS. It can be easily recreated in the BIOS. Check your BIOS manual for the details.
So the answer is, yes. Just restore the image. If the restored OS fails to boot, enter BIOS to add the efi boot file for your OS.
Steven
👍
1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello everyone,
Recently our NAS storage was affected by deadbolt ransomware. Some drives images made with clonezilla software were also affected. The virus encrypts only certain file types, such as .dat .txt etc. I noticed next files from each clonzilla image were encrypted:
efi-nvram.dat
info-dmi.txt
Info-img-id.txt
Info-lshw.txt
Info-lspci.txt
Info-OS-prober.txt
Info-packages.txt
Info-saved-by-cmd.txt
Info-smart.txt
Could you tell me, is it possible to restore an image without these files?
Best regards Andrey R.
Actually only "efi-nvram.dat" is used by Clonezilla. The rest of *.txt files are read by human, not program.
The file efi-nvram.dat is about the data in the EFI boot in the BIOS. It can be easily recreated in the BIOS. Check your BIOS manual for the details.
So the answer is, yes. Just restore the image. If the restored OS fails to boot, enter BIOS to add the efi boot file for your OS.
Steven