JPEG Medic // Accurate Manual JPEG Recovery

Repairing a JPEG file encrypted by ransomware

Ransomware is malware that encrypts your files and then demands payment to decrypt them. With JpegMedic, you can partially recover encrypted JPEG files.

How a file is encrypted depends on the ransomware. Some families encrypt only the beginning of the file, others encrypt the beginning, the end and the middle, and some encrypt the entire file. However, the majority of ransomware encrypts files only partially to speed up the infection of the system, which makes it possible to recover the non-encrypted part. The recovery strategy depends heavily on which type of ransomware encrypted your files, but regardless of the strategy you will need just one good image taken with the same camera, preferably with the same settings, as the encrypted one.

Recovery of a JPEG file with an encrypted beginning

Hint: In simpler cases, where the ransomware encrypts only the beginning of the file, you can try JpegMedic ARWE, which can recover such files semi-automatically in batch mode.

To recover the image, follow these steps:

  1. Open the encrypted file in JpegMedic.
  2. Add the good JPEG file as a metadata sample.
  3. In the Cluster list, select the cluster you would like to start from (you can start with the first one).
  4. Run the Image > Create new from current cluster menu command. The following window will be shown:

    [Image: Create New window]

  5. Click OK to display the Repair window.
  6. In the Repair window, manually find the beginning of the first correct MCU. The easiest way to do this is to click the Reload from next cluster (>>>>) button, which attempts to read data starting from the next cluster.

Hint: A given ransomware typically encrypts a fixed number of bytes, so after you have repaired the first encrypted JPEG file, remember the offset at which you found the first correct MCU. When you recover other JPEG files, you can jump directly to that offset and save a lot of time. The majority of ransomware encrypts the first 153605 bytes of a file.

After a while, when the cursor passes the end of the encrypted data, you should see an image in the preview area:

[Image: ransomware-damaged JPEG image]

Most likely the image will be displayed incorrectly, with wrong colors or misaligned. You will therefore need to delete the first few MCUs of the image, because they are most likely damaged, insert empty MCUs at the beginning of the file, and then apply color correction.

Keep in mind that when you save a recovered JPEG file, empty MCUs at the beginning of the image are filled with gray. To make the image look better, you can clear the entire first line; on saving, this empty line is removed from the image completely.

After you perform all the repair steps, you will see the correct image.

[Image: fixed ransomware-damaged JPEG image]

If you know the size of the encrypted part of the file, you can attempt to repair the image in automatic mode. To do this, enable the "The file was encrypted by ransomware" option and enter the size of the encrypted part of the file into the corresponding field. Note: this option is only available if the very first cluster is selected in the Cluster view. When this option is selected, JpegMedic attempts the following:

  1. Finds the first correct MCU.
  2. Aligns offsets and puts the MCUs in their correct positions.
  3. Removes several MCUs at the beginning of the image to get rid of lines containing an unequal number of MCUs, so that after saving there are no gray lines at the top of the image.
  4. Performs automatic color correction.

If everything goes well, you should see an automatically repaired image after only a few clicks. The program also automatically enables borders so you can estimate the amount of lost data.

If the resulting colors do not look right, you can perform additional color correction using the corresponding sliders. After that, the image is ready to save.
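The MCU-grid arithmetic behind the alignment and removal steps above, as an added example that is not JpegMedic's code: it reads the frame and scan headers of the good sample image (the one the text says you need), derives the MCU grid, and from that computes how many leading MCUs to delete and how many empty lines to insert for a given first intact MCU, plus a rough estimate of where an encrypted prefix of a given byte count ends. The sample JPEG header, the padding formula and the byte-count estimate are my own constructions and assumptions, not a description of how the program's automatic mode works internally.

```python
"""MCU-grid arithmetic for the realignment steps described above.

Added example, my own code rather than JpegMedic's. It reads the frame header
(SOF0/SOF1/SOF2) and scan header of the good sample image, derives the MCU grid,
then computes how many leading MCUs to delete and how many empty lines to insert
so the surviving data starts on a full line, and estimates from the sample's
average bytes per MCU where an encrypted prefix of a given size ends. The
padding arithmetic and the estimate are my own, not how the program's automatic
mode is implemented.
"""
import math
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended sequential, progressive
SOS = 0xDA


def parse_frame(data):
    """Walk the marker segments; return frame size, sampling factors and scan offsets."""
    if data[:2] != SOI:
        raise ValueError("no SOI at offset 0: header destroyed, use the good sample file")
    pos, info = 2, {}
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan: nothing to measure
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + length]
        if marker in SOF_MARKERS:
            _, height, width, ncomp = struct.unpack(">BHHB", seg[:6])
            # per component: id, horizontal and vertical sampling factor
            comps = [(seg[6 + 3 * i], seg[7 + 3 * i] >> 4, seg[7 + 3 * i] & 0x0F)
                     for i in range(ncomp)]
            info.update(height=height, width=width, components=comps)
        if marker == SOS:
            info["scan_start"] = pos + 2 + length
            # inside entropy-coded data FF is always followed by 00 or D0..D7,
            # so the first FF D9 after the scan header is the real end of image
            info["scan_end"] = data.find(EOI, info["scan_start"])
            break
        pos += 2 + length
    if "width" not in info or "scan_start" not in info:
        raise ValueError("frame header or scan header missing")
    return info


def mcu_grid(info):
    """MCUs per line and number of lines; an MCU is 8*Hmax by 8*Vmax pixels."""
    hmax = max(h for _, h, _ in info["components"])
    vmax = max(v for _, _, v in info["components"])
    return math.ceil(info["width"] / (8 * hmax)), math.ceil(info["height"] / (8 * vmax))


def realign(first_good_mcu, mcus_per_line):
    """Return (mcus_to_delete, empty_lines_to_insert) for a first intact MCU at that grid index.

    Deleting the rest of its partial line and inserting empty lines in front of
    the remainder puts every surviving MCU at its true position with no partly
    filled line at the top (empty lines are dropped when the file is saved).
    """
    to_delete = (mcus_per_line - first_good_mcu % mcus_per_line) % mcus_per_line
    empty_lines = (first_good_mcu + to_delete) // mcus_per_line
    return to_delete, empty_lines


def estimate_first_good_mcu(encrypted_bytes, info, grid):
    """Rough grid index at which an encrypted prefix ends, from the sample's average MCU size."""
    cols, rows = grid
    avg = (info["scan_end"] - info["scan_start"]) / (cols * rows)
    return max(0, math.ceil((encrypted_bytes - info["scan_start"]) / avg))


# Constructed stand-in for the good sample: 1632x1080 pixels (the Nikon D4
# thumbnail size quoted above), 4:2:0 sampling, one scan of exactly 10 bytes per
# MCU. It carries no Huffman or quantisation tables, so it is a header only.
SOF0 = b"\xff\xc0\x00\x11\x08" + struct.pack(">HHB", 1080, 1632, 3) \
    + b"\x01\x22\x00" + b"\x02\x11\x01" + b"\x03\x11\x01"
SOS_SEG = b"\xff\xda\x00\x0c\x03" + b"\x01\x00\x02\x11\x03\x11" + b"\x00\x3f\x00"
SAMPLE = SOI + SOF0 + SOS_SEG + b"\x12" * (102 * 68 * 10) + EOI

if __name__ == "__main__":
    info = parse_frame(SAMPLE)
    grid = mcu_grid(info)
    print("image %dx%d, grid %d x %d MCUs" % (info["width"], info["height"], *grid))
    first = estimate_first_good_mcu(1000, info, grid)  # a 1000-byte encrypted prefix
    print("first intact MCU is roughly #%d -> delete %d MCUs, insert %d empty lines"
          % (first, *realign(first, grid[0])))
    # the 153605-byte figure quoted above is larger than this small sample's whole scan
    print("153605-byte prefix estimate:", estimate_first_good_mcu(153605, info, grid),
          "of", grid[0] * grid[1], "MCUs")
```

Run it against a real sample photograph instead of SAMPLE to get the grid of your own camera's files; the byte-count estimate is only a starting point, since Huffman-coded MCUs vary in size, and the visual alignment in the Repair window remains the final arbiter.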

Some cameras add multiple thumbnails when saving JPEG files, and one of them may be stored at the end of the file. For example, the Nikon D4 adds three thumbnails, and the final one at the end of the file has quite good resolution, 1632x1080 pixels. Since the ransomware encrypts only the beginning of the file, this thumbnail remains intact. You could simply save this thumbnail and not try to recover the original image. Instead, however, you can use the thumbnail to replace the broken MCUs at the beginning of the image and for better color correction, which means you can restore almost 100% of the original photograph.

When you open a file with such a surviving thumbnail, the program automatically displays it and selects the first cluster containing the thumbnail in the Cluster view. That is why, to use the "The file was encrypted by ransomware" option, you need to manually select the first cluster in the Cluster view. After that, JpegMedic automatically uses the thumbnail to refill the areas left empty after deleting the encrypted MCUs. This also allows better color correction.

Sometimes the dimensions of the thumbnail are not proportional to the dimensions of the image, so you can see a discrepancy at the joint edges:

[Image: fixed ransomware-damaged JPEG image with misaligned thumbnail]

That is why you may need to adjust the position of the thumbnail.

[Image: fixed ransomware-damaged JPEG image with adjusted thumbnail]

After adjusting the position of the thumbnail and correcting the colors, you end up with a good full-sized image that you can save.

Recovery of a JPEG file where the beginning, the middle and the end are encrypted

As a general rule, after such encryption you can only recover two separate parts of the image. Whether such a recovery has any practical value is arguable and depends on the context:

[Image: ransomware-damaged JPEG image, two surviving parts]

But in some cases even such damage can be fixed. As said above, some cameras write a large thumbnail image to the end of a JPEG file, and in some cases even two. This means that the encrypted file has an encrypted beginning and middle, and the encrypted end falls in the thumbnail. By combining the surviving parts of the image and the thumbnails, you can recover almost 100% of the original photograph.

When you open such a JPEG file in JpegMedic, you can see that the program displays one or sometimes two relatively small damaged images, and the Offset field points to the end of the file or near it. This is the thumbnail we can use to fill the empty areas of the original photo:

[Image: surviving thumbnail displayed by JpegMedic]

But first we need to locate the remaining parts of the main image. The basic method for finding the beginning of the main image is described above, and the procedure for locating the lower parts can be found in the Finding the next correct MCU section.

Some kinds of ransomware fill the encrypted parts with zeros. This lets you locate the first non-encrypted cluster visually:

[Image: zero-filled clusters in the Cluster view]

In such cases you simply need to select the first non-encrypted cluster, then use the Image > Create new from current cluster command and, in the window that opens, select the previously loaded correct image sample.

After the image editing window opens, add the thumbnail the program has found using the Thumbnail > Add command. The thumbnail should appear in the right part of the window. Then simply follow the standard recovery steps using the available commands.
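A triage script for the situations described above (a destroyed file header, zero-filled encrypted regions, and camera thumbnails that survive near the end of the file), as an added example rather than JpegMedic's code. It reports whether the SOI marker at offset 0 survived, which clusters are entirely zero and which is the first non-zero one (the cluster to select in the Cluster view), and which complete SOI..EOI spans, i.e. candidate thumbnails, remain. The 4096-byte cluster size and both sample files are constructed assumptions.

```python
"""Triage of a ransomware-damaged JPEG before opening it in JpegMedic.

Added example, my own code rather than JpegMedic's. It checks what the text
above tells you to look for: whether the SOI marker at offset 0 survived,
which clusters are entirely zero-filled (and hence which cluster to select
first), and whether complete SOI..EOI images, such as a camera thumbnail
near the end of the file, survived. The 4096-byte cluster size and all sample
data are assumptions constructed for the example.
"""

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
CLUSTER = 4096  # assumed; use the cluster size of the filesystem the file came from

# marker bytes that can legitimately follow SOI: SOFn/DHT, DQT, DRI, COM, APPn
_AFTER_SOI = set(range(0xC0, 0xD0)) | {0xDB, 0xDD, 0xFE} | set(range(0xE0, 0xF0))


def header_intact(data):
    """A healthy JPEG starts with SOI; ransomware hitting the file head destroys it."""
    return data[:2] == SOI


def zero_clusters(data, cluster=CLUSTER):
    """Indices of clusters that are entirely zero (some ransomware zero-fills instead of encrypting)."""
    return [i // cluster for i in range(0, len(data), cluster) if not any(data[i:i + cluster])]


def first_nonzero_cluster(data, cluster=CLUSTER):
    """First cluster holding a non-zero byte: the one to select in the Cluster view."""
    for i in range(0, len(data), cluster):
        if any(data[i:i + cluster]):
            return i // cluster
    return None


def find_embedded_jpegs(data):
    """Pair SOI and EOI markers, innermost first, to find complete embedded images.

    Returns (spans, orphan_eois): spans are (start, end) byte ranges of SOI..EOI
    images such as surviving thumbnails; orphan EOIs are end markers whose SOI was
    destroyed, typically the main image's own EOI. This is a heuristic: random
    ciphertext can contain FF D8 or FF D9 by chance, so a SOI only counts when a
    real marker follows it, and hits inside the encrypted region deserve suspicion.
    """
    spans, orphans, stack, pos = [], [], [], 0
    while True:
        s, e = data.find(SOI, pos), data.find(EOI, pos)
        if s < 0 and e < 0:
            break
        if e < 0 or 0 <= s < e:  # next marker is a SOI
            if len(data) > s + 3 and data[s + 2] == 0xFF and data[s + 3] in _AFTER_SOI:
                stack.append(s)
            pos = s + 2
        else:  # next marker is an EOI
            if stack:
                spans.append((stack.pop(), e + 2))
            else:
                orphans.append(e)
            pos = e + 2
    return spans, orphans


def triage(data, cluster=CLUSTER):
    """Summarise the damage so you know which of the recovery strategies above applies."""
    spans, orphans = find_embedded_jpegs(data)
    return {
        "size": len(data),
        "header_intact": header_intact(data),
        "zero_clusters": zero_clusters(data, cluster),
        "first_nonzero_cluster": first_nonzero_cluster(data, cluster),
        "embedded_jpegs": spans,
        "orphan_eoi": orphans,
        "ends_with_eoi": data.endswith(EOI),
    }


# Constructed samples. The "ciphertext" is a byte pattern containing no 0xFF, a
# stand-in for real ciphertext; the "scan data" is likewise only a stand-in.
THUMB = SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + EOI  # minimal JFIF
SCAN = b"\x5a\xa5" * 20000
# type 1: first 153605 bytes encrypted (the figure quoted above), thumbnail after the main EOI
SAMPLE_HEAD_ENCRYPTED = bytes(i % 251 for i in range(153605)) + SCAN + EOI + THUMB
# type 2: first three clusters zero-filled, no surviving thumbnail
SAMPLE_ZERO_FILLED = bytes(3 * CLUSTER) + SCAN + EOI

if __name__ == "__main__":
    for name, sample in (("head encrypted", SAMPLE_HEAD_ENCRYPTED),
                         ("zero filled", SAMPLE_ZERO_FILLED)):
        print(name, triage(sample))
```

For a real file, read it with open(path, "rb").read() and pass the result to triage(); an embedded span near the end of the file with a plausible size is the thumbnail to add with Thumbnail > Add, and the first non-zero cluster is where to run Image > Create new from current cluster.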

The entire recovery procedure can be split into several stages:

  1. Locate the beginning of the surviving upper part of the image.
  2. The first and last few MCUs of the surviving upper part will look damaged. You need to clear them.
  3. Align the image so that the upper part is positioned correctly. You can do this by inserting empty MCUs at the beginning of the image.
  4. Enable display of the thumbnail.
  5. By inserting empty MCU lines at the beginning of the image, make the image and the thumbnail overlap and match each other. For convenience, you can zoom in. Don't pay too much attention to color discrepancies; you can fix them later.
  6. If needed, fine-tune the position of the thumbnail relative to the image.
  7. Turn off display of the thumbnail.
  8. Set the cursor to the empty space in the upper part of the image, then use the Apply thumbnail command. The program fills the empty space with the thumbnail. Then use the Auto color command to adjust the color mismatch between the thumbnail and the main image.
  9. Go to the end of the surviving upper part of the image. Locate the beginning of the surviving lower part.
  10. The first few MCUs of the surviving lower part will look damaged. Clear them.
  11. Align the image so that the surviving lower part is positioned correctly. You can do this by inserting empty MCU blocks between the upper and the lower parts of the image.
  12. Enable display of the thumbnail.
  13. By inserting empty MCU lines between the upper and the lower parts of the image, make the image and the thumbnail overlap and match each other.
  14. Turn off display of the thumbnail.
  15. Set the cursor to the empty space between the upper and the lower parts of the image, then use the Apply thumbnail command. The program fills the empty space with the thumbnail. Then use the Auto color command to adjust the color discrepancy between the thumbnail and the original image.
  16. Check the bottom of the image. Some MCUs may have been lost during the above steps. You can easily bring them back by setting the cursor to the last visible MCU and using the Reload from current MCU command. An additional sign of correct recovery is the FF D9 byte sequence in the Hex dump shortly after the beginning of the last MCU. To check for these bytes quickly, put the cursor on the last MCU of the image; the cursor in the Hex dump automatically jumps to the beginning of the selected MCU.
  17. Finally, we have a completely recovered image that we can save.

With some practice, the above procedure takes no more than three minutes, as shown in the video demonstration.