分类目录归档:勒索恢复

oracle dmp被加密为.eking扩展名恢复

又一客户数据库被勒索病毒加密,扩展名为:.id[32D2A259-3147].[mikolio@cock.li].eking

E:\BaiduNetdiskDownload>dir *.eking
 驱动器 E 中的卷是 SSD
 卷的序列号是 98A5-7F8E

 E:\BaiduNetdiskDownload 的目录

2021-05-04  01:55   162,604,986,658 ORACLEBAK20210503.DMP.id[32D2A259-3147].[mikolio@cock.li].eking
               1 个文件 162,604,986,658 字节
               0 个目录 262,026,616,832 可用字节

通过分析,确认只是少了的dmp数据被破坏
20210509174037


通过expdp dmp被加密破坏恢复工具进行恢复,实现绝大多数数据的完美恢复
20210509210046

如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:13429648788    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com

发表在 勒索恢复 | 标签为 , , , | 评论关闭

Avaddon勒索病毒数据库恢复

接到朋友一个oracle数据库被加密的恢复请求,被加密文件为:
20210505193114


read.txt文件中信息

-------===    Your network has been infected!    ===-------





*****************DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED*****************





All your documents, photos, databases and other important 

files have been encrypted and have the extension: .BCdadccBEA



You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!



The only way to restore your files is to buy our special software. 
Only we can give you this software and only we can restore your files!



We have also downloaded a lot of private data from your network.

If you do not contact as in a 3 days we will post information about your breach 
on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.



You can get more information on our page, which is located in a Tor hidden network.





How to get to our page

--------------------------------------------------------------------------------

|

|  1. Download Tor browser - https://www.torproject.org/

|

|  2. Install Tor browser

|

|  3. Open link in Tor browser - avaddonbotrxmuyl.onion

|

|  4. Follow the instructions on this page

|

--------------------------------------------------------------------------------



Your ID:

--------------------------------------------------------------------------------



MjQ4Ni1VeE5hL2hSVzJVeXU0Wm1CeHhhdDFLUDVGWTlqMnJFekZlczd3NlVFdnBROHYz…………



--------------------------------------------------------------------------------



* DO NOT TRY TO RECOVER FILES YOURSELF!



* DO NOT MODIFY ENCRYPTED FILES!



* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

YHSKC2aqLa0A1xzn

通过底层分析坏块情况,确认只是对文件头的127个block进行了破坏
20210505192823
由于客户是10g的版本,无法实现直接open库,然后expdp/exp导出数据.通过底层技术,直接恢复数据到新库,然后处理非表数据(index,view,proc,sequence等),实现最大限度恢复客户数据,最大程度减少客户整合数据的工作量
20210505194153


如果此类的数据库文件(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:13429648788    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com

发表在 勒索恢复 | 标签为 , , , | 评论关闭

.Globeimposter-Beta666qqz扩展名数据库加密恢复

又接一医院客户请求,多套win系统被勒索病毒加密,其中有几套是oracle数据库,请求我们进行分析,确认是否可以恢复.
HOW TO BACK YOUR FILES.txt文件信息

                   YOUR FILES ARE ENCRYPTED !!!

TO DECRYPT, FOLLOW THE INSTRUCTIONS:

To recover data you need decrypt tool.

To get the decrypt tool you should:

1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 
4.We can decrypt few files in quality the evidence that we have the decoder.


 DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:

China.Helper@aol.com

                   ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:

Tq rx zo f3 B1 Eg S/ m1 SI Yw KS av ip Js /5 oU
uk FL LY Wa pF P1 Dc ss 8l dU cl pE xe Sa Gw oC
Fq /+ rF dz D3 DU Pz S6 6e uB M5 Wx zD 3C DW EC
nk 1I V1 rf zK R4 36 tq 7o bJ rK Rq 81 ib hf lh
+8 Oz rR 4g VM rz FH ST rJ ve 1S K2 PN FL 7I Gg
yp Wq vv 1j V8 Fz vN 0x y9 l2 Ig Ql fD lK MJ +H
Vw WV 80 FY /s OE oG 9V nC TY Ys Zd nQ is T2 Bw
U4 cK yM km OB Ko 8p Yg g/ DA 5N S+ DX e5 /v 0s
A9 Ae B6 Q1 aO Q9 gN 5/ pg HA LS jD 50 1K p6 Jn
T0 g4 MR Gp 3L l4 GM Fv rD Pq gC pp Tf kz 4k vh
ZG rz SB CD 1f lh M5 UA QI mn ky CG es re GI qc
7s 7h aZ /B sR 6V yn /I xC h7 Xc oR 4G uQ ZC DU
Bs Ij AI 1f 0c w0 Y7 Vd xy FI R2 lz L1 8r dK lF
zS SM CK Mb Rm wo EQ ht ht zj 1m R0 NM 0W 0T lA
9A AP vl dA dB XA Fx cH iR ux C8 Hn uv B9 H0 tk
0J Ph Cn VZ S+ 6b NT BT YZ jC Wf ah Ml N5 q6 FS
uZ Tk 5o 0+ Sq 3c lZ 0a SH LR nW jn 1f A2 rg k6
jx qq eD T1 GT 6w cC 6C TP 3j 6Z KV 6D 1N tS Jo
p/ Sl DB J2 yD Q1 u5 Y7 GS E9 /c kh U6 r8 QP wy
jU Fa +Y Um TZ Mo PY gQ /L pj 5d QD EK A8 g2 qY
8Z 1d Np 3M qm Ri Sf Nc IT cN 2O Uj Ou Gw DZ H3
Wb Lo BV mE wZ 4= 

被加密文件类似
20210403180555


通过底层分析,只是小部分数据被加密破坏
20210403180929

这个客户相对比较幸运,他们有3月19日的备份,通过结合备份,实现比较好的效果数据恢复
如果此类的数据库文件(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:13429648788    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com

发表在 勒索恢复 | 标签为 , , , | 评论关闭