联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
接到一个客户的oracle数据文件被加密的恢复请求,文件被加密为扩展名为:.id[76B8C076-3009].[decrypt20@firemail.cc].eking,通过底层分析,确认该文件被加密破坏较少
E-Mail:dba@xifenfei.com
联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
最近有一些朋友咨询了几种oracle数据库被加密的勒索病毒,我们都可以通过工具修复实现数据库直接open,数据使用exp/expdp导出,实现数据近似完美恢复,业务直接测试正常,远比各种工具直接导出数据效果要好很多.比如以下几种:
.id[A6B00388-2930].[Ransomwaree2020@cock.li].eking
E-Mail:dba@xifenfei.com
联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
有oracle数据库被加密扩展名为:.[77C81F29].[Evilminded@privatemail.com].makop
E-Mail:dba@xifenfei.com
联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
又一客户数据库被勒索病毒加密,扩展名为:.id[32D2A259-3147].[mikolio@cock.li].eking
E:\BaiduNetdiskDownload>dir *.eking
驱动器 E 中的卷是 SSD
卷的序列号是 98A5-7F8E
E:\BaiduNetdiskDownload 的目录
2021-05-04 01:55 162,604,986,658 ORACLEBAK20210503.DMP.id[32D2A259-3147].[mikolio@cock.li].eking
1 个文件 162,604,986,658 字节
0 个目录 262,026,616,832 可用字节
通过分析,确认只是少了的dmp数据被破坏
E-Mail:dba@xifenfei.com
联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
接到朋友一个oracle数据库被加密的恢复请求,被加密文件为:
-------=== Your network has been infected! ===------- *****************DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BCdadccBEA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjQ4Ni1VeE5hL2hSVzJVeXU0Wm1CeHhhdDFLUDVGWTlqMnJFekZlczd3NlVFdnBROHYz………… -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * YHSKC2aqLa0A1xzn
通过底层分析坏块情况,确认只是对文件头的127个block进行了破坏
由于客户是10g的版本,无法实现直接open库,然后expdp/exp导出数据.通过底层技术,直接恢复数据到新库,然后处理非表数据(index,view,proc,sequence等),实现最大限度恢复客户数据,最大程度减少客户整合数据的工作量
E-Mail:dba@xifenfei.com
 |
|