分类目录归档:勒索恢复

VMware勒索加密恢复(vmdk勒索恢复)

发表于 2025 年 3 月 29 日 惜分飞

客户运行VMware Esxi由于被黑客攻破,导致所有的vmdk文件均被加密,其中包含大量的数据库虚拟机,这段时间,客户找了不少人进行分析恢复,要不就是恢复效果不好,要不就是要加太高,通过底层分析,确认可以比较完美的恢复,包括虚拟机直接运行的mysql、oracle数据库,docker中运行的mysql数据库,那其中一个恢复case来说明,被加密的虚拟机文件是一个500G的vmkd文件(.vmdk.{74C1B740-FEC0-01BD-914B-5F2CBAAA094E}.tianrui)
通过工具对其扫描,该磁盘采用的是lvm方式管理
lvm1
lvm2

lvm中的文件采用的是xfs格式文件系统,对其进行解析,并直接看到oracle数据库文件
lvm_oracle111
lvm_oracle
把相关oracle数据库相关文件恢复出来,然后使用工具检测无坏块,直接上传到服务器中,直接open库,实现oracle数据库完美恢复
对于类似这种被加密的勒索的虚拟机,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com
系统安全防护措施建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
9.保存良好的备份习惯,尽量做到每日备份,异地备份。

发表在 勒索恢复 | 标签为 , , , | 留下评论

vmdk文件被加密恢复(虚拟机文件加密)

发表于 2025 年 3 月 20 日 惜分飞

有客户的vm虚拟化平台被勒索病毒加密,扩展名为:.{110DCD0A-295C-27A4-914B-5F2CBAAA094E}.tianrui
tainrui

README.TXT文件内容如下,预留邮箱为:tianrui@mailum.com

I'll try to be brief: 1. It is beneficial for us that your files are decrypted no less than you, 
we don't want to harm you, we just want to get a ransom for our work.
2. Its only takes for us at list 20 minutes after payment to completely decrypt you,
to its original state, it's very simple for us!
3.If you contact decryption companies, you are automatically exposed to publicity,also, 
these companies do not care about your files at all, they only think about their own benefit!
4.They also contact the police. Again, only you suffer from this treatment!
5. We have developed a scheme for your secure decryption without any problems, unlike the above companies,
who just as definitely come to us to decipher you and simply make a profit from you as intermediaries, 
preventing a quick resolution of this issue!

6. In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, 
   payment documents , certificates , personal information of you staff, SQL,ERP,
financial information for other hacker groups) and they will come to you again for sure!

We will also publicize this attack using social networks and other media,
   which will significantly affect your reputation

7. If you contact us no more than 12 hours after the attack, the price is only 50% of the price afterwards!

8. Do not under any circumstances try to decrypt the files yourself; you will simply break them!
         YOU MUST UNDERSTAND THAT THIS IS BIG MARKET AND DATA RECOVERY NEED MONEY ONLY !!!
9.IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM 
   FOR DECRYPT TEST FILE FOR YOU IF THEY CANT DO IT DO NOT BELIEVE THEM

10.Do not give data recovery companies acces to your network they make your data cant be decrypted by us - 
for make more money from you !!!!! DO NOT TELL THEM YOUR COMPANY NAME BEFORE THEY GIVE YOU TEST FILE !!!!!! 



Contacts :

Download the (Session) messenger (https://getsession.org)  
You fined me "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d"

MAIL:tianrui@mailum.com

通过底层分析,确认vmdk文件可以通过找出来分区信息,确认当时运行的是一个win操作系统
QQ20250320-231317

查看对应分区中数据情况
QQ20250320-231716
对于类似这种被加密的勒索的虚拟机,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com
系统安全防护措施建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
9.保存良好的备份习惯,尽量做到每日备份,异地备份。

发表在 勒索恢复 | 标签为 , , , | 留下评论

.[OnlyBuy@cyberfear.com].REVRAC勒索mysql恢复

发表于 2025 年 3 月 13 日 惜分飞

有朋友接到一个mariadb库被加密的case,部分文件被加密为:.[D2BB58C7].[OnlyBuy@cyberfear.com].REVRAC扩展名
revrac

黑客预留的+README-WARNING+.txt内容类似:

YOUR FILES ARE ENCRYPTED

Your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an 
    email: TechSupport@cyberfear.com  and decrypt one file for free.

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb 
(non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) 

Do you really want to restore your files?
Write to email: OnlyBuy@cyberfear.com

Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email
indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL

Attention!
 * Do not rename encrypted files.
 * Do not try to decrypt your data using third party software, it may cause permanent data loss.
 * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) 
   or you can become a victim of a scam.

YOUR ID: D2BB58C7

通过分析ibd文件没有被破坏
225026

这种情况恢复相对比较简单,可以直接通过对单独ibd文件会的思路进行处理,类似恢复文章:
frm和ibd文件数据库恢复
MySQL 8.0版本ibd文件恢复
[MySQL异常恢复]mysql ibd文件恢复
InnoDB: Cannot open table db/tab from the internal data dictionary of InnoDB though the .frm file for the table exists
当然前提需要有表创建语句,这个客户有昨天的备份的被的.sql备份,通过技术手段分析,确认只有3个表的创建语句丢失,对于丢失的ddl语句,通过直接对ibdata文件解析获取,基于这些信息结合,实现数据的完美恢复

对于类似这种被加密的勒索的数据文件,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com
系统安全防护措施建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
9.保存良好的备份习惯,尽量做到每日备份,异地备份。

发表在 MySQL恢复, 勒索恢复 | 标签为 , , , | 评论关闭