标签归档：Avaddon病毒

Avaddon勒索病毒数据库恢复

发表于 2021 年 5 月 5 日由惜分飞

接到朋友一个oracle数据库被加密的恢复请求，被加密文件为：

read.txt文件中信息

-------===    Your network has been infected!    ===-------





*****************DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED*****************





All your documents, photos, databases and other important 

files have been encrypted and have the extension: .BCdadccBEA



You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!



The only way to restore your files is to buy our special software. 
Only we can give you this software and only we can restore your files!



We have also downloaded a lot of private data from your network.

If you do not contact as in a 3 days we will post information about your breach 
on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.



You can get more information on our page, which is located in a Tor hidden network.





How to get to our page

--------------------------------------------------------------------------------

|

|  1. Download Tor browser - https://www.torproject.org/

|

|  2. Install Tor browser

|

|  3. Open link in Tor browser - avaddonbotrxmuyl.onion

|

|  4. Follow the instructions on this page

|

--------------------------------------------------------------------------------



Your ID:

--------------------------------------------------------------------------------



MjQ4Ni1VeE5hL2hSVzJVeXU0Wm1CeHhhdDFLUDVGWTlqMnJFekZlczd3NlVFdnBROHYz…………



--------------------------------------------------------------------------------



* DO NOT TRY TO RECOVER FILES YOURSELF!



* DO NOT MODIFY ENCRYPTED FILES!



* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

YHSKC2aqLa0A1xzn

通过底层分析坏块情况,确认只是对文件头的127个block进行了破坏

由于客户是10g的版本,无法实现直接open库,然后expdp/exp导出数据.通过底层技术,直接恢复数据到新库,然后处理非表数据(index,view,proc,sequence等),实现最大限度恢复客户数据,最大程度减少客户整合数据的工作量