标签归档：vmdk加密恢复

有客户的vm虚拟化平台被勒索病毒加密,扩展名为:.{110DCD0A-295C-27A4-914B-5F2CBAAA094E}.tianrui

---

README.TXT文件内容如下,预留邮箱为:tianrui@mailum.com

I'll try to be brief: 1. It is beneficial for us that your files are decrypted no less than you, 
we don't want to harm you, we just want to get a ransom for our work.
2. Its only takes for us at list 20 minutes after payment to completely decrypt you,
to its original state, it's very simple for us!
3.If you contact decryption companies, you are automatically exposed to publicity,also, 
these companies do not care about your files at all, they only think about their own benefit!
4.They also contact the police. Again, only you suffer from this treatment!
5. We have developed a scheme for your secure decryption without any problems, unlike the above companies,
who just as definitely come to us to decipher you and simply make a profit from you as intermediaries, 
preventing a quick resolution of this issue!

6. In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, 
   payment documents , certificates , personal information of you staff, SQL,ERP,
financial information for other hacker groups) and they will come to you again for sure!

We will also publicize this attack using social networks and other media,
   which will significantly affect your reputation

7. If you contact us no more than 12 hours after the attack, the price is only 50% of the price afterwards!

8. Do not under any circumstances try to decrypt the files yourself; you will simply break them!
         YOU MUST UNDERSTAND THAT THIS IS BIG MARKET AND DATA RECOVERY NEED MONEY ONLY !!!
9.IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM 
   FOR DECRYPT TEST FILE FOR YOU IF THEY CANT DO IT DO NOT BELIEVE THEM

10.Do not give data recovery companies acces to your network they make your data cant be decrypted by us - 
for make more money from you !!!!! DO NOT TELL THEM YOUR COMPANY NAME BEFORE THEY GIVE YOU TEST FILE !!!!!! 



Contacts :

Download the (Session) messenger (https://getsession.org)  
You fined me "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d"

MAIL:tianrui@mailum.com

通过底层分析,确认vmdk文件可以通过找出来分区信息,确认当时运行的是一个win操作系统

---

查看对应分区中数据情况

---

对于类似这种被加密的勒索的虚拟机,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持，请联系我们:
电话/微信:17813235971    Q Q:107644445    E-Mail:dba@xifenfei.com
系统安全防护措施建议：
1.多台机器，不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性，并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制，并进行定期备份
4.定期检测系统和软件中的安全漏洞，及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件，并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件，如果已经被杀毒软件拦截查杀，不要添加信任继续运行。
9.保存良好的备份习惯，尽量做到每日备份，异地备份。