savemydata@qq.com encrypted database recovery

E-mail:chf.dba@gmail.com

Title: savemydata@qq.com encrypted database recovery

Author: DATABASE SOS © All rights reserved [may not be reproduced in any form without my consent; otherwise the right to pursue legal responsibility is reserved.]

We recently handled a case in which a customer's Oracle files were encrypted and renamed with the suffix .id-BE19A09A.[savemydata@qq.com].harma

The corresponding txt file is:
[screenshot]

Analysis showed that the ransomware encrypts the data file in segments rather than in full. By analyzing the information stored in the Oracle data dictionary and how it maps to the stored data, we can open the database and skip the encrypted segments, achieving a fairly complete database recovery.

For SQL Server databases that have unfortunately been encrypted by this type of virus, a fairly complete recovery at the database level is also possible. This keeps losses as low as possible and avoids encouraging the attackers (that is, do not give them Bitcoin).

.YOUR_LAST_CHANCE encrypted database recovery

Recently, a friend reported that a SQL Server database had been encrypted, with files renamed in the format .id_multi-digit_.YOUR_LAST_CHANCE, and asked us to analyze whether it could be restored.
[screenshot: YOUR_LAST_CHANCE]

A similar txt file is:
[screenshot: YOUR_LAST_CHANCE-2]

Analysis identified this type of ransomware, and a good recovery is possible at the database level; the recovered database can essentially be used directly.
[screenshot: sql-recover]

If your database server (Oracle or SQL Server) has been hit by this ransomware, you can contact us to recover directly at the database level
E-Mail:chf.dba@gmail.com

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

During a recent vacation period, I received many requests to recover databases encrypted on Windows file systems, mostly involving ransomware similar to the following. Through analysis, we determined that Oracle and SQL Server databases encrypted by this type of ransomware can be recovered fairly completely.
1. Each directory contains a file named !!! DECRYPT MY FILES !!!.txt, with the following content:
[screenshot]

2. Encrypted file name: the original file name with .id-3109967046_[Icanhelp@cock.li].firex3m appended
[screenshots: oracle1, sql1]

By analyzing the encrypted Oracle and SQL Server databases, we can achieve an essentially complete recovery (applications can run directly against the recovered database)
[screenshots: sql-recover, oracle-recovery]


SQL Server Database Bitcoin Encryption Ransomware Recovery

For Oracle databases encrypted by the GANDCRAB virus, we can provide a fairly complete recovery (see "GANDCRAB V5.0.4 Bitcoin encryption oracle database recovery" and "GANDCRAB Upgraded Oracle Recovery"). We have recently done some research on SQL Server databases encrypted by GANDCRAB, and these can now also be recovered well.
[screenshot: gandcrab5.2-sql-server]

The price quoted for having the hacker decrypt the files was $ 10w, which the customer could not accept. The main asset on the system was the encrypted SQL Server database. The customer had a backup from several months earlier, but restoring it would have meant severe data loss that the customer could not bear, so they asked us for recovery support. After a series of recovery steps, we achieved a fairly complete recovery of the database
[screenshots: gandcrab5.2-sql-server1, gandcrab5.2-sql-server2]

If your SQL Server database has unfortunately been encrypted by Bitcoin ransomware, you can contact us at any time for database-level recovery support
E-Mail:chf.dba@gmail.com

.ALCO Bitcoin Crypto Ransom Recovery

A friend recently asked us about recovering an Oracle database on another Windows platform that had been encrypted by Bitcoin ransomware with the suffix .ALCO+.
[screenshot: .ALCO+]

The analysis revealed that this virus is nastier than earlier ones: the head and tail of the file are encrypted at intervals
[screenshots: oracle-1-alco+, oracle-3-alco+, oracle-2-alco+]

The analysis results show that ALCO+ separately encrypts the 318 blocks at the beginning and at the end of the Oracle file.
Through our analysis, we can also achieve good recovery results for this type of failure.
[screenshot: oracle-4-alco+]


.CHAK1 Bitcoin Crypto Ransomware Recovery

Recently, a friend encountered an Oracle database encrypted by Bitcoin ransomware with the suffix .CHAK1.
[screenshot: oracle-chak1]

We have confirmed that this damage is similar to the previous case (Bitcoin encryption ransom interval encryption)
[screenshots: oracle-chak1, oracle-chak2]

Analysis shows that the damage is as follows:
1) Encryption at 1280-block intervals,
2) The first 10M of data in each encrypted file may be lost
For this customer, analysis showed that the business data could be recovered completely.
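
A triage step for the partial-encryption patterns described above (ALCO+ encrypting blocks at the head and tail of a file, CHAK1 encrypting at block intervals), as an added example that is not the author's recovery tooling: it maps which fixed-size blocks of a file are high-entropy and therefore probably encrypted. The 8 KiB block size, the 7.5 bits/byte threshold, and the sample data are assumptions constructed for illustration.

```python
import math
import random

BLOCK_SIZE = 8192        # assumption: 8 KiB, a common Oracle block / SQL Server page size
ENTROPY_THRESHOLD = 7.5  # assumption: bits per byte at or above which a block is flagged


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_ranges(data: bytes, block_size=BLOCK_SIZE, threshold=ENTROPY_THRESHOLD):
    """Return [(first_block, last_block), ...] for each run of high-entropy blocks."""
    ranges, start = [], None
    total = (len(data) + block_size - 1) // block_size
    for i in range(total):
        high = shannon_entropy(data[i * block_size:(i + 1) * block_size]) >= threshold
        if high and start is None:
            start = i                      # a suspicious run begins
        elif not high and start is not None:
            ranges.append((start, i - 1))  # the run ended at the previous block
            start = None
    if start is not None:
        ranges.append((start, total - 1))
    return ranges


def build_sample(total_blocks=40, damaged=((0, 2), (10, 12), (37, 39))) -> bytes:
    """Constructed sample: repetitive text blocks, with random bytes standing in for ciphertext."""
    rng = random.Random(1)
    out = bytearray()
    for i in range(total_blocks):
        if any(lo <= i <= hi for lo, hi in damaged):
            out += bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
        else:
            row = b"ORDER_%06d,CUSTOMER,2020-01-10;" % i
            out += (row * (BLOCK_SIZE // len(row) + 1))[:BLOCK_SIZE]
    return bytes(out)


if __name__ == "__main__":
    print(encrypted_ranges(build_sample()))
```

Compressed content is also high-entropy, so treat the reported ranges as candidates and confirm them against the database's own block structure, working on a copy of the file.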

If your database has been held for ransom by Bitcoin ransomware and needs recovery support, please contact us
E-Mail:chf.dba@gmail.com

.wncry Bitcoin Ransomware Recovery

I have followed various Bitcoin ransomware before; for Oracle databases, mainly the pl/sql dev ransomware and file-encrypting ransomware. None of those earlier incidents had anything like the reach and impact of this one. Even the country's public security network was severely infected, and many departments were unable to operate normally.
After infection:
[screenshots: btb, wncry]

Here you can see that the encryption this time is selective: not all files are encrypted. Files are selected by file name suffix and then encrypted for ransom.
Viewing the encrypted files:
[screenshots]

This case differs from the earlier file-encrypting ransomware. This time the entire file is encrypted, and full-file encryption makes recovery much more difficult.

Bitcoin receiving address
https://btc.com/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
From this link you can see that the extortionists have received a lot of Bitcoin. Paying is generally not recommended: 1) it fuels this arrogance, and 2) paying may not get the files decrypted (there are examples of failure around us)
[screenshot]

Fortunately, although we cannot decrypt the encrypted files, the way the encryption works means that if Oracle has been running on the hard disk (that is, the disk stored the Oracle data files), traces remain on the disk. As long as these traces have not been overwritten, we can recover the data by scanning the blocks at the low level (similar to: asm disk header completely damaged recovery). Using this principle, we successfully restored a customer's database today. If you cannot recover such a case yourself, you can contact us for technical support
E-Mail:chf.dba@gmail.com
Due to limited technical skills, at present we can only recover databases encrypted by Bitcoin ransomware; other files cannot be recovered. For databases, we also need to assess the environment on site to determine whether recovery is possible.

GANDCRAB V5.0.4 Bitcoin encryption oracle database recovery

We received a recovery request from a friend: the files on a Windows server, including an Oracle database (Zhonglian HIS [a large number of Chinese table names / xml types]), had been encrypted by the GANDCRAB V5.0.4 Bitcoin ransomware, and we were asked to analyze whether it could be restored
[screenshots]

Analysis with a tool showed that the file header and the data file space information need to be reconstructed using the bitmap-related blocks, while the main business data should in theory be intact. By analyzing basic database information such as the tablespaces and data files, we manually rebuilt these, rebuilt the control file, and, after a series of recovery steps, successfully forced the database open

SQL> select open_mode from v$database;

OPEN_MODE
--------------------
READ WRITE

SQL> select name from v$datafile;

NAME
--------------------------------------------------------------------------------
E:\ORCLNEW1\SYSTEM01.DBF.HKNWFZ
E:\ORCLNEW1\SYSAUX01.DBF.HKNWFZ
E:\ORCLNEW1\UNDOTBS01.DBF.HKNWFZ
E:\ORCLNEW1\USERS01.DBF.HKNWFZ
E:\ORCLNEW1\BHDATA.DBF.HKNWFZ
E:\ORCLNEW1\BHMAIL.DBF.HKNWFZ
E:\ORCLNEW1\BHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\ZHBASIS.DBF.HKNWFZ
E:\ORCLNEW1\ZHARCHIVES.DBF.HKNWFZ
E:\ORCLNEW1\ZHSERVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHADVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHEXPENSES.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDICINE.DBF.HKNWFZ
E:\ORCLNEW1\ZHLAB.DBF.HKNWFZ
E:\ORCLNEW1\ZHCHECK.DBF.HKNWFZ
E:\ORCLNEW1\ZHLOB.DBF.HKNWFZ
E:\ORCLNEW1\ZHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\SLREPORT.DBF.HKNWFZ
E:\ORCLNEW1\ZHMATERIAL.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDREC.DBF.HKNWFZ
E:\ORCLNEW1\ZHINSURE.DBF.HKNWFZ

Because the customer's database contains a large number of xml-type columns, exp cannot export it and only expdp can be used. Because expdp creates intermediate tables during the export, some repairs were made to the database to ensure that it could write objects normally, and the database export then succeeded
[screenshot]

.WECANHELP encrypted database recovery

We received a recovery request over the network: an Oracle dmp file had been encrypted, with the file name 2020_01_10_16_00_00.DMP.id_2251820718_.WECANHELP. The content of the _RESTORE FILES_.txt file is:

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software? "Nemesis decryptor"
You can find out the details / buy decryptor + key / ask questions by email:
        wecanhelpyou@elude.in, w3canh3lpy0u@cock.li OR wecanh3lpyou2@cock.li
IMPORTANT!
DON'T TRY TO RESTORE YOU FILES BY YOUR SELF, YOU CAN DAMAGE FILES!
If within 24 hours you did not receive an answer by email,
   be sure to write to Jabber: icanhelp@xmpp.jp
Your personal ID: 2251820718

By analyzing the encrypted dmp file, we determined that it can be restored at the database level, rescuing as much of the customer's data as possible
[screenshots]

If your database (Oracle, MySQL, SQL Server) has unfortunately been encrypted by Bitcoin ransomware, you can contact us
E-Mail:chf.dba@gmail.com

Globeimposter * 865qqz ransomware recovery

Recently, files on a client's server were encrypted with the suffix .Globeimposter-Beta865qqz. Analysis shows that the following related suffixes are similar:
.Globeimposter-Alpha865qqz
.Globeimposter-Beta865qqz
.Globeimposter-Delta865qqz
.Globeimposter-Epsilon865qqz
.Globeimposter-Gamma865qqz
.Globeimposter-Zeta865qqz
Similar screenshots are as follows:
[screenshot]

Analysis revealed that the data was encrypted and corrupted
[screenshot]

After low-level processing of the files, most of the data was recovered
[screenshot]

After analysis, we can recover some databases hit by this type of virus (oracle dmp, sql bak, etc.). If you have such a problem, you can contact us for recovery support
E-Mail:chf.dba@gmail.com