*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

E-mail:chf.dba@gmail.com


Author: DATABASE SOS©All rights reserved [without my consent, it may not be reproduced in any form, otherwise there is the right to further legal responsibility.]

During a recent holiday period I received many requests to recover databases on Windows file systems that had been encrypted by ransomware similar to the case shown below. Our analysis shows that Oracle and SQL Server databases hit by this type of encrypting malware can be recovered almost completely.
1. Every directory contains a file named !!! DECRYPT MY FILES !!!.txt; its content is the ransom note (screenshot not reproduced here).


2. Encrypted file names: the suffix .id-3109967046_[Icanhelp@cock.li].firex3m is appended to the original file name.
(screenshots: encrypted Oracle and SQL Server data files)


By analyzing the encrypted Oracle and SQL Server databases, we can achieve essentially complete recovery (the application can run directly on the recovered database).
(screenshots: SQL Server and Oracle recovery results)


.ALCO Bitcoin Crypto Ransom Recovery


A friend recently asked about another Windows host whose files had been encrypted by Bitcoin ransomware appending the suffix .ALCO, with a request to recover the Oracle database.
(screenshot: files with the .ALCO suffix)


Analysis showed that this variant is nastier than the earlier ones: the head and the tail of each file are encrypted at intervals.
(screenshots: oracle-1-alco, oracle-3-alco, oracle-2-alco)


The analysis results show that ALCO separately encrypts the 318 blocks at the beginning and at the end of each Oracle file.
For this type of damage, our analysis shows that good recovery results are also possible.
(screenshot: oracle-4-alco)


.CHAK1 Bitcoin Crypto Ransomware Recovery


Recently a friend encountered an Oracle database whose files carried the Bitcoin ransomware suffix .CHAK1.
(screenshot: oracle-chak1)


We confirmed that this damage is similar to the previous case (Bitcoin ransomware with interval encryption).
(screenshots: oracle-chak1, oracle-chak2)
Analysis shows the damage consists of:
1) encryption at 1280-block intervals,
2) the first 10M of each encrypted file may be lost.
For this customer, analysis showed that the business data could be recovered completely.
(screenshot: recovered data)
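As an added example (not code from DATABASE SOS or from the posts above), the following Python script shows how a responder can measure the damage shape that the .ALCO and .CHAK1 posts describe, head-and-tail encryption and fixed-interval encryption, before attempting recovery. It walks a file block by block, labels each block as zeroed, high-entropy (treated as encrypted) or intact, merges neighbours into runs, and summarises the pattern. The 8192-byte block size, the 7.5 bits/byte entropy threshold and the sample file (text-like rows with chosen blocks replaced by pseudo-random bytes or zeros) are constructed assumptions; to run it on a real data file, pass the bytes of open(path, "rb").read() to damage_map.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 8192  # assumption: Oracle default block size; use the file's DB_BLOCK_SIZE


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for table rows."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes, threshold: float = 7.5) -> str:
    """Label one block: 'zeroed' (blanked), 'encrypted' (high entropy) or 'intact'."""
    if not any(block):
        return "zeroed"
    if shannon_entropy(block) >= threshold:
        return "encrypted"
    return "intact"


def damage_map(data: bytes, block_size: int = BLOCK_SIZE):
    """Walk the file block by block and merge neighbours with the same label
    into runs of (first_block, last_block, label)."""
    runs = []
    for offset in range(0, len(data), block_size):
        label = classify_block(data[offset:offset + block_size])
        blk = offset // block_size
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], blk, label)
        else:
            runs.append((blk, blk, label))
    return runs


def describe_pattern(runs, nblocks: int) -> str:
    """Summarise where the damage sits: head/tail only, a fixed stride, or irregular."""
    damaged = [r for r in runs if r[2] != "intact"]
    if not damaged:
        return "no damage detected"
    starts = [r[0] for r in damaged]
    if len(damaged) >= 3:
        # One distinct distance between run starts means a fixed stride (interval encryption).
        strides = {b - a for a, b in zip(starts, starts[1:])}
        if len(strides) == 1:
            length = damaged[0][1] - damaged[0][0] + 1
            return f"periodic: stride {strides.pop()} blocks, run length {length} blocks"
    head = damaged[0][0] == 0
    tail = damaged[-1][1] == nblocks - 1
    if head and tail and len(damaged) == 2:
        return (f"head and tail: first {damaged[0][1] + 1} "
                f"and last {nblocks - damaged[-1][0]} blocks")
    if head and len(damaged) == 1:
        return f"head only: first {damaged[0][1] + 1} blocks"
    if tail and len(damaged) == 1:
        return f"tail only: last {nblocks - damaged[-1][0]} blocks"
    return "irregular"


def build_sample(nblocks: int, encrypted=(), zeroed=(), seed: int = 7) -> bytes:
    """Constructed stand-in for a data file: text-like rows, with chosen blocks
    replaced by pseudo-random bytes (stands in for ciphertext) or by zeros."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(nblocks):
        if i in zeroed:
            out += bytes(BLOCK_SIZE)
        elif i in encrypted:
            out += bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
        else:
            row = f"ROW{i:05d},SOME_TABLE,2019-01-01,OK;".encode()
            out += (row * (BLOCK_SIZE // len(row) + 1))[:BLOCK_SIZE]
    return bytes(out)


if __name__ == "__main__":
    # Shape A (like the .ALCO post): a few blocks at each end of a 20-block file.
    alco_like = build_sample(20, encrypted=set(range(3)) | set(range(17, 20)))
    print(describe_pattern(damage_map(alco_like), 20))
    # Shape B (like the .CHAK1 post): one block every 10 blocks in a 40-block file.
    chak_like = build_sample(40, encrypted={0, 10, 20, 30})
    print(describe_pattern(damage_map(chak_like), 40))
```

The entropy test only separates ciphertext from structured data; compressed or already-encrypted content (TDE tablespaces, LOBs holding images) will also score high, so read the report alongside what you know about the tablespace contents.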


If your database has been encrypted by Bitcoin ransomware and you need recovery support, please contact us.
E-Mail:chf.dba@gmail.com

.wncry Bitcoin Ransomware Recovery


I have paid attention to various Bitcoin ransomware before. For Oracle databases I mainly followed the pl/sql dev case and file-encrypting ransomware, but no earlier outbreak had an impact as wide or as serious as this one: even the national public security network was badly infected, and many departments could not operate normally.
After infection:
(screenshots: btb, wncry)


Here we can see that this Bitcoin ransomware encrypts selectively: not every file is encrypted; the malware decides by file extension which files to encrypt and then holds them for ransom.
Encrypted files:
(screenshots: encrypted file listing)


This incident differs from the earlier encrypting ransomware cases: this time the whole file is encrypted, which makes recovery much harder than before.

Bitcoin received:
https://btc.com/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
From this address you can see that the people behind it have received a lot of bitcoin. Paying is generally not recommended: 1) it fuels this arrogance, and 2) paying may not get your files decrypted (there are examples of failure around us).


Fortunately, although we cannot decrypt the encrypted files, the way the encryption works leaves an opening: Oracle ran on this disk and stored its data files there, so traces of the data remain on the disk. As long as those traces have not been overwritten, we can scan the disk at block level and recover the data (similar to recovery after an ASM disk header is completely damaged). Using this principle we successfully restored a customer's database today. If you cannot recover such a case yourself, you can contact us for technical support.
E-Mail:chf.dba@gmail.com
Due to our limited technical capability, at present we can only recover databases encrypted by this Bitcoin ransomware; other files cannot be recovered. For databases we also need to evaluate on site whether recovery is possible.

ORA-00702: bootstrap version '' does not match version '8.0.0.0.0'


A customer reported that the database could not be started properly just after New Year's Day 2019, with ORA-00704 and ORA-00702 errors in the alert log:


Successful open of redo thread 1
MTTR advisory is disabled because FAST_START_MTTR_TARGET is not set
SMON: enabling cache recovery
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_3756.trc:
ORA-00704: bootstrap process failed
ORA-00702: bootstrap version '' does not match version '8.0.0.0.0'
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_3756.trc:
ORA-00704: bootstrap process failed
ORA-00702: bootstrap version '' does not match version '8.0.0.0.0'
Error 704 happened during db open, shutting down database
USER (ospid: 3756): terminating the instance due to error 704
Instance terminated by USER, pid = 3756

Analysis confirmed that the database had been injected with a malicious script which destroyed data in the database base (bootstrap) tables; as a result the database could no longer be started normally after a restart.
(screenshot: injected script)


This kind of failure can be repaired by restoring the Oracle base tables, after which the database opens normally with zero data loss. If you cannot resolve it yourself, please contact us for recovery support.
E-Mail:chf.dba@gmail.com
A reminder again for 2019: 1) back up your database and prepare disaster recovery; 2) download database media and database access tools only through official channels; 3) regularly check whether the database has been injected with malicious scripts.

GANDCRAB V5.0.4 Bitcoin encryption oracle database recovery


After receiving a friend's recovery request: the files on a Windows server, including the Oracle database of a Zhonglian HIS (large Chinese table names / xml types), had been encrypted by the GANDCRAB V5.0.4 Bitcoin ransomware. Let us analyze it and determine whether it can be restored.
(screenshots: encrypted files and ransom note)


Analysis with our tool found that the file headers and the bitmap blocks that describe data file space need to be reconstructed; the main business data should, in theory, be intact. By analyzing basic database information such as tablespaces and data files, manually rebuilding the damaged blocks, and recreating the control file, after a series of recovery steps the database was forced open successfully:

SQL> select open_mode from v$database;

OPEN_MODE
--------------------
READ WRITE

SQL> select name from v$datafile;

NAME
--------------------------------------------------------------------------------
E:\ORCLNEW1\SYSTEM01.DBF.HKNWFZ
E:\ORCLNEW1\SYSAUX01.DBF.HKNWFZ
E:\ORCLNEW1\UNDOTBS01.DBF.HKNWFZ
E:\ORCLNEW1\USERS01.DBF.HKNWFZ
E:\ORCLNEW1\BHDATA.DBF.HKNWFZ
E:\ORCLNEW1\BHMAIL.DBF.HKNWFZ
E:\ORCLNEW1\BHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\ZHBASIS.DBF.HKNWFZ
E:\ORCLNEW1\ZHARCHIVES.DBF.HKNWFZ
E:\ORCLNEW1\ZHSERVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHADVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHEXPENSES.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDICINE.DBF.HKNWFZ
E:\ORCLNEW1\ZHLAB.DBF.HKNWFZ
E:\ORCLNEW1\ZHCHECK.DBF.HKNWFZ
E:\ORCLNEW1\ZHLOB.DBF.HKNWFZ
E:\ORCLNEW1\ZHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\SLREPORT.DBF.HKNWFZ
E:\ORCLNEW1\ZHMATERIAL.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDREC.DBF.HKNWFZ
E:\ORCLNEW1\ZHINSURE.DBF.HKNWFZ

Because the customer's database contained many xml column types, exp could not export it and only expdp could be used. Because expdp creates intermediate tables during export, some further repairs were made so that the database could write normally; the objects and the database were then exported successfully.
(screenshot: expdp export log)
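The encrypted names seen in these posts follow two conventions: a marker simply appended to the original name (.ALCO, .CHAK1, .WNCRY, and the .HKNWFZ on the data files listed above) and the longer <original>.id-<id>_[<contact>].<marker> form from the first post. As an added example (not DATABASE SOS code), this Python script parses both forms, recovers the original file names, and separates database files from everything else, which is the first thing to establish when, as in the .wncry post, the ransomware chooses files by extension. The listing is constructed from names on this page plus a few invented Windows paths; the marker set and the database-extension set are assumptions to extend from your own incident data.

```python
import os
import re
from collections import Counter

# Assumption: marker suffixes observed in the posts on this page; extend from your incident.
KNOWN_MARKERS = {"firex3m", "ALCO", "CHAK1", "WNCRY", "HKNWFZ"}
MARKERS_LC = {m.lower() for m in KNOWN_MARKERS}
# Assumption: extensions that identify Oracle / SQL Server files worth triaging first.
DB_EXTENSIONS = {".dbf", ".ctl", ".log", ".ora", ".mdf", ".ldf", ".ndf", ".dmp"}

# Style 1: <original>.id-<victim id>_[<contact e-mail>].<marker>
ID_MAIL_STYLE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<victim_id>\d+)_\[(?P<contact>[^\]]+)\]\.(?P<marker>[A-Za-z0-9]+)$")
# Style 2: <original>.<marker>
APPENDED_STYLE = re.compile(r"^(?P<orig>.+)\.(?P<marker>[A-Za-z0-9]+)$")


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_ransom_name(name: str):
    """Return {'original', 'marker', 'victim_id', 'contact'} when the name carries a
    known ransomware marker, else None (the file was not renamed by the malware)."""
    m = ID_MAIL_STYLE.match(name)
    if m and m["marker"].lower() in MARKERS_LC:
        return {"original": m["orig"], "marker": m["marker"],
                "victim_id": m["victim_id"], "contact": m["contact"]}
    m = APPENDED_STYLE.match(name)
    if m and m["marker"].lower() in MARKERS_LC:
        return {"original": m["orig"], "marker": m["marker"],
                "victim_id": None, "contact": None}
    return None


def is_db_file(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in DB_EXTENSIONS


def triage(listing):
    """Sort a file listing into encrypted database files, untouched database files
    and other encrypted files, and tally the markers and contact addresses seen."""
    report = {"db_encrypted": [], "db_untouched": [], "other_encrypted": [],
              "markers": Counter(), "contacts": set()}
    for path in listing:
        name = basename(path)
        hit = parse_ransom_name(name)
        if hit is None:
            if is_db_file(name):
                report["db_untouched"].append(path)
            continue
        report["markers"][hit["marker"]] += 1
        if hit["contact"]:
            report["contacts"].add(hit["contact"])
        bucket = "db_encrypted" if is_db_file(hit["original"]) else "other_encrypted"
        report[bucket].append((path, hit["original"], hit["marker"]))
    return report


# Constructed listing: names taken from this page, paths invented for illustration.
SAMPLE_LISTING = [
    r"E:\ORCLNEW1\SYSTEM01.DBF.HKNWFZ",
    r"E:\ORCLNEW1\USERS01.DBF.HKNWFZ",
    r"E:\ORCLNEW1\ZHLOB.DBF.HKNWFZ",
    r"D:\mssql\data\hospital.mdf.id-3109967046_[Icanhelp@cock.li].firex3m",
    r"D:\oradata\orcl\users01.dbf.ALCO",
    r"D:\oradata\orcl\system01.dbf.CHAK1",
    r"C:\exports\full_20191124.dmp.WNCRY",
    r"D:\oradata\orcl\control01.ctl",   # not renamed: candidate for use as-is
    r"C:\Windows\notepad.exe",          # not a database file, not renamed
    r"C:\docs\notes.txt.WNCRY",         # encrypted, but not a database file
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for path, original, marker in result["db_encrypted"]:
        print(f"{marker:8} {original:28} <- {path}")
    print("untouched db files:", result["db_untouched"])
    print("markers:", dict(result["markers"]), "contacts:", sorted(result["contacts"]))
```

The recovered original names are what the rebuilt control file has to refer to, and the untouched list tells you which files can be trusted without block-level inspection; the marker tally shows at a glance whether one family or several touched the host.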


oracle dmp encryption recovery


Received a friend's recovery request: an Oracle dmp file had been encrypted.
(screenshot: encrypted dmp file)


Analysis of the file shows that the encryption mainly blanks and partially encrypts the head and tail blocks, in a pattern of 8 bytes out of every 16.
(screenshots: hex view of the damaged head and tail blocks)


Recovery was done by skipping the damaged part and importing the remaining data directly into the database; the test data was verified with show=y and loaded into the database normally, so the table data in the dmp file was recovered completely.
(screenshots: import log)
When your Oracle dmp file (from exp or expdp) is damaged for some reason and you cannot resolve it yourself, please contact us for professional database recovery technical support.
E-Mail:chf.dba@gmail.com