All files on a customer's Windows environment were encrypted by Bitcoin ransomware; every encrypted file carries the suffix babyk. The database was not very large, so I had the customer package the encrypted Oracle data files and send them to me.
```text
-rw-r--r-- 1 root root   362422344 Apr 26 03:08 EXAMPLE01.DBF.babyk
-rw-r--r-- 1 root root   681582664 Dec 30  2011 NNC_DATA01.DBF.babyk
-rw-r--r-- 1 root root   104865864 Dec 30  2011 NNC_DATA02.DBF.babyk
-rw-r--r-- 1 root root   209723464 Dec 30  2011 NNC_DATA03.DBF.babyk
-rw-r--r-- 1 root root   262152264 Apr 26 03:08 NNC_INDEX01.DBF.babyk
-rw-r--r-- 1 root root    52437064 Apr 26 03:08 NNC_INDEX02.DBF.babyk
-rw-r--r-- 1 root root   209723464 Apr 26 03:08 NNC_INDEX03.DBF.babyk
-rw-r--r-- 1 root root  1772101704 Apr 26 03:09 SYSAUX01.DBF.babyk
-rw-r--r-- 1 root root 13463724104 Dec 30  2011 SYSTEM01.DBF.babyk
-rw-r--r-- 1 root root     5251144 Apr 26 03:08 USERS01.DBF.babyk
```
As shown, every data file has the encryption suffix babyk appended.
The attacker's ransom note, How To Restore Your Files.txt, reads:
```text
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.

How Do I Pay?
Payment is accepted in Monero only. If you don't know what Monero is, please Google for information on how to buy and pay for Monero.
Send $10000 worth of monero to this address:
88D7gE1jUbmPBjdFsvR8FugHA4ZZY9H6NHy9ZkWec7c4iYiATW5cpuAYoRbBq2ePoFeBgpzZunGLXgCTPmAfDU8V1qZmgUv
ID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
After the payment is completed, please send the payment picture and ID to sdfca4s654asd@protonmail.com.
After we confirm your payment amount, we will reply to the decryption program to your email address.
Warning: Don't try to decrypt by yourself, you may permanently damage your files.
```
The ransom demand is US$10,000. I strongly advise against trusting the attackers: many customers have already complained that after paying, the attackers never restored their files.
I wrote a simple shell script that determines which ranges of an Oracle data file are encrypted. If the encrypted proportion is fairly low, then in principle an extraction tool such as ODU can pull out the unencrypted data and recover as much as possible.
Running the check script writes an error.log from which the encrypted ranges can be read:

```shell
nohup sh check.sh 'SYSTEM01.DBF.babyk' 8192
```

```text
[root@rac1 datafile]# head error.log
1-127 block was Encrypted!
1280-1407 block was Encrypted!
2560-2687 block was Encrypted!
3840-3967 block was Encrypted!
5120-5247 block was Encrypted!
6400-6527 block was Encrypted!
7680-7807 block was Encrypted!
8960-9087 block was Encrypted!
10240-10367 block was Encrypted!
11520-11647 block was Encrypted!
```
As can be seen, the babyk ransomware encrypts Oracle data files at intervals: in every 10 MB, 1 MB is encrypted (with an 8 KB block size, 128 blocks out of every 1280). A rough calculation puts the recoverable proportion at around 90%.
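The following is an added example of the same kind of check, not the author's check.sh: it scans a data file block by block, treats a block as encrypted when it fails the Oracle block frame check (the 4-byte tail assumed to equal the low 16 bits of the SCN base, the block type and the sequence number from the kcbh header) and its byte entropy is near 8 bits/byte, and merges consecutive hits into ranges like those in error.log. The sample data file image, the rdba value and the 7.5-bit threshold are constructed for the demonstration.

```python
import math
import random
import struct
from collections import Counter

BLOCK_SIZE = 8192  # Oracle block size passed to the check on this page

def tail_consistent(block: bytes) -> bool:
    # Frame check an intact Oracle block satisfies: the last 4 bytes equal
    # (SCN base & 0xFFFF) << 16 | type << 8 | seq, taken from the kcbh header
    # (type at offset 0, SCN base at 8, seq at 14). An all-zero block passes.
    blk_type, seq, scn_base = block[0], block[14], struct.unpack_from("<I", block, 8)[0]
    expected = ((scn_base & 0xFFFF) << 16) | (blk_type << 8) | seq
    return struct.unpack_from("<I", block, len(block) - 4)[0] == expected

def entropy(block: bytes) -> float:
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def looks_encrypted(block: bytes) -> bool:
    # Ciphertext fails the frame check AND is near 8 bits/byte; a block that
    # merely fails the check (corruption, non-Oracle content) is not counted.
    return len(block) >= 20 and not tail_consistent(block) and entropy(block) > 7.5

def encrypted_ranges(blocks) -> list:
    # (first, last) 0-based block numbers of every contiguous encrypted run.
    ranges, start, i = [], None, -1
    for i, blk in enumerate(blocks):
        enc = looks_encrypted(blk)
        if enc and start is None:
            start = i
        elif not enc and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, i))
    return ranges

def make_block(blk_type: int, scn: int, seq: int) -> bytes:
    # Constructed plaintext block: valid kcbh header, text body, matching tail.
    blk = bytearray(b"ROW DATA " * (BLOCK_SIZE // 9 + 1))[:BLOCK_SIZE]
    struct.pack_into("<BBBBIIHBBHH", blk, 0, blk_type, 0xA2, 0, 0, 0x01800001, scn, 0, seq, 4, 0, 0)
    struct.pack_into("<I", blk, BLOCK_SIZE - 4, ((scn & 0xFFFF) << 16) | (blk_type << 8) | seq)
    return bytes(blk)

def build_sample(nblocks: int, period: int = 1280, run: int = 128) -> list:
    # Constructed image with the pattern seen above: first 128 of every 1280 blocks random.
    rng = random.Random(7)  # randbytes needs Python 3.9+
    return [rng.randbytes(BLOCK_SIZE) if i % period < run else make_block(6, 0x1000 + i, 1)
            for i in range(nblocks)]
```

To scan a real file without loading it into memory, pass `iter(lambda: f.read(8192), b"")` over an open file to `encrypted_ranges` and print each pair in the `first-last block was Encrypted!` form.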
However, because the SYSTEM tablespace holds a lot of data-dictionary data that has also been encrypted, recovery becomes very troublesome: ODU's extraction depends heavily on data dictionary information. A prior full-database logical backup (exp or expdp) is the best case. This customer happened to have an expdp backup from two months earlier, which could be used to rebuild ODU's dictionary information.
After rebuilding the dictionary, all of the unencrypted data could be extracted without trouble. For example:

```text
ODU> unload table xinc.MD_DB_RELATION
Unloading table: MD_DB_RELATION,object ID: 76652
Unloading segment,storage(Obj#=76652 DataObj#=76652 TS#=7 File#=6 Block#=1891 Cluster=0)
640 rows unloaded
```
The 640 rows of table MD_DB_RELATION were extracted in this way.
If anyone has unfortunately run into Bitcoin ransomware encryption and wants to recover Oracle/MySQL/SQL Server data, feel free to contact me. Contact number: 18685078367.