oracle database hacked by malware/ransomware

I have an Oracle 11g database which is running on Windows Server 2003 R2. The whole server was hacked by the hackers and all my datafiles, controlfiles, redo log files and even all the files on the server are encrypted with the AES encryption method. All the files are showing like a zip file and the hackers give an email id with each file. Now I don't have any backup of that database because all the backup files themselves are on that server and those are also encrypted.

I don't know how to decrypt the files because it's my production database. Is there anyone who can help me out on this issue?

Are the files really encrypted (which would take a considerable length of time for a server of any size) or have "they" just messed around with the file associations so that every file type looks like a zip file? That's quick to do, incredibly annoying, but doesn't do [much] permanent damage.

Is Windows itself running? (If so, then they didn't "encrypt" everything.)

If you can get into Windows, can you open (right-click, Open With...) any file in any other program? Even Notepad, the lowest common denominator of Windows "editors", would do.

Seriously, though, without backups (stored on another machine) you really are dead in the water.

Even a backup of the file system would be [slightly] better than nothing.

I might even go as far as to say that you should be grateful that this was caused by a hacker: the net effect would have been exactly the same had the machine's disks failed or the motherboard blown, and then you'd be the one in the firing line for failing to arrange proper recovery measures for your "production database".

Actually they encrypt the datafiles, controlfiles and redo log files, and they remove all the .dmp files for the backup. I found some information after searching on Google.

You can get the details of the virus at the URL below. This is exactly what they did with our database.

Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn | PCWorld

PowerLocker consists of a single file that’s dropped in the Windows temporary folder. Once run on a computer for the first time, it begins encrypting all user files stored on local drives and network shares, except for executable and system files.

Every file is encrypted using the Blowfish algorithm with a unique key. Those keys are then encrypted with a 2048-bit RSA key that’s part of a public-private key pair unique for every computer. The computer owners will have the public keys, but won’t have the corresponding private RSA keys needed to decrypt the Blowfish keys.

You can also try PRM-DUL to recover data directly from encrypted datafiles, because most malware/ransomware will only encrypt the datafile header and leave most of the data undamaged.

Reference video: https://youtu.be/jOT6k-KF8Hg
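As an added example (not part of this thread, and not PRM-DUL's or the poster's code), the Python script below performs the two checks the replies above rely on: whether a file is actually encrypted or merely relabelled to look like a zip, and whether only its leading block(s) are encrypted while the bulk of the data is intact. It measures the Shannon entropy of each fixed-size chunk and classifies the file accordingly. The 8 KB chunk size, the 7.5 bits/byte threshold and the in-memory sample inputs are constructed assumptions; a genuinely compressed archive is also high-entropy throughout, so the script additionally reports whether the file really starts with a ZIP signature.

```python
#!/usr/bin/env python3
"""Offline triage of a suspected-encrypted file (added example, not from the thread).

Splits a file into fixed-size chunks, measures the Shannon entropy of each chunk,
and decides whether the file looks untouched, encrypted only at the head, or
encrypted throughout. The sample inputs are constructed in memory; the paths
given on the command line are whatever the reader supplies.
"""
import hashlib
import math
import sys
from collections import Counter

CHUNK = 8192               # chunk size; matches the common 8K database block size (assumption)
MIN_TAIL = 1024            # a shorter trailing piece cannot reach the threshold, so it is ignored
ENCRYPTED_THRESHOLD = 7.5  # bits per byte; cipher output sits close to the 8.0 maximum
ZIP_MAGIC = b"PK\x03\x04"  # what a genuine .zip file starts with


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each successive chunk; a short tail after the first chunk is dropped."""
    ents = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        if ents and len(piece) < MIN_TAIL:
            break
        ents.append(shannon_entropy(piece))
    return ents


def classify(data: bytes, chunk: int = CHUNK, threshold: float = ENCRYPTED_THRESHOLD) -> str:
    """'plain'      : no chunk looks encrypted (e.g. only the extension/association was changed)
       'header_only': a leading run of high-entropy chunks, then ordinary data -> bulk may be recoverable
       'full'       : every chunk is high entropy (encrypted, or a genuinely compressed file)
       'mixed'      : high-entropy chunks scattered through the file
       'empty'      : nothing to judge"""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "empty"
    high = [e >= threshold for e in ents]
    if not any(high):
        return "plain"
    if all(high):
        return "full"
    lead = 0                      # length of the leading run of high-entropy chunks
    while high[lead]:
        lead += 1
    return "header_only" if lead > 0 and not any(high[lead:]) else "mixed"


def report(data: bytes) -> dict:
    """Summarise one file: verdict, whether it really carries a zip header, chunk count."""
    ents = chunk_entropies(data)
    return {
        "verdict": classify(data),
        "starts_like_zip": data.startswith(ZIP_MAGIC),
        "chunks": len(ents),
        "first_chunk_entropy": round(ents[0], 2) if ents else 0.0,
    }


def pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for cipher output (constructed sample data)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed samples: a row-like text pattern stands in for an untouched datafile.
PLAIN_ROWS = b"EMPNO ENAME SAL 7369 SMITH 800.00\n" * 1000
SAMPLE_PLAIN = PLAIN_ROWS
SAMPLE_HEADER_ONLY = pseudo_random(CHUNK) + PLAIN_ROWS   # only the first block overwritten
SAMPLE_FULL = pseudo_random(4 * CHUNK)                   # everything overwritten


def main(paths):
    if not paths:
        for name, blob in (("plain", SAMPLE_PLAIN), ("header_only", SAMPLE_HEADER_ONLY), ("full", SAMPLE_FULL)):
            print(name, report(blob))
        return
    for p in paths:
        with open(p, "rb") as fh:
            print(p, report(fh.read()))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the verdicts for the three built-in samples, or pass datafile paths to triage real files. It reads each file in full, so run it against a forensic copy of the files rather than the live disk; a "header_only" verdict is the case in which block-level recovery tools have something to work with, while "full" means either complete encryption or a file that was compressed to begin with.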