Repairing DB file filled in first sectors by ransomware

24 views
Skip to first unread message

Paulo Braga

unread,
Mar 25, 2022, 6:12:22 AM3/25/22
to datarecovery...@googlegroups.com
Hello friends, good day!

I have a challenge and I would like to know if someone with knowledge in file structure analysis or databases can help me.

I have a case of ransowmare infection and analyzing the hexadecimal structures of the files, I believe that the ransomware did not encrypt the databases. What he did was zero the first sectors of the database files. Analyzing in WinHex, I found the pattern that repeats itself in all files:

The first 6.291.440 blocks are filled and after the data is normal.

I have a database file, with the same database (no data introduced, just the tables) and I copied the first 6.291.440 blocks and saved to the damaged file. When trying to attach to SQL, the database is recognized (previously it had an error), but it still has an error when attaching.

Is there any tool to try to repair this "hybrid" file? 
Would there be any other possibilities?

Thanks for all!


LUIS D AGUILAR

unread,
Mar 25, 2022, 6:35:48 AM3/25/22
to datarecovery...@googlegroups.com
Try first if you can using actual decoding ransomware tools and they are free.  Need first to find if the ransomware you have are ready has a remedy/cure for the ransomware.


--
Data Recovery Certification Group / for issue with google group please email sc...@myharddrivedied.com
---
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To unsubscribe from this group and stop receiving emails from it, send an email to datarecoverycertif...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/datarecoverycertification/CANBOQm5RbWGbw-KyhNzPS1ALfDa_5eW-72mWSnRMgTthVTRcLA%40mail.gmail.com.

Data Recovery Guru

unread,
Mar 25, 2022, 8:51:24 AM3/25/22
to datarecovery...@googlegroups.com
Databases could be specific. 
Search by type online.
For example "SQL database repair". 
Stellar has a software for that.

To view this discussion on the web visit https://groups.google.com/d/msgid/datarecoverycertification/CABfL34K5%3DghC7WAjJKvcn8FhKOJ-XKABbfjOZubsnN8NQL2rLw%40mail.gmail.com.

Paulo Braga

unread,
Mar 25, 2022, 9:08:11 AM3/25/22
to datarecovery...@googlegroups.com
Hi Luis, thanks for response. 

Yes, this is the first thing I do. I search and identify the ransomware. Is "Phobos" ransomware and don't have any solution yet. 

I’m trying do this path for recovery this case.



Paulo Braga

unread,
Mar 25, 2022, 9:38:44 AM3/25/22
to datarecovery...@googlegroups.com
Hi!

Thanks for response.
I will try this software.

If someone have another software recommendation, could help.

Thanks 

wayne horner

unread,
Mar 25, 2022, 2:42:00 PM3/25/22
to datarecoveryce.
The ransomware probably encrypted the first section and then encrypted and appended it to the file
Then zeroed out that section.
You could examine the ends of several files
You might see a pattern
sometimes they put a header and some structure there, like the original filename
some kind of ID... whatever stuff they need to decrypt.

Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, Network Attached Storage, Linux, Tape, Disk, Forensics"


To view this discussion on the web visit https://groups.google.com/d/msgid/datarecoverycertification/CANBOQm7Xf8f_L_Zjm%2ByEqzF8tvVT4BGKFQ5GUtCR%3D3H2EO4Qsg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages