2 votes

Our test server was hacked and they installed ransomware (Cry36) for which there is no solution to date. We also didn't keep any snapshots up to date (lesson learned).

Since it's only a test server, I am not too worried. But we had stored in our Firebird DB (v2.5) a bunch of work which I would like to save. Looking at the database in a hex editor, I can see that the data is encrypted up until offset 00006430. Looking at the structure of the Firebird database, it says that all the headers are encrypted (header page, PIP, ..., data page).

All the data is still there.

I've tried with gfix and even copying the headers from an older version of the DB. But while it does fix the DB, the headers are wrong and most of the new pages are removed.

Does anyone have any idea how to restore the database or extract the tables?

Regards

I would suggest you try ib-aid.com, the Russian company that has been working for decades in lock-step with the Firebird core developers. See the PDF ib-aid.com/download/docs/firebird_firstaid_recovery_guide.pdf - Arioch 'The
Also open translate.ru (Google Translate is worse) and read three articles: ibase.ru/dbrepair, ibase.ru/diag_info and ibase.ru/db_repair (yes, those are three different ones, not two). - Arioch 'The
I was hoping to find a cheaper solution, the reason being that the difference in cost between ib-aid and paying the ransomware (which would restore the whole server, but could be risky) might cost me the same in the end. - Mark Crowther
Well, if you had put in your question that you need something cheaper than ib-aid, I'd not have suggested it. - Arioch 'The
The problem is that corruption like this is a rare occurrence, so probably the only people who can really tell you how to fix this are either people who work for a company that offers a recovery service (and they likely won't do it for free), or the core developers of Firebird, who probably don't have the time to do this. - Mark Rotteveel
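Before choosing between gfix, a recovery service and the ransom, it helps to know exactly which pages survived. The following Python script is an added example (not from the question, the comments or Firebird itself): it walks a database image in 4096-byte pages (the Firebird 2.5 default; the page size normally lives in the header page, which is encrypted here, so the value is assumed), reads the pag_type byte that begins every ODS page, measures byte entropy, and reports the first page after which everything is intact. build_synthetic_image() fabricates a stand-in with the first 0x6430 bytes overwritten, mirroring the offset in the question; its "ciphertext" is a deterministic full-range byte cycle, not real encryption, and the record text in the data pages is constructed.

```python
import math
import struct
import sys

PAGE_SIZE = 4096      # Firebird 2.5 default (assumed: the header page that records it is encrypted)
HIGH_ENTROPY = 7.0    # bits per byte; ciphertext sits near 8.0, zero-padded ODS pages well below

# pag_type codes as listed in Firebird's ods.h; every ODS page begins with this byte
PAGE_TYPES = {
    1: "header", 2: "PIP", 3: "TIP", 4: "pointer", 5: "data", 6: "index root",
    7: "index", 8: "blob", 9: "generators", 10: "log (obsolete)", 11: "SCN",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte mix."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_page(page: bytes) -> dict:
    """Judge one page from its pag_type byte and its entropy."""
    ent = shannon_entropy(page)
    ptype = page[0]
    if ent >= HIGH_ENTROPY:
        verdict = "encrypted"      # looks like ciphertext end to end
    elif ptype in PAGE_TYPES:
        verdict = "plaintext"      # valid type and an ordinary ODS byte mix
    else:
        verdict = "suspect"        # low entropy but no valid type: e.g. only partly overwritten
    return {"type": PAGE_TYPES.get(ptype, "unknown(0x%02x)" % ptype),
            "entropy": round(ent, 2), "verdict": verdict}


def scan_image(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """Classify every page of an in-memory database image."""
    return [dict(page=n // page_size, offset=n, **classify_page(image[n:n + page_size]))
            for n in range(0, len(image), page_size)]


def first_recoverable_page(pages: list):
    """Index of the first page after which every page is plaintext, or None."""
    last_bad = -1
    for p in pages:
        if p["verdict"] != "plaintext":
            last_bad = p["page"]
    nxt = last_bad + 1
    return nxt if nxt < len(pages) else None


def make_page(ptype: int, payload: bytes = b"") -> bytes:
    """A constructed page: 16-byte pag header (type, flags, reserved, generation, scn, reserved)."""
    hdr = struct.pack("<BBHIII", ptype, 0, 0, 1, 0, 0)
    return (hdr + payload)[:PAGE_SIZE].ljust(PAGE_SIZE, b"\x00")


def build_synthetic_image(encrypted_upto: int = 0x6430, npages: int = 10) -> bytes:
    """Constructed image: header, PIP, TIP, pointer page, then data pages, with the first
    encrypted_upto bytes replaced by a deterministic full-range byte cycle that stands in
    for ciphertext (no real cipher is involved)."""
    layout = [1, 2, 3, 4] + [5] * (npages - 4)
    plain = b"".join(make_page(t, b"constructed record text " * 8) for t in layout)
    junk = bytes((i * 167 + 89) % 256 for i in range(encrypted_upto))
    return junk + plain[encrypted_upto:]


def report(pages: list) -> str:
    lines = ["page  offset    type              entropy  verdict"]
    for p in pages:
        lines.append("%4d  0x%06x  %-16s  %5.2f    %s" % (
            p["page"], p["offset"], p["type"], p["entropy"], p["verdict"]))
    lines.append("first fully recoverable page: %s" % first_recoverable_page(pages))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python scan_fdb.py [database.fdb]; without an argument the constructed image is scanned
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_image()
    print(report(scan_image(image)))
```

On the constructed image, pages 0 to 5 are reported as encrypted, page 6 (which straddles offset 0x6430) has low entropy but no valid page type and is flagged as suspect, and page 7 at 0x7000 is the first one that is intact from start to finish. That matches what gfix runs into: the header page, the PIP and the first transaction and pointer pages are gone, so anything it rebuilds from the surviving pages has to start by recreating those structures rather than repairing them, which is the job a dedicated recovery tool takes on. On a real file, try the scan with page_size=8192 as well if the 4096 assumption gives no run of plaintext pages.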

1 Answer

0 votes

I have used this method to restore ransomware-encrypted files on hard drives from any ransomware by renaming the file in question back to its original filename and extension. You may be able to apply the same method to revert the data or database back to the pre-encrypted version of the file(s) or database(s).

From my testing:

The ransomed file is compressed and/or simply renamed; the encryption is either not actually applied but only implied, or the containing file or renamed file is encrypted but the original file is never touched. Simply rename it back to the original and you can access the file as you could before the attack. Example:

This is the Ransomed file:

Adobe Acrobat XI Pro 11.0.20.zip.id[42AF04FF-2275].[[email protected]].Adame

This is the Ransomed file, renamed and fixed:

Adobe Acrobat XI Pro 11.0.20.zip

The removed portion of the FileName is:

.id[42AF04FF-2275].[[email protected]].Adame

Upon renaming the file, you will be prompted for approval to change the application type/file type with which the file will be opened (back to its original state), and what application will open it (its original designation, as determined by the file type after the file name). The reason the file doesn't work when ransomed is the final file-extension renaming scheme; in this case .ADAME is not a real file type but a made-up one, and no program will or can open it. Thus, the file cannot be opened as named.

You would need to do this for each file individually. Could you post more information on the database file and encryption information, as this should work for you as well? The ransom methodology should be the same. I cannot identify the naming scheme used on your system without more information pertaining to unusual or new/unidentified portions of code injected throughout your instance.

For renaming multiple files you could try an application such as "Advanced Renamer" for bulk processing.
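A bulk rename is only worth doing if the bytes behind the ransom name really were left alone, so the rename should be gated on a content check. The following Python script is an added example, not part of the answer above or of "Advanced Renamer": it strips the `.id[<hex>].[<contact>].<ext>` suffix pattern seen in the answer's example and compares each file's first bytes against the signature expected for the restored extension, renaming only files whose content still matches. The signature table is a constructed starting point, and demo() writes two constructed files into a temporary directory (one with intact ZIP bytes, one garbled); the Firebird entry means a .fdb whose page 0 no longer starts with the header-page type byte, as in the question, is skipped rather than renamed.

```python
import os
import re
import tempfile

# Suffix shape taken from the answer's example: ".id[<hex-id>].[<contact>].<made-up extension>"
RANSOM_SUFFIX = re.compile(r"\.id\[[0-9A-Fa-f-]+\]\.\[.+?\]\.[A-Za-z0-9]+$")

# Leading bytes expected for a few restored extensions (constructed table; extend as needed)
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "docx": (b"PK\x03\x04",),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "fdb": (b"\x01",),   # a Firebird database starts with its header page, pag_type == 1
}


def strip_ransom_suffix(name: str):
    """Original file name if the ransom suffix is present, else None."""
    m = RANSOM_SUFFIX.search(name)
    return name[:m.start()] if m else None


def check_content(head: bytes, ext: str) -> str:
    """'intact' if the leading bytes fit the extension, 'mismatch' if not, 'unknown' if no signature is known."""
    sigs = MAGIC.get(ext.lower())
    if not sigs:
        return "unknown"
    return "intact" if any(head.startswith(s) for s in sigs) else "mismatch"


def restore_names(directory: str, dry_run: bool = True) -> dict:
    """Strip the suffix from every file whose content still matches its original extension."""
    result = {"restored": [], "skipped": []}
    for name in sorted(os.listdir(directory)):
        original = strip_ransom_suffix(name)
        if original is None:
            continue                                  # not a ransomed name
        src, dst = os.path.join(directory, name), os.path.join(directory, original)
        ext = original.rsplit(".", 1)[-1] if "." in original else ""
        with open(src, "rb") as f:
            head = f.read(16)
        verdict = check_content(head, ext)
        if verdict == "mismatch":
            result["skipped"].append((name, "content does not look like a ." + ext + " file"))
            continue
        if os.path.exists(dst):
            result["skipped"].append((name, "target name already exists"))
            continue
        if not dry_run:
            os.rename(src, dst)
        result["restored"].append((name, original, verdict))
    return result


def demo() -> dict:
    """Two constructed files: intact ZIP bytes behind a ransom name, and garbled bytes behind another."""
    tag = ".id[42AF04FF-2275].[recovery-contact].Adame"      # constructed stand-in for the contact field
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "intact.zip" + tag), "wb") as f:
            f.write(b"PK\x03\x04" + b"\x00" * 28)
        with open(os.path.join(d, "garbled.zip" + tag), "wb") as f:
            f.write(bytes(range(0x20, 0x40)))
        result = restore_names(d, dry_run=False)
        result["final_listing"] = sorted(os.listdir(d))
    return result


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first against a copy of the affected directory and read the skipped list: a file reported as mismatch has content that no longer starts the way its extension requires, so renaming it would only change which program fails to open it.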