I have an Oracle 11g database which is running on Windows Server 2003 R2. The whole server has been hacked by the hackers and all my datafiles, control files, redo log files and even all the files on the server are encrypted with the AES encryption method. All the files show up like a zip file and the hackers give an email id with each file. Now I don't have any backup of that database because all the backup files were on that server and they are also encrypted.

I don't know how to decrypt the files because it's my production database. Is there anyone who can help me out on this issue?

Are the files really encrypted (which would take a considerable length of time for a server of any size) or have "they" just messed around with the file associations so that every file type looks like a zip file? That's quick to do, incredibly annoying but doesn't do [much] permanent damage.

Is Windows itself running? (If so, then they didn't "encrypt" everything).

If you can get into Windows, can you open (right-click, Open With...) any file in any other program? Even Notepad, the lowest common denominator of Windows "editors", would do.

Seriously, though, without backups (stored on another machine) you really are dead in the water.

Even a backup of the file system would be [slightly] better than nothing.

I might even go as far as to say that you should be grateful that this was caused by a hacker - the nett effect would have been exactly the same had the machine's disks failed or the motherboard blown - and then you'd be the one in the firing line for failing to arrange proper recovery measures for your "production database".

Actually they encrypted the datafiles, control files and redo log files and they removed all the .dmp files for the backup. I found some information after searching on Google.

You can get the details of the virus at the URL below. This is exactly what they did with our database.

Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn | PCWorld

PowerLocker consists of a single file that’s dropped in the Windows temporary folder. Once run on a computer for the first time, it begins encrypting all user files stored on local drives and network shares, except for executable and system files.

Every file is encrypted using the Blowfish algorithm with a unique key. Those keys are then encrypted with a 2048-bit RSA key that’s part of a public-private key pair unique for every computer. The computer owners will have the public keys, but won’t have the corresponding private RSA keys needed to decrypt the Blowfish keys.

You can also try prm-dul to recover data directly from encrypted datafiles, because most malware/ransomware will only encrypt the datafile header and leave most of the data undamaged.

Reference video: https://youtu.be/jOT6k-KF8Hg

DBRECOVER Recovery Options

For Oracle incidents, start with the DBRECOVER for Oracle trial to verify table visibility, row previews, and export readiness on copied datafiles. For MySQL and InnoDB incidents, DBRECOVER for MySQL is free software and can inspect .ibd files, ibdata1, and database directories locally.

When the case is urgent, preserve the original files first, work from copies, and contact paid emergency support with the database version, platform, error messages, file list, and recovery objective.
