our test server was hacked and they installed a ransomware (Cry36) for which there is no solution to date. We also didn't keep any snapshots up to date (lesion learned).
Since it's only a test server, i am not too worried. But we had stored in our Firebird DB (v2.5) a bunch of work which i would like to save.
Looking at the database in a hex editor, i can see that the data is encrypted up until offset 00006430.
Looking at the structure of the firebird database it says that all the headers are encrypted (Header page, PIP,..., Data page).
All the data is still there.
I've tryed with gfix and even copying the headers from an older version of the db. But while it does fix the db, the headers are wrong and most of the new pages are removed.
Does anyone have any idea how to restore the database or extract the tables?
Regards
I have used this method restoring ransomware files encrypted on hard drives from any ransomware by renaming the file in question back to its original filename and extension. You may be able to apply the same method to revert the data or database back to the pre-encrypted version of the file/s or data/bases.
From my testing:
the ransomed file = is compressed and or simply renamed, the encryption is either not applied actually but only implied or the containing file or renamed file is encrypted but the original file is never touched. Simply rename back to original and you can access the file as you could be for the attack. Example:
This is the Ransomed file:
Adobe Acrobat XI Pro 11.0.20.zip.id[42AF04FF-2275].[supportcrypt2019#cock.li].Adame
This is the Ransomed file, renamed and fixed:
Adobe Acrobat XI Pro 11.0.20.zip
The removed portion of the FileName is:
.id[42AF04FF-2275].[supportcrypt2019#cock.li].Adame
Upon renaming the file, you will be prompted for approval to change the application type/ file type for which the file will be opened (Back to its original state), and what application will open it (its original designation as determined by the FileType preset after the FileName. The reason the file doesn't work when ransomed is the final file extension renaming scheme, whereas in this case .ADAME is not a real file type, but made up, and no program will or can open it. Thus, the file can not be opened as named.
You would need to do this for each file individually, could you post more information on the database file and encryption information as this should work for you as well. The Ransom Methodology should be the same. I can not identify the naming scheme used on your system without more information pertaining to unusual or new/unidentified portions of code injected throughout your instance.
For Renaming multiple files you could try an application such as "Advanced Renamer" for bulk processing.
I have a filepicker.io instance where I am using the pickAndStore function to allow users to upload various files, however while testing Microsoft Visio I found the files are being blocked / denied upload by a yellow error that states it does not register as an accepted file type (and lists out all the files it believes are allowed)?
In my logs of the arguments sent to the function, I can see the full array of file types I allow and the 4 variants of visio I added are clearly there:
The four I added:
".vss", ".vssx", ".vsd", ".vsdx"
Full array:
[".doc", ".dot", ".docx", ".docm", ".dotx", ".xls", ".xlt", ".xlsx", ".xltx", ".xlsm", ".xlsb", ".oft", ".msg", ".ppt", ".pptx", ".pptm", ".pps", ".ppsx", ".mpp", ".pub", ".pdf", ".html", ".mhtml", ".txt", ".rtf", ".csv", ".xml", ".css", ".zip", ".tar", ".rar", ".vss", ".vssx", ".vsd", ".vsdx", ".mp3", ".wav", ".swf", ".ics", ".srt", ".wmf", ".eps", ".ai", ".psd", ".gif", ".jpg", ".jpeg", ".png", ".bmp", ".m4v", ".mp4", ".flv", ".f4v", ".mov", ".wmv", ".wm", ".webm", ".3gp", ".3gpp", ".m2p", ".rv", ".rm", ".avi", ".3gp2", ".mpg", ".mpeg", ".ts", ".vp6", ".h264", ".arf", ".wrf", ".m2ts"]
However When I use "My Computer" as a source and upload any one of the twenty odd .vsd files I have to use as tests, all of them trigger the error to appear and deny upload:
The image i am seeing saying that .vsd does not register
I'm not sure what else I can do at this point to fix? I don't particularly want to have to use mimetype in this one instance as it suggests not to use this along side extension in the filepicker documentation.
Here is the link i used that provides various Visio files you can use to test. I would rather not use the files clients upload using our platform as I would need to ask permission and in case they are sensitive. I don't think there has been a single successful upload (of a visio file, others are fine) so I would be surprised if it was file specific.
https://www.microsoft.com/en-gb/download/confirmation.aspx?id=24023
Thanks!
All extensions are converted back to mimetype therefor you can't mixed extension & mimetype.
It appears that ".vss", ".vssx", ".vsd", ".vsdx" are in the database.
Could you post some of the files you are testing so we can check them ourselves.
Regards,
Dylan
Filepicker needs to include "application/vnd.ms-visio.viewer" in the mapping from those file extensions. It looks like that's what the browser is reporting the MIME type for those files to be.
I'm evaluating the InkFilePicker service. How do I make sure that uploading a new file to my S3 bucket won't overwrite an existing file with an identical name already in that bucket?
I'm currently using another third party upload solution that allows me to rename a file with a GUID as its file name to prevent such accidental overwrite situations.
How do rename files using InkFilePicker? Or what is the right approach with InkFilePicker to prevent unintended overwrites?
Thanks,
Sam
Looks like InkFilePicker prepends a unique key to file name during upload.
myfile.pdf becomes something like DNjimbeSQWVrcd0Uv8lJ_myfile.pdf when it's saved on Amazon S3 so it inherently prevents overwrites.
I'm working on a application that downloads some files to the local storage for caching. The files online are sometimes in 3 or 4 nested folders and I would like to also keep this hierarchy in my cache folder.
Is there no easy way other then having to (await (await folder.GetFolderAsync("dir1")).GetFolderAsync("dir2)) and so on? Now it's hardcoded with dir1 and dir2.
What's the easiest way when the file path is a string like "MyFolder/OtherFolder/lastFolder/file.xml"?
The static member function StorageFolder::GetFolderFromPathAsync can be used to get a StorageFolder object for a folder given its path.
Our app has a document type which uses the suffix .sgb. It's a package type, so in a lot of cases users zip them up and send them as .sgb.zip.We can't ask our users to rename them to .sgbz. I've added .zip files as a document type to our app, and it's opening the .sgb.zip files; but the OS is offering my app to the user to open all .zip files. I've tried specifying sgb.zip as a new document type, but it just gets ignored. Can I specify a document type with the suffix .sgb.zip somehow, or do I have to open all .zips and see whether they have a .sgb file in them?