[Recovery case] A domestic company's server infected with the new .[[email protected]].mkp ransomware

Contents

Foreword: Case Introduction

1. What is .[[email protected]].mkp ransomware virus?

2. How to recover files encrypted by the ransomware with the .[[email protected]].mkp suffix?

3. Introduction to the recovery case:

1. Encrypted data

2. Data Recovery Completion

3. Data recovery period

Recommended system security measures:


Foreword: Case Introduction

The .[ [email protected] ].mkp suffix ransomware is a new variant of a well-known foreign ransomware family that has been spreading recently. Lately we have received many inquiries and requests for assistance from enterprises.

Recently, the .[ [email protected] ].mkp suffix ransomware infected the server of a domestic company. All of the company's server files were compromised: every file on the software server and the file server was encrypted. The data had to be recovered urgently, otherwise the company's design business could not operate, with a great impact on the company's business. The customer contacted our 91 data recovery team. After remote detection and analysis by a 91 data recovery engineer, we quickly communicated with the customer and settled on the data recovery plan with the fastest turnaround and the highest recovery rate, and the engineering team then worked overnight. We raced against time to help the customer recover the data, reaching a recovery rate of 99.9%+ for file data and 100% for database files, and finally earned high praise from the customer.


1. What is .[ [email protected] ].mkp ransomware virus?

Like most ransomware, the .[ [email protected] ].mkp ransomware blocks access to files by encrypting them, changing their file names and leaving the victim a description of how to recover the files. The ransomware encrypts every file and renames it by appending the "[XXXXXXX].[ [email protected] ].mkp" extension to the original file name.

Once the .[ [email protected] ].mkp ransomware gets onto the computer in one way or another, it modifies the Windows registry, deletes shadow copies, opens/writes/copies system files, spawns the factura.exe process running in the background, loads various modules, and so on. After encrypting the data, the .[ [email protected] ].mkp ransomware also contacts its Command & Control server regarding each victim's RSA private key (which is needed to decrypt the files). Ultimately, the malware encrypts pictures, documents, databases, videos and other files, leaving only system data untouched, with a few other exceptions.

The first stage of the attack is triggered once the .[ [email protected] ].mkp ransomware program is executed on the target system. Once the .nread file virus has made its initial malicious modifications, it activates its built-in cryptographic module, through which it starts the data encryption process. At this stage of the attack, the .[ [email protected] ].mkp virus scans all system drives for target files.

After our research, we found that the .mkp suffix ransomware is an upgraded version of the original .makop ransomware, which has been circulating for a long time. Variants similar to this virus use the following suffixes; all of them belong to the same virus family, and our team can recover from all of them:

.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].makop
.[[email protected]].mkp
.[[email protected]].mkp
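As an added example (not code from the original article or from the recovery team), the following Python script recognises the file naming scheme described above, original name plus "[id].[contact].mkp" or ".makop", and builds the kind of encrypted-file inventory a responder needs before planning recovery. The sample listing, ids and e-mail addresses are constructed placeholders.

```python
import os
import re
from collections import Counter

# Naming scheme from the article: <original name>.[<victim id>].[<attacker contact>].<makop|mkp>
# Assumption: the victim id is alphanumeric and the contact is an e-mail address in square brackets.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Za-z]+)\]"
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<variant>makop|mkp)$"
)


def parse_encrypted_name(name):
    """Split a Makop/mkp-style file name into its parts, or return None if it does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def inventory(names):
    """Count encrypted vs untouched names, per variant and per attacker contact, and keep the original names."""
    summary = {"encrypted": 0, "untouched": 0, "by_variant": Counter(),
               "by_contact": Counter(), "originals": []}
    for name in names:
        parts = parse_encrypted_name(name)
        if parts is None:
            summary["untouched"] += 1
            continue
        summary["encrypted"] += 1
        summary["by_variant"][parts["variant"]] += 1
        summary["by_contact"][parts["contact"]] += 1
        summary["originals"].append(parts["original"])
    return summary


def scan_tree(root):
    """Yield every file name below a directory, so inventory() can be run on a real file server share."""
    for _dirpath, _dirnames, filenames in os.walk(root):
        yield from filenames


# Constructed sample listing: placeholder id and address, not real indicators.
SAMPLE_LISTING = [
    "quarterly_report.xlsx.[A1B2C3D4].[attacker@example.invalid].mkp",
    "drawing_v7.dwg.[A1B2C3D4].[attacker@example.invalid].mkp",
    "backup_2021.bak.[A1B2C3D4].[attacker@example.invalid].makop",
    "readme.txt",
    "ntoskrnl.exe",
    "readme-warning.txt",
]

if __name__ == "__main__":
    result = inventory(SAMPLE_LISTING)
    print(result["encrypted"], "encrypted,", result["untouched"], "untouched,", dict(result["by_variant"]))
```

Running `inventory(scan_tree(r"\\fileserver\share"))` gives the file count per variant and contact that the recovery section below reports manually.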

How does the .[ [email protected] ].mkp ransomware spread?

After analyzing the machine environments and system logs of many companies infected with ransomware, we judge that the ransomware usually gets in through the following ways. Please go through the following intrusion prevention checks one by one; after all, prevention in advance is much easier than recovery after the event.

Remote desktop password brute forcing

    Close remote desktop, or rename the default administrator user.

Share settings

    Check whether only shared files were encrypted.

Third-party accounts

    Check whether there are accounts with fixed passwords provided by the software vendor, or accounts added when software was installed, including remote desktop, database and other password-related software.

Software vulnerabilities

    Troubleshoot according to the system environment, for example commonly attacked environments such as Java, Tongda OA and Zhiyuan OA; check web logs, and check the patch level of the domain controller and devices.


2. How to recover files encrypted by the ransomware with the .[ [email protected] ].mkp suffix?

Because of the encryption algorithm used by this suffix virus, the encrypted files differ on every infected computer or server. The virus characteristics and the encryption of the encrypted files must be detected and analyzed independently in order to determine the most suitable recovery plan.

Considering the time, cost, risk and other factors involved in data recovery, if the data is not very important we recommend scanning and disinfecting the entire disk directly, formatting and reinstalling the system, and then putting proper system security protection in place. If the infected data really is valuable and needs to be recovered, you can contact us for free testing and consultation on data recovery solutions.


3. Introduction to the recovery case:

1. Encrypted data

One file server, with about 570,000+ encrypted files and about 7.5T of data, a very large volume.

2. Data Recovery Completion

The data was restored: of more than 570,000 files, 370 picture files could not be restored, giving a recovery rate of 99.99%. The recovered files open and can be used normally.

3. Data recovery period

Recovery period:

For the file server, our team started overnight recovery work on the night the customer's order was received and completed the recovery of all data the following night, taking 1 day in total.

Recommended system security measures:

1. Do not use the same account and password on multiple machines.

2. Login passwords should be of sufficient length and complexity, and should be changed regularly.

3. Shared folders holding important data should have access control set up and should be backed up regularly.

4. Regularly check systems and software for security vulnerabilities, and patch them in time.

5. Regularly log on to the server to check for anything abnormal.

6. Install security protection software and make sure it works properly.

7. Download and install software only from legitimate channels.

8. For unfamiliar software that anti-virus software has intercepted and removed, do not add it to the trust list and keep running it.

9. Keep good backup habits: try to make daily backups and off-site backups.


Origin blog.csdn.net/javaFay/article/details/123774020