【Data Recovery】 .[[email protected]].Devos ransomware - Phobos ransomware family

Contents

Foreword: Case Introduction

1. What is .[[email protected]].Devos ransomware?

2. How to recover files with the .[[email protected]].Devos suffix?

3. Introduction to the recovery case:

    1. Encrypted data

    2. Data recovery completion

    3. Data recovery period

Recommended system security measures:


Foreword: Case Introduction

        In 2022, a domestic enterprise reported that it had been attacked by ransomware. After the attacker penetrated its internal network, it infected multiple servers with malware. When the company discovered the attack, it immediately took steps to contain it. The investigation confirmed that multiple servers were infected. Every file on the infected machines had the suffix ".[ [email protected] ].Devos" appended and could no longer be opened normally. This suffix identifies the virus as the Devos variant of the Phobos ransomware family.

        Let's take a closer look at this .devos ransomware.


1. What is .[ [email protected] ].Devos ransomware?

        .[ [email protected] ].Devos is the name of a ransomware-type program. When we launched a sample on our test system, it encrypted files and appended the ".id[XXXXXX].[ [email protected] ].Devos" extension to each filename. For example, a file originally named "1.jpg" appears as "1.jpg.id[XXXXXX].[ [email protected] ].Devos", "2.jpg" appears as "2.jpg.id[XXXXXX].[ [email protected] ].Devos", and so on. After the encryption process is complete.

        Regardless of the propagation method used, the attack generally works the same way. .[ [email protected] ].Devos ransomware scans the victim's computer to locate its data, then triggers its encryption routine, applying encryption algorithms to lock every targeted file. Every file encrypted by Devos ransomware has its name changed as the Trojan appends the .id[XXXXXX].[ [email protected] ].Devos extension. As the extension shows, this threat generates a new unique ID for each victim, which helps the attackers distinguish between the various users who have fallen victim to their data-locking Trojan.
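The naming scheme above is the quickest way to scope an incident of this kind: the victim ID and contact address are embedded in every encrypted filename, so a file listing alone tells you which files were touched, how many distinct victim IDs are present, and what the original names were (useful when deciding which databases to prioritise for recovery). The following script is an added example for that triage step and is not part of the original article; the regular expression, the function names, and the sample filenames (including the placeholder contact address `contact@example.invalid` and the placeholder victim ID) are all assumptions constructed for the demonstration.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Matches the naming scheme described in the article:
#   <original name>.id[<victim id>].[<contact address>].Devos
# Stray spaces inside the brackets are tolerated, because names copied from
# reports or screenshots often carry them.
DEVOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[\s*(?P<victim_id>[^\]]+?)\s*\]"
    r"\.\[\s*(?P<contact>[^\]]+?)\s*\]"
    r"\.(?P<family>Devos)$",
    re.IGNORECASE,
)


def parse_devos_name(filename: str) -> Optional[Dict[str, str]]:
    """Split a Devos-style filename into its parts, or return None if it does not match."""
    match = DEVOS_NAME.match(os.path.basename(filename))
    return match.groupdict() if match else None


def triage(filenames: Iterable[str]) -> Dict[str, object]:
    """Summarise a list of filenames: how many carry the Devos extension, which victim IDs
    and contact addresses appear, and what the files were originally called."""
    victims: Counter = Counter()
    contacts: Counter = Counter()
    originals: List[str] = []
    clean = 0
    for name in filenames:
        parsed = parse_devos_name(name)
        if parsed is None:
            clean += 1
            continue
        victims[parsed["victim_id"]] += 1
        contacts[parsed["contact"].lower()] += 1
        originals.append(parsed["original"])
    return {
        "encrypted": len(originals),
        "clean": clean,
        "victim_ids": dict(victims),
        "contacts": dict(contacts),
        "originals": originals,
    }


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a directory tree (for example a mounted image of an affected server) and triage it."""
    paths = (os.path.join(directory, f) for directory, _, files in os.walk(root) for f in files)
    return triage(paths)


# Constructed sample names; the victim ID and contact address are placeholders, not real indicators.
SAMPLE_NAMES = [
    "1.jpg.id[AB12CD34-1234].[contact@example.invalid].Devos",
    "2.jpg.id[AB12CD34-1234].[contact@example.invalid].Devos",
    "/srv/u8data/UFDATA_001_2021/UFDATA.MDF.id[AB12CD34-1234].[contact@example.invalid].Devos",
    "report.docx",       # untouched file
    "notes.txt.Devos",   # wrong shape: no id/contact blocks, so it is not counted
]

if __name__ == "__main__":
    summary = triage(SAMPLE_NAMES)
    print(f"encrypted={summary['encrypted']} clean={summary['clean']}")
    for victim_id, count in summary["victim_ids"].items():
        print(f"victim id {victim_id}: {count} files")
```

Run it against a real file listing with `scan_tree("/mnt/evidence")` (a read-only mount of the affected volume). Seeing more than one victim ID in the output means more than one infection run or more than one host is mixed into the listing, which matters when each server's files have to be analysed separately, as the recovery section below notes.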

How does .[ [email protected] ].Devos ransomware spread the infection?

According to our analysis of the infected machines' environment, the ransomware generally intrudes in the following ways.

 


2. How to recover files with the .[ [email protected] ].Devos suffix?

        Because of the encryption algorithm this ransomware uses, the encrypted files differ on every infected server. The virus characteristics and the encryption of the affected files must be detected and analyzed independently for each case in order to determine the most suitable recovery plan.

        Considering the time, cost, risk and other factors involved in data recovery, if the data is not very important we recommend scanning and disinfecting the entire disk, formatting and reinstalling the system, and then putting proper system security protection in place. If the infected data is genuinely valuable and needs to be recovered, you can follow the 91 Data Recovery public account for free testing and consultation on data recovery solutions.


3. Introduction to the recovery case:

1. Encrypted data

        A company server needed 150,000 files restored, mainly the account set (A/C set) database files of the U8 financial software.

 

2. Data recovery completion

        The data was restored: all 150,000 files, apart from 22 useless cache files on the C drive, were 100% recovered, including the A/C set database files. The recovered files open and work normally.

 

3. Data recovery period

Recovery period:

       For the file server, our team began the recovery work overnight on the night the customer's order was received and completed the recovery of all data the following night, taking 1 day in total.

Recommended system security measures:

1. Do not use the same account and password across multiple machines.

2. Login passwords should be of sufficient length and complexity, and should be changed regularly.

3. Shared folders holding important data should have access control configured and should be backed up regularly.

4. Regularly check systems and software for security vulnerabilities, and patch them promptly.

5. Regularly inspect the server for anything abnormal.

6. Install security protection software and make sure it is working properly.

7. Download and install software only from official channels.

8. If unfamiliar software has been intercepted and quarantined by anti-virus software, do not add it to the trust list and continue running it.

9. Keep good backup habits: make daily backups and off-site backups wherever possible.


Source: blog.csdn.net/javaFay/article/details/123765914