[Data Recovery Case] How to ensure 100% recovery of the database encrypted by .520 ransomware virus?

Contents

Foreword: Case Introduction

1. What is .520 ransomware?

2. How to recover ransomware virus files with .520 suffix?

3. Introduction to the recovery case:

1. Encrypted data

2. Data Recovery Completion

3. Data recovery period

Recommended system security measures:


Foreword: Case Introduction

        The .520 suffix ransomware is a new variant spread by a well-known foreign ransomware family. Since the outbreak of the virus at the end of September, we have received many inquiries and requests for help every day from companies whose data has been encrypted. After continuous in-depth research we found that, because of a defect in the virus's encryption program, some customers could not decrypt successfully even after paying the ransom and purchasing the decryption key, which led to even heavier losses. After detecting and analyzing a large number of encrypted server files and summarizing the successful recovery cases, our team has developed a more effective solution that ensures 100% recovery of database files and a 99%+ recovery rate for non-database files.

        Let's look at some recovery cases of .520-encrypted data.


1. What is .520 ransomware?

       Like most ransomware, .520 ransomware blocks access to files by encrypting them, changing their filenames, and leaving victims instructions on how to recover their files. It renames every encrypted file by appending a ".520" extension to the original filename.

        .520 ransomware is a file-encrypting virus designed to encrypt user files and hold them hostage until the ransom is paid. It typically encrypts a list of file types deemed valuable to the victim and changes their extensions so that the files become inaccessible.

         After encrypting the data, the .520 ransomware also contacts its Command & Control servers to send each victim an RSA private key. Ultimately, the malware encrypts pictures, documents, databases, videos and other files, leaving only system data untouched, with a few other exceptions.

       If you are unfortunately infected with this ransomware, the first thing to do is to disconnect from the Internet, check the extent of the infection, and seek the help of a professional data recovery company.

If you are infected with the .520 suffix ransomware virus, it is recommended to do the following immediately: 

1. Disconnect the infected machine from the Internet;

2. Unplug all storage devices;

3. Log out of the cloud storage account;

4. Close all shared folders;

5. Seek the help of a professional data recovery company, and do not rename encrypted files or change their suffixes on your own: doing so damages the file content a second time and may make the data unrecoverable later.

How does the .520 ransomware spread the infection?

After analyzing the machine environments and system logs of many companies infected with the .520 ransomware, we judge that the virus basically breaks in by the following routes. Please go through the prevention measures below one by one; after all, prevention beforehand is much easier than recovery afterwards.

Remote desktop password brute-forcing

    Disable Remote Desktop if it is not needed, or change the default administrator account name.

Database weak-password attacks

    Check the password complexity of the database's sa user.

Software vulnerabilities

    Investigate according to the system environment; commonly attacked environments include Java applications, Tongda OA, Zhiyuan OA, etc. Check the web server logs, and check that the domain controller and other devices are patched.
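The first two intrusion routes above leave a characteristic trace in logs: bursts of failed RDP logons (Windows Security event 4625 with logon type 10) from one source, and repeated SQL Server "Login failed for user 'sa'" entries in the ERRORLOG. The script below is an added example, not code from the original post, that runs that detection over constructed sample log lines. The one-line Security-event format, the threshold of five failures within one minute, and the sample addresses are assumptions made for the demo; the SQL Server lines follow the standard ERRORLOG wording.

```python
"""Detect RDP and SQL Server password brute-forcing in exported log lines.

Added example, not from the original post. The Windows event line format is an
assumption for the demo (one exported event per line); real deployments would
read the Security event log directly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event ID, logon type, target user, source IP.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
WINDOWS_EVENTS = """\
2021-11-05T02:00:01 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-11-05T02:00:03 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-11-05T02:00:05 4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2021-11-05T02:00:08 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-11-05T02:00:11 4625 LogonType=10 TargetUser=sqladmin SourceIP=203.0.113.7
2021-11-05T02:00:14 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-11-05T02:01:40 4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-11-05T03:15:00 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2021-11-05T03:16:30 4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
"""

# Constructed sample SQL Server ERRORLOG lines (standard 18456 wording).
SQL_ERRORLOG = """\
2021-11-05 02:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2021-11-05 02:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-11-05 02:10:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2021-11-05 02:10:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-11-05 02:10:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-11-05 09:00:12.01 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d{4}) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
SQL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_windows_events(text):
    """Parse the assumed one-line-per-event export into dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "id": m["id"],
                           "ltype": m["ltype"], "user": m["user"], "ip": m["ip"]})
    return events


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total failures} for sources with >= threshold failed RDP logons in one window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == "4625" and ev["ltype"] == "10":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def logons_after_bruteforce(events, **kw):
    """Successful RDP logons from a flagged source after its failure burst: the worst case."""
    flagged = rdp_bruteforce_sources(events, **kw)
    last_fail = {ip: max(e["ts"] for e in events if e["ip"] == ip and e["id"] == "4625")
                 for ip in flagged}
    hits = [e for e in events
            if e["id"] == "4624" and e["ltype"] == "10"
            and e["ip"] in last_fail and e["ts"] > last_fail[e["ip"]]]
    return sorted(hits, key=lambda e: e["ts"])


def sql_failed_logins(text):
    """Count SQL Server failed logins per (login name, client address)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = SQL_RE.search(line)
        if m:
            counts[(m["user"], m["ip"])] += 1
    return dict(counts)


def findings(windows_text=WINDOWS_EVENTS, sql_text=SQL_ERRORLOG):
    events = parse_windows_events(windows_text)
    return {"rdp_bruteforce": rdp_bruteforce_sources(events),
            "rdp_success_after_bruteforce": logons_after_bruteforce(events),
            "sql_failed_logins": sql_failed_logins(sql_text)}


if __name__ == "__main__":
    for key, value in findings().items():
        print(f"{key}: {value}")
```

A successful logon from a source that has just produced a failure burst is the finding to act on first: it means the brute-force most likely succeeded, and the same source should then be looked for in the SQL Server log, since the case above shows both routes being used together.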


2. How to recover .520 suffix ransomware virus files?

Because of the encryption algorithm used by this ransomware, the encrypted files on every infected server are different. The virus characteristics and the encryption of the affected files must be detected and analyzed individually to determine the most suitable recovery plan.

Considering the time, cost, risk and other factors involved in data recovery, if the data is not very important we recommend scanning and disinfecting the entire disk, formatting and reinstalling the system, and then setting up proper system security protection. If the infected data is valuable and really needs to be recovered, you can follow the 91 Data Recovery public account for free testing and consultation on a recovery plan.


3. Introduction to the recovery case:

1. Encrypted data

        Three servers; about 15 million+ encrypted files in total, with a data volume of about 400 GB.
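Scoping a job of this size (how many files are encrypted, how much data, and which of them are the database files that matter most) is the first step, and the post's own advice is that nobody should rename or re-suffix the files while doing it. The script below is an added example, not the recovery team's tool, that walks a tree read-only, recognises encrypted files by the appended ".520" suffix as the post describes, and summarises them by original extension. The list of database extensions and the sample tree it builds in a temporary directory are assumptions for the demo.

```python
"""Read-only triage of a file tree hit by ransomware that appends ".520".

Added example, not code from the original post. The database extension list
and the sample tree are assumptions made for the demo.
"""
import os
import tempfile
from collections import defaultdict

RANSOM_SUFFIX = ".520"
# Extensions treated as database files: assumed list covering SQL Server,
# MySQL, Oracle/dBase and Access names; extend for your own environment.
DATABASE_EXTS = {".mdf", ".ndf", ".ldf", ".bak", ".ibd", ".frm", ".myd",
                 ".myi", ".dbf", ".mdb", ".accdb", ".sql"}


def original_name(filename):
    """Pre-encryption filename, or None if the file does not carry the suffix.

    The ransomware keeps the original name and appends ".520", so stripping
    the suffix recovers the original extension without touching the file.
    """
    if filename.lower().endswith(RANSOM_SUFFIX) and len(filename) > len(RANSOM_SUFFIX):
        return filename[:-len(RANSOM_SUFFIX)]
    return None


def inventory(root):
    """Walk root and summarise encrypted files; never renames or writes."""
    by_ext = defaultdict(lambda: {"count": 0, "bytes": 0})
    summary = {"total_encrypted": 0, "total_bytes": 0, "untouched": 0,
               "database_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                summary["untouched"] += 1   # system files etc. left alone by the malware
                continue
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            ext = os.path.splitext(orig)[1].lower() or "(none)"
            by_ext[ext]["count"] += 1
            by_ext[ext]["bytes"] += size
            summary["total_encrypted"] += 1
            summary["total_bytes"] += size
            if ext in DATABASE_EXTS:
                summary["database_files"].append(os.path.relpath(full, root))
    summary["by_ext"] = dict(by_ext)
    summary["database_files"].sort()
    return summary


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    sample = {                      # relative path -> size in bytes (constructed)
        "data/ERP.mdf.520": 4096,
        "data/ERP_log.ldf.520": 2048,
        "backup/ERP_full.bak.520": 8192,
        "docs/contract.docx.520": 512,
        "docs/photo.jpg.520": 256,
        "web/index.html.520": 128,
        "system/notepad.exe": 64,   # system file left alone, as the post describes
        "docs/readme.txt": 32,
    }
    for rel, size in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)
    return root


def format_report(summary):
    """Human-readable summary, database files listed first for prioritisation."""
    lines = [f"encrypted files: {summary['total_encrypted']} "
             f"({summary['total_bytes']} bytes), untouched: {summary['untouched']}"]
    for ext, stats in sorted(summary["by_ext"].items()):
        lines.append(f"  {ext:8} {stats['count']:6} files {stats['bytes']:10} bytes")
    lines.append("database files (priority for recovery):")
    lines.extend(f"  {p}" for p in summary["database_files"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(inventory(build_sample_tree())))
```

Run it against a mounted copy or a read-only snapshot of the affected volume rather than the live server; the by-extension totals map directly onto the "database files" versus "non-database files" split the post reports its recovery rates against.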

[Screenshots in the original post: before and after data recovery for each of the three servers.]

2. Data Recovery Completion

        The data of all three servers has been restored. There are more than 450,000 non-database files in total; only a few useless files on the system disk were not restored. The overall file recovery rate is 99.99%+, and all database files were 100% restored. The recovered files open and work normally.

3. Data recovery period

Recovery period:

       For the three servers, our team began the recovery work overnight after receiving the customer's order, and finished recovering all data on the three servers on the third night, 2.5 days in total.

Recommended system security measures:

1. Do not use the same account and password on multiple machines.

2. Login passwords should be of sufficient length and complexity, and should be changed regularly.

3. Shared folders holding important data should have access control set up and be backed up regularly.

4. Regularly check systems and software for security vulnerabilities, and patch them in time.

5. Check the servers regularly for anything abnormal.

6. Install security protection software and make sure it is working properly.

7. Download and install software only from legitimate channels.

8. If unfamiliar software has been blocked or quarantined by anti-virus software, do not add it to the trusted list and keep running it.

9. Keep good backup habits: make daily backups and off-site backups wherever possible.


Source: blog.csdn.net/javaFay/article/details/121200098