After receiving a friend’s recovery request, the win server file was encrypted by the bitcoin ransomware oracle database of GANDCRAB V5.0.4 (Zhonglian his [large Chinese table name / xml type]), let us analyze it and determine whether it can be restored

Through the analysis of the tool, it is found that the file header and data file space need to be reconstructed using bitmap-related blocks. The main business data should theoretically be good. By analyzing the basic database information such as database tablespaces and data files, Manually rebuild, rebuild the control file, and after a series of recovery, the database forced to open successfully

SQL> select open_mode from v $ database;

OPEN_MODE
--------------------
READ WRITE

SQL> select name from v $ datafile;

NAME
-------------------------------------------------- ------------------------------
E:\ORCLNEW1\SYSTEM01.DBF.HKNWFZ
E:\ORCLNEW1\SYSAUX01.DBF.HKNWFZ
E:\ORCLNEW1\UNDOTBS01.DBF.HKNWFZ
E:\ORCLNEW1\USERS01.DBF.HKNWFZ
E:\ORCLNEW1\BHDATA.DBF.HKNWFZ
E:\ORCLNEW1\BHMAIL.DBF.HKNWFZ
E:\ORCLNEW1\BHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\ZHBASIS.DBF.HKNWFZ
E:\ORCLNEW1\ZHARCHIVES.DBF.HKNWFZ
E:\ORCLNEW1\ZHSERVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHADVICES.DBF.HKNWFZ
E:\ORCLNEW1\ZHEXPENSES.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDICINE.DBF.HKNWFZ
E:\ORCLNEW1\ZHLAB.DBF.HKNWFZ
E:\ORCLNEW1\ZHCHECK.DBF.HKNWFZ
E:\ORCLNEW1\ZHLOB.DBF.HKNWFZ
E:\ORCLNEW1\ZHINDEX.DBF.HKNWFZ
E:\ORCLNEW1\SLREPORT.DBF.HKNWFZ
E:\ORCLNEW1\ZHMATERIAL.DBF.HKNWFZ
E:\ORCLNEW1\ZHMEDREC.DBF.HKNWFZ
E:\ORCLNEW1\ZHINSURE.DBF.HKNWFZ

Because the customer’s database has a large number of xml column types, exp cannot be exported, and only expdp can be used for export. Because expdp creates intermediate tables during the export process, some repairs are made to the database to ensure that the database can write normally. Object and database export succeeded