Fighting Petya: our experience with retrieving data from the Firebird database files encrypted by ransomware crypto-viruses

As you know, several crypto-viruses have recently attacked many companies; the best known are WannaCry and Petya. As many companies report, it is usually necessary to pay the ransom or, in the case of Petya, all encrypted files will be lost.

Our company specializes in Firebird database consulting and provides tools for recovery and optimization; consequently, we received several requests from companies hit by Petya and some other ransomware.

Petya is a kind of «lazy» crypto-virus: usually it encrypts only the first megabyte of the file, probably to do its nasty job as fast as possible. The loss of the first megabyte at the beginning of a Firebird database usually makes it unreadable: the first megabyte contains important system information about tables and other structures.

It is a pity to lose a multi-gigabyte database due to the loss of the first MB. Luckily, our recovery tool (IBSurgeon FirstAID) can retrieve data from Firebird and InterBase databases even in cases like Petya: FirstAID works at a low level, bypassing the Firebird or InterBase engine, and requires the minimum amount of metadata to export records from the encrypted database to a new one.

Also, IBSurgeon FirstAID can borrow metadata structures from another database: if a good old copy of the database is available, it can be used as a source of metadata to export all unencrypted data.

Firebird databases consist of pages of equal size: in the most recent version, 3.0, the default page size is 8 KB; in the previous version, 2.5, it is 4 KB. This means that Petya encrypts either the first 128 pages (with an 8 KB page size) or the first 256 pages (with a 4 KB page size).

This means that Firebird 3 databases can usually be recovered from Petya's encryption at a rate close to 100%, while Firebird 2.5 databases will require borrowing external metadata to save the data.
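As an added example (not IBSurgeon's code and not how FirstAID works), here is a small Python triage script built on the two figures above, the 1 MB encrypted prefix and the 4 KB / 8 KB page sizes. It reads the first MiB of a database file and the MiB after it, compares their byte entropy, checks whether the header page still declares a sane page size, and reports how many pages the encrypted prefix would cover for each candidate page size. The header layout it checks (page type byte 1 at offset 0, page size as a little-endian 16-bit value at offset 16) is my assumption about the Firebird on-disk structure and should be verified against the ods.h of the version in use; the sample files it builds are constructed, with random bytes standing in for ciphertext.

```python
"""Incident-response triage for a Firebird database file after a Petya-style
attack: does the first MiB look like ciphertext while the rest of the file
still looks like ordinary database pages, and how many pages does that
region cover for each candidate page size?"""
import math
import os
import struct
import tempfile
from collections import Counter

ENCRYPTED_PREFIX = 1024 * 1024   # the article: Petya encrypts only the first megabyte
PAGE_SIZES = (4096, 8192)        # Firebird 2.5 and 3.0 defaults named in the article
HEADER_PAGE_TYPE = 1             # assumption: pag_type value of the header page
PAGE_SIZE_OFFSET = 16            # assumption: hdr_page_size follows the 16-byte page header
ENTROPY_THRESHOLD = 7.5          # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for real pages."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_page_size(first_page: bytes):
    """Page size recorded in a readable header page, or None if the header
    fails basic sanity checks (wrong type byte, size not a power of two
    between 1 KB and 32 KB). An encrypted header fails these checks."""
    if len(first_page) < PAGE_SIZE_OFFSET + 2 or first_page[0] != HEADER_PAGE_TYPE:
        return None
    (size,) = struct.unpack_from("<H", first_page, PAGE_SIZE_OFFSET)
    if size < 1024 or size > 32768 or size & (size - 1):
        return None
    return size


def pages_in_prefix(page_size: int, prefix_len: int = ENCRYPTED_PREFIX) -> int:
    """Whole pages covered by the encrypted prefix: 128 for 8 KB, 256 for 4 KB."""
    return prefix_len // page_size


def triage(path: str) -> dict:
    """Compare the first MiB with the MiB after it and report a verdict."""
    with open(path, "rb") as f:
        head = f.read(ENCRYPTED_PREFIX)
        tail = f.read(ENCRYPTED_PREFIX)
    head_entropy = shannon_entropy(head)
    tail_entropy = shannon_entropy(tail)
    declared = header_page_size(head)
    prefix_encrypted = (declared is None
                        and head_entropy >= ENTROPY_THRESHOLD
                        and tail_entropy < ENTROPY_THRESHOLD)
    return {
        "header_page_size": declared,
        "head_entropy": round(head_entropy, 3),
        "tail_entropy": round(tail_entropy, 3),
        "prefix_looks_encrypted": prefix_encrypted,
        "pages_lost_by_page_size": {ps: pages_in_prefix(ps) for ps in PAGE_SIZES},
    }


def build_sample(path: str, page_size: int, pages: int, hit: bool) -> None:
    """Constructed stand-in for a database file: a header page carrying the
    page size, then low-entropy data pages; with hit=True the first MiB is
    overwritten by random bytes to imitate Petya's ciphertext."""
    header = bytearray(page_size)
    header[0] = HEADER_PAGE_TYPE
    struct.pack_into("<H", header, PAGE_SIZE_OFFSET, page_size)
    data_page = (b"\x05" + b"\x00" * 15 + b"customer record text, " * 400)[:page_size]
    data_page = data_page.ljust(page_size, b"\x00")
    image = bytearray(bytes(header) + data_page * (pages - 1))
    if hit:
        image[:ENCRYPTED_PREFIX] = os.urandom(ENCRYPTED_PREFIX)
    with open(path, "wb") as f:
        f.write(image)


def demo() -> dict:
    """Build a clean and a hit 3 MiB sample with 8 KB pages and triage both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, hit in (("clean", False), ("hit", True)):
            path = os.path.join(d, f"{name}.fdb")
            build_sample(path, 8192, 384, hit)
            results[name] = triage(path)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A high-entropy first MiB followed by a low-entropy remainder is exactly the damage pattern the article describes, and the per-page-size counts tell you how much of the system area a low-level export would have to do without; when the header is unreadable the real page size has to come from the Firebird version in use or from an old copy of the database, which is why both candidates are reported.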

Of course, this approach does not protect databases from crypto-viruses, but it allows minimizing losses after such a disaster. Backups and database monitoring are also very important as passive means of protection.