============================================================
RANSOM / ENCRYPTED FILE PAIR ANALYSIS REPORT
============================================================
Original file : /var/www/www-root/data/www/test2.lex1.ru/Clear_log.sql
Encrypted file: /var/www/www-root/data/www/test2.lex1.ru/Clear_log.sql.PQkDIcswR

=== BASIC SIZES ===
Original size : 4251
Encrypted size: 4493
Diff          : 242

=== ENTROPY / PRINTABLE ===
Original entropy    : 5.3836
Encrypted entropy   : 7.9633
Original printable  : 100%
Encrypted printable : 36.99%

=== HEAD / TAIL HEX ===
Orig head(32) : 0d0a555345205b42505f41756469746f725d0d0a474f0d0a4442434320534852
Enc head(32)  : 7d33e23663e10a940670b8ded988f86e893193a9d84ce4e66aa34a3d440d4cd2
Orig tail(32) : 46494c45284e277a75705f6c6f67272c302c205452554e434154454f4e4c5929
Enc tail(32)  : dc442ec96e89c6b643c605b85c4dc49ba4c5f02ecb7831ba536ef3c560493053

=== COMMON SUBSTRINGS ===
Longest common substring in first 2000 bytes: 2

=== MODS ===
Encrypted size mod 16: 13
Encrypted size mod 32: 13
Encrypted size mod 64: 13

=== BLOCK REPETITION ===
Block 8:  total=561 repeated=0 unique=561
Block 16: total=280 repeated=0 unique=280
Block 32: total=140 repeated=0 unique=140

=== RAW EQUALITY OVERLAP ===
Best offset : 39
Equal bytes : 29 / 4251
Equal ratio : 0.6822%

=== SIMPLE TRANSFORMS ===
Best XOR candidate: offset=-114 key=224 score=15 / 1024
Best ADD candidate: offset=-59 delta=123 score=15 / 1024

=== XOR LAYOUT TESTS ===
exactAligned: no
extraAtStart: no
extraAtEnd:   no
splitExtra:   no

=== PLAIN CHUNK SEARCH ===
Chunk size 8:  0
Chunk size 16: 0
Chunk size 24: 0
Chunk size 32: 0
Chunk size 48: 0
Chunk size 64: 0

=== ASCII RUNS IN ENCRYPTED FILE ===
Found ASCII runs: 7
Offset 308,  len 6: *9xE{d
Offset 488,  len 6: 0gEhq1
Offset 656,  len 6: q/&2bK
Offset 801,  len 6: 7&n#ru
Offset 2832, len 6: KYg@%n
Offset 3090, len 7: [;"B9mw
Offset 3745, len 6: v'K"38

=== WINDOW SIMILARITY ===
Best direct-equality window score: 5 / 128
origPos: 864
encPos : 3328

=== COMPRESSION TESTS ===
gzdecode:     no
gzuncompress: no
gzinflate:    no
bzdecompress: SUCCESS, len=2

=== CONTAINER SIGNATURES ===
No known signatures found in first 300 offsets.

=== REGION ANALYSIS (242 bytes if possible) ===
[first]  len=242 entropy=7.1066 printable=37.19%
[first]  head=7d33e23663e10a940670b8ded988f86e
[first]  tail=3aab6a30cf72bb3a9eb3cf10e95c4e8c
[middle] len=242 entropy=7.1712 printable=38.43%
[middle] head=3f1acab9e02ba0e470d7c431729e492c
[middle] tail=3f6c865797686892633bc8629db0caa6
[last]   len=242 entropy=7.0501 printable=35.95%
[last]   head=8456e2feaeba03c628c4d790c213873e
[last]   tail=a4c5f02ecb7831ba536ef3c560493053

=== EVERY N-TH EQUALITY ===
step=2  same=18/4251 ratio=0.4234%
step=3  same=18/4251 ratio=0.4234%
step=4  same=18/4251 ratio=0.4234%
step=5  same=18/4251 ratio=0.4234%
step=6  same=18/4251 ratio=0.4234%
step=7  same=18/4251 ratio=0.4234%
step=8  same=18/4251 ratio=0.4234%
step=9  same=18/4251 ratio=0.4234%
step=10 same=18/4251 ratio=0.4234%
step=11 same=18/4251 ratio=0.4234%
step=12 same=18/4251 ratio=0.4234%
step=13 same=18/4251 ratio=0.4234%
step=14 same=18/4251 ratio=0.4234%
step=15 same=18/4251 ratio=0.4234%
step=16 same=18/4251 ratio=0.4234%

=== BYTE FREQUENCY TOP 10 ===
Original:
byte=0x5f count=252
byte=0x0a count=237
byte=0x0d count=237
byte=0x54 count=184
byte=0x4e count=160
byte=0x4f count=160
byte=0x20 count=158
byte=0x55 count=138
byte=0x73 count=138
byte=0x74 count=137
Encrypted:
byte=0x73 count=30
byte=0xd2 count=28
byte=0xe4 count=28
byte=0xc6 count=27
byte=0x55 count=26
byte=0x86 count=26
byte=0xa1 count=26
byte=0x2e count=25
byte=0x6e count=25
byte=0xac count=25

=== LIKELIHOOD ESTIMATE ===
strong_encryption        : 13
ransomware_like          : 7
compression_or_container : 1
simple_xor               : 0
simple_addsub            : 0

=== INTERPRETATION ===
- Encrypted file entropy is extremely high; this strongly resembles true ciphertext.
- Low printable ratio supports binary encrypted output rather than transformed text.
- Simple XOR or ADD/SUB style byte transforms are very unlikely.
- No raw plaintext chunks from the original were found inside the encrypted file.
- Original and encrypted files share almost no direct common substrings in the scanned region.
- No repeated 16-byte blocks; weak ECB-like patterns are not visible.
- Encrypted file is longer than original by 242 bytes; this suggests metadata, IV/nonce, tag, wrapped key, or container overhead.
- No obvious ZIP/GZIP/7z/PDF/PNG style signatures detected near the beginning.

=== POSSIBLE SCENARIOS ===
1) Strong symmetric encryption plus metadata block (most likely).
2) Ciphertext + prepended/appended per-file metadata or encrypted session key.
3) Ransomware-style file encryption using AES/ChaCha + public-key wrapping.
4) Encrypted container with small overhead, but not a plain archive format.

=== RECOMMENDED NEXT STEPS ===
1) Compare 2-3 more encrypted files and check whether overhead size is always identical.
2) Check whether the same extension is added to all files.
3) Search for ransom note, dropped executable, PowerShell script, batch file, or task scheduler entry.
4) Compare first and last 64 bytes across multiple encrypted files.
5) Determine whether metadata size stays fixed across small and large files.
6) Keep originals read-only and work only on copies.
7) Search for backups, shadow copies, old versions, detached database blobs, sync history.
8) If more artifacts appear, identify ransomware family before attempting recovery.

=== FINAL TECHNICAL VERDICT ===
This pair strongly suggests real cryptographic file encryption, not a simple reversible byte-wise obfuscation.
A direct PHP-only derivation of the decryption formula from this single pair is unlikely to succeed.

Report saved to: /var/www/www-root/data/www/test2.lex1.ru/ransom_analysis_report.txt