Wulfric Ransomware - a ransomware that does not exist

Sometimes you really want to look a virus writer in the eye and ask: why, and what for? We can answer the question "how" ourselves, but it would be very interesting to know what this or that malware author was thinking. Especially when we come across such "pearls".

The hero of today's article is an interesting specimen of a cryptor. It was evidently conceived as just another "ransomware", but its technical implementation looks more like somebody's cruel joke. We will talk about that implementation today.

Unfortunately, it is almost impossible to trace the life cycle of this encoder: there are very few statistics on it, since, luckily, it never spread widely. So we will leave aside its origin, infection vector and other details. Let's just talk about our encounter with Wulfric Ransomware and how we helped the user save his files.

I. How it all began

People who have fallen victim to ransomware often contact our antivirus laboratory. We provide help regardless of which antivirus products they have installed. This time we were contacted by a person whose files had been affected by an unknown encoder.

Good afternoon. The files were encrypted on the file storage (samba4) with passwordless login. I think the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). After that the daughter's computer was not switched on. The encrypted files are mostly .jpg and .cr2. The file extension after encryption: .aef.

We received from the user samples of the encrypted files, the ransom note, and a file that looked like the key the ransomware author needs in order to decrypt the data.

Here is everything we had to go on:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's look at the note. How many bitcoins this time?

Translation:

Attention, your files have been encrypted!
The password is unique to your PC.

Pay 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, email me: send the pass.key file to [email protected] together with the payment notification.

After confirmation, I will send you the decryptor for the files.

You can buy bitcoins online in several ways:
buy.blockexplorer.com - them nyiaj los ntawm bank card
www.buybitcoinworldwide.com
localbitcoins.net

About Bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have any questions, write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

The pretentious wolf is meant to impress on the victim the gravity of the situation. Still, it could have been worse.

Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." Sounds fair.

II. Let's get started

First of all, we look at the structure of the samples we were sent. Oddly enough, it does not look like a file mangled by ransomware. We open a hex editor and look. The first 4 bytes contain the file size, the next 60 bytes are filled with zeros. But the most interesting part is at the end:

Fig. 2. Examining a damaged file. What immediately catches your eye?

Everything turned out to be annoyingly simple: 0x40 bytes from the header were moved to the end of the file. To repair the file, you just move them back to the beginning. Access to the data is restored, but the name is still encrypted, and that is where things get harder.
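The header relocation described above, as an added example that is not part of the original article or of any decryptor: the .aef stub is assumed to consist of a little-endian size dword and 60 zero bytes, with the original first 0x40 bytes of the file appended at the end. The sample data is constructed; the name metadata discussed later is not modelled here.

```python
import struct
from typing import Optional, Tuple

HEADER_SIZE = 0x40  # the 64 header bytes the locker moves to the end of the file

# Magic bytes of the two formats the victim mentioned: JPEG and CR2 (a TIFF-based container)
KNOWN_MAGIC = {b"\xff\xd8\xff": "jpeg", b"II*\x00": "tiff/cr2"}


def restore_aef(aef: bytes) -> Tuple[bytes, int]:
    """Undo the header relocation.

    Layout assumed from the article: bytes 0..3 hold a size dword, bytes 4..0x3f
    are zero, and the last 0x40 bytes are the original start of the file.
    Returns (restored_file, size_field); the size dword is returned rather than
    interpreted, because the article does not say which length it records.
    """
    if len(aef) < 2 * HEADER_SIZE:
        raise ValueError("too short to hold both the stub header and the moved header")
    size_field = struct.unpack("<I", aef[:4])[0]
    if any(aef[4:HEADER_SIZE]):
        raise ValueError("bytes 4..0x3f are not all zero; this is not the described layout")
    restored = aef[-HEADER_SIZE:] + aef[HEADER_SIZE:-HEADER_SIZE]
    return restored, size_field


def detect_type(data: bytes) -> Optional[str]:
    """Sanity check after repair: does the restored header carry a known magic?"""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def make_sample_aef(original: bytes) -> bytes:
    """Build a constructed .aef the way the article describes (test data only).
    Assumption: the size dword holds the original file length."""
    stub = struct.pack("<I", len(original)) + bytes(HEADER_SIZE - 4)
    return stub + original[HEADER_SIZE:] + original[:HEADER_SIZE]


# Constructed stand-in for a victim file: a JPEG SOI/APP0 prefix plus filler bytes
SAMPLE_ORIGINAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2

if __name__ == "__main__":
    repaired, size = restore_aef(make_sample_aef(SAMPLE_ORIGINAL))
    print(detect_type(repaired), size, repaired == SAMPLE_ORIGINAL)
```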

Fig. 3. The Base64-encoded encrypted name looks like a meaningless string of characters.

Let's try to make sense of the pass.key sent by the user. In it we find a 162-byte sequence of ASCII characters.

Fig. 4. The 162 characters left on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain period. This could point to XOR, which is characterised by repetitions whose period depends on the key length. Having split the string into 6-character groups and XORed it with several variants of XOR sequences, we did not get a meaningful result.

Fig. 5. Notice the repeating values in the middle?

We decided to google the constants, because, after all, that is an option too! And they all eventually led to one algorithm: Batch Encryption. After studying the script, it became clear that our string is nothing more than the output of its work. It must be said that this is not an encryptor at all, but merely an encoder that replaces each character with a 6-byte sequence. No keys or other secrets for you :)

Fig. 6. A fragment of the original algorithm, author unknown.

The algorithm would not work as it should if it weren't for one expansion:

Fig. 7. Morpheus approves.

Applying the reverse transformation, we turn the string from pass.key into a 27-character text. The (most likely) human-readable text 'asmodat' deserves special attention.

Fig. 8. USGFDG = 7.

Google helps us again. After a little searching, we find an interesting project on GitHub: Folder Locker, written in .Net and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to check it for malware.

The utility is an encryptor for Windows 7 and above, distributed as open source. A password is used during encryption, and the same password is required for subsequent decryption. It can work both with individual files and with whole directories.

Its library uses the Rijndael symmetric encryption algorithm in CBC mode. It is worth noting that the block size was chosen to be 256 bits, unlike the one adopted by the AES standard, where the block size is fixed at 128 bits.

Our key is derived according to the PBKDF2 standard. In this case the password is the SHA-256 of the string entered into the utility. All that remains is to find this string in order to derive the decryption key.

Well, let's return to our already decoded pass.key. Remember that line with a set of digits and the text 'asmodat'? Let's try using the first 20 bytes of the string as the Folder Locker password.

Look, it works! The code word fits, and everything decrypts perfectly. Judging by the characters in the password, it is the HEX representation of some ASCII word. Let's try to display the code word as text. We get 'shadowwolf'. Feeling the symptoms of lycanthropy yet?

Let's look at another sample of an affected file, now that we know how the locker works:

  • 02 00 00 00 - name encryption mode;
  • 58 00 00 00 - length of the encrypted, base64-encoded name;
  • 40 00 00 00 - size of the moved header.

The encrypted name itself and the moved header are highlighted in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the moved header in yellow.

Now let's compare the encrypted and decrypted names in hexadecimal.

Structure of the decrypted data:

  • 78 B9 B8 2E - garbage produced by the utility (4 bytes);
  • 0C 00 00 00 - length of the decrypted name (12 bytes);
  • then the actual file name, followed by zero padding up to the required block length.
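The decrypted-name layout above and the password recovery from pass.key, as an added example that is not part of the original article or of Folder Locker: the plaintext is parsed as 4 junk bytes, a little-endian length dword, the name and zero padding to the 32-byte (256-bit) block, and the first 20 characters of the decoded pass.key line are read as the hex spelling of the code word. The decoded pass.key line is constructed to match the 27-character count the article gives; the real line is not reproduced here.

```python
import struct
from typing import Tuple

BLOCK_SIZE = 32  # Rijndael block size used by the library: 256 bits


def parse_decrypted_name(blob: bytes) -> str:
    """Parse the plaintext the name ciphertext decrypts to:
    4 junk bytes, a little-endian u32 name length, the name, zero padding."""
    if len(blob) < 8 or len(blob) % BLOCK_SIZE:
        raise ValueError("plaintext must be a whole number of 32-byte blocks")
    name_len = struct.unpack("<I", blob[4:8])[0]
    if 8 + name_len > len(blob):
        raise ValueError("name length field exceeds the decrypted data")
    name = blob[8:8 + name_len]
    if any(blob[8 + name_len:]):
        raise ValueError("trailing bytes after the name are not zero padding")
    return name.decode("ascii")


def build_name_block(name: str, junk: bytes = b"\x78\xb9\xb8\x2e") -> bytes:
    """Constructed plaintext in the article's layout (used to test the parser)."""
    body = junk + struct.pack("<I", len(name)) + name.encode("ascii")
    return body + bytes(-len(body) % BLOCK_SIZE)


def password_from_pass_key(decoded: str) -> Tuple[str, str]:
    """The first 20 characters of the decoded pass.key line are the Folder Locker
    password; they are the hex spelling of an ASCII word. Returns (password, word)."""
    password = decoded[:20]
    if len(password) != 20:
        raise ValueError("decoded pass.key line is shorter than 20 characters")
    return password, bytes.fromhex(password).decode("ascii")


# Constructed: 20 hex characters of 'shadowwolf' followed by 'asmodat' gives the
# 27-character text the article describes (assumed layout, not the real file)
CONSTRUCTED_PASS_KEY_LINE = "shadowwolf".encode("ascii").hex() + "asmodat"

if __name__ == "__main__":
    print(parse_decrypted_name(build_name_block("IMG_4114.CR2")))
    print(password_from_pass_key(CONSTRUCTED_PASS_KEY_LINE))
```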

Fig. 11. IMG_4114 looks much better.

III. Conclusions and outcome

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he was pursuing. Of course, to the average user the result of even such an encoder's work looks like a huge catastrophe. The files do not open. All the names are lost. Instead of the usual wallpaper there is a wolf on the screen. You are made to read about bitcoins.

In reality, though, this time, behind the guise of a "terrible encoder", lay an absurd and clumsy extortion attempt, in which the attacker used ready-made programs and left the keys at the scene of the crime.

By the way, about the keys. We do not have the malicious script or Trojan that could help us understand how this happened; the mechanism by which pass.key appeared on the infected PC is still unknown. But, as I recall, the note mentioned the uniqueness of the password. So, the decryption code word is as unique as the username shadowwolf is unique :)

And yet, shadowwolf, why, and what for?

Source: www.hab.com
