Sometimes we are asked, "Wouldn't you like to see things through a virus writer's eyes?" The "how" we can answer ourselves, but knowing what a particular malware author was actually thinking would be very interesting indeed, especially when you run into a "gem" like this one.
The protagonist of today's article is a curious specimen of an encoder. It was clearly conceived as ordinary "ransomware", but its technical implementation looks like someone's cruel joke. Today we'll talk about that implementation.
Unfortunately, tracing this encoder's life cycle is next to impossible; fortunately, it is not widespread, so there are few statistics to speak of. We therefore skip its origin, infection vectors and other references, and instead describe the case we actually encountered with Wulfric ransomware and how we helped the user save their files.
I. How it all began
People hit by ransomware often contact our antivirus laboratory, and we provide help regardless of which antivirus product they have installed. This time we were contacted by someone whose files had been affected by an unknown encoder.
"Hello. The files were encrypted on a file storage (samba4) using a login without a password. I suspect that my daughter's computer (Windows 10 with the standard Windows Defender protection) was infected. After that, my daughter's PC stopped turning on. Mostly .jpg and .cr2 files were encrypted. File extension after encryption: .aef."
From the user we received samples of the encrypted files, the ransom note, and a file that appeared to be the key the ransomware author would need to decrypt the files.
Here is everything we had to go on:
- 01c.aef (4481K)
- hacked.jpg (254K)
- hacked.txt (0K)
- 04c.aef (6540K)
- pass.key (0K)
Let's look at the note. How many bitcoins this time?
Translation:
Attention, your files have been encrypted!
The password is unique to your PC. Pay 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, send an e-mail to [email protected] with the pass.key file attached, together with the payment notification. Once it is verified, you will be sent a decryption tool for your files.
You can pay in bitcoins online in various ways:
buy.blockexplorer.com: payment by bank card
www.buybitcoinworldwide.com
localbitcoins.net
About Bitcoin:
en.wikipedia.org/wiki/Bitcoin
If you have any questions, write to the address below: [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.
A wolf striking a pose to show the victim how serious the situation is. It could have been worse, though.
Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." The plot is a little different here, though.
II. Let's get started
First we examined the structure of the samples we had been sent. Oddly, they did not look like files damaged by ransomware. Open one in a hex editor and see for yourself: the first 4 bytes hold the original file size and the next 60 bytes are filled with zeros. The most interesting part, however, is at the end.
Fig. 2. Examining the damaged file. What catches the eye?
It all turned out to be laughably simple: 0x40 bytes of the header had been moved to the end of the file. To restore the data, you just move them back to the beginning. Access to the file is restored, but the name is still encrypted, and that is where it gets more complicated.
Fig. 3. The Base64-encoded encrypted name looks like a meaningless jumble of characters.
Let's try to make sense of it. pass.key was sent to us by the user. Inside it we see a sequence of 162 ASCII characters.
Fig. 4. The 162 characters left behind on the victim's PC.
On closer inspection, the symbols repeat with a certain frequency. That could point to XOR, which is characterized by repetitions whose period depends on the key length. We split the string into 6-character pieces and XORed it with several variants of key sequences, but got nothing meaningful.
Fig. 5. See the constants repeating in the middle?
Yes, there they are. We decided to google the constants, and that eventually led us to the encoding algorithm itself. After reading its source, it became clear that our string is simply the output of that code. Note that this is not an encryption function but a plain encoder that replaces each character with a fixed multi-byte sequence. No keys, no other secrets :)
Fig. 6. Part of the author's nameless original algorithm.
Without the following details, the algorithm would not work correctly.
Fig. 7.
We convert the string using the conversion table: pass.key turns into 27 characters of text. The (presumably) human-readable text "asmodat" deserves special attention.
Fig. 8. USGFDG=7.
Google helps us once again. A little searching turned up an interesting project on GitHub, Folder Locker, written in .Net and using the "asmodat" library from another Git account.
Fig. 9. The Folder Locker interface. Make sure there is no malware in it.
This utility is an encryption tool for Windows 7 and later, distributed as open source. A password is used during encryption, and the same password is needed for the subsequent decryption. It works on both individual files and whole directories.
The library uses the Rijndael symmetric cipher in CBC mode. Notably, the block size chosen is 256 bits, in contrast to the block size adopted by the AES standard, where it is fixed at 128 bits.
Our key is generated according to the PBKDF2 standard. In this case the password is the SHA-256 of the string entered into the utility. All that remains is to find that string and generate the decryption key.
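The key derivation described above, as an added example that is not code from the article or from Folder Locker: the string typed into the utility is hashed with SHA-256 and the digest is fed to PBKDF2. The salt, the iteration count, whether the digest goes in as hex text or as raw bytes, and the key/IV split are not given on the page, so the values below are assumptions, chosen to show that recovering the password alone is not enough without the utility's exact parameters.

```python
"""PBKDF2 key derivation in the shape the analysis describes.
Assumptions (not on the page): salt, iteration count, hex-vs-raw digest,
and a 32-byte key followed by a 32-byte IV in the derived material."""
import hashlib

KEY_BYTES = 32   # 256-bit Rijndael key
IV_BYTES = 32    # 256-bit blocks mean a 32-byte IV, not the 16 bytes of AES

def derive_key_iv(entered: str, salt: bytes, iterations: int,
                  digest_as_hex: bool = True) -> tuple:
    """SHA-256 the entered string, then run PBKDF2-HMAC-SHA256 over it."""
    pre = hashlib.sha256(entered.encode("utf-8"))
    password = pre.hexdigest().encode("ascii") if digest_as_hex else pre.digest()
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                   KEY_BYTES + IV_BYTES)
    return material[:KEY_BYTES], material[KEY_BYTES:]

def candidate_keys(entered: str, salt: bytes, iterations: int) -> dict:
    """Both plausible ways of feeding the digest into PBKDF2. An analyst who
    recovered the codeword but guessed the wrong convention gets a wrong key,
    so every derivation attempt must be checked against a known plaintext
    (here: a decrypted name record that starts with 4 bytes of garbage and a
    little-endian length)."""
    return {"hex": derive_key_iv(entered, salt, iterations, True),
            "raw": derive_key_iv(entered, salt, iterations, False)}

# Constructed parameters; the real salt and iteration count are unknown.
ASSUMED_SALT = b"folderlocker-salt-placeholder"
ASSUMED_ITERATIONS = 1000

if __name__ == "__main__":
    for how, (key, iv) in candidate_keys("Shadow wolf", ASSUMED_SALT, ASSUMED_ITERATIONS).items():
        print(how, key.hex(), iv.hex())
```

The decryption itself is not shown because the standard library has no Rijndael with 256-bit blocks; the point of the block is the two-stage password handling and the 32-byte IV that the non-AES block size implies.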
Now back to our already decoded pass.key. Remember the line containing a run of digits and the text "asmodat"? Let's try the first 20 bytes of that string as the Folder Locker password.
Look, it works! The codeword came up and everything decrypted perfectly. Judging by the characters in it, the password is the hexadecimal representation of a specific ASCII word. Let's display the codeword as text. We get "Shadow wolf". Feeling the symptoms of lycanthropy yet?
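The pass.key analysis from the repeated-constants observation through the 27-character text and the hex codeword, as an added example that is not the article's or the encoder's own code. The page does not reproduce the real conversion table, so the 6-byte-per-character table below is a hypothetical stand-in (6 follows from 162 bytes for 27 characters); the sample key string is constructed as 20 hex digits plus "asmodat", and the word hidden in the hex digits is a placeholder.

```python
"""Recover a fixed-width substitution: find the symbol width from byte
coincidences, split into symbols, map them back, then read the hex codeword.
TABLE is hypothetical; SAMPLE_TEXT is constructed."""
from string import printable

# Hypothetical table: constant bytes around each nibble letter, so the
# constants repeat with period 6 just like the ones seen in Fig. 5.
NIBBLE = b"ABCDEFGHIJKLMNOP"                   # nibble 0..15 -> one letter
def _encode_char(ch: str) -> bytes:
    v = ord(ch)
    return b"U" + bytes([NIBBLE[v >> 4]]) + b"=" + bytes([NIBBLE[v & 0xF]]) + b"Q7"

TABLE = {ch: _encode_char(ch) for ch in printable}
INVERSE = {v: k for k, v in TABLE.items()}

def encode_key(text: str) -> bytes:
    return b"".join(TABLE[ch] for ch in text)

def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions i with data[i] == data[i + shift]."""
    n = len(data) - shift
    return sum(1 for i in range(n) if data[i] == data[i + shift]) / n

def likely_symbol_width(data: bytes, max_width: int = 32, threshold: float = 0.5):
    """Smallest shift at which the stream largely repeats itself. For a
    fixed-width substitution the constant bytes line up every `width` bytes,
    so the coincidence rate jumps there; shorter shifts stay near chance."""
    for shift in range(1, min(max_width, len(data) // 2) + 1):
        if coincidence_rate(data, shift) > threshold:
            return shift
    return None

def split_symbols(data: bytes, width: int) -> list:
    if len(data) % width:
        raise ValueError("data length is not a multiple of the symbol width")
    return [data[i:i + width] for i in range(0, len(data), width)]

def decode_key(data: bytes) -> str:
    width = likely_symbol_width(data)
    if width is None:
        raise ValueError("no repeating structure found; not a fixed-width encoding")
    return "".join(INVERSE[sym] for sym in split_symbols(data, width))

def codeword_from_text(text: str, hex_len: int = 20) -> str:
    """The article's last step: the leading hex digits are an ASCII word."""
    return bytes.fromhex(text[:hex_len]).decode("ascii")

# Constructed sample: 20 hex digits (ASCII "Shadowwolf", a placeholder word)
# followed by the 7-character tag "asmodat": 27 characters -> 162 bytes.
SAMPLE_TEXT = "Shadowwolf".encode("ascii").hex() + "asmodat"
SAMPLE_KEY = encode_key(SAMPLE_TEXT)

if __name__ == "__main__":
    print(len(SAMPLE_KEY), "bytes, symbol width", likely_symbol_width(SAMPLE_KEY))
    text = decode_key(SAMPLE_KEY)
    print(text, "->", codeword_from_text(text))
```

The coincidence test is the same check the analysts did by eye when they noticed constants repeating in the middle: a keyed XOR with a short key also shows a period, but its bytes vary with the plaintext, whereas a keyless substitution repeats the same constants verbatim, which is what makes the string decodable without any secret.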
Now that we understand how the locker works, let's look at the structure of an affected file once more.
- 02 00 00 00: name encryption mode;
- 58 00 00 00: length of the encrypted, base64-encoded file name;
- 40 00 00 00: size of the transferred header.
The encrypted name itself and the transferred header are highlighted in red and yellow respectively.
Fig. 10. The encrypted name is highlighted in red, the transferred header in yellow.
Next, let's compare the encrypted and decrypted names in hex.
Structure of the decrypted data:
- 78 B9 B8 2E: garbage produced by the utility (4 bytes);
- 0C 00 00 00: length of the decrypted name (12 bytes);
- then the actual file name, zero-padded (padding) up to the required block length.
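The file repair and the name-record parsing that the two structures above describe, as an added example that is not the article's code. The field values (mode 2, a 0x40-byte header moved to the end, a length-prefixed base64 name, a decrypted record of 4 garbage bytes plus a little-endian length plus zero padding) come from the page; the order of the trailer fields, little-endian encoding throughout, and the sample file are assumptions constructed here. The "encrypted" name bytes are a stand-in, since decrypting them needs 256-bit-block Rijndael; note that 0x58 = 88 base64 characters decode to 64 bytes, which fits a 32-byte IV plus one 32-byte block.

```python
"""Repair a Wulfric-style .aef file and parse the decrypted name record.
Trailer field order and little-endian layout are assumptions; ORIGINAL,
CIPHERTEXT and RECORD are constructed sample data."""
import base64
import struct

HEADER_SIZE = 0x40                 # header bytes moved to the end ("40 00 00 00")
MODE_NAME_ENCRYPTED = 2            # the "02 00 00 00" mode field
FIELDS = struct.Struct("<III")     # mode, name_len, header_size (LE assumed)
BLOCK = 32                         # Rijndael with 256-bit blocks: 32-byte blocks

def build_damaged_sample(original: bytes, name_b64: bytes) -> bytes:
    """Constructed test input reproducing the observed layout:
    [size][60 zero bytes][body from 0x40][mode][name_len][hdr_size][b64 name][header]"""
    head = struct.pack("<I", len(original)) + bytes(HEADER_SIZE - 4)
    fields = FIELDS.pack(MODE_NAME_ENCRYPTED, len(name_b64), HEADER_SIZE)
    return head + original[HEADER_SIZE:] + fields + name_b64 + original[:HEADER_SIZE]

def find_trailer(data: bytes) -> dict:
    """Locate the self-describing trailer by trial: the three fields must sit
    exactly name_len + header_size bytes before the end and agree with the
    constants the analysis found. A wrong guess fails at least one check."""
    for name_len in range(len(data) - FIELDS.size - 2 * HEADER_SIZE + 1):
        end = len(data) - HEADER_SIZE - name_len
        mode, n, hdr = FIELDS.unpack_from(data, end - FIELDS.size)
        if mode == MODE_NAME_ENCRYPTED and n == name_len and hdr == HEADER_SIZE:
            return {"fields_at": end - FIELDS.size, "name_len": n,
                    "name_b64": data[end:end + n], "header": data[end + n:]}
    raise ValueError("no consistent trailer found")

def restore_aef(data: bytes) -> tuple:
    """Move the header back to the front and verify against the size field."""
    t = find_trailer(data)
    (declared_size,) = struct.unpack_from("<I", data, 0)
    if any(data[4:HEADER_SIZE]):
        raise ValueError("bytes 4..0x3f should be zero in a damaged file")
    original = t["header"] + data[HEADER_SIZE:t["fields_at"]]
    if len(original) != declared_size:
        raise ValueError(f"size field {declared_size} != restored {len(original)}")
    return original, t

def raw_name_bytes(trailer: dict) -> bytes:
    """Base64-decode the name field: IV + ciphertext blocks, still encrypted."""
    return base64.b64decode(trailer["name_b64"])

def parse_decrypted_name(record: bytes) -> str:
    """[4 garbage bytes][LE length][name][zero padding to the block length]"""
    (n,) = struct.unpack_from("<I", record, 4)
    name, pad = record[8:8 + n], record[8 + n:]
    if len(record) % BLOCK or any(pad):
        raise ValueError("record not block-aligned or padding not zero")
    return name.decode("ascii")

# Constructed sample data.
ORIGINAL = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 3      # fake picture, 772 bytes
CIPHERTEXT = bytes((i * 7) & 0xFF for i in range(64))      # stand-in for IV + 1 block
NAME_B64 = base64.b64encode(CIPHERTEXT)                    # 88 chars = 0x58
DAMAGED = build_damaged_sample(ORIGINAL, NAME_B64)
RECORD = b"\x78\xb9\xb8\x2e" + struct.pack("<I", 12) + b"IMG_4114.CR2"
RECORD += bytes(BLOCK - len(RECORD) % BLOCK)               # zero padding to 32 bytes

if __name__ == "__main__":
    restored, info = restore_aef(DAMAGED)
    print("restored", len(restored), "bytes; name field", hex(info["name_len"]))
    print("decrypted record ->", parse_decrypted_name(RECORD))
```

The size field at offset 0 and the length fields in the trailer make the repair self-checking: if the header was not really 0x40 bytes, or the file was truncated, the declared size no longer matches and the function refuses rather than writing a silently corrupt picture.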
Fig. 11. IMG_4114 looks a lot better.
III. Conclusions
Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal they pursued. Of course, to the average user the result of such an encryption tool looks like a major disaster: the files won't open, the names are all gone, and instead of the usual wallpaper there is a wolf on the screen forcing you to read about bitcoin.
True, this time the "terrible encoder" turned out to be a cover for an obvious and silly extortion attempt, in which the attacker used ready-made programs and left the key right at the scene of the crime.
Speaking of keys: we had no malicious script or Trojan that would help us understand how it happened, so the mechanism by which pass.key ends up on the infected PC remains unknown. But remember that the author mentions the uniqueness of the password in the note. That is, the codeword for decryption is exactly as unique as the username Shadow wolf :)
And yet it has had no effect on us!
Source: habr.com