Wulfric Ransomware: the ransomware that isn't

Sometimes you really want to look another virus writer in the eye and ask: why, and what for? We can answer the "how" ourselves, but it would be very interesting to know what this or that malware creator was thinking. Especially when we come across "pearls" like this one.

The hero of today's article is a curious specimen of an encryptor. It seems to have been conceived as yet another piece of "ransomware", but its technical implementation looks more like someone's cruel joke. That implementation is what we will talk about today.

Unfortunately, it is impossible to trace the life cycle of this encoder: there are too few statistics on it, since, fortunately, it did not spread. So we will leave aside its origin, infection vectors and other references, and simply tell the story of our encounter with Wulfric Ransomware and how we helped the user recover his files.

I. How it all began

People who have been hit by ransomware often contact our anti-virus laboratory. We help regardless of which antivirus products they have installed. This time we were contacted by a person whose files had been affected by an unknown encoder.

Good afternoon. The files were encrypted on a file storage (samba4) with password-less access. I suspect the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). The daughter's computer has not been turned on since. The encrypted files are mostly .jpg and .cr2. File extension after encryption: .aef.

We received from the user samples of the encrypted files, the ransom note, and a file that might be the key the ransomware author needs to decrypt the files.

Here is all our material:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's look at the note. How many bitcoins this time?

Translation:

Attention, your files are encrypted!
The password is unique to your PC.

Pay the amount of 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, send me an email with the pass.key file attached to [email protected], with a notification of payment.

After confirmation, I will send you a decryptor for the files.

You can buy bitcoins online in various ways:
buy.blockexplorer.com - pay with a bank card
www.buybitcoinworldwide.com
localbitcoins.net

About Bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have any questions, please write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

A menacing wolf, designed to show the victim the seriousness of the situation. Still, it could have been worse.

Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." Looks legitimate.

II. Let's get started

First of all, we looked at the structure of the sample we were sent. Oddly enough, it did not look like a file damaged by ransomware at all. Open a hex editor and take a look. The first 4 bytes contain the original file size, and the next 60 bytes are filled with zeros. But the most interesting part is at the end:

Fig. 2. Examining the damaged file. What immediately catches the eye?

Everything turned out to be surprisingly simple: 0x40 bytes from the header were moved to the end of the file. To restore the data, just put them back at the beginning. Access to the file is restored, but the name remains encrypted, and things are more complicated with it.

Fig. 3. The name encrypted in Base64 looks like a random set of characters.

Let's try to make sense of the pass.key file sent by the user. In it we see a 162-byte sequence of ASCII characters.

Fig. 4. The 162 characters left on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain frequency. This may indicate the use of XOR, which is characterized by repetition that usually corresponds to the key length. Having split the string into 6-character chunks and XORed them with several candidate XOR sequences, we got no meaningful result.

Fig. 5. See the constants repeating in the middle?

We decided to google the constants, because yes, that is also an option! And they all led to one algorithm: Batch Encryption. After studying the script, it became clear that our string is nothing but the result of its work. It should be said that this is not an encryptor at all, but merely an encoder that replaces characters with 6-byte sequences. No keys or other secrets for you :)

Fig. 6. A fragment of the original algorithm by unknown authors.

The algorithm would not work as it should were it not for one detail:

Fig. 7. Morpheus approves.

Using reverse substitution, we turn the string from pass.key into a 27-character text. The human-readable (most likely) text 'asmodat' deserves special attention.

Fig. 8. USGFDG=7.

Google helps us again. After a little searching, we find an interesting project on GitHub: Folder Locker, written in .Net and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to check it for malware.

The utility is an encryptor for Windows 7 and above, distributed as open source. A password is used during encryption and is required for subsequent decryption. It can work with both individual files and entire directories.

Its library uses the Rijndael symmetric encryption algorithm in CBC mode. Notably, the block size was chosen to be 256 bits, unlike the one adopted in the AES standard, where the size is limited to 128 bits.

Our key is generated in accordance with the PBKDF2 standard. In this case, the password is the SHA-256 of the string entered into the utility. All that remains is to find this string in order to generate the decryption key.

Well, let's get back to our already decoded pass.key. Remember the line with the set of digits and the text 'asmodat'? Let's try using the first 20 bytes of the string as the password for Folder Locker.

Look, it works! The code word matched, and everything decrypted perfectly. Judging by the characters in the password, it is the HEX representation of some word in ASCII. Let's try to display the code word as text. We get 'shadowwolf'. Feeling the symptoms of lycanthropy yet?

Let's look again at the structure of the damaged file, now that we know how the locker works:

  • 02 00 00 00 - name encryption mode;
  • 58 00 00 00 - length of the encrypted and base64-encoded file name;
  • 40 00 00 00 - size of the moved header.

The encrypted name itself and the moved header are highlighted in red and yellow, respectively.

Fig. 10.

Now let's compare the encrypted and decrypted names in hexadecimal representation.

Structure of the decrypted data:

  • 78 B9 B8 2E - garbage generated by the utility (4 bytes);
  • 0C 00 00 00 - length of the decrypted name (12 bytes);
  • Next come the file name itself and zero padding to the required block length.
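The two layouts described above (the 0x40-byte header moved to the end of the file with its mode, name-length and header-size fields, and the decrypted name block with its 4 garbage bytes and length prefix) can be undone with a few lines of Python. This is an added example, not code from the article or from Folder Locker; the exact order of the fields after the file body is an assumption, the sample data is constructed, and the hex-to-text step is the one the article applied to the decoded pass.key.

```python
import base64
import struct

HEADER_LEN = 0x40   # 40 00 00 00: size of the header moved to the end of the file
NAME_MODE = 2       # 02 00 00 00: name encryption mode seen in the sample

def pack_aef(original: bytes, name_b64: bytes) -> bytes:
    """Build a constructed .aef-style file. The order of the fields after the
    body (moved header, mode, name length, header size, name) is an assumption."""
    if len(original) < HEADER_LEN:
        raise ValueError("file shorter than the moved header")
    front = struct.pack("<I", len(original)) + bytes(HEADER_LEN - 4)   # size + 60 zeros
    trailer = struct.pack("<III", NAME_MODE, len(name_b64), HEADER_LEN) + name_b64
    return front + original[HEADER_LEN:] + original[:HEADER_LEN] + trailer

def restore_aef(data: bytes) -> tuple:
    """Put the moved 0x40 bytes back in front; return (restored_file, name_b64).
    Every field is checked so a file in some other layout is rejected, not mangled."""
    (size,) = struct.unpack_from("<I", data, 0)
    if size < HEADER_LEN or any(data[4:HEADER_LEN]):
        raise ValueError("size field or zero run missing")
    body, moved = data[HEADER_LEN:size], data[size:size + HEADER_LEN]
    mode, name_len, hdr_len = struct.unpack_from("<III", data, size + HEADER_LEN)
    name_b64 = data[size + HEADER_LEN + 12:size + HEADER_LEN + 12 + name_len]
    if (mode, hdr_len, len(moved), len(name_b64)) != (NAME_MODE, HEADER_LEN, HEADER_LEN, name_len):
        raise ValueError("trailer fields inconsistent")
    return moved + body, name_b64

def parse_decrypted_name(block: bytes) -> str:
    """Decrypted name block: 4 garbage bytes, LE32 name length, name, zero padding."""
    (length,) = struct.unpack_from("<I", block, 4)
    name = block[8:8 + length]
    if len(name) != length or any(block[8 + length:]):
        raise ValueError("name length does not match the block")
    return name.decode("ascii")

def code_word(decoded_pass_key: str) -> str:
    """First 20 characters of the decoded pass.key are the code word in hex."""
    return bytes.fromhex(decoded_pass_key[:20]).decode("ascii")

def sample() -> tuple:
    """Constructed input: a 512-byte 'file' and a 64-byte fake ciphertext, which
    base64-encodes to exactly 0x58 = 88 characters as in the real sample."""
    original = bytes(range(256)) * 2
    name_b64 = base64.b64encode(bytes(64))
    return original, name_b64, pack_aef(original, name_b64)
```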

Fig. 11. IMG_4114 looks much better.

III. Findings and conclusion

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he pursued. Yes, to the average user the result of the encryptor's work will look like a major disaster. Files do not open. All the names are gone. Instead of the usual wallpaper there is a wolf on the screen. They make you read about bitcoins.

True, this time, under the guise of a "terrible encoder", there hid a ridiculous and clumsy attempt at extortion, in which the attacker uses ready-made programs and leaves the keys right at the scene of the crime.

By the way, about the keys. We had no malicious script or Trojan that could help us understand how this happened. How the pass.key file ends up on the infected PC remains unknown. But, as I recall, in his note the author mentioned the uniqueness of the password. So the code word for decryption is as unique as the username shadow wolf :)

And still, shadow wolf: why, and what for?

Source: www.habr.com
