Wulfric Ransomware: the ransomware that isn't

Sometimes you really want to look another virus writer in the eye and ask: why, and what for? We can answer the question "how" ourselves, but it would be very interesting to find out what this or that malware designer was thinking. Especially when we come across "pearls" like this one.

The hero of today's article is a curious specimen of an encryptor. Apparently it was conceived as yet another piece of ransomware, but its technical implementation looks more like someone's cruel joke. That implementation is what we will talk about today.

Unfortunately, it is almost impossible to trace the life cycle of this encoder: there are very few statistics on it because, fortunately, it never spread widely. So we will leave aside its origin, infection vectors and other references. Let's talk instead about our own encounter with Wulfric Ransomware and how we helped the user recover his files.

I. How it all started

People who have fallen victim to ransomware regularly contact our anti-virus lab. We provide help regardless of which anti-virus products they have installed. This time we were contacted by a person whose files had been affected by an unknown encoder.

Hello. Files on a file store (samba4) were encrypted by logging in with a passwordless account. I suspect the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). The daughter's computer has not been switched on since. The encrypted files are mainly .jpg and .cr2. The file extension after encryption is .aef.

From the user we received samples of the encrypted files, the ransom note, and a file that was most likely the key the ransomware author needs in order to decrypt the files.

Here are all our leads:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's look at the note. How much is a bitcoin these days?

Translation:

Attention, your files are encrypted!
The password is unique to your PC.

Pay 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, send me an email at [email protected], attaching the pass.key file and the payment confirmation.

After verification, I will send you a decryptor for the files.

You can buy bitcoins online in several ways:
buy.blockexplorer.com - payment by bank card
www.buybitcoinworldwide.com
localbitcoins.net

About Bitcoin:
xh.wikipedia.org/wiki/Bitcoin
If you have any questions, please write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

A menacing wolf, meant to show the victim the gravity of the situation. It could have been worse, though.

Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." Seems important.

II. Let's get started

First, we looked at the structure of the sample sent to us. Surprisingly, it did not look like a file mangled by ransomware. Open a hex editor and take a look. The first 4 bytes contain the size of the original file, and the next 60 bytes are filled with zeros. But the most interesting part is at the very end:

Fig. 2. Analysis of the damaged file. What catches the eye right away?

Everything turned out to be annoyingly simple: the 0x40 bytes of the header had been moved to the end of the file. To restore the data, simply move them back to the beginning. Access to the file is restored, but the name remains encrypted, and things get harder from here.
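The header swap described above, as an added example (not code from the original article or from the tool it describes): `scramble` builds a constructed test fixture in the layout the hex dump shows, and `restore` undoes it. Assumptions: the size field is little-endian and the moved header occupies the final 0x40 bytes of the damaged file.

```python
import struct

HEADER_LEN = 0x40  # the 64 header bytes the encoder moves to the end of the file


def scramble(original: bytes) -> bytes:
    """Build a constructed .aef-style fixture from an original file:
    first 4 bytes = original size (assumed little-endian), then 60 zero
    bytes, then the rest of the file, then the displaced original header.
    (Assumption: the moved header is the very last 0x40 bytes.)"""
    if len(original) < HEADER_LEN:
        raise ValueError("fixture needs at least one full header")
    size_field = struct.pack("<I", len(original)) + b"\x00" * (HEADER_LEN - 4)
    return size_field + original[HEADER_LEN:] + original[:HEADER_LEN]


def restore(damaged: bytes) -> bytes:
    """Put the trailing header back in front, validating the layout first
    so that an unrelated file is rejected instead of silently corrupted."""
    if len(damaged) < 2 * HEADER_LEN:
        raise ValueError("too short to contain a moved header")
    (orig_size,) = struct.unpack("<I", damaged[:4])
    if damaged[4:HEADER_LEN] != b"\x00" * (HEADER_LEN - 4):
        raise ValueError("bytes 0x04..0x3F are not zero: not the expected layout")
    header = damaged[-HEADER_LEN:]          # the displaced original header
    body = damaged[HEADER_LEN:orig_size]    # original bytes after the header
    if len(body) != orig_size - HEADER_LEN:
        raise ValueError("size field disagrees with the file length")
    return header + body


# Constructed sample: a JPEG-like SOI marker followed by filler bytes.
SAMPLE = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2


def demo() -> bool:
    """True when a scrambled copy of SAMPLE round-trips back to SAMPLE."""
    return restore(scramble(SAMPLE)) == SAMPLE
```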

Fig. 3. The Base64-encoded encrypted name looks like a random string of characters.

Let's try to make sense of pass.key, the file sent by the user. In it we see a 162-byte sequence of ASCII characters.

Fig. 4. The 162 characters left behind on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain periodicity. This could indicate the use of XOR, which shows up as repetitions whose period depends on the key length. After splitting the string into 6-character chunks and XORing them against various candidate key sequences, we got no meaningful result.

Fig. 5. Notice the repeating constants in the middle?

We decided to google the constants, because yes, that is an option too! And they all eventually led to a single algorithm: Batch Encryption. After studying the script, it became clear that our string is nothing but the output of that script. It should be said that this is not an encryptor at all, just an encoder that replaces each character with a 6-byte sequence. No keys or other secrets whatsoever :)

Fig. 6. A fragment of the unknown author's original algorithm.

The algorithm would not have worked as intended if it were not for one detail:

Fig. 7. Morpheus approved.

Applying the reverse transformation, we turn the string from pass.key into a 27-character text. The (apparently) human-readable text 'asmodat' deserves special attention.

Fig. 8. USGFDG=7.

Google helps us again. After a short search we find an interesting project on GitHub: Folder Locker, written in .NET and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to check for malware.

The utility is an encryptor for Windows 7 and later, distributed as open source. A password is used during encryption, and the same password is required for subsequent decryption. It can work both with individual files and with entire directories.

Its library uses the Rijndael symmetric encryption algorithm in CBC mode. Notably, the block size is set to 256 bits, unlike the 128-bit block adopted by the AES standard. In the end, the size is limited to 128 bits.

Our key is derived according to the PBKDF2 standard. In this case, the password is the SHA-256 of the string typed into the utility. All that remains is to find that string in order to generate the decryption key.

OK, let's get back to our already decoded pass.key. Remember that line with the set of digits and the text 'asmodat'? Let's try using the first 20 bytes of the string as the Folder Locker password.

Look, it works! The code word fit, and everything decrypted perfectly. Judging by the characters in the password, it is the HEX representation of some ASCII word. Let's render the code word as text. We get 'wolf'. Feeling the symptoms of lycanthropy yet?

Let's look again at the structure of the affected file, now that we know how the key works:

  • 02 00 00 00 - name encryption mode;
  • 58 00 00 00 - length of the Base64-encoded encrypted file name;
  • 40 00 00 00 - size of the moved header.

The encrypted name itself and the moved header are marked in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the moved header in yellow.

Now let's compare the encrypted and decrypted names in hexadecimal representation.

Structure of the decrypted data:

  • 78 B9 B8 2E - garbage generated by the function (4 bytes);
  • 0C 00 00 00 - length of the encrypted name (12 bytes);
  • then comes the real file name, followed by zero padding up to the required block length.
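A parser for the decrypted name record laid out above, as an added example (not code from the article or from Folder Locker): `build_name_record` produces a constructed fixture in that layout and `parse_name_record` validates and extracts the name. Assumptions: the length field is little-endian, the padding block size is 32 bytes (the 256-bit Rijndael block mentioned above), and the sample name "IMG_4114.CR2" is constructed to be 12 bytes long like the length shown in the dump.

```python
import struct

GARBAGE = b"\x78\xb9\xb8\x2e"  # the 4 leading bytes seen in the dump above


def build_name_record(name: str, block_size: int = 32) -> bytes:
    """Constructed fixture: 4 garbage bytes, 4-byte length (assumed
    little-endian), the name, then zero padding to a block boundary."""
    body = GARBAGE + struct.pack("<I", len(name)) + name.encode("ascii")
    pad_len = (-len(body)) % block_size
    return body + b"\x00" * pad_len


def parse_name_record(plain: bytes, block_size: int = 32) -> str:
    """Validate the decrypted record and return the original file name.
    Every sanity check here is a cheap way to tell a correct decryption
    from garbage produced by a wrong password."""
    if len(plain) < 8 or len(plain) % block_size != 0:
        raise ValueError("record is not a whole number of cipher blocks")
    (name_len,) = struct.unpack("<I", plain[4:8])
    if name_len == 0 or 8 + name_len > len(plain):
        raise ValueError("length field is zero or points past the record")
    name = plain[8:8 + name_len]
    padding = plain[8 + name_len:]
    if padding.strip(b"\x00"):
        raise ValueError("non-zero bytes in the padding area")
    return name.decode("ascii")


def looks_decrypted(plain: bytes) -> bool:
    """Convenience check: True only when the record parses cleanly."""
    try:
        parse_name_record(plain)
    except (ValueError, UnicodeDecodeError):
        return False
    return True
```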

Fig. 11. IMG_4114 looks much better.

III. Results and Conclusions

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he was pursuing. Certainly, to an ordinary user the result of such an encryptor's work looks like a major disaster. The files will not open. All the names are gone. Instead of the usual wallpaper there is a wolf on the screen. You are made to read up on bitcoins.

In reality, this time the guise of a "terrifying encoder" hid an utterly absurd and clumsy extortion attempt, in which the attacker used ready-made programs and left the keys right at the scene of the crime.

Speaking of keys. We did not have the malicious script or Trojan that could help us understand how this happened. How the pass.key file ends up on the infected PC is still unknown. But, as I recall, the author mentioned the uniqueness of the password in his note. So the decryption code word is about as unique as the user name shadow wolf :)

And yet, shadow wolf, why and what for?

Source: www.habr.com
