Wulfric Ransomware - the ransomware that doesn't exist

Sometimes you just want to look another virus writer in the eye and ask: why, and what for? We can answer the question "how" ourselves, but it would be far more interesting to find out what this or that malware creator was thinking. Especially when we come across such "pearls".

The hero of today's article is an entertaining example of a crypto-ransomware. It was evidently conceived as just another "ransomware", but its technical implementation looks more like someone's cruel joke. That implementation is what we will talk about today.

Unfortunately, it is almost impossible to trace the life cycle of this encryptor: there are too few statistics on it because, fortunately, it never became widespread. So we will leave aside its origin, infection methods and other indicators. Let's just talk about our own encounter with Wulfric Ransomware and how we helped the user keep his files.

I. How it all began

People who have fallen victim to ransomware often contact our anti-virus laboratory. We provide help regardless of which antivirus products they have installed. This time we were contacted by a person whose files had been hit by an unknown encryptor.

Hello! Files on a file storage (samba4) were encrypted via a password-less login. I suspect the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). The daughter's computer has not been switched on since. The encrypted files are mainly .jpg and .cr2. File extension after encryption: .aef.

From the user we obtained samples of the encrypted files, the ransom note, and a file that was probably the key the ransomware author needed in order to decrypt the files.

Here is all our evidence:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's look at the note. How many bitcoins is it this time?

Translation:

Attention, your files have been encrypted!
The password is unique to your PC.

Pay 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After paying, send me an email with the pass.key file attached to [email protected] along with the payment notification.

After confirmation, I will send you a decryptor for the files.

You can buy bitcoins online in different ways:
buy.blockexplorer.com - payment by bank card
www.buybitcoinworldwide.com
localbitcoins.net

About Bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have questions, please write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

An intimidating wolf, meant to impress the seriousness of the situation on the victim. It could have been worse, though.

Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." Sounds genuine.

II. Let's begin

First, let's look at the structure of the sample we were sent. Oddly enough, it did not look like a file damaged by ransomware at all. Open a hex editor and take a look. The first 4 bytes contain the actual file size, and the next 60 bytes are filled with zeros. But the most interesting part is at the end:

Fig. 2. Analysis of the damaged file. What catches your eye right away?

Everything turned out to be annoyingly simple: the 0x40 bytes of the header have been moved to the end of the file. To recover the data, just move them back to the beginning. Access to the file is restored, but the name remains encrypted, and with the name things get considerably harder.
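Added here as an illustration of the relocated-header layout described above (example code, not the lab's own tooling): it rebuilds an affected file by moving the trailing 0x40 bytes back to the front and checks the recovered length against the size field. The exact layout (4-byte little-endian size, 60 zero bytes, the body, then the original first 0x40 bytes) is an assumption drawn from the description, and the sample input is constructed.

```python
import struct

HDR = 0x40  # size of the relocated header block, per the analysis


def restore_body(data: bytes) -> bytes:
    """Undo the header relocation described in the analysis.

    Assumed layout of an .aef file (assumption drawn from the description):
      [4-byte little-endian original size][60 zero bytes]
      [original bytes from offset 0x40 onward][original first 0x40 bytes]
    Returns the original file bytes; raises ValueError on a layout mismatch.
    """
    if len(data) < 2 * HDR:
        raise ValueError("too short to hold a pseudo-header and a moved header")
    orig_size = struct.unpack_from("<I", data, 0)[0]
    if any(data[4:HDR]):
        raise ValueError("pseudo-header padding is not all zeros")
    # Trailing 0x40 bytes go back to the front; the zero pseudo-header is dropped.
    restored = data[-HDR:] + data[HDR:-HDR]
    if len(restored) != orig_size:
        raise ValueError(f"size field says {orig_size}, rebuilt {len(restored)} bytes")
    return restored


def make_relocated(original: bytes) -> bytes:
    """Build a constructed sample in the assumed layout (for testing only)."""
    if len(original) < HDR:
        raise ValueError("original must be at least 0x40 bytes")
    pseudo_header = struct.pack("<I", len(original)) + b"\x00" * (HDR - 4)
    return pseudo_header + original[HDR:] + original[:HDR]


if __name__ == "__main__":
    # Constructed stand-in for a JPEG: SOI/APP0 marker bytes followed by filler.
    sample = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2
    damaged = make_relocated(sample)
    assert restore_body(damaged) == sample
    print("restored", len(sample), "bytes")
```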

Fig. 3. The encrypted name, in Base64, looks like a jumble of characters.

Let's try to make sense of pass.key, sent to us by the user. In it we see a 162-byte sequence of ASCII characters.

Fig. 4. The 162 characters left on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain period. This may point to XOR, which shows up as repetition with a period that depends on the key length. After splitting the string into 6-character chunks and XORing it with several candidate XOR sequences, we got no meaningful result.

Fig. 5. See the repeating constants in the middle?

We decided to google the constants, because yes, that is an option too! And they all eventually led to one algorithm - Batch Encryption. After reading the script, it became clear that our string is nothing more than the output of its work. It should be said that this is not an encryptor at all, but merely an encoder that replaces each character with a 6-byte sequence. No keys or other secrets for you :)

Fig. 6. A fragment of the original algorithm by the unknown author.

The algorithm would not have worked correctly if not for one detail:

Fig. 7. Morpheus approves.

By reversing the substitution, we turn the string from pass.key into 27 characters of text. The (most likely) human-readable word 'asmodat' deserves special attention.

Fig. 8. USGFDG=7.

Google helps us again. After a short search we find an interesting project on GitHub - Folder Locker, written in .NET and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to check the program for malware.

The utility is an encryptor for Windows 7 and above, distributed as open source. Encryption uses a password, which is then required for decryption. It can work both with individual files and with entire directories.

Its library uses the Rijndael algorithm in CBC mode for encryption. Notably, the block size is set to 256 bits, unlike what the AES standard accepts: there, the block size is fixed at 128 bits.

Our key is derived according to the PBKDF2 standard. In this case, the password is the SHA-256 of the string entered into the application. All that remains is to find that string in order to derive the decryption key.

Well, let's return to our already decoded pass.key. Remember that string with a set of digits and the text 'asmodat'? Let's try using the first 20 bytes of the string as the Folder Locker password.

Look, it works! The code word fit, and everything decrypted fine. If you look at the characters of the password, they are the HEX representation of some word in ASCII. Let's try to display the code word as text. We get 'shadowwolf'. Feeling the symptoms of lycanthropy yet?

Let's look again at the structure of the affected file, now that we know how the locker works:

  • 02 00 00 00 - name encryption mode;
  • 58 00 00 00 - length of the encrypted name, including base64;
  • 40 00 00 00 - size of the moved header.

The encrypted name itself and the moved header are highlighted in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the moved header in yellow.

Now let's compare the encrypted and decrypted names in hexadecimal representation.

Structure of the decrypted data:

  • 78 B9 B8 2E - junk generated by the utility (4 bytes);
  • 0C 00 00 00 - length of the hidden name (12 bytes);
  • then comes the actual file name, followed by zero padding up to the required block length.
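As an added example (not the lab's code) of the two decoded structures discussed on this page, the decrypted-name record above and the pass.key text from which the password was taken: it parses a length-prefixed, zero-padded name record and hex-decodes the first 20 characters of the decoded pass.key text. The sample record and the 27-character string are constructed to match the values described, and the full name 'IMG_4114.CR2' is an assumption (the page shows only 'IMG_4114' and a 12-byte length).

```python
import struct

BLOCK_SIZE = 32  # Rijndael with a 256-bit block, as used by the Folder Locker library


def parse_name_record(record: bytes) -> str:
    """Parse the decrypted name record: 4 junk bytes from the utility, a 4-byte
    little-endian name length, the original file name, then zero padding up to
    the cipher block size. Raises ValueError if the record is malformed."""
    if len(record) < 8 or len(record) % BLOCK_SIZE:
        raise ValueError("record is not a whole number of cipher blocks")
    name_len = struct.unpack_from("<I", record, 4)[0]
    if 8 + name_len > len(record):
        raise ValueError("length field exceeds the record")
    name = record[8:8 + name_len]
    if any(record[8 + name_len:]):
        raise ValueError("padding after the name is not zero")
    return name.decode("ascii")


def password_from_pass_key(decoded: str) -> str:
    """The first 20 characters of the decoded pass.key text are the hex
    encoding of a 10-character ASCII password."""
    return bytes.fromhex(decoded[:20]).decode("ascii")


# Constructed sample record: the junk bytes from Fig. 11, length 12, the
# (assumed) name, zero padding to one 32-byte block.
SAMPLE_RECORD = (
    b"\x78\xb9\xb8\x2e" + struct.pack("<I", 12) + b"IMG_4114.CR2"
).ljust(BLOCK_SIZE, b"\x00")

# Constructed 27-character stand-in for the decoded pass.key text:
# 20 hex digits followed by 'asmodat'.
SAMPLE_PASS_KEY_TEXT = "736861646f77776f6c66asmodat"

if __name__ == "__main__":
    print(parse_name_record(SAMPLE_RECORD))              # IMG_4114.CR2
    print(password_from_pass_key(SAMPLE_PASS_KEY_TEXT))  # shadowwolf
```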

Fig. 11. IMG_4114 looks much better.

III. Findings and conclusion

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he was pursuing. Of course, to an ordinary user the result of such an encryptor's work looks like a major disaster. The files don't open. All the names are gone. Instead of the usual picture, there is a wolf on the screen. You are forced to read up on bitcoins.

True, in this case the guise of a "terrible encoder" hid a senseless and clumsy attempt at extortion, in which the attacker used ready-made programs and left the keys right at the scene of the crime.

By the way, about the keys. We did not have the malicious script or Trojan that could help us understand how this happened: how the pass.key file ended up on the infected PC remains unknown. But, as I recall, in his note the author spoke of the uniqueness of the password. So the decryption code word is as unique as the username shadow wolf :)

And yet, shadow wolf: why, and what for?

Source: www.habr.com
