Beware: the “Black-Hearted” Ransomware Strikes Again (Part 2)

xiao1314wang
Published on 2018/11/21

5. Enumerate the relevant directories on the host and encrypt their contents, as shown below:

The directories enumerated are shown below:

The corresponding directory list:

%Desktop%
%Documents%  
%Music%
%History%
%Downloads%
%Pictures%
%Videos%
%Favorites%
%User Profile%
%Program Data%
%System Root%\Users

6. Enumerate the files under each directory, as shown below:

For each file, check whether its extension appears in the list of extensions to be encrypted, as shown below:

The list of file extensions the ransomware encrypts:

".exe",".der",".pfx",".key",".crt",".csr",".p12",".pem",".odt",".sxw",".stw",".3ds",".max",".3dm",".ods",".sxc",".stc",".dif",".slk",".wb2",".odp",".sxd",".std",".sxm",".sqlite3",".sqlitedb",".sql",".accdb",".mdb",".dbf",".odb",".mdf",".ldf",".cpp",".pas",".asm",".cmd",".bat",".vbs",".sch",".jsp",".php",".asp",".java",".jar",".class",".mp3",".wav",".swf",".fla",".wmv",".mpg",".vob",".mpeg",".asf",".avi",".mov",".mp4",".mkv",".flv",".wma",".mid",".m3u",".m4u",".svg",".psd",".tiff",".tif",".raw",".gif",".png",".bmp",".jpg",".jpeg",".iso",".backup",".zip",".rar",".tgz",".tar",".bak",".ARC",".vmdk",".vdi",".sldm",".sldx",".sti",".sxi",".dwg",".pdf",".wk1",".wks",".rtf",".csv",".txt",".msg",".pst",".ppsx",".ppsm",".pps",".pot",".pptm",".pptx",".ppt",".xltm",".xltx",".xlc",".xlm",".xlt",".xlw",".xlsb",".xlsm",".xlsx",".xls",".dotm",".dot",".docm",".docx",".doc",".ndf",".pdf",".ib",".ibk"

7. Encrypt the files with AES; the AES key KEY is the one that was earlier encrypted with the RSA-2048 public key. The encrypted file's extension is changed to mariacbc, as shown below:

The encryption routine uses AES in ECB mode, as shown below:

The encrypted files are shown below:

8. Enumerate and encrypt the files in the directories across the host's disks, as shown below:
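A defender-side triage script, added here as an illustration and not part of the original analysis or the malware's own code: it walks a directory tree (the user directories listed above would be the typical roots), reports files carrying the .mariacbc suffix and ransom notes named ReadME-M@r1a.txt, maps renamed files back to the targeted-extension list, and, because the analysis notes AES in ECB mode, flags ciphertext containing repeated 16-byte blocks, a pattern ECB leaks and CBC/CTR would not. The sample tree, the subset of extensions, and the assumption that the suffix is appended to the original file name are all constructed for the example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the analysis above.
RANSOM_NOTE = "ReadME-M@r1a.txt"
ENCRYPTED_SUFFIX = ".mariacbc"

# Subset of the targeted extension list quoted above (constructed for the example).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".vmdk", ".bak", ".txt"}


def duplicate_block_ratio(data: bytes, block_size: int = 16) -> float:
    """Fraction of full block_size-byte blocks that occur more than once.

    AES-ECB maps identical plaintext blocks to identical ciphertext blocks, so
    repetitive plaintext (zero padding, runs of spaces, table headers) shows up
    as repeated ciphertext blocks. CBC/CTR output looks uniformly random.
    """
    usable = len(data) - len(data) % block_size
    blocks = [data[i:i + block_size] for i in range(0, usable, block_size)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(blocks)


def classify(path: Path) -> Optional[str]:
    """Label a file by the indicators above; None when it is not of interest."""
    name = path.name
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        # Assumption: the suffix is appended to the original file name, so
        # stripping it recovers the original extension for the target check.
        original = Path(name[:-len(ENCRYPTED_SUFFIX)])
        if original.suffix.lower() in TARGET_EXTENSIONS:
            return "encrypted_target"
        return "encrypted_unknown"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root, collecting indicator hits as paths relative to root."""
    findings: Dict[str, List[str]] = {
        "ransom_note": [], "encrypted_target": [],
        "encrypted_unknown": [], "ecb_suspect": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            kind = classify(path)
            if kind is None:
                continue
            rel = path.relative_to(root).as_posix()
            findings[kind].append(rel)
            if kind.startswith("encrypted"):
                data = path.read_bytes()
                # Require a few blocks before drawing any conclusion from repeats.
                if len(data) >= 64 and duplicate_block_ratio(data) > 0.2:
                    findings["ecb_suspect"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree (not real malware output) so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="mariacbc_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    # Stand-in for ECB output of repetitive plaintext: one 16-byte block repeated.
    (docs / "budget.xlsx.mariacbc").write_bytes(
        bytes.fromhex("00112233445566778899aabbccddeeff") * 8)
    # Stand-in for CBC/CTR-like output: 16 distinct blocks, no repeats.
    (docs / "photo.jpg.mariacbc").write_bytes(bytes(range(256)))
    (docs / "notes.txt").write_text("untouched file")
    (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder")
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```

The repeated-block check is a heuristic, not proof of ECB: short files or truly random-looking plaintext will not repeat, and a 0.2 threshold over at least 64 bytes simply keeps tiny files from being flagged on a single coincidental repeat.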

9. Delete the disk volume shadow copies, as shown below:
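Shadow-copy deletion is one of the more reliable detection points in this chain, because an ordinary user has no reason to run it. The following added example (not from the original post) runs simple detection logic over constructed process-creation records. The exact command this sample uses is only in the screenshot and is not reproduced here, so the patterns matched are the shapes commonly used to delete shadow copies, offered as an assumption rather than this sample's confirmed command; the record format and sample events are constructed.

```python
import re
from typing import Dict, List

# Command-line shapes commonly used to delete volume shadow copies. Assumption:
# the post's screenshot of this sample's exact command is not reproduced, so
# these are general indicators rather than the command this sample runs.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# Parents from which an administrator would normally run these tools; anything
# else (a binary under a user-writable path, for instance) raises the severity.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe"}


def parse_process_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line matches a shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose CommandLine deletes shadow copies."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_process_event(line)
        cmd = ev.get("CommandLine", "")
        if not is_shadow_copy_deletion(cmd):
            continue
        parent = ev.get("ParentImage", "")
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        alerts.append({
            "time": ev.get("UtcTime", ""),
            "parent": parent,
            "cmd": cmd,
            "severity": "high" if parent_name not in EXPECTED_PARENTS else "medium",
        })
    return alerts


# Constructed sample records; the paths and timestamps are illustrative only.
SAMPLE_EVENTS = [
    "UtcTime=2018-11-21 09:12:01|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe /c dir",
    "UtcTime=2018-11-21 09:12:05|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Users\\Public\\sample.exe"
    "|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "UtcTime=2018-11-21 09:12:06|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows",
    "UtcTime=2018-11-21 09:12:07|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic shadowcopy delete",
]


if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['cmd']} (parent: {alert['parent']})")
```

Listing shadow copies is deliberately left unmatched, since backup tooling and administrators do that routinely; the severity split on the parent process is a first triage cue only, because ransomware frequently launches these tools through cmd.exe as well.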

10. Display the ransom dialog box, as shown below:

The corresponding ransom dialog:

11. Enumerate the host's disks and drop the ransom note text file ReadME-M@r1a.txt in the corresponding directories, as shown below:

III. Countermeasures

Users are reminded that prevention is the primary defence against ransomware: for most current ransomware, the encrypted files cannot be decrypted. Observe the following routine precautions:

1. Do not open e-mail attachments of unknown origin, and do not download software from untrusted websites.

2. Patch hosts promptly (including the EternalBlue patch) to close the corresponding high-risk vulnerabilities.

3. Back up important data files regularly to a location other than the local host.

4. Disable unnecessary file-sharing permissions and close unnecessary ports, such as 445, 135, 139 and 3389.

5. Use strong passwords for RDP and other remote-server connections; never use weak ones.

6. Install professional endpoint security software to provide endpoint protection and virus detection and removal for the host.
