.amnesia ransomware analysis report
Background:
The Amnesia ransomware first appeared in mid-2017, but Emsisoft soon released a decryption tool for it. This year Amnesia has reappeared in a second version with an improved encryption scheme.
Execution flow:
The ransomware searches every file on the computer. For each entry it encounters, it checks whether the entry is a file and, if so, jumps to the file-processing routine.
When it finds a folder, the ransomware checks whether the folder is one of the following and skips any that match:
Microsoft\Exchange Server\
Microsoft SQL Server\
Firebird\
MSSQL.1\
Microsoft SQL Server Compact Edition\
Adobe\
Oracle\
ALLUSERSPROFILE
APPDATA
ProgramData
ProgramFiles
ProgramFiles(x86)
WINDIR
It then checks the corresponding system paths and skips any that are critical system paths (entries beginning with a colon are paths directly under a drive root):
:\$RECYCLE.BIN\
\All Users\
\AppData\
\Application Data\
:\Program Files (x86)\
:\Program Files\
:\System Volume Information\
:\Windows\
:\intel\
:\nvidia\
When a folder passes these checks, the search continues inside that folder.
When it begins encrypting a file, the ransomware first checks whether the last bytes of the file name are .animes; if they are, the file is skipped.
It then checks whether the file name is HOW TO RECOVER ENCRYPTED FILES.txt; if it is, the file is skipped:
The ransomware encrypts files with the following extensions:
.$efs .000 .001 .1 .101 .103 .108 .110 .123 .128 .1cd .1sp .1st .3 .3d .3d4 .3dd .3df .3df8 .3dm .3dr .3ds .3dxml .3fr .3g2 .3ga .3gp .3gp2 .3mm .3pr .3w .4w7 .602 .7z .7zip .8 .89t .89y .8ba .8bc .8be .8bf .8bi8 .8bl .8bs .8bx .8by .8li .8svx .8xt .9xt .9xy .a$v .a2c .aa .aa3 .aac .aaf .aah .aaui .ab4 .ab65 .abc .abk .abt .abw .ac2 .ac3 .ac5 .acc .accdb .accde .accdr .accdt .ace .acf .ach .acp .acr .acrobatsecuritysettings .acrodata .acroplugin .acrypt .act .ad .ada .adb .adc .add .ade .adi .adoc .ados .adox .adp .adpb .adr .ads .adt .aea .aec .aep .aepx .aes .aet .afdesign .afm .afp .agd1 .agdl .age3rec .age3sav .age3scn .age3xrec .age3xsav .age3xscn .age3yrec .age3ysav .age3yscn .ahf .ai .aif .aiff .aim .aip .ais .ait .ak .al .al8 .ala .alb3 .alb4 .alb5 .alb6 .ald .ali .allet .alt3 .alt5 .amf .aml .amr .amt .amu .amx .amxx .anl .ann .ans .ansr .anx .aoi .ap .apa .apd .ape .apf .api .apj .apk .apnx .apo .app .approj .apr .apt .apw .apxl .arc .arch00 .arff .ari .arj .aro .arr .ars .arw .as .as$ .as3 .asa .asc .ascm .ascx .asd .ase .asf .ashx .ask .asl .asm .asmx .asn .asnd .asp .aspx .asr .asset .ast .asv .asvx .asx .ath .atl .atomsvc .atw .automaticdestinations-ms .aux .av .avi .avn .avs .awd .awe .awg .awp .aws .awt .aww .awwp .ax .azf .azs .azw .azw1 .azw3 .azw4 .b .b27 .b2a .back .backup .backupdb .bad .bak .bak~ .bamboopaper .bank .bar .bau .bax .bay .bbcd .bbl .bbprojectd .bbs .bbxt .bc5 .bc6 .bc7 .bcd .bck .bcp .bdb .bdb2 .bdp .bdr .bdt2 .bdt3 .bean .bfa .bgt .bgv .bi8 .bib .bibtex .bic .big .bik .bil .bin .bina .bizdocument .bjl .bk .bk! 
.bk1 .bk2 .bk3 .bk4 .bk5 .bk6 .bk7 .bk8 .bk9 .bkf .bkg .bkp .bks .bkup .bld .blend .blend2 .blg .blk .blm .blob .blp .bmc .bmf .bmk .bml .bmm .bmml .bmp .bmpr .bna .boc .book .bop .bp1 .bp2 .bp3 .bpf .bpk .bpl .bpm .bpmc .bps .bpw .brd .breaking_bad .brh .brl .brs .brx .bsa .bsk .bso .bsp .bst .btd .btf .btoa .btx .burn .burntheme .bvd .bwd .bwf .bwp .bxx .bzabw .c .c2e .c6 .cadoc .cae .cag .calca .cam .camproj .cap .capt .car .caro .cas .cat .catproduct .cawr .cbf .cbor .cbr .cbz .cc .ccc .ccd .ccf .cch .ccitt .cd .cd1 .cd2 .cdc .cdd .cddz .cdf .cdi .cdk .cdl .cdm .cdml .cdmm .cdmz .cdpz .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cds .cdt .cdtx .cdx .cdxml .ce1 .ce2 .cef .cer .cert .cf5 .cfd .cfg .cfp .cfr .cgf .cgfiletypetest .cgi .cgm .cgp .chi .chk .chm .chml .chmprj .chp .chpscrap .cht .chtml .cib .cida .cif .cipo .civ4worldbuildersave .civbeyondswordsave .cl2arc .cl2doc .clam .clarify .class .clb .clkd .clkt .clp .clr .cls .clx .cmf .cml .cmp .cms .cmt .cmu .cnf .cng .cnt .cnv .cod .col .comicdoc .comiclife .compositionmodel .compositiontemplate .con .conf .config .contact .converterx .cp .cpc .cpd .cpdt .cphd .cpi .cpio .cpp .cpy .cr2 .crashed .craw .crb .crd .creole .cri .crjoker .crs .crs3 .crt .crtr .crw .crwl .crypt .crypted .cryptowall .cryptra .cs .cs8 .csa .cse .csh .csi .csl .cso .csp .csr .css .cst .csv .ctbl .ctd .cte .ctf .ctl .ctt .ctxt .cty .cue .current .cvj .cvl .cvw .cw3 .cwf .cwk .cwn .cwr .cws .cwwp .cyi .cys .d .d3dbsp .dac .dadx .dag .dal .dap .das .dash .dat .database .datx .dayzprofile .dazip .db .db_journal .db0 .db3 .dba .dbb .dbc .dbf .dbfv .db-journal .dbk .dbr .dbs .dbx .dc2 .dc4 .dca .dcd .dcf .dch .dco .dcp .dcr .dcs .dct5 .dcu .ddc .ddcx .ddd .ddif .ddoc .ddrw .dds .deb .debian .dec .ded .default .del .dem .der .des .desc .description .design .desklink .det .deu .dev .dex .dfe .dfl .dfm .dft .dfti .dgc .dgm .dgpd .dgr .dgrh .dgs .dhe .dic .did .dif .dii .dim .dime .dip .dir .directory .disc .disco .disk .dit .divx .diz .djbz .djv .djvu 
.dk@p .dlc .dlg .dmbk .dmg .dmp .dmtemplate .dmv .dna .dng .dnl .dob .doc .doc# .docb .doce .docenx .dochtml .docl .docm .docmhtml .docs .docset .docstates .doct .documentrevisions-v100 .docx .docxl .docxml .dok .dot .dothtml .dotm .dotmenx .dotx .dotxenx .dox .doxy .doz .dp .dpd .dpi .dpk .dpl .dpr .drd .dream .drf .drm .drmx .drmz .drw .dsc .dsd .dsdic .dsf .dsg .dsk .dsl .dsn .dsp .dsy .dtd .dtm .dtml .dtp .dtx .dump .dvb .dvd .dvi .dvs .dvx .dvz .dwd .dwdoc .dwf .dwfx .dwg .dwlibrary .dwp .dwt .dxb .dxd .dxe .dxf .dxg .dxn .dxr .dxstudio .dzp .e3s .e4a .easmx .ebk .ebs .ec4 .ecc .ecr .edb .edd .edf .edl .edml .edn .edoc .edrwx .edt .edz .efa .efax .eff .efl .efm .efr .eftx .efu .efx .egr .egt .ehp .eif .eip .ekm .el6 .eld .elf .elfo .eln .emc .emf .eml .emlxpart .emm .enc .enciphered .encrypted .enfpack .ent .enx .enyd .eob .eot .ep .epdf .epf .epk .eprtx .eps .epsf .ept .epub .eql .erbsql .erd .ere .erf .err .es .es3 .esc .esd .esf .esm .esp .ess .esv .et .ete .etng .etnt .ets .etx .euc .evo .evy .ewl .ex .exc .exd .exf .exif .exprwdhtml .exprwdxml .exx .ez .ezc .ezm .ezs .ezz .f4v .f90 .f96 .fac .fadein .fae .faq .fax .fbd .fbp6 .fbs .fcd .fcf .fcstd .fd .fdb .fdf .fdoc .fdr .fds .fdseq .fdw .fdx .fed .feed-ms .feedsdb-ms .ff .ffa .ffd .ffdata .fff .ffl .ffo .fft .ffx .fh .fhd .fig .fin .fl .fla .flac .flag .flat .flf .flib .flka .flkb .flm .flp .fls .flt .fltr .flv .flvv .fly .fm .fm3 .fmc .fmd .fmf .fml .fmp .fmp3 .fnf .fo .fodg .fodp .fods .fodt .folio .for .forge .fos .fountain .fp .fpage .fpdoclib .fpenc .fphomeop .fpk .fplinkbar .fpp .fpt .fpx .fra .frag .frdat .frdoc .freepp .frelf .frm .fs .fsc .fsd .fsf .fsh .fsp .fss .ft10 .ft11 .ft7 .ft8 .ft9 .ftil .ftr .fwk .fwtemplate .fxd .fxg .fxo .fxr .fzh .fzip .ga3 .gam .gan .gcsx .gct .gdb .gdc .gdoc .ged .gev .gevl .gfe .gform .gfx .ggb .ghe .gho .gif .gil .giw .glink .glk .glo .glos .gly .gml .gmp .gnd .gno .gofin .gp4 .gpd .gpf .gpg .gpn .gpx .gpz .gra .grade .gray .grey .grf .grk .grle .groups .gry .gs 
.gsa .gsf .gsheet .gslides .gsm .gthr .gui .gul .gvi .gxk .gxl .gz .gzig .gzip .h .h1q .h1s .h1w .h2o .h3m .h4r .haml .hbk .hbl .hbx .hcl .hcw .hda .hdd .hdl .hdt .hdx .hed .help .helpindex .hex .hfd .hft .hhs .hkdb .hkx .hlf .hlp .hlx .hlx2 .hlz .hm2 .hmskin .hnd .hoi4 .hot .hp2 .hpd .hpj .hplg .hpo .hpp .hps .hpt .hpw .hqx .hrx .hs .hsm .hsx .hta .htm .htm~ .html .htmls .htmlz .htms .htpasswd .htz5 .hvpl .hw3 .hwp .hwpml .hwt .hxe .hxi .hxq .hxr .hxs .hyp .hype .iab .iaf .ial .ibank .ibcd .ibd .ibk .ibz .icalevent .icaltodo .icc .icml .icmt .ico .ics .icst .icxs .idap .idc .idd .idl .idml .idp .idx .ie5 .ie6 .ie7 .ie8 .ie9 .iff .ifp .ign .igr .ihf .ihp .iif .iiq .iks .ila .ildoc .img .imp .imr .incp .incpas .ind .indb .indd .indl .indp .indt .inf .info .ink .inld .inlk .inp .inprogress .inrs .inss .installhelper .insx .internetconnect .inx .ioca .iof .ipa .ipf .ipr .ish1 .ish2 .ish3 .iso .ispx .isu .isz .itdb .ite .itl .itm .itmz .itp .its .ivt .iw44 .iwa .iwd .iwi .iwprj .iwtpl .ix .ixv .jac .jar .jav .java .jb2 .jbc .jbig .jbig2 .jc .jdd .jfif .jge .jgz .jhd .jiaf .jias .jif .jiff .jnt .joe .jp1 .jpc .jpe .jpeg .jpf .jpg .jpgx .jpm .jpw .jrf .jrl .jrprint .js .jsd .json .jsp .jspa .jspx .jtd .jtdc .jtt .jtx .just .jw .jwl .jww .k25 .kbd .kbf .kc2 .kdb .kdbx .kdc .kde .kdf .kes .key .keynote .key-tef .kf .kfm .kfp .kid .klq .klw .kmz .knt .kos .kpdx .kpr .ksd .ksp .kss .ksw .kuip .kwd .kwm .kwp .laccdb .lastlogin .lat .latex .lax .lay .lay6 .layout .lbf .lbi .lbl .lcd .lcf .lcn .ldb .ldf .lfe .lgp .lhd .lib .lit .litemod .ll3 .llv .lmd .lngttarch2 .lnk .localstorage .log .logonxp .lok .lot .lp .lp2 .lp7 .lpa .lpc .lpd .lpdf .lpx .lrf .ls5 .lst .ltcx .ltm .ltr .ltx .lua .lvd .lvivt .lvl .lvw .lwd .lwo .lwp .lyx .m .m13 .m14 .m2 .m2ts .m3u .m3u8 .m4a .m4p .m4u .m4v .m7p .maca .mag .maker .maml .man .manu .map .mapimail .marc .markdn .mars .mass .max .maxfr .maxm .mbbk .mbox .mbx .mc9 .mcd .mcdx .mcf .mcgame .mcmac .mcmeta .mcrp .mcw .md .md0 .md1 .md2 .md3 .md5 
.mdb .mdbackup .mdbhtml .mdc .mdccache .mddata .mdf .mdg .mdi .mdk .mdl .mdn .mds .mecontact .med .mef .meh .mell .mellel .menu .meo .met .metadata_never_index .mf .mfa .mfp .mfw .mga .mgmt .mgourmet .mgourmet3 .mhp .mht .mhtenx .mhtmlenx .mi .mic .mid .mif .mim .mime .mindnode .mip .mission .mix .mjd .mjdoc .mke .mkv .mla .mlb .mlj .mlm .mls .mlsxml .mlx .mm .mm6 .mm7 .mm8 .mmap .mmc .mmd .mme .mmjs .mml .mmo .mmsw .mmw .mny .mo .mobi .mod .moneywell .mos .mov .movie .moz .mp1 .mp2 .mp3 .mp4 .mp4v .mpa .mpe .mpeg .mpf .mpg .mph .mpj .mpq .mpqge .mpr .mpt .mpv .mpv2 .mrd .mru .mrw .mrwref .ms .msd .mse .msg .mshc .msi .msie .msl .mso .msor .msp .msq .ms-tnef .msw .mswd .mtdd .mtml .mto .mtp .mts .mtx .mug .mui .mvd .mvdx .mvex .mwd .mwii .mwpd .mwpp .mws .mxd .mxg .mxp .myd .mydocs .myi .mz .n3 .narrative .nav .navmap .nb .nbak .nbf .nbp .ncd .ncf .nd .ndd .ndf .ndl .ndr .nds .ne1 .ne3 .nef .nfo .nfs11save .ng .njx .nk2 .nmbtemplate .nmu .nokogiri .nop .note .now .npd .npdf .npp .npt .nrbak .nrg .nri .nrl .nrmlib .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nst .ntf .ntl .ntp .nts .number .numbers .nvd .nvdl .nvram .nwb .nwbak .nwcab .nwcp .nx^d .nx__ .nx1 .nx2 .nxl .nyf .oa2 .oa3 .oab .oad .oas .obd .obj .obr .obt .obx .obz .ocdc .ocs .oda .odb .odc .odccubefile .odf .odg .odh .odi .odif .odm .odo .odp .ods .odt .odt# .odttf .odz .officeui .ofn .oft .oga .ogc .ogg .oil .ojz .okm .ole .ole2 .olf .olv .oly .omlog .omp .onb .one .oos .oot .opd .opf .opj .oplx .opn .opt .opx .opxs .orf .ort .osd .osdx .ost .otc .otf .otg .oth .oti .otn .otp .ots .ott .otw .out .ovd .owl .oxps .oxt .p10 .p12 .p2s .p3x .p65 .p7b .p7c .p7z .pab .pack .pad .pages .pages-tef .pak .paq .pas .pat .paux .pbd .pbf .pbk .pbp .pbr .pbs .pbx5script .pbxscript .pcd .pcf .pcj .pct .pcv .pcw .pd .pdb .pdc .pdcr .pdd .pdf .pdf_ .pdf_profile .pdf_tsid .pdfa .pdfe .pdfenx .pdfl .pdfua .pdfvt .pdfx .pdfxml .pdfz .pdg .pdp .pdz .peb .pef .pem .pez .pf .pfc .pfd .pfl .pfm .pfsx .pft .pfx .pg .pgs .php .phr 
.phs .pih .pixexp .pj2 .pj4 .pj5 .pk .pkb .pkey .pkg .pkh .pkpass .pl .plan .plb .plc .pld .pli .pln .plus_muhd .pm .pm3 .pm4 .pm5 .pm6 .pm7 .pmd .pmt .pmv .pmx .png .pnu .po .pod .pool .pot .pothtml .potm .potx .pp3 .ppam .ppd .ppdf .ppf .ppj .ppp .pps .ppsenx .ppsm .ppsx .ppt .ppte .ppthtml .pptl .pptm .pptmhtml .pptt .pptx .ppws .ppx .prc .prd .pref .prel .prf .prj .prn .pro .pro4 .pro4dvd .pro5 .pro5dvd .pro5plx .pro5x .proofingtool .props .proqc .prproj .prr .prs .prt .prtc .prv .ps .ps2 .ps3 .psa .psafe3 .psb .psd .pse8db .psf .psg .psi2 .psip .psk .psm .psmd .pspimage .pst .psw .psw6 .pswx .psz .pt3 .pt6 .ptc .ptf .pth .ptk .ptn .ptn2 .pts .ptx .pub .pubf .pubhtml .pubmhtml .pubx .puz .pvd .pve .pvf .pw .pwd .pwe .pwf .pwi .pwm .pwp .pwre .pxd .pxl .pxp .py .pys .pzc .pzf .pzt .qba .qbb .qbl .qbm .qbr .qbw .qbx .qby .qch .qcow .qcow2 .qct .qdf .qed .qel .qfl .qfxx .qhp .qht .qhtm .qic .qif .qlgenerator .qpx .qrt .qt .qtq .qtr .qtw .quox .qvw .qwd .qwt .qxb .qxd .qxl .qxp .qxt .r00 .r01 .r02 .r03 .r0f .r0z .r3d .ra .ra2 .raf .ram .ramd .rap .rar .rat .raw .razy .rb .rbc .rcb .rd .rd1 .rdb .rdf .rdfs .rdi .rdo .rdoc .rdoc_options .rdz .re4 .rec .rels .res .resbuild .rest .result .rev .rf .rf1 .rft .rgn .rgo .rgss3a .rha .rhif .rim .rit .rlf .rll .rm .rm5 .rmd .rmf .rmh .rna .rng .rnt .rnw .ro3 .rofl .roi .ros .rov .row .rox .rpf .rpt .rptr .rrd .rrpa .rrt .rrx .rs .rsdf .rsdoc .rsm .rsp .rsrc .rst .rsw .rt .rt_ .rtdf .rte .rtf .rtf_ .rtfd .rtk .rtpi .rts .rtsl .rtsx .rtx .rum .run .rv .rvf .rvt .rw2 .rwl .rwlibrary .rwz .rxdoc .rzk .rzx .s3db .s8bn .sa5 .sa7 .sa8 .saas .sad .saf .safe .safetext .sam .sas7bdat .sav .save .say .sb .sbn .sbo .sbpf .sbsc .sbst .sc2save .scd .scdoc .sce .sch .scm .scmt .scn .scr .scriv .scrivx .scs .scspack .scssc .sct .scw .scx .sd .sd0 .sd1 .sda .sdb .sdc .sdd .sddraft .sdf .sdi .sdl .sdmdocument .sdn .sdo .sdoc .sdp .sdr .sds .sdt .sdv .sdw .search-ms .secure .sef .sel .sen .seq .sequ .server .ses .set .setup .sev .sff .sfs .sfx 
.sgf .sgi .sgl .sgm .sgml .sgz .sh .sh6 .shar .shb .show .shr .shs .shtml .shw .shy .sic .sid .sidd .sidn .sie .sik .sis .sky .sla .sldm .sldx .slf .slk .slm .slt .slz .sm .smd .sme .smf .smh .smlx .smn .smp .sms .smwt .smx .smz .snb .snf .sng .snk .snp .snt .snx .so .soi .spb .spd .spdf .spk .spl .spm .spml .sppt .spr .sprt .sprz .sql .sqlite .sqlite3 .sqlitedb .sqllite .sqx .sr2 .src .srf .srfl .srs .srt .srw .ssa .ssh .ssi .ssiw .ssm .ssx .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stm .stp .stpz .struct .stt .stw .stx .stxt .sty .sud .suf .sum .surf .svd .svdl .svg .svi .svm .svn .svp .svr .svs .swd .swdoc .sweb .swf .switch .swp .sxc .sxd .sxe .sxg .sxi .sxl .sxm .sxml .sxw .syn .syncdb .t .t01 .t03 .t05 .t10 .t12 .t13 .t14 .t2 .t2k .t2t .t4g .t80 .ta1 .ta2 .ta9 .tabula-doc .tabula-docstyle .tah .tar .tax .tax2009 .tax2013 .tax2014 .tb .tbb .tbd .tbk .tbkx .tbz2 .tcd .tch .tck .tcx .tdg .tdl .tdoc .tdr .te1 .template .tex .texi .texinfo .text .textclipping .textile .tfd .tfm .tfr .tfrd .tg .tga .tgz .thm .thml .thmx .thr .tib .tif .tiff .tjp .tk3 .tlb .tld .tlg .tlt .tlx .tlz .tm .tm3 .tmb .tmd .tml .tmlanguage .tmv .tmz .tns .tnsp .toast .toc .topx .tor .torrent .totalslayout .tp .tpl .tpo .tpsdb .tpu .tpx .trashinfo .trif .trp .ts .tsc .tt11 .tt2 .ttax .ttxt .tu .tur .tvd .twdi .twdx .tww .tx .txd .txe .txf .txm .txn .txt .txtrpt .u3d .uax .ubz .ucd .udb .udf .udl .uea .uhtml .ukr .ulf .uli .ulys .ump .umx .unity3d .unr .unx .uof .uop .uos .uot .updf .upk .upoi .upp .urd-journal .urf .url .urp .usa .usx .ut2 .ut3 .utc .utd .ute .utf8 .uti .utm .uts .utx .uu .uud .uue .uvx .uxx .v .v2t .val .vault .vbadoc .vbd .vbk .vbox .vbs .vc .vcal .vcd .vce .vcf .vdf .vdi .vdo .vdoc .vdt .ver .vf .vfs0 .vhd .vhdx .view .viz .vlc .vlt .vmbx .vmdk .vmf .vmg .vmm .vmsd .vmt .vmx .vmxf .vob .voprefs .vor .vp .vpk .vpl .vpp_pc .vs .vsd .vsdx .vsf .vsi .vspolicy .vst .vstx .vtf .vthought .vtv .vtx .vw .vw3 .w .w2p .w3g .w3x .w51 .w52 .w60 .w61 .w6bn .w6w .w8bn .w8tn .wab .wad 
.waff .wallet .war .wav .wave .waw .wb .wb2 .wb3 .wbk .wbt .wbxml .wbz .wcf .wcl .wcn .wcp .wcst .wd0 .wd1 .wd2 .wdbn .wdgt .wdl .wdn .wdoc .wdx9 .web .webdoc .webpart .wep .wflx .wht .wiz .wk! .wk1 .wk3 .wk4 .wkb .wki .wkl .wks .wlb .wld .wll .wls .wlxml .wm .wma .wmd .wmdb .wmf .wmga .wmk .wml .wmlc .wmmp .wmo .wms .wmv .wmx .wn .wolf .word .wordlist .wotreplay .wow .wp .wp42 .wp5 .wp50 .wp6 .wp7 .wpa .wpc2 .wpd .wpd0 .wpd1 .wpd2 .wpd3 .wpe .wpf .wpk .wpl .wpost .wps .wpt .wpw .wr1 .wrf .wri .wrlk .ws .ws1 .ws2 .ws3 .ws4 .ws5 .ws6 .ws7 .wsd .wsf .wsh .wsp .wtbn .wtd .wtf .wtmp .wtp .wts .wtt .wtx .wvw .wvx .wwcx .wwi .wwl .wws .wwt .wxmx .wxp .wyn .wzn .wzs .x11 .x16 .x3f .x3g .xamlx .xar .xav .xbd .xbrl .xci .xda .xdc .xdf .xdo .xdoc .xdw .xf .xfd .xfdf .xfi .xfl .xfn .xfo .xfp .xfx .xgml .xht .xhtm .xhtml .xif .xig .xis .xjf .xl .xla .xlam .xlb .xlc .xle .xlf .xline .xlist .xlk .xll .xlm .xlnk .xlr .xls .xlsb .xlse .xlshtml .xlsl .xlsm .xlst .xlsx .xlsxl .xlt .xlthtml .xltm .xltx .xlv .xlw .xlwx .xma .xmdf .xml .xmmap .xmn .xmp .xms .xmt_bin .xmta .xpd .xpi .xpm .xps .xpse .xpt .xpwe .xqm .xqr .xqx .xrdml .xsc .xsd .xsig .xsl .xslt .xtbl .xtd .xtg .xtml .xtps .xtrl .xv0 .xv2 .xv3 .xvg .xvid .xvl .xwd .xweb3htm .xweb3html .xweb4stm .xweb4xml .xwf .xwp .xxe .xxx .xy .xy3 .xy4v .xyd .yab .ycbcra .yenc .yml .ync .yps .yuv .z02 .z04 .zap .zip .zipx .zoo .zps .ztmp
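The file-selection logic described above (the folder skip list, the root-relative system-path skip list, the .animes suffix check, the ransom-note name check and the extension list) is what decides which files on a host end up encrypted, so it is also what an incident responder needs in order to estimate the blast radius from a file listing. The following script is an added example of my own, not code from the report or from 360. It applies those checks in the order the report gives them to plain Windows path strings. Assumptions, marked in the code: the environment-variable entries of the first list (ALLUSERSPROFILE, APPDATA, ProgramData, ProgramFiles, ProgramFiles(x86), WINDIR) are resolved to the default locations of a stock Windows installation on drive C:, and only a small subset of the report's extension list is embedded; the sample file listing is constructed.

```python
"""Added triage helper (not code from the report or from 360): given a Windows
path, decide whether the Amnesia file-selection logic described in the report
would have encrypted it, and why. Paths are handled as plain strings so the
script runs on any analysis workstation, not only on Windows."""

# Folder fragments from the report's first skip list (matched anywhere in the path).
SKIPPED_FOLDER_FRAGMENTS = [
    "Microsoft\\Exchange Server\\",
    "Microsoft SQL Server\\",
    "Firebird\\",
    "MSSQL.1\\",
    "Microsoft SQL Server Compact Edition\\",
    "Adobe\\",
    "Oracle\\",
]
# The report lists these by environment-variable name (ALLUSERSPROFILE, APPDATA,
# ProgramData, ProgramFiles, ProgramFiles(x86), WINDIR). ASSUMPTION: the default
# values of a stock Windows installation on drive C:; the per-user APPDATA
# location is already covered by the "\AppData\" rule below.
SKIPPED_ENV_DIRS = [
    "C:\\ProgramData\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\",
]
# Second skip list from the report: entries starting with ':' are anchored at a
# drive root ("X:\..."), the others may appear anywhere in the path.
SKIPPED_SYSTEM_PATHS = [
    ":\\$RECYCLE.BIN\\", "\\All Users\\", "\\AppData\\", "\\Application Data\\",
    ":\\Program Files (x86)\\", ":\\Program Files\\", ":\\System Volume Information\\",
    ":\\Windows\\", ":\\intel\\", ":\\nvidia\\",
]
RANSOM_NOTE = "HOW TO RECOVER ENCRYPTED FILES.txt"
ENCRYPTED_SUFFIX = ".animes"
# Small subset of the report's extension list, enough to exercise the logic;
# paste the full list from the report here for a real assessment.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".zip", ".mdf",
    ".sql", ".bak", ".txt", ".vmdk", ".pst", ".kdbx", ".json",
}


def classify(path, target_exts=TARGET_EXTENSIONS):
    """Return (in_scope, reason), applying the checks in the report's order."""
    p = path.replace("/", "\\")
    lower = p.lower()
    for frag in SKIPPED_FOLDER_FRAGMENTS + SKIPPED_ENV_DIRS:
        if frag.lower() in lower:
            return False, "folder skipped: " + frag
    for entry in SKIPPED_SYSTEM_PATHS:
        e = entry.lower()
        if e.startswith(":"):
            matched = len(lower) > 1 and lower[1:].startswith(e)  # "X:\..." form
        else:
            matched = e in lower
        if matched:
            return False, "system path skipped: " + entry
    name = p.rsplit("\\", 1)[-1]
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return False, "already carries the " + ENCRYPTED_SUFFIX + " suffix"
    if name == RANSOM_NOTE:
        return False, "ransom note"
    ext = ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""
    if ext in target_exts:
        return True, "targeted extension " + ext
    return False, "extension " + (ext or "(none)") + " not targeted"


def scope_summary(paths, target_exts=TARGET_EXTENSIONS):
    """Count how many of the listed files would have been encrypted."""
    hits = [p for p in paths if classify(p, target_exts)[0]]
    return {"total": len(paths), "in_scope": len(hits), "files": hits}


# Constructed sample listing, as an analyst might export it from a host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docx.animes",
    r"C:\Users\alice\Documents\HOW TO RECOVER ENCRYPTED FILES.txt",
    r"C:\Users\alice\AppData\Roaming\app\settings.json",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Tool\tool.exe",
    r"D:\Shares\Microsoft SQL Server\MSSQL\DATA\crm.mdf",
    r"D:\Shares\backups\crm.bak",
    r"D:\Shares\notes.zzz",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        hit, why = classify(path)
        print(("ENCRYPTED  " if hit else "untouched  ") + path + "  (" + why + ")")
    print(scope_summary(SAMPLE_LISTING))
```

Two things the run makes visible: a database file under a skipped folder name (Microsoft SQL Server\) survives even though .mdf is on the extension list, because the folder check runs first; and a file that already ends in .animes is left alone, which is the guard that keeps the ransomware from encrypting its own output twice.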
Once file encryption begins, the ransomware first saves the file's modification time and sets the file's attributes:
After opening the file it checks the file length: if it is larger than 0x80000 bytes, only the first 0x80000 bytes are encrypted; if it is smaller, the whole file is encrypted:
It then generates two random values of 0x20 and 0x10 bytes, used as the AES key and the IV respectively:
It reads the file and encrypts the content (the data read is prefixed with a 4-byte length):
The encrypted content is written back to the file (prefixed with its length):
The size of the encrypted block is written:
The value 1 is written (purpose unknown):
The AES key and IV are concatenated, encrypted with ECC, and the result is written to the file:
The file name is retrieved, a new key is derived from the ECC encryption result and used to encrypt the file name, the encrypted name is appended to the file name, and the file is renamed:
The original timestamps and attributes are restored:
Layout of a file after encryption:
The ransomware also drops a file named HOW TO RECOVER ENCRYPTED FILES.txt in every folder that contains encrypted files, with the following contents:
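The 0x80000 limit above has a direct recovery consequence: a file larger than 0x80000 bytes loses only its first 0x80000 bytes to AES, and everything after that is left as it was. The following added script (my own example, not code from the report or from 360) confirms that pattern on a file image by measuring Shannon entropy over fixed windows, and estimates how many bytes past the encrypted head are still readable. Assumptions, marked in the code: a 64 KiB analysis window and a 7.0 bits/byte threshold between ciphertext and plaintext, and a little-endian encoding for the 4-byte length field the report mentions (the report does not state its encoding). The sample image is constructed from random bytes and repeated text, not a real victim file.

```python
"""Added forensic helper (my own example, not code from the report or 360).
Per the report, Amnesia encrypts only the first 0x80000 bytes of a file that is
larger than that, so the remainder of a large file is untouched. This script
scores Shannon entropy in fixed windows across a file image to confirm that
pattern and to estimate how many bytes are still readable."""
import math
import os
from collections import Counter

ENCRYPTED_HEAD = 0x80000     # size of the encrypted prefix stated in the report
WINDOW = 0x10000             # ASSUMPTION: 64 KiB analysis window, tunable
CIPHERTEXT_THRESHOLD = 7.0   # ASSUMPTION: bits/byte; AES output scores ~8.0, text far lower


def shannon_entropy(data):
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob, window=WINDOW):
    """List of (offset, entropy) for each window of the file image."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]


def first_plaintext_offset(blob, window=WINDOW, threshold=CIPHERTEXT_THRESHOLD):
    """Offset of the first window that does not look like ciphertext, or None.
    Whole windows are scored, so the few bytes of shift introduced by the
    length fields the report describes do not affect the result."""
    for off, h in entropy_profile(blob, window):
        if h < threshold:
            return off
    return None


def assess(blob):
    """Summarise whether the image matches the partial-encryption pattern."""
    size = len(blob)
    head_h = shannon_entropy(blob[:min(size, ENCRYPTED_HEAD)])
    pt = first_plaintext_offset(blob)
    return {
        "size": size,
        "head_entropy": round(head_h, 2),
        "head_looks_encrypted": head_h >= CIPHERTEXT_THRESHOLD,
        "first_plaintext_offset": pt,
        "recoverable_bytes": 0 if pt is None else size - pt,
    }


def build_sample(text_bytes=0x40000):
    """Constructed image of a large encrypted file as the report describes it:
    a 4-byte length field (ASSUMPTION: little-endian), 0x80000 bytes of random
    data standing in for AES output, then the original low-entropy tail."""
    header = ENCRYPTED_HEAD.to_bytes(4, "little")
    line = b"Quarterly sales, region north, 2017-06: 12345.67 units\r\n"
    tail = (line * (text_bytes // len(line) + 1))[:text_bytes]
    return header + os.urandom(ENCRYPTED_HEAD) + tail


if __name__ == "__main__":
    sample = build_sample()
    for off, h in entropy_profile(sample):
        print(f"{off:#010x}  {h:5.2f} bits/byte")
    print(assess(sample))
```

On the constructed image the profile shows eight windows near 8.0 bits/byte followed by a sharp drop at offset 0x80000, which is exactly the boundary the report describes; the bytes from that offset onward are candidates for carving or direct reading (for example, the trailing part of a large database, archive or video file), even though the file as a whole cannot be opened.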
Your files are now encrypted!
—–BEGIN PERSONAL IDENTIFIER—–
%your personal ID%
—–END PERSONAL IDENTIFIER—–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: bitkick@protonmail.com
If you don’t get a reply or if the email dies, then contact us using Bitmessage.
Register it form here: https://bitmessage.org/
Run it, click New Identity and then send us a message at BM
BM-2cVXsen2VfP29zQmAF2F5xf9cWbKBxUzVC
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
- Create a Bitcoin purse: https://blockchain.info/wallet/new
- The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
https://localbitcoins.com/buy_bitcoins (Visa/MasterCard, Perfect Money, WU etc.)
- Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
- Do not rename encrypted files.
- Do not try to decrypt your data using third party software, it may cause permanent data loss.
- Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.
Screenshot of a machine after infection:
*Author: Qihoo 360 technical blog
Please cite the source when reposting: https://daima100.com/11627.html