
Sforthet: the decryption process of sodinokibi blackmail virus

2020-11-10 19:09:53 osc_15464276

This virus is the one we discussed before: the Sodinokibi ransomware. Before getting to the point, a little background on Sodinokibi. It inherited the code structure of GandCrab, appends a random suffix to encrypted files, and after encryption changes the host's desktop background to dark blue. It first appeared at the end of April this year. Early on it spread through vulnerabilities in web services, and its victims turned out to include tax offices and the judiciary; it is also spread by phishing, and since nobody is immune to a careless click, many enterprises have suffered from it.
So how do they get in?
In general, the attackers find a breakthrough point in the enterprise network. First they use scanning, brute forcing and similar techniques to gain access to a relatively weak host on the intranet; from there they grab passwords or scan the intranet, pick important servers and PCs to encrypt, and then try to move laterally, encrypting as many hosts and servers across the enterprise intranet as possible. Once one host falls, the whole network suffers.
One second the file still opens; the next second, sorry, pay to view. It is a deep con, and ransomware makers are the best at it.

But what I never expected is that there is a gang behind this ransomware. So how do they cooperate?
The Sodinokibi outbreak is mainly due to the industrial scale it has formed: it is a distributed gang in which everyone does their own job and is paid according to their work. First, after Sodinokibi runs successfully, it leaves the following ransom note on the host, a file named in the form "random suffix-readme.txt":

To make it easier for you to find them and pay, they have also "thoughtfully" left you a clue.
One link goes to a dark-web chat page and the other to an ordinary chat page; the affected enterprise can visit whichever of the two suits its situation. After opening the link, you can chat on the page, which is very professionally designed, and the hackers negotiate the ransom with the victim.
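As an added example (not part of the original post), here is a small Python triage script that looks through a file listing for notes named in that "random suffix-readme.txt" form and counts the files carrying the same suffix. The regex, the path layout and the suffix "k7f2ab" are assumptions constructed for the example, not indicators from the page.

```python
import re
from pathlib import PurePosixPath

# Assumed note pattern: "<random suffix>-readme.txt", where the suffix is the same
# random extension appended to the encrypted files. The length bounds are a guess.
NOTE_RE = re.compile(r"^(?P<suffix>[a-z0-9]{4,12})-readme\.txt$", re.IGNORECASE)


def find_ransom_notes(paths):
    """Return {suffix: [note paths]} for every file name matching the note pattern."""
    notes = {}
    for p in paths:
        m = NOTE_RE.match(PurePosixPath(p).name)
        if m:
            notes.setdefault(m.group("suffix").lower(), []).append(p)
    return notes


def count_encrypted(paths, suffix):
    """Count files whose final extension is the given suffix, excluding the notes themselves."""
    n = 0
    for p in paths:
        name = PurePosixPath(p).name
        if NOTE_RE.match(name):
            continue
        if name.lower().endswith("." + suffix):
            n += 1
    return n


def triage(paths):
    """Pair each suspected note suffix with the number of notes and encrypted files seen."""
    return {
        s: {"notes": len(v), "encrypted_files": count_encrypted(paths, s)}
        for s, v in find_ransom_notes(paths).items()
    }


# Constructed sample listing (not from a real incident): two directories of a share
# were encrypted with the suffix "k7f2ab" and one note was dropped in each.
SAMPLE_PATHS = [
    "/srv/share/finance/2020-q3.xlsx.k7f2ab",
    "/srv/share/finance/budget.docx.k7f2ab",
    "/srv/share/finance/k7f2ab-readme.txt",
    "/srv/share/hr/k7f2ab-readme.txt",
    "/srv/share/hr/contracts.pdf.k7f2ab",
    "/srv/share/it/readme.txt",  # an ordinary readme must not match
    "/srv/share/it/setup.exe",
]

if __name__ == "__main__":
    for suffix, info in triage(SAMPLE_PATHS).items():
        print(f".{suffix}: {info['notes']} notes, {info['encrypted_files']} encrypted files")
```

Feeding it the output of a `find` or `dir /s` run over a share gives a quick picture of which directories were hit before anyone starts touching the files.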

And once the hackers have money, they also hire their own online "bodyguards": customer-service staff responsible specifically for negotiation, online 24 hours a day. Of course, the online customer service has no final say on price; the final ransom is decided by the boss above them, namely the operator of the Sodinokibi organization.
And the Sodinokibi ransom is generally high, mostly 3 to 6 bitcoin, so the main targets are enterprises, and medium and large ones at that. The purpose of the attack is to paralyze the enterprise's core business network, which is why many affected enterprises end up paying a large ransom.
And because it is an industrial operation, each participant receives a corresponding share. When the victim company transfers bitcoin into the hacker's wallet, that wallet forwards it in batches to the other members' wallets.
For example, after one successful attack the ransom was transferred in 2 batches to 4 wallets: the ransomware author's wallet, the integrated platform provider's wallet, the online customer service's wallet, and the coordinating wallet.


The ransomware author and the integrated platform provider are the low-margin, high-volume type: they take a commission on every deal, so the share per deal is small, but the total is considerable. Online customer service is paid per job: convince one victim, earn a small commission. Of course they do not get the big share, because they are easily replaced and the technical difficulty of their work is not great.


The big share of each attack's ransom is allocated from the coordinating wallet to the attacker and the organization operator, so the payout for a single success is relatively large, and any individual or team can take part in attacks on different "customers", much like a sales team: every deal counts. The last big share, of course, goes to the organization operator, which is responsible for connecting all the links and resources and keeping the platform and the gang running.
This is simply a black business that cannot lose. But Sforthet (WeChat official account: net911) is still curious: is it possible to solve the problem with security technology, without paying the ransom?
"Probably not. Most of the time the hackers use RSA+AES, a combination of symmetric and asymmetric encryption, which is very difficult to crack and may even be impossible," said Mr. Fan, a security expert at Sforthet.
So, as victims, can we only sit and wait for death, or pay up?
Of course not. For now, enterprises have only two choices: one is security hardening, the other is to spend money on security hardening.
How do you harden?
When Mr. Fei, a security expert at Sforthet, talks about what the enterprise itself should do, the main measures are:
a. Patch computers in time and fix vulnerabilities.
b. Regularly back up important data files to an off-site location.
c. Don't open email attachments from unknown sources, and don't download software from anonymous websites.
d. Turn off unnecessary file-sharing permissions wherever possible.
e. Change account passwords, set strong passwords, and avoid using one password everywhere, because a shared password means that once one host is broken, many suffer.
f. If the business does not require RDP, close RDP.
As for spending money on hardening, Sforthet (WeChat official account: net911) need not say much: the Sforthet ransomware protection solution released earlier can analyze and defend against the ransomware's infection and propagation process, and link with the cloud to detect new threats, achieving active defense.
What follows you have surely heard countless security practitioners say, but it is still worth repeating:
Don't visit the wrong websites, don't click the wrong links, and don't download things at random.
Most Internet needs can be met on regular websites; if you don't feel safe enough, don't just wander around.
Otherwise, you can only pay the ransom. (net911)

Copyright notice
This article was written by [osc_15464276]; please include the original link when reposting. Thank you.