前言
BlackHeart(黑心)勒索病毒家族是一款使用NET語言進行編寫的勒索病毒,之前深信服EDR安全團隊已經報道過它的變種家族樣本捆綁知名的遠程軟件AnyDesk進行傳播,此次深信服EDR安全團隊發現的是它的一個家族的最新的變種,加密算法仍然使用AES+RSA,加密後的文件無法還原,加密後的文件後綴名為mariacbc。
一、樣本簡介
BlackHeart(黑心)勒索病毒也是SF勒索病毒家族成員之一,SF家族的勒索病毒,一共有如下幾類:
Spartacus(斯巴達克斯勒索病毒)
Satyr(薩克斯勒索病毒)
BlackRouter(BlackRouter勒索病毒)
BlackHeart(黑心勒索病毒)
它們都採用NET語言進行編寫,並使用了相似的加密核心代碼進行勒索加密,統稱為SF勒索家族。
二、詳細分析
1、樣本仍然採用之前的B字圖標,同時也是使用NET語言進行編寫的,如下所示:
2、程序的入口函數,如下所示:
3、生成唯一的AES的KEY,如下所示:
4、再利用RSA2048的公鑰Key加密之後生成的AES的Key,然後再轉化為BASE64編碼,如下所示:
生成的加密的Key,如下所示:
"mox1nR9OkprIdiwITblhpiD0XclNiMcMMNaP18mqVN1bkmsALjPThj9ckRNKC1uriLkOzc9BqAsgdLcNpmAJ/OPZDzKZhLsNv5GZAZotlMPX/gZzXvNvXqzKIxTxBv5NLzawTeyQuOuZMeU6gcuZdPThNItes0oFGsozxzsZCWuJoQuoXlfVDHnJC8dNGJ1+/EswCIB9jl5Hov0j9BNnwqOaKaTDJWYqayvKY4dnt14moA2ZzODVarydgHOit7CcJLGjCEijXV4Shrz8LkiBfKcH+haDcNWtT4EXT+zGae4DiAUIrAm+FPwLOuodHdrJwflJgkfawnXZA/6Emv/Vbw=="
5、遍歷主機相關目錄,進行加密操作,如下所示:
遍歷的目錄,如下所示:
相應的目錄列表,如下所示:
%Desktop%
%Documents%
%Music%
%History%
%Downloads%
%Pictures%
%Videos%
%Favorites%
%UserProfile%
%ProgramData%
%SystemRoot%\Users
6、遍歷目錄下的文件,如下所示:
判斷文件的後綴名是否在相應的需要加密的文件的後綴名列表中,如下所示:
勒索病毒會加密的文件後綴名列表,如下所示:
".exe",".der",".pfx",".key",".crt",".csr",".p12",".pem",".odt",".sxw",".stw",".3ds",".max",".3dm",".ods",".sxc",".stc",".dif",".slk",".wb2",".odp",".sxd",".std",".sxm",".sqlite3",".sqlitedb",".sql",".accdb",".mdb",".dbf",".odb",".mdf",".ldf",".cpp",".pas",".asm",".cmd",".bat",".vbs",".sch",".jsp",".php",".asp",".java",".jar",".class",".mp3",".wav",".swf",".fla",".wmv",".mpg",".vob",".mpeg",".asf",".avi",".mov",".mp4",".mkv",".flv",".wma",".mid",".m3u",".m4u",".svg",".psd",".tiff",".tif",".raw",".gif",".png",".bmp",".jpg",".jpeg",".iso",".backup",".zip",".rar",".tgz",".tar",".bak",".ARC",".vmdk",".vdi",".sldm",".sldx",".sti",".sxi",".dwg",".pdf",".wk1",".wks",".rtf",".csv",".txt",".msg",".pst",".ppsx",".ppsm",".pps",".pot",".pptm",".pptx",".ppt",".xltm",".xltx",".xlc",".xlm",".xlt",".xlw",".xlsb",".xlsm",".xlsx",".xls",".dotm",".dot",".docm",".docx",".doc",".ndf",".pdf",".ib",".ibk"
7、加密文件,使用AES加密算法,密鑰KEY為之前通過RSA2048公鑰加密後的KEY,對文件進行加密,同時將文件的後綴名變為mariacbc,如下所示:
相應的加密算法,使用AESECB加密算法如下所示:
加密後的文件,如下所示:
8、遍歷主機磁盤文件目錄下的文件進行加密,如下所示:
9、刪除磁盤卷影操作,如下所示:
10、生成勒索信息對話框,如下所示:
相應的勒索對話框,如下所示:
11、遍歷主機磁盤,在相應的文件目錄下,生成勒索信息文本文件[email protected],如下所示:
三、解決方案
深信服安全團隊再次提醒廣大用戶,勒索病毒以防為主,目前大部分勒索病毒加密後的文件都無法解密,注意日常防範措施:
1、不要點擊來源不明的郵件附件,不從不明網站下載軟件
2、及時給主機打補丁(永恆之藍漏洞補丁),修復相應的高危漏洞
3、對重要的數據文件定期進行非本地備份
4、儘量關閉不必要的文件共享權限以及關閉不必要的端口,如:445,135,139,3389等
5、RDP遠程服務器等連接儘量使用強密碼,不要使用弱密碼
6、安裝專業的終端安全防護軟件,為主機提供端點防護和病毒檢測清理功能
閱讀更多 A1d2m3i4n5 的文章
