
How to guard against the x3m CryptON ransomware

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Today I will talk about how to guard against the CryptON ransomware that uses the .x3m suffix, which many people may not be familiar with. To help you understand it better, the editor has summarised the following content; I hope you get something out of this article.

I. Sample introduction

The CryptON ransomware first appeared around February 2017, and a number of enterprises were attacked by it. Recently, the Sangfor security service team received customer feedback that a host had been encrypted and held to ransom, with the encrypted files carrying the suffix .x3m. After tracking and analysis we obtained the corresponding sample, confirmed that it is a variant of the CryptON ransomware, and carried out an in-depth analysis of it.

II. Ransomware characteristics

1. Encrypted files are given the suffix id-[number]_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m.

2. The ransom note is also dropped as an image file, CVZRPKPA59ZMCHK9B.bmp.

3. The ransom note HTML file is named # HOW TO DECRYPT FILES #.html.

III. Detailed analysis

1. Obtain part of the API function addresses through a decryption routine.

2. Decrypt the ransom-note data in memory.

[Figure: decrypted ransom-note data]

3. Obtain further function addresses through several more decryption routines.

4. Read the values of the host environment variables APPDATA, LOCALAPPDATA, USERNAME and USERPROFILE.

5. Check whether the process is running with administrator privileges.

6. Read the host region information. If the region is RU (Russian Federation), KZ (Kazakhstan), BY (Belarus) or UA (Ukraine), the program exits.

7. Set a registry auto-start (run) key for persistence.

8. Check whether the host has network connectivity, and exit the program if it does not. Then generate a self-deletion batch file named [original file name].bat.

[Figure: batch file content]

9. Create a mutex to prevent the program from running more than once.

10. Create a thread that encrypts files.

11. Create a thread that collects information about the host and uploads it to the remote server.

12. Read the data of the resource with ID CVZRPKPA59ZMCHK9T, decrypt it, and write it to the generated ransom-note HTML file.

13. Traverse the directories and files on each disk, and enumerate the files in shared directories.

14. Encrypt the files; each encrypted file is given the suffix id-[number]_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m.

15. Decrypt the data of the resource with ID CVZRPKPA59ZMCHK9T to obtain the ransom message, and write it to the text file CVZRPKPA59ZMCHK9T.

16. Decrypt the data of the resource with ID CVZRPKPA59ZMCHK9B to obtain the ransom message, and write it to the image file CVZRPKPA59ZMCHK9B.

17. Upload the collected host information to the remote server with an HTTP POST; the server URL is http://paris-style.ru/forum/clientscript/ie7/graphic/qp50x.php.

[Figure: captured POST request]
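As an added example (not code from the original article or from Sangfor), a small Python triage script that turns the indicators above into detection logic: it classifies file names by the .x3m suffix pattern and the ransom-note file names, summarises a directory listing by victim id, and picks out proxy log lines that POST to the upload URL from step 17. That the suffix is appended to the whole original file name, and the proxy log column layout, are assumptions; the sample listing and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article's analysis of the CryptON .x3m variant.
# Assumed: the suffix is appended to the whole original name (extension kept).
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>\d+)_\[x3m-pro@protonmail\.com\]_\[x3m@usa\.com\]\.x3m$",
    re.IGNORECASE)
RANSOM_NOTE_NAMES = {"# how to decrypt files #.html", "cvzrpkpa59zmchk9b.bmp"}
C2_HOST, C2_PATH = "paris-style.ru", "/forum/clientscript/ie7/graphic/qp50x.php"

def classify_filename(name):
    """Label one file name as 'encrypted', 'ransom_note' or None (clean)."""
    m = ENCRYPTED_NAME_RE.match(name)
    if m:
        return "encrypted", m.group("vid"), m.group("orig")
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note", None, name
    return None

def scan_filenames(names):
    """Summarise a listing: encrypted count, victim ids seen, ransom notes found."""
    out = {"encrypted": 0, "victim_ids": set(), "ransom_notes": []}
    for hit in filter(None, map(classify_filename, names)):
        if hit[0] == "encrypted":
            out["encrypted"] += 1
            out["victim_ids"].add(hit[1])
        else:
            out["ransom_notes"].append(hit[2])
    return out

def find_c2_beacons(log_lines):
    """Return (timestamp, client_ip) for proxy lines that POST to the upload URL.
    Assumed log layout: date time client_ip method url status."""
    hits = []
    for f in (line.split() for line in log_lines):
        if len(f) >= 5 and f[3].upper() == "POST":
            u = urlsplit(f[4])
            if u.hostname == C2_HOST and u.path == C2_PATH:
                hits.append((f"{f[0]} {f[1]}", f[2]))
    return hits

# Constructed sample data (not from the article) for a stand-alone run.
SAMPLE_FILES = ["budget.xlsx.id-1234567890_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m",
                "notes.txt", "# HOW TO DECRYPT FILES #.html",
                "photo.jpg.id-1234567890_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m"]
SAMPLE_PROXY_LOG = [
    "2019-06-02 10:15:22 10.0.0.12 POST http://paris-style.ru/forum/clientscript/ie7/graphic/qp50x.php 200",
    "2019-06-02 10:15:30 10.0.0.12 GET http://example.com/index.html 200",
    "2019-06-02 10:16:01 10.0.0.25 POST http://paris-style.ru/other.php 404"]
```

Run `scan_filenames(SAMPLE_FILES)` and `find_c2_beacons(SAMPLE_PROXY_LOG)` against a real directory listing and proxy export to get the victim id (which the ransom note ties to the host) and the first beaconing client.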

IV. Solution

For users who have already been hit: since no decryption tool is available for the time being, it is recommended to disconnect and isolate the infected host as soon as possible. Sangfor reminds all users to put virus detection and defence measures in place as soon as possible to prevent attacks by this ransomware family.

Virus detection and removal

1. Sangfor provides free detection and removal tools for all users; you can download the following tools to scan and clean the host.

64-bit system download link: http://edr.sangfor.com.cn/tool/SfabAntiBot_X64.7z

32-bit system download link: http://edr.sangfor.com.cn/tool/SfabAntiBot_X86.7z

Virus defense

The Sangfor security team reminds users once again that the main answer to ransomware is prevention: at present, files encrypted by most ransomware families cannot be decrypted. Pay attention to the following daily preventive measures:

1. Patch systems in time to fix vulnerabilities.

2. Make regular off-site backups of important data files.

3. Do not open email attachments from unknown sources, and do not download software from unknown websites.

4. Turn off unnecessary file-sharing permissions wherever possible.

5. Change account passwords, set strong passwords, and avoid reusing one password across accounts, because a reused password means that one breach compromises many systems.

6. If the business does not need RDP, it is recommended to disable it.

After reading the above, do you have a better understanding of how to guard against the x3m CryptON ransomware? If you want to learn more, please follow the industry information channel; thank you for your support.
