2025-04-02 update, from SLTechnology News&Howtos (Shulou), Network Security section
Shulou (Shulou.com) 05/31 report
This article presents a sample analysis of the KrakenCryptor 2.0.7 ransomware variant. It is kept concise and easy to follow, and we hope the detailed walkthrough is useful to you.
Preface
While analysing network-wide threat data in its Security Cloud Brain platform, the Sangfor security team discovered a new ransomware family, KrakenCryptor, at version 2.0.7. This is the latest version found so far, and customers continue to submit samples to Security Cloud Brain for testing. This version uses an RSA+AES encryption scheme, and the extension appended to encrypted files is randomly generated.
Detailed analysis
1. The sample is written for the .NET Framework and is obfuscated, as shown in the figure:
2. After deobfuscating the sample, we begin to study it. Like most ransomware, this version sets a time limit for the victim to pay the ransom, and the price rises after one week.
As the picture shows, this is the payment countdown for the victim, but it is not displayed in the graphical interface. The one-week price increase is calculated by calendar week, not from the time the victim's files were encrypted.
Countdown to payment (extortion)
3. The sample will first decrypt some information about encryption, such as family, version, technical support mailbox and so on.
Family version number
Encrypted key length information
KrakenCryptor targets 422 file extensions for encryption. The following figure shows some of them.
File extensions targeted for encryption
4. The sample confirms the geographic location of the victim's IP address through the https://ipinfo.io website:
Collect the geographic location of the victim's IP address
5. It collects the victim's operating system version, MAC address and local disk information, and generates the RSA and AES keys:
Generate encryption key
6. The sample reads the victim's default input method and exempts hosts with specific default input methods (their files are not encrypted).
Get the default input method
Exempted input methods
It then reads the system language and exempts specific languages. At present, hosts in the following countries are exempted:
Armenia (AM), Azerbaijan (AZ), Belarus (BY), Estonia (EE), Georgia (GE), Iran (IR), Kyrgyzstan (KG), Lithuania (LT), Moldova (MD), Russia (RU), Tajikistan (TJ), Ukraine (UA), Uzbekistan (UZ), Turkmenistan (TM), Syria (SY), Latvia (LV), Kazakhstan (KZ).
Exempted countries
7. The sample adds a registry value named WordLoad, which serves as a record that encryption has run. If the value of WordLoad is 1, the sample exits.
Registry key
8. If the host is not in an exempted country, the sample proceeds to the encryption process. It first sends the geographic location of its IP address to the URL https://2no.co/2SVJa5. This URL is a short link; when resolved it redirects to https://www.bleepingcomputer.com/, a website that provides security news and technical information.
9. A 256-bit AES key is generated and files are encrypted in CBC mode.
10. The encrypted data directly overwrites the original file, which is then renamed.
Original file overwritten after encryption
Rename encrypted files
11. After encryption, the sample deletes itself:
12. Finally, the desktop background is changed to show the victim the ransom note:
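The behaviours described in steps 4, 7, 8 and 10 above (a geolocation lookup against ipinfo.io, a beacon to the 2no.co short link, the WordLoad registry marker, and a burst of in-place overwrites followed by renames to a random suffix) are the kind of endpoint telemetry a defender can correlate. The following Python script is an added example, not code from the original article or from Sangfor. It runs a simple triage over constructed, Sysmon-like events; the event format, the process names, the browser allowlist, the rename threshold and window, and the assumption that the random extension is appended to the original file name are all assumptions made for the example.

```python
"""Endpoint telemetry triage for KrakenCryptor-style behaviour (added example).

Three behaviours from the write-up are modelled:
  * outbound connections to ipinfo.io and 2no.co from a non-browser process,
  * a registry write to a value named WordLoad,
  * a burst of renames that append a new extension to existing files.
A process that shows at least two of the three is reported as a suspect.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article.
BEACON_HOSTS = {"ipinfo.io", "2no.co"}
MARKER_VALUE = "WordLoad"

# Tunable heuristic settings (assumptions, not from the article).
RENAME_THRESHOLD = 5                    # appended-suffix renames per process ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this window
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # expected to call geolocation APIs


def appended_suffix(old, new):
    """True when the new name is the old name plus exactly one extra extension.

    This is the rename pattern the article describes (random suffix added after
    the original extension); the exact suffix is unknown, so only the shape is checked.
    """
    return new.startswith(old + ".") and "." not in new[len(old) + 1:]


def burst_count(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(events):
    """Correlate events per process. Each event is (datetime, process, kind, details)."""
    beacons, markers = [], []
    rename_times = defaultdict(list)
    indicators = defaultdict(set)   # process -> set of indicator categories hit
    for ts, proc, kind, d in events:
        if kind == "net_connect" and d["host"] in BEACON_HOSTS and proc.lower() not in BROWSERS:
            beacons.append((proc, d["host"]))
            indicators[proc].add("beacon")
        elif kind == "reg_set" and d["value"] == MARKER_VALUE:
            markers.append(proc)
            indicators[proc].add("marker")
        elif kind == "file_rename" and appended_suffix(d["old"], d["new"]):
            rename_times[proc].append(ts)
    bursts = {}
    for proc, times in rename_times.items():
        n = burst_count(times, RENAME_WINDOW)
        if n >= RENAME_THRESHOLD:
            bursts[proc] = n
            indicators[proc].add("rename_burst")
    suspects = sorted(p for p, cats in indicators.items() if len(cats) >= 2)
    return {"beacons": beacons, "marker_writes": markers,
            "rename_bursts": bursts, "suspect_processes": suspects}


def _overwrite_and_rename(proc, start, paths, suffix):
    """Build write+rename event pairs one second apart (constructed sample data)."""
    out = []
    for i, p in enumerate(paths):
        t = start + timedelta(seconds=i)
        out.append((t, proc, "file_write", {"path": p}))
        out.append((t, proc, "file_rename", {"old": p, "new": p + "." + suffix}))
    return out


# Constructed telemetry: a hypothetical malicious process plus benign noise.
T0 = datetime(2025, 4, 2, 10, 0, 0)
EVENTS = [
    (T0, "svchost_update.exe", "net_connect", {"host": "ipinfo.io"}),
    (T0 + timedelta(seconds=1), "svchost_update.exe", "reg_set", {"value": "WordLoad", "data": 0}),
    (T0 + timedelta(seconds=2), "svchost_update.exe", "net_connect", {"host": "2no.co"}),
    (T0 + timedelta(seconds=3), "chrome.exe", "net_connect", {"host": "ipinfo.io"}),   # browser, ignored
    (T0 + timedelta(seconds=4), "explorer.exe", "file_rename",
     {"old": r"C:\Users\alice\notes.txt", "new": r"C:\Users\alice\notes_old.txt"}),   # ordinary rename
] + _overwrite_and_rename(
    "svchost_update.exe", T0 + timedelta(seconds=5),
    [r"C:\Users\alice\Documents\report%d.docx" % i for i in range(6)], "x4k9q")

if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

The three categories are deliberately weighted equally and combined by count rather than by a single strong signal, because each one on its own is noisy: geolocation lookups and short-link redirects occur in legitimate software, and bulk renames occur in backup or archiving tools. The rename window and threshold should be tuned against baseline file-server telemetry before the rule is used for alerting.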
Solution
For users whose files have already been encrypted, no decryption tool is available at present, so it is recommended that the infected host be disconnected from the network and isolated as soon as possible.
Sangfor provides a free removal tool for users; you can download the following tool to scan for and remove the threat: http://edr.sangfor.com.cn/tool/SfabAntiBot.zip.
This concludes the sample analysis of the KrakenCryptor 2.0.7 ransomware variant.