
How to defend against the Cryakl ransomware, which has been renamed Crylock?

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains how to defend against the Cryakl ransomware after its rename to Crylock. The explanation is simple and clear and easy to follow; please read along with the editor's line of analysis.

Background Overview

Recently, the Sangfor endpoint security team captured a variant of the Crylock ransomware. The ransomware first appeared in 2014 under the name Cryakl and, after several iterations, was renamed Crylock in 2020. According to the binary's file information, the ransomware may have been developed by the Bad Black Rabbit gang.

Sample analysis

The sample is developed with Borland Delphi 7 and uses dynamically resolved function addresses and run-time string decryption as anti-antivirus measures.

The dynamically resolved functions decrypt the strings they need from the data segment.

The ransomware copies itself under a random name to the %Temp% directory.

It re-launches itself with administrator privileges.

It adds itself to autostart.

Whitelist of file extensions excluded from encryption: sys, dll, ini, log, bmp, bat.

Whitelist of folders excluded from encryption: recycle, windows, program files, program data, etc.

Whitelist of processes exempt from termination: besides system processes, it includes the remote desktop software anydesk.exe.

All other processes are terminated.

List of CMD commands executed to disable or delete file backups:

$ vssadmin delete shadows /all /queit

$ wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0

$ wbadmin DELETE BACKUP -keepVersions:0

$ wmic SHADOWCOPY DELETE

$ bcdedit /set {default} recoveryenabled No

$ bcdedit /set {default} bootstatuspolicy ignoreallfailures
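An added example (not from the article or from the sample) of a defensive check built from the command list above: it flags process-creation records whose command line matches one of the listed backup-tampering commands, tolerating spacing and case differences. The event records are constructed for the demo, and their (parent, command line) layout is an assumption.

```python
import re

# Patterns for the backup-tampering commands listed above. Only the verb and
# target are matched, so odd switch spellings (e.g. "/queit") still trigger.
BACKUP_TAMPER_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin shadow copy deletion"),
    (r"wbadmin(\.exe)?\s+delete\s+(systemstate)?backup", "wbadmin backup deletion"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadow copy deletion"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
     "bcdedit recovery environment disabled"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
     "bcdedit boot failure policy changed"),
]


def classify_command_line(cmdline: str):
    """Return the label of the first matching backup-tampering pattern, else None."""
    for pattern, label in BACKUP_TAMPER_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            return label
    return None


# Constructed sample process-creation records (not real telemetry): (parent, cmdline).
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\notepad.exe report.txt"),
    ("svchost.exe", r"vssadmin delete shadows /all /quiet"),
    ("cmd.exe", r"bcdedit /set {default} recoveryenabled No"),
    ("cmd.exe", r"wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"),
    ("powershell.exe", r"wmic  SHADOWCOPY  DELETE"),
]


def find_backup_tampering(events):
    """Return (parent, label) for every event whose command line matches.
    Several hits from one host within a short window are the signal to escalate:
    the sample runs the whole list back to back before it starts encrypting."""
    hits = []
    for parent, cmdline in events:
        label = classify_command_line(cmdline)
        if label:
            hits.append((parent, label))
    return hits
```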

It traverses the drives A: to Z:, encrypting the non-system drives first and the system drive last.

The encryption function chooses a different encryption method according to file size and type; there are three encryption categories:

Size                  Encryption mode
< 0x100000            (No. 15, default) encrypts Filesize/2+1 bytes
> 0x10485760          (No. 14) encrypts 0x3D090 bytes
< 0x30000             (No. 18) pads the file to 0x100000 bytes, then encrypts with mode 15 (default)

When encryption finishes, the marker {ENCRYPTSTART} and the encryption information are appended to the end of each file, the generated 128-bit seed is written there in encrypted form, and the record ends with {ENCRYPTEND}.

Encryption process

(1) The ransomware divides the plaintext to be encrypted into groups of 512 bits; for each group a 512-bit key is generated and the ciphertext is obtained from it.

In testing, the keystream generated from the same key seed was found to be always the same; it is not affected by the plaintext or the ciphertext.

(2) The 512-bit key generator forms each key by diffusing and confusing the 128-bit seed according to a fixed array.

(3) The 128-bit seed generator derives the seed from the randomSeed function.

(4) The randomSeed function is driven by a 32-bit initial seed, which is advanced by a fixed algorithm on every call.

(5) The initial seed is generated from the QueryPerformanceCounter and GetTickCount functions.

The above analysis shows that:

The 512-bit keystream generated from the same initial seed is always the same and is not affected by the plaintext or ciphertext.

The 32-bit initial seed is advanced by the fixed formula 134775813*initSeed+1.

The plaintext is processed in 512-bit groups, and each group is XORed with a 512-bit key to produce the ciphertext.
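A worked illustration of points (1) to (5) and the conclusions above, written here as an added example; it is not code from the sample or from the analysis team. The 134775813*initSeed+1 step is the one the article reports; the randomSeed-to-128-bit-seed step and the 128-to-512-bit expander are stand-ins (assumptions), since the article does not document them, and the two files are constructed. It shows why a keystream that depends only on the seed matters for recovery: one file with a known header gives back the keystream, which then decrypts any other file encrypted under the same seed.

```python
import hashlib

MASK32 = 0xFFFFFFFF
BLOCK = 64  # the sample works in 512-bit (64-byte) groups


def next_init_seed(seed: int) -> int:
    """Advance the 32-bit initial seed with the fixed step the article reports:
    134775813*initSeed + 1, taken mod 2^32."""
    return (134775813 * seed + 1) & MASK32


def seed128_from_init(init_seed: int) -> bytes:
    """Stand-in (assumption) for the randomSeed -> 128-bit seed step:
    four successive LCG outputs, little-endian."""
    s, out = init_seed, b""
    for _ in range(4):
        s = next_init_seed(s)
        out += s.to_bytes(4, "little")
    return out


def keystream_block(seed128: bytes, index: int) -> bytes:
    """Stand-in (assumption) for the 128->512-bit expander. The property that
    matters is the one the article states: the block depends only on the seed."""
    return hashlib.sha512(seed128 + index.to_bytes(4, "little")).digest()


def xor_crypt(data: bytes, seed128: bytes) -> bytes:
    """Encrypt or decrypt by XORing each 64-byte group with its keystream block."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(seed128, i // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def recover_keystream(known_plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext step: plaintext XOR ciphertext returns the keystream."""
    return bytes(a ^ b for a, b in zip(known_plain, cipher))


# Constructed demo inputs (not from the sample): two files under one seed.
SEED128 = seed128_from_init(0x1234ABCD)
FILE_A = b"\x89PNG\r\n\x1a\n" + b"A" * 120          # header known to the analyst
FILE_B = b"confidential spreadsheet data " * 4       # 120 bytes, contents unknown
CIPHER_A = xor_crypt(FILE_A, SEED128)
CIPHER_B = xor_crypt(FILE_B, SEED128)


def demo_recover() -> bytes:
    """Recover the keystream from FILE_A, then reuse it on CIPHER_B (== FILE_B)."""
    ks = recover_keystream(FILE_A, CIPHER_A)          # 128 bytes of keystream
    return bytes(a ^ b for a, b in zip(CIPHER_B, ks))
```

Because the seed is only 32 bits and comes from tick counters, the same reasoning also bounds the search a recovery tool has to perform when no known plaintext is available.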

Hardening suggestions

1. Set appropriate access permissions on important data files and documents, turn off unnecessary file-sharing functions, and make regular off-site backups.

2. Use strong host passwords, avoid reusing the same password across devices, and do not expose ports such as 3389 directly to the Internet, to prevent brute-force attacks.

3. Avoid opening emails, links and attachments of unknown origin; do not download unverified application software from unofficial channels; and when a file's type does not match its icon, scan it with security software first.

4. Check the system for vulnerabilities regularly and apply patches promptly.

Thank you for reading. The above covers how to defend against the Cryakl ransomware after its rename to Crylock; after studying this article you should have a deeper understanding of the topic, and the specifics still need to be verified in practice. The editor will continue to push more related articles to you; you are welcome to follow!
