2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to defend against the Cryakl ransomware, which has since been renamed Crylock, by walking through the analysis of a captured sample.
Background Overview
Recently, the Sangfor endpoint security team captured a variant of the Crylock ransomware. Ransomware named Cryakl became active as early as 2014 and, after several iterations, was renamed Crylock in 2020. Based on the binary's file information, the ransomware may have been developed by the Bad Black Rabbit gang.
Sample analysis
The sample is developed in Borland Delphi 7 and uses dynamically resolved function addresses and dynamically decrypted strings as anti-virus evasion techniques.
The dynamically resolved functions decrypt their strings from the data segment.
The ransomware copies itself under a random name into the %Temp% directory.
It re-launches itself with administrator privileges.
It adds an autorun entry.
Whitelist of file extensions excluded from encryption: sys, dll, ini, log, bmp, bat.
Whitelist of folders excluded from encryption: recycle, windows, program files, program data, etc.
List of processes to terminate, which besides system processes includes the remote desktop software anydesk.exe.
The listed processes are terminated.
CMD commands executed to disable or delete file backups:
$ vssadmin delete shadows /all /queit
$ wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
$ wbadmin DELETE BACKUP -keepVersions:0
$ wmic SHADOWCOPY DELETE
$ bcdedit /set {{default}} recoveryenabled No
$ bcdedit /set {{default}} bootstatuspolicy ignoreallfailures
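The backup-deletion commands above are executed before encryption starts, which makes them a useful host-level detection point: they are rarely chained together on a healthy workstation. The following is an added example (not code from the article or from Sangfor) that runs simple rules over constructed process-creation events in a simplified Sysmon-like key=value layout; hostnames, timestamps and paths are made up, and the rule names and the "two distinct techniques on one host" threshold are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Backup/recovery tampering signatures, one per command family listed in the
# article. Regexes are case-insensitive and tolerant of extra whitespace.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wbadmin_delete_backup":
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(systemstatebackup|backup)\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed process-creation events (hosts, times and paths are made up).
# WS01 shows the full chain from the article; WS02 runs only benign admin commands.
SAMPLE_LOG = [
    r"2024-01-01T10:00:01 host=WS01 EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    r"2024-01-01T10:00:02 host=WS01 EventID=1 Image=C:\Windows\System32\wbadmin.exe CommandLine=wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",
    r"2024-01-01T10:00:02 host=WS01 EventID=1 Image=C:\Windows\System32\wbadmin.exe CommandLine=wbadmin DELETE BACKUP -keepVersions:0",
    r"2024-01-01T10:00:03 host=WS01 EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic SHADOWCOPY DELETE",
    r"2024-01-01T10:00:04 host=WS01 EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    r"2024-01-01T10:00:04 host=WS01 EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2024-01-01T10:05:00 host=WS02 EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin list shadows",
    r"2024-01-01T10:06:00 host=WS02 EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit /enum",
    r"2024-01-01T10:07:00 host=WS02 EventID=1 Image=C:\Windows\notepad.exe CommandLine=notepad.exe C:\Users\u\notes.txt",
]

LINE_RE = re.compile(r"host=(?P<host>\S+).*?CommandLine=(?P<cmd>.*)$")


def parse_event(line):
    """Return (host, command line) or None for lines without a command line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Collapse whitespace runs so "/all  /quiet" and "/all /quiet" match alike.
    return m.group("host"), re.sub(r"\s+", " ", m.group("cmd")).strip()


def scan_command(cmd):
    """Names of all rules matching one command line (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def assess(lines, min_distinct_rules=2):
    """Group hits by host and alert when a host shows at least
    `min_distinct_rules` different tampering techniques, i.e. the chained
    pattern the ransomware exhibits before it starts encrypting."""
    per_host = defaultdict(lambda: {"hits": [], "distinct_rules": set(), "alert": False})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, cmd = parsed
        entry = per_host[host]
        for rule in scan_command(cmd):
            entry["hits"].append((rule, cmd))
            entry["distinct_rules"].add(rule)
    for entry in per_host.values():
        entry["alert"] = len(entry["distinct_rules"]) >= min_distinct_rules
    return dict(per_host)


if __name__ == "__main__":
    for host, entry in assess(SAMPLE_LOG).items():
        print(host, "ALERT" if entry["alert"] else "ok", len(entry["hits"]), "hit(s)")
        for rule, cmd in entry["hits"]:
            print("   ", rule, "<-", cmd)
```

A single `vssadmin list shadows` or `bcdedit /enum` from an administrator does not fire, while the chain on WS01 trips all five rules; in practice the same rules map directly onto Sysmon Event ID 1 or Windows Security Event 4688 command-line fields.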
It traverses drives A to Z, encrypting the non-system drives first and the system drive last.
The encryption function chooses different encryption methods according to file size and type, and there are three encryption categories:
Type | File size | Encryption mode
No. 15 (default) | < 0x100000 | encrypt Filesize/2+1 bytes
No. 14 | > 0x10485760 | encrypt 0x3D090 bytes
No. 18 | < 0x30000 | pad the file to 0x100000 bytes, then encrypt with mode 15 (default)
When encryption finishes, the marker {ENCRYPTSTART} and the encryption metadata are appended to each file, followed by the generated 128-bit seed in encrypted form, and the trailer ends with {ENCRYPTEND}.
Encryption process
(1) The ransomware splits the plaintext into 512-bit blocks; for each block a 512-bit key is generated and XORed with the block to produce the ciphertext.
Testing shows that the keystream generated from the same key seed is identical and is not affected by the plaintext or ciphertext.
(2) The 512-bit key generator forms the key by diffusing and confusing the 128-bit seed according to a fixed array.
(3) The 128-bit seed generator derives the seed from the randomSeed function.
(4) The randomSeed function produces its output from a 32-bit initial seed; the initial seed is updated by a fixed algorithm on every call.
(5) The initial seed is generated from the QueryPerformanceCounter and GetTickCount functions.
The analysis above shows that:
The 512-bit keystream generated from the same initial seed is identical and is not affected by the plaintext or ciphertext.
The 32-bit initial seed is updated by the fixed recurrence initSeed = 134775813*initSeed + 1.
The plaintext is processed in 512-bit blocks, each XORed with a 512-bit key to produce the ciphertext.
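Why these three findings matter for recovery: a keystream that depends only on the seed, reused across files and XORed with the data, means that one file whose original content is known (a stock icon, a standard header) reveals the keystream prefix for every other file encrypted under the same seed, and a 32-bit initial seed fed from tick counters has a small, guessable range. The block below is an added example, not code from the article, Sangfor, or the malware. Only the 32-bit recurrence (134775813*seed + 1, which is also the multiplier of Delphi's built-in Random, consistent with a Delphi 7 build) and the 512-bit XOR structure are taken from the analysis; the packing of four LCG outputs into the 128-bit seed and the SHA-512-based per-block key expansion are stand-ins for the unspecified "fixed array" generator, and the initial seed 123456 and candidate window are constructed.

```python
import hashlib
import struct

# From the analysis: 32-bit seed advanced as seed = 134775813*seed + 1,
# 512-bit blocks XORed with a 512-bit per-block key, keystream depends only on the seed.
LCG_MULT = 134775813
MASK32 = 0xFFFFFFFF
BLOCK = 64  # 512 bits


def next_seed(seed):
    """One step of the fixed 32-bit recurrence stated in the analysis."""
    return (LCG_MULT * seed + 1) & MASK32


def derive_seed128(init_seed):
    """ASSUMPTION: the 128-bit seed is four successive 32-bit LCG outputs.
    The article only says it comes from randomSeed; the exact packing is a stand-in."""
    s, words = init_seed, []
    for _ in range(4):
        s = next_seed(s)
        words.append(s)
    return struct.pack("<4I", *words)


def block_key(seed128, index):
    """ASSUMPTION: stand-in for the 'fixed array' diffusion/confusion generator.
    SHA-512 of seed||counter yields a 512-bit key that, like the real one,
    depends only on the seed and the block position, never on the data."""
    return hashlib.sha512(seed128 + struct.pack("<I", index)).digest()


def keystream(seed128, nbytes):
    """Concatenate per-block keys until nbytes of keystream are available."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += block_key(seed128, i)
        i += 1
    return bytes(out[:nbytes])


def xor_with_keystream(data, seed128):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    ks = keystream(seed128, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def recover_keystream(known_plain, cipher):
    """Known-plaintext recovery: C xor P = K over the overlapping prefix."""
    n = min(len(known_plain), len(cipher))
    return bytes(p ^ c for p, c in zip(known_plain[:n], cipher[:n]))


def decrypt_prefix(cipher, recovered_ks):
    """Apply a recovered keystream prefix to another file encrypted under the same seed."""
    n = min(len(cipher), len(recovered_ks))
    return bytes(c ^ k for c, k in zip(cipher[:n], recovered_ks[:n]))


def recover_init_seed(cipher, known_plain, candidates):
    """Search candidate 32-bit initial seeds (e.g. a window of plausible tick
    counts) for the one whose keystream reproduces the known prefix."""
    target = recover_keystream(known_plain, cipher)
    for cand in candidates:
        if keystream(derive_seed128(cand), len(target)) == target:
            return cand
    return None


if __name__ == "__main__":
    seed128 = derive_seed128(123456)             # constructed initial seed
    doc = b"Quarterly report: all figures are confidential." * 3
    icon = b"\x00" * 80                          # a file whose content is known
    c_doc, c_icon = xor_with_keystream(doc, seed128), xor_with_keystream(icon, seed128)
    ks = recover_keystream(icon, c_icon)         # keystream leaks from the known file
    print(decrypt_prefix(c_doc, ks)[:47])        # first 47 bytes of the document recovered
    print(recover_init_seed(c_icon, icon[:BLOCK], range(120000, 130000)))  # 123456
```

The two recovery functions are the defender's side of the weakness the analysis describes: `recover_keystream` needs no knowledge of the key generator at all, only one known file, while `recover_init_seed` shows that once the generator is reimplemented, the 32-bit seed can be searched outright, which is how decryptors for ransomware families built on a language's stock PRNG are typically produced.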
Hardening recommendations
1. Set appropriate access permissions on important data files, turn off unnecessary file-sharing functions, and make regular off-site backups.
2. Use strong host passwords, avoid reusing the same password across devices, and do not expose ports such as 3389 directly to the Internet, to prevent brute-force attacks.
3. Avoid opening emails, links and attachments of unknown origin, avoid downloading unverified software from unofficial channels, and scan a file with security software first when its type does not match its icon.
4. Regularly check the system for vulnerabilities and apply patches promptly.
© 2024 shulou.com SLNews company. All rights reserved.