
How to understand Hospit ransomware decryption

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article introduces how Hospit ransomware can be decrypted. Many people have questions about this, so the editor has gathered the available material and summarized the analysis and the recovery procedure in a simple, practical form. We hope it answers your questions about Hospit ransomware decryption; read on to learn more.

Background

The Hospit ransomware family was first seen in December 2020. It spreads mainly by brute-forcing RDP and similar means, and it is strongly industry-targeted. Early variants used the encryption suffix ".guanhospital" and attacked medical organizations. The variant analyzed here uses the suffix ".builder" and targets manufacturers. Unlike ransomware groups that choose victims opportunistically, the group behind Hospit appears to pick its targets deliberately, and more industries may be targeted in the future.

By analyzing the captured samples, the Sangfor endpoint security team found a weakness in how files under 10 MB are encrypted: the key used for those files can be recovered by brute force. The team promptly developed a decryption tool that can decrypt files under 10 MB encrypted by Hospit and recover part of the lost data.

Ransomware decryption

Instructions for use:

1. Provide an unencrypted original of one file together with its encrypted copy; the tool uses this known-plaintext pair to recover the key. Prefer a small file that was encrypted early in the attack.

2. Enter the Key Identifier, which can be copied from the ransom note.

3. Indicate whether the host has been rebooted since the infection (the key search depends on the system uptime at encryption time).

4. If the key is recovered, enter the directory to be decrypted and run the decryption.

Sample analysis

1. Create a mutex to prevent a second instance from running.

2. Start a thread that exits and deletes the sample when any of the following (analysis) processes is detected, as an anti-debugging measure.

3. Kill and uninstall Raccine (the open-source ransomware "vaccine" that intercepts shadow-copy deletion).

4. Start Dnscache and other services, and stop security-software services so that encryption can proceed unhindered.

5. Delete volume shadow copies.

6. Delete virtual-disk, backup and similar files found in the root directory of each drive.

7. Grant full access to the C, D and Z drives.

8. Empty the Recycle Bin and add firewall rules allowing file-sharing access.

9. Generate a random key, key_1, with System.Random. Random is a pseudo-random generator, and the sample seeds it with the system uptime (in .NET, Environment.TickCount, the milliseconds since boot), so if the uptime at the moment of encryption can be estimated, the seed space is small enough to brute-force and key_1 can be recovered.

10. Write a txt file to the directory the sample runs from, containing the endpoint IP, the time of the attack, and key_1 encrypted with RSA and base64-encoded.

11. Write the txt ransom note to the temp directory.

Create a shortcut in the Startup folder that opens the txt ransom note, with the hotkey "Ctrl+Shift+X".

12. Encrypt files with the following extensions:

"dat","txt","jpeg","gif","jpg","png","php","cs","cpp","rar","zip","html","htm","xlsx","xls","avi","mp4","ppt","doc","docx","sxi","sxw","odt","hwp","tar","bz2","mkv","eml","msg","ost","pst","edb","sql","accdb","mdb","dbf","odb","myd","php","java","cpp","pas","asm","key","pfx","pem","p12","csr","gpg","aes","vsd","odg","raw","nef","svg","psd","vmx","vmdk","vdi","lay6","sqlite3","sqlitedb","java","class","mpeg","djvu","tiff","backup","pdf","cert","docm","xlsm","dwg","bak","qbw","nd","tlg","lgb","pptx","mov","xdw","ods","wav","mp3","aiff","flac","m4a","csv","sql","ora","mdf","ldf","ndf","dtsx","rdl","dim","mrimg","qbb","rtf","7z"

13. The suffix appended to encrypted files is ".builder".

14. Enumerate drives that are ready and are not CD-ROM drives.

15. The following paths are excluded from encryption:

"program files",":\windows","perflogs","internet explorer", ":\programdata", "appdata", "msocache","system volume information","boot","tor browser","mozilla","appdata", "google chrome", "application data"

16. If the file is larger than 10 MB, generate a per-file key, key_n, with RNGCryptoServiceProvider (a cryptographically secure generator) and encrypt key_n with RSA.

17. If the file is smaller than 10 MB, key_1 is used as the key, so recovering key_1 recovers every file under 10 MB.

18. File contents are encrypted with Salsa20.
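Steps 9, 17 and 18 together are the weakness that the decryption tool described under "Instructions for use" exploits: the stream-cipher key for small files comes from a PRNG whose seed is a millisecond uptime counter, and one known plaintext/ciphertext pair is enough to test seed candidates. The following Python is an added example, not the sample's code and not Sangfor's tool. It reimplements the legacy .NET System.Random(int seed) algorithm (the Knuth subtractive generator, which .NET Framework seeds from Environment.TickCount when no seed is given) and Salsa20/20 in pure Python, then brute-forces the TickCount seed around an estimate. Assumptions not taken from the page: key_1 is 32 bytes and the Salsa20 nonce 8 bytes, both drawn from Random.NextBytes(); the sample file and the tick value are constructed for the demo.

```python
"""Seed recovery for an uptime-seeded System.Random key (added example)."""
import struct

MBIG = 0x7FFFFFFF
MSEED = 161803398


def _i32(x):
    """Wrap to a signed 32-bit int, mimicking C# unchecked arithmetic."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x >= 0x80000000 else x


class DotNetRandom:
    """Legacy .NET System.Random(int seed): Knuth subtractive generator."""

    def __init__(self, seed):
        sub = MBIG if seed == -0x80000000 else abs(seed)
        arr = [0] * 56
        mj = MSEED - sub
        arr[55] = mj
        mk = 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            arr[ii] = mk
            mk = _i32(mj - mk)
            if mk < 0:
                mk += MBIG
            mj = arr[ii]
        for _ in range(4):
            for i in range(1, 56):
                arr[i] = _i32(arr[i] - arr[1 + (i + 30) % 55])
                if arr[i] < 0:
                    arr[i] += MBIG
        self.arr, self.inext, self.inextp = arr, 0, 21

    def _sample(self):  # InternalSample(): one 31-bit output
        self.inext = 1 if self.inext + 1 >= 56 else self.inext + 1
        self.inextp = 1 if self.inextp + 1 >= 56 else self.inextp + 1
        r = _i32(self.arr[self.inext] - self.arr[self.inextp])
        if r == MBIG:
            r -= 1
        if r < 0:
            r += MBIG
        self.arr[self.inext] = r
        return r

    def next_bytes(self, n):  # NextBytes(): low byte of each sample
        return bytes(self._sample() & 0xFF for _ in range(n))


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _qr(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & 0xFFFFFFFF, 7)
    y2 ^= _rotl((y1 + y0) & 0xFFFFFFFF, 9)
    y3 ^= _rotl((y2 + y1) & 0xFFFFFFFF, 13)
    y0 ^= _rotl((y3 + y2) & 0xFFFFFFFF, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    s = [0x61707865, k[0], k[1], k[2], k[3], 0x3320646E, n[0], n[1],
         counter & 0xFFFFFFFF, counter >> 32, 0x79622D32,
         k[4], k[5], k[6], k[7], 0x6B206574]
    x = s[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        x[0], x[4], x[8], x[12] = _qr(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = _qr(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _qr(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _qr(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _qr(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = _qr(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _qr(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _qr(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, s)))


def salsa20_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def key_from_tickcount(tick):
    """ASSUMPTION: key_1 (32 bytes) and nonce (8 bytes) come from
    Random(TickCount).NextBytes(); the page does not give the derivation."""
    rng = DotNetRandom(tick)
    return rng.next_bytes(32), rng.next_bytes(8)


def recover_tickcount(plain, enc, estimate, window):
    """Brute-force the uptime seed from a known plaintext/ciphertext pair.
    Only the first keystream block is compared, so each candidate costs one
    Random init plus one Salsa20 block. Returns None if nothing matches."""
    n = min(len(plain), len(enc), 64)
    want = bytes(a ^ b for a, b in zip(plain[:n], enc[:n]))
    for tick in range(max(0, estimate - window), estimate + window + 1):
        key, nonce = key_from_tickcount(tick)
        if salsa20_block(key, nonce, 0)[:n] == want:
            return tick
    return None


# Constructed sample: a small file encrypted at uptime 5,000,000 ms (~1.4 h).
SAMPLE_TICK = 5_000_000
SAMPLE_PLAIN = b"Example invoice header, constructed for this demo.\n" * 3
SAMPLE_KEY, SAMPLE_NONCE = key_from_tickcount(SAMPLE_TICK)
SAMPLE_ENC = salsa20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAIN)


def demo():
    """Recover the seed from an estimate 700 ms off, then decrypt the file."""
    tick = recover_tickcount(SAMPLE_PLAIN, SAMPLE_ENC, SAMPLE_TICK + 700, 1500)
    key, nonce = key_from_tickcount(tick)
    return tick, salsa20_xor(key, nonce, SAMPLE_ENC)


if __name__ == "__main__":
    print(demo())
```

In a real case the search window comes from the time recorded in the ransom note and the host's boot time, which is why the tool asks whether the machine has been rebooted since the infection: if it has not, the current TickCount minus the elapsed time pins the seed down to a few seconds' worth of candidates. Environment.TickCount is a signed 32-bit millisecond counter that goes negative after about 24.9 days of uptime, so without any estimate the full space is 2^32 seeds, still feasible offline in compiled code but not in this pure-Python demo.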

19. Append the RSA-encrypted, base64-encoded key and the marker "GotAllDone" to the end of each encrypted file.

20. When encryption is complete, a ransom note is written to the desktop.

21. The ransom note reads as follows:

22. Finally, the sample deletes its own executable.

Hardening recommendations

The Sangfor security team reminds users once again that prevention is the primary defense against ransomware: most files encrypted by current ransomware cannot be decrypted, so the following routine precautions matter:

1. Patch operating systems and applications promptly to close common high-risk vulnerabilities.

2. Back up important data regularly to a location that is not on the local host.

3. Do not open email attachments from unknown senders and do not download software from untrusted websites.

4. Disable file-sharing permissions that are not needed.

5. Change host account and database passwords to strong, unique values; reusing one password across systems means one breach compromises many.

6. If the business does not need RDP, disable it, and never expose the RDP port or database ports directly to the Internet.

This concludes the discussion of how Hospit ransomware can be decrypted; we hope it has answered your questions. Theory is best combined with practice, so try it yourself. For more related content, keep following this site, where more practical articles will be published.


© 2024 shulou.com SLNews company. All rights reserved.
