3 Analysis
When we get hold of a piece of malware and know it is a ransomware sample, how do we go about gathering the information we need?
3.1 Identifying the ransomware family
The first step is to determine whether this ransomware has appeared before and whether analysts have already analysed and classified it. This is done mainly by searching for the hash of the core ransomware sample (some ransomware disguises itself inside a wrapper program). For the example we will use the sample from the article, with hash: DBD5BEDE15DE51F6E5718B2CA470FC3F
Searching on VirusTotal finds the sample:
https://www.virustotal.com/gui/file/9651d0cbca5c0affc47229c33be182b67e7bfbc09d08fd2d1c3eb2185bb29cdf
Many engines flag it as TeslaCrypt ransomware. At this point the label cannot be fully trusted, since misclassification is quite possible; more information must be combined before a further determination can be made.
3.1.1 Encrypted file extension
After encrypting files, ransomware in most cases renames the original file, so the new file extension (the encryption extension) is commonly an indicator of which family the ransomware belongs to.
3.1.2 Contact email
The email address is a very important indicator, because in most cases anyone wanting to decrypt has to contact the attacker through that email.
3.1.3 Ransom note
The information in the ransom note is also one of the indicators for classifying ransomware. Since ransomware is written by different authors, each has their own habits, but the ransom note gives very detailed information, including the contact details and the personal ID generated locally on the victim's machine.
3.1.4 Code similarity
Code similarity requires a more experienced analyst and a sizeable collection of samples from the family, so it is not covered here.
Once the above information has been collected, the next stage is a targeted search in a search engine for a matching ransomware. If a matching family is found, search for whether a decryption tool has been released for it. Collecting information and searching purely by hand is relatively slow; it is worth practising while learning, but later on the following foreign ransomware identification site is recommended:
https://id-ransomware.malwarehunterteam.com/identify.php?case=c541fccfde0350c891261a5059ff0e4e7be1da21
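A small triage helper, added here as an example and not part of the original article or of any of the tools it mentions: it hashes a sample for the VirusTotal / ID Ransomware lookup, pulls the identification fields of sections 3.1.1 to 3.1.3 (contact URLs, .onion address, email, personal ID, claimed cipher) out of a ransom note, and tallies file extensions to spot the encryption suffix. The note text embedded below is a constructed abbreviation of the TeslaCrypt note quoted in section 4, and the file names are constructed.

```python
import hashlib
import re
from collections import Counter
from pathlib import Path

# Constructed sample: an abbreviated copy of the TeslaCrypt note quoted in section 4.
SAMPLE_NOTE = """\
Your data was secured using a strong encryption with RSA4096.
please access your personal homepage by choosing one of the few addresses down below :
http://uj5nj.onanwhit.com/B9B74EF16D0C198
http://2gdb4.leoraorage.at/B9B74EF16D0C198
*** Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/B9B74EF16D0C198
Your personal ID B9B74EF16D0C198
"""

# Constructed file names as they might look after an infection.
SAMPLE_FILES = ["report.docx.micro", "photo.jpg.micro", "budget.xlsx.xxx", "notes.txt"]


def sample_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a sample: the values searched on VirusTotal (section 3.1)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_note_indicators(note: str) -> dict:
    """Pull the family-identification fields of sections 3.1.2 and 3.1.3 out of a ransom note."""
    urls = re.findall(r"https?://\S+", note)
    onions = re.findall(r"\b[a-z2-7]{16,56}\.onion\b", note)
    emails = re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", note)
    ids = re.findall(r"personal ID\s+([0-9A-Fa-f]{8,})", note)
    ciphers = re.findall(r"\b(?:RSA|AES)[- ]?\d{3,4}\b", note, re.IGNORECASE)
    return {
        "urls": sorted(set(urls)),
        "onions": sorted(set(onions)),
        "emails": sorted(set(emails)),
        "personal_id": ids[0] if ids else None,
        # normalise "RSA-4096" / "RSA 4096" / "rsa4096" to one spelling
        "cipher_claims": sorted({re.sub(r"[- ]", "", c).upper() for c in ciphers}),
    }


def extension_tally(filenames) -> Counter:
    """Count final extensions to spot the encryption suffix (section 3.1.1); '' = unchanged name."""
    return Counter(Path(name).suffix.lower() for name in filenames)


if __name__ == "__main__":
    print(sample_hashes(b"constructed sample bytes"))
    print(extract_note_indicators(SAMPLE_NOTE))
    print(extension_tally(SAMPLE_FILES).most_common())
```

The extension tally on a real incident is run over the victim's user directories; a dominant unknown suffix such as .micro or .xxx is the value to search for, while an empty suffix dominating points at a family that keeps file names unchanged, as the sample in section 4 does.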
3.2 Searching for a decryption tool
Taking the TeslaCrypt ransomware above as the example, a search engine turned up an article and decryption tool published by Cisco: Threat Spotlight: TeslaCrypt - Decrypt It Yourself - Cisco Blogs https://blogs.cisco.com/security/talos/teslacrypt
The closing part of that post says it was updated with the encryption keys released by the developers for 3.x/4. A decryption reference link was then also found on the ransomware identification site that had just identified the family, as follows:
TeslaCrypt shuts down and Releases Master Decryption Key https://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/ The article says that the decryption key has been published, and that TeslaDecoder can be updated to version 1.0 so that it can decrypt files encrypted by TeslaCrypt versions 3.0 and 4.0. This means that files encrypted by TeslaCrypt with the extensions .xxx, .ttt, .micro, .mp3, or with no extension, can now be decrypted for free.
On comparison, the Cisco post has no walkthrough of using its decryption tool, while the bleepingcomputer site explains how the tool is used, so the tool from that site was chosen for download, with Cisco's kept as a backup.
4 Decryption demonstration
After obtaining the sample, it was run locally to let the system be encrypted, simulating a victim. Once encryption completed, the ransom note generated is as follows:
Text version of the ransom note:
----------------------------------------------------
NOT YOUR LANGUAGE? USE https://translate.google.com
What's the matter with your files?
Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What exactly that means?
It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore .
In other words they are useless , however , there is a possibility to restore them with our help .
What exactly happened to your files ???
*** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key , which you received over the web .
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.
What should you do next ?
There are several options for you to consider :
*** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
*** You can start getting BitCoins right now and get access to your data quite fast .
In case you have valuable files , we advise you to act fast as there is no other option rather
than paying in order to get back your data.
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://uj5nj.onanwhit.com/B9B74EF16D0C198
http://2gdb4.leoraorage.at/B9B74EF16D0C198
http://9hrds.wolfcrap.at/B9B74EF16D0C198
If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Install TOR Browser and open TOR Browser
*** Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/B9B74EF16D0C198
*** Read instructions !!!
*** *** *** *** *** *** *** IMPORTANT INFORMATION *** *** *** *** *** ***
Your personal homepages
http://uj5nj.onanwhit.com/B9B74EF16D0C198
http://2gdb4.leoraorage.at/B9B74EF16D0C198
http://9hrds.wolfcrap.at/B9B74EF16D0C198
Your personal homepage Tor-Browser k7tlx3ghr3m4n2tu.onion/B9B74EF16D0C198
Your personal ID B9B74EF16D0C198
It deletes the volume shadow copies to prevent file recovery.
Both ransom note files are present in every directory.
Pick a file that has already been encrypted and inspect it.
Next, use the decryption tool downloaded above to decrypt it; first set the key, as follows:
Because this sample does not change the file extension after encryption, select the original extension.
Once the key is set, the files can be decrypted, as follows:
To guard against a failed decryption, it is best to back up the original files first.
Looking at the file from before, it was indeed decrypted successfully, as follows:
5 Summary
Fortunately the developers of this ransomware had a change of heart and published the encryption key; otherwise it really could not have been decrypted. Thinking about it afterwards, even when ransomware comes on fiercely, we must still work hard to analyse it, do our best to break and stop it, and trust that justice will prevail in the end.
6 References
https://zh.wikipedia.org/zh-cn/TeslaCrypt