Ransomware detection report analysis
The ransomware sample (Locky) was captured by the security team of Green League Technology. Analysis shows that the ransomware is distributed by email. Once a user is infected, the files on the computer are encrypted automatically, and there is no way to decrypt them other than paying the ransom. In view of the serious consequences of this ransomware, Green League Technology has issued this urgent announcement to remind users to take precautions against infection.
Defense methods
1. For individual customers:
1) Upgrade anti-virus software to the latest virus database.
2) Regularly back up important files to a different location.
3) Do not casually open attachments in emails from unknown senders.
4) Enable the display of file extensions in Windows so that executable (.EXE, .COM, .SCR, .PIF) and script (.BAT, .CMD, .JS, .JSE, .VBS, .VBE, .WSF, .WSH, .PS1, .PSC1) files can be recognised.
5) Run the following commands in an elevated (administrator) cmd prompt so that files of these script types open in Notepad by default instead of being executed:
ftype JSFile=C:\Windows\System32\Notepad.exe %1
ftype JSEFile=C:\Windows\System32\Notepad.exe %1
ftype VBSFile=C:\Windows\System32\Notepad.exe %1
ftype VBEFile=C:\Windows\System32\Notepad.exe %1
ftype WSFFile=C:\Windows\System32\Notepad.exe %1
ftype WSHFile=C:\Windows\System32\Notepad.exe %1
2. For enterprise customers
1) Upgrade the enterprise anti-virus product to the latest virus database.
2) Perform regular remote backups of file data.
3) Remind employees not to open emails of unknown origin.
4) Deploy the SAS Advanced Threat Analysis System (TAC).
5) Upgrade the email filtering system.
6) Run the following commands in an elevated (administrator) cmd prompt so that files of these script types open in Notepad by default instead of being executed:
ftype JSFile=C:\Windows\System32\Notepad.exe %1
ftype JSEFile=C:\Windows\System32\Notepad.exe %1
ftype VBSFile=C:\Windows\System32\Notepad.exe %1
ftype VBEFile=C:\Windows\System32\Notepad.exe %1
ftype WSFFile=C:\Windows\System32\Notepad.exe %1
ftype WSHFile=C:\Windows\System32\Notepad.exe %1
Virus analysis
The ransomware is delivered as an email attachment. The attachment is a zip archive containing the execution script, a file with the .js extension.
Figure: the .js file inside the attachment
Once the user runs the script, it downloads the ransomware, which then encrypts the local files.
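The delivery vector described above (a zip attachment carrying a .js script) is exactly what an email filtering system should stop before the user ever sees it. The following is an added example, not code from the original advisory or from Green League Technology: it inspects an archive's member names for the script and executable extensions listed in the defence steps, flags double-extension lures such as invoice.pdf.js, and holds unparseable archives for review. The sample archives are constructed in memory for illustration.

```python
import io
import zipfile

# Script and executable extensions named in the advisory's defence steps.
# A .js inside a zip is the Locky lure described in the text.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".psc1",
    ".bat", ".cmd", ".exe", ".com", ".scr", ".pif",
}


def risky_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is a script/executable type.

    Only the last extension counts, so 'invoice.pdf.js' is flagged: Windows
    runs it as a script even though the name suggests a PDF. Directory
    entries are skipped.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if member.endswith("/"):
                continue  # directory entry, nothing to execute
            name = member.rsplit("/", 1)[-1].lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(member)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway decision: hold the attachment if any member is a script type."""
    try:
        return bool(risky_members(zip_bytes))
    except zipfile.BadZipFile:
        return True  # corrupt or non-zip data: hold for manual review, do not deliver


def build_sample_zip(names: list[str]) -> bytes:
    """Construct an in-memory zip with the given member names (sample data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for n in names:
            archive.writestr(n, "sample content")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["invoice_2016.pdf.js", "readme.txt"])
    benign = build_sample_zip(["report.pdf", "photos/holiday.jpg"])
    print("lure flagged:", risky_members(lure))      # ['invoice_2016.pdf.js']
    print("benign flagged:", risky_members(benign))  # []
```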
Business logic of ransomware
Virus infection process:
1. The ransomware is usually hidden in an email attachment inside a compressed archive, and users are lured in various ways into opening and running it.
2. After the script runs, the real ransomware sample is downloaded from the network (here a PE file whose name is random and constantly changing).
3. After the sample runs, the public key downloaded from the network is written to the Registry.
4. The public key is used to encrypt key files; the desktop background is changed and a ransom message box pops up demanding payment for decryption.
5. Finally, the ransomware sample deletes itself to avoid detection and analysis.
Green Alliance detection report
Test results of the Green League TAC sandbox products
Detailed analysis and solutions:
In response to these ransomware attacks, on the evening of June 14, March 22, the official website of Green League Technology released IDS/IPS (567, 568, 569) and NF (600, 601) rule packages; please download them. The Green League Technology security team will release detailed analysis reports, product upgrades and solutions in the future; please keep an eye out for them.