Ransomware detection report analysis


The ransomware sample (Locky) was captured by the Green League technology security team. Analysis shows that the ransomware is spread by email. Once a user's computer is infected, its files are encrypted automatically, and apart from paying the ransom there is no known decryption method. In view of the serious consequences of this ransomware, aligreennet has issued this urgent announcement to remind users to take precautions against infection.

Defense methods

1. For individual customers:

1) Upgrade anti-virus software to the latest virus database.
2) Regularly back up important files to a different location.
3) Do not open attachments in emails of unknown origin.
4) Enable the display of file extensions in Windows so that executable (.EXE, .COM, .SCR, .PIF) and script (.BAT, .CMD, .JS, .JSE, .VBS, .VBE, .WSF, .WSH, .PS1, .PSC1) files can be recognised before they are opened.
5) Run the following commands in an elevated (administrator) command prompt so that files with these script extensions open in Notepad by default instead of being executed:

    ftype JSFile=C:\Windows\System32\Notepad.exe %1
    ftype JSEFile=C:\Windows\System32\Notepad.exe %1
    ftype VBSFile=C:\Windows\System32\Notepad.exe %1
    ftype VBEFile=C:\Windows\System32\Notepad.exe %1
    ftype WSFFile=C:\Windows\System32\Notepad.exe %1
    ftype WSHFile=C:\Windows\System32\Notepad.exe %1

2. For enterprise customers:

1) Upgrade the enterprise anti-virus product to the latest virus database.
2) Back up file data regularly to a remote location.
3) Remind employees not to open emails of unknown origin.
4) Deploy the SAS advanced Threat Analysis System (TAC).
5) Upgrade the email filtering system.
6) Run the following commands in an elevated (administrator) command prompt so that files with these script extensions open in Notepad by default instead of being executed:

    ftype JSFile=C:\Windows\System32\Notepad.exe %1
    ftype JSEFile=C:\Windows\System32\Notepad.exe %1
    ftype VBSFile=C:\Windows\System32\Notepad.exe %1
    ftype VBEFile=C:\Windows\System32\Notepad.exe %1
    ftype WSFFile=C:\Windows\System32\Notepad.exe %1
    ftype WSHFile=C:\Windows\System32\Notepad.exe %1

Virus analysis

The ransomware is delivered as an email attachment. The attachment is a zip package that contains the execution script, a file in .js format.

JS file

When the user clicks to run the script, it downloads the ransomware, which then encrypts the local files.
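The delivery pattern described above (a zip attachment wrapping a .js script) and the extension list from the defense steps can be turned into a mail-gateway attachment check. The following is an added example written for this page, not NSFOCUS/Green League code: it opens a zip attachment in memory, reports members whose extension is on the advisory's executable/script list (including double extensions such as `scan.pdf.js` and zips nested inside zips), and returns a block/allow verdict. The function names, the nesting limit and the sample attachments are constructed for the illustration.

```python
"""Attachment check for the zip-plus-script lure described in the advisory.

Added example (not NSFOCUS code). Assumptions: the attachment is available as
bytes, and the extension list is the one given in the advisory's defense steps.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions named in the advisory's "display extensions" step.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}
SCRIPT_EXTS = {".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
               ".wsf", ".wsh", ".ps1", ".psc1"}
RISKY_EXTS = EXECUTABLE_EXTS | SCRIPT_EXTS
MAX_DEPTH = 3  # assumption: how many nested zips to descend into


def risky_members(archive_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member paths inside a zip whose extension is on the block list.

    Nested zips are opened recursively up to MAX_DEPTH and reported as
    'outer.zip/inner.js'. Suffix matching uses the last suffix only, so a
    double extension such as 'invoice.pdf.js' is still caught as .js.
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return findings  # not a zip at all: nothing for this check to say
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = PurePosixPath(name).suffix.lower()
            if ext in RISKY_EXTS:
                findings.append(name)
            elif ext == ".zip" and depth < MAX_DEPTH:
                inner = zf.read(info)
                findings.extend(f"{name}/{m}"
                                for m in risky_members(inner, depth + 1))
    return findings


def classify_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return ('block', hits) or ('allow', []) for one attachment."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in RISKY_EXTS:          # a bare script/executable attachment
        return "block", [filename]
    if ext == ".zip":
        hits = risky_members(data)
        if hits:
            return "block", hits
    return "allow", []


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed fixture: build an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure mirroring the described attachment: zip -> .js script.
    lure = build_sample_zip({"invoice_0215.js": b"// constructed placeholder"})
    print(classify_attachment("invoice_0215.zip", lure))
    benign = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder"})
    print(classify_attachment("report.zip", benign))
```

The check is deliberately independent of the archive's declared MIME type or the member's claimed content: a renamed script still carries the extension Windows will use to choose a handler, which is exactly what the `ftype` step above is trying to neutralise on the endpoint.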

Business logic of ransomware


Virus Infection process:

1. The ransomware is usually hidden in an email as an attachment inside a compressed package, and users are lured in various ways into opening and running it.
2. Once the script runs, the real ransomware sample is downloaded from the network (here the file is a PE file; its name is random and changes constantly).
3. After the sample runs, the public key content downloaded from the network is written to the registry.
4. The public key is used to encrypt key files; the desktop background is changed and a ransom message box pops up demanding payment for decryption.
5. Finally, the ransomware sample deletes itself to avoid detection and analysis.
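The five stages above are also a behavioural signature a sandbox or endpoint agent can look for. The following is an added example, not the vendor's TAC logic: it walks an ordered event stream, maps events to the stages of the chain (script host launching a script file, a PE download, a public-key blob written to the registry, a burst of file renames, self-deletion) and reports a verdict only when at least three stages appear in chain order. The `Event` record, its event kinds and the rename threshold are a constructed format assumed for this illustration, and the sample stream is constructed.

```python
"""Match an endpoint/sandbox event stream against the five-stage chain.

Added example, not NSFOCUS/TAC code. The Event record and the event kinds
("process", "download", "registry", "rename", "self_delete") are an assumed
format; RENAME_THRESHOLD is a chosen value, not one from the advisory.
"""
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
RENAME_THRESHOLD = 20  # assumption: this many renames by one process = mass encryption
STAGES = ("lure_script", "payload_download", "key_to_registry",
          "mass_encrypt", "self_delete")


@dataclass(frozen=True)
class Event:
    seq: int      # observation order
    kind: str     # one of the constructed kinds listed above
    detail: str   # command line, saved path, registry value, rename, ...


def stage_of(ev: Event, renames_so_far: int) -> Optional[str]:
    """Map one event to a chain stage, or None if it is unrelated."""
    d = ev.detail.lower()
    if ev.kind == "process" and d.startswith(SCRIPT_HOSTS) and d.endswith(SCRIPT_EXTS):
        return "lure_script"            # stage 1: script host runs the lure
    if ev.kind == "download" and d.endswith(".exe"):
        return "payload_download"       # stage 2: PE payload fetched
    if ev.kind == "registry" and "public key" in d:
        return "key_to_registry"        # stage 3: key blob stored (constructed marker)
    if ev.kind == "rename" and renames_so_far + 1 >= RENAME_THRESHOLD:
        return "mass_encrypt"           # stage 4: rename burst crosses threshold
    if ev.kind == "self_delete":
        return "self_delete"            # stage 5: sample removes itself
    return None


def assess(events: list[Event]) -> tuple[str, dict[str, int]]:
    """Return (verdict, {stage: seq of first sighting}).

    Verdict is 'ransomware-chain' when at least three stages were seen and
    their first sightings occur in chain order; otherwise 'no-chain'.
    """
    seen: dict[str, int] = {}
    renames = 0
    for ev in sorted(events, key=lambda e: e.seq):
        stage = stage_of(ev, renames)
        if ev.kind == "rename":
            renames += 1
        if stage and stage not in seen:
            seen[stage] = ev.seq
    ordered = [s for s in STAGES if s in seen]
    in_order = all(seen[a] < seen[b] for a, b in zip(ordered, ordered[1:]))
    verdict = "ransomware-chain" if len(ordered) >= 3 and in_order else "no-chain"
    return verdict, seen


def sample_events() -> list[Event]:
    """Constructed event stream mirroring the chain described in the advisory."""
    evs = [
        Event(1, "process", r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice_0215.js"),
        Event(2, "download", r"C:\Users\u\AppData\Local\Temp\kdh3f9s.exe"),
        Event(3, "registry", r"HKCU\Software\<placeholder>\pubkey = -----BEGIN PUBLIC KEY-----..."),
    ]
    evs += [Event(4 + i, "rename", f"report{i}.docx -> report{i}.encrypted")
            for i in range(25)]
    evs.append(Event(100, "self_delete", r"C:\Users\u\AppData\Local\Temp\kdh3f9s.exe"))
    return evs


if __name__ == "__main__":
    print(assess(sample_events()))
```

Requiring chain order rather than a bag of indicators is what keeps a backup job (many renames) or an installer (a PE download followed by a registry write) from tripping the rule on their own.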

Green Alliance detection report

Test results of the Green League TAC sandbox product

Detailed analysis and solutions:

For this ransomware attack, on the evening of June 14, March 22, the official website of lumeng technology released IDS/IPS (567, 568, 569) and NF (600, 601) rule packages; please download them yourselves. The Green Alliance technology security team will publish detailed analysis reports, product upgrades and solutions in the future; please watch for them.

