
This afternoon the Hongmeng Data Security Center received a request for help from a client, Mr. Wang. A ransomware strain using the .uggogh suffix had broken into his company's file server and encrypted every file on it, uniformly renaming the files with the .uggogh extension.
The note left by the attacker reads as follows:
---= GANDCRAB V5.0.4 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .UGGOGH
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a323ac3624b51ba1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[victim-specific key data omitted]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[PC data omitted]
---END PC DATA---

Judging from the note the attacker left behind, this sample belongs to the GandCrab family, variant V5.0.4, the newest release at the time of writing. This family usually gets in through RDP exposed on port 3389, typically by guessing weak passwords, or spreads through email attachments and similar lures.
GandCrab is file-encrypting ransomware that has spread rapidly around the world since January 2018. It has gone through many variants, recognisable by the extensions .GDCB, .KRAB and .CRAB and by the version numbers GandCrab 2, GandCrab 3, GandCrab 4, GandCrab v4.1, GandCrab v4.1.2 and GandCrab v5; .uggogh is one of the v5 extensions. Version 5 itself has been split into several releases: GandCrab 5.0.1, 5.0.2, 5.0.3, 5.0.4 and 5.0.5. From version 4 onward the family encrypts file contents with Salsa20 and wraps the per-victim keys with RSA-2048 (earlier releases used AES for the file contents), which is why the note insists that only the attacker's private key can recover the data. Encrypted files are renamed with .gdcb, .crab, .KRAB or .lock, or, in version 5, with a random extension of 5 to 10 letters.
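The first thing a responder records from a note like the one above is the version, the victim extension, the Tor payment URL with its per-victim identifier, and whether the two opaque blocks the attacker asks the victim to preserve are present. The parser below is an added example written for this page, not code from the original post or from any vendor tool. SAMPLE_NOTE is constructed from the note reproduced in the case; the key and PC-data blocks are placeholders standing in for the real blobs.

```python
"""Parse a GandCrab v5 ransom note into the facts a responder records first.

Added example, not from the original post. SAMPLE_NOTE is constructed from the
note shown in the case; the key and PC-data blocks are placeholders."""
import re

SAMPLE_NOTE = """---= GANDCRAB V5.0.4 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .UGGOGH
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a323ac3624b51ba1
---BEGIN GANDCRAB KEY---
PLACEHOLDER_KEY_BLOB_LINE_1
PLACEHOLDER_KEY_BLOB_LINE_2
---END GANDCRAB KEY---
---BEGIN PC DATA---
PLACEHOLDER_PC_DATA
---END PC DATA---
"""

# The version banner is the only mandatory marker; everything else is optional.
VERSION_RE = re.compile(r"^---= GANDCRAB V(?P<version>\d+(?:\.\d+)*) =---", re.M)
EXT_RE = re.compile(r"have the extension:\s*\.(?P<ext>[A-Za-z0-9]+)")
# v2 onion services are 16 base32 characters; the path is the per-victim id.
ONION_RE = re.compile(r"https?://(?P<host>[a-z2-7]{16}\.onion)/(?P<victim>[0-9a-f]+)")
BLOCK_RE = r"---BEGIN {name}---\s*(?P<blob>.*?)\s*---END {name}---"


def _block(text, name):
    """Return the text between the BEGIN/END markers for `name`, or None."""
    m = re.search(BLOCK_RE.format(name=name), text, re.S)
    return m.group("blob") if m else None


def parse_gandcrab_note(text):
    """Return a dict of triage facts, or raise ValueError if `text` is not a
    GandCrab note."""
    v = VERSION_RE.search(text)
    if not v:
        raise ValueError("no GANDCRAB version banner")
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    key = _block(text, "GANDCRAB KEY")
    pc = _block(text, "PC DATA")
    return {
        "version": v.group("version"),
        # The note prints the extension upper-case; files on disk carry it lower-case.
        "extension": ext.group("ext").lower() if ext else None,
        "onion_host": onion.group("host") if onion else None,
        "victim_id": onion.group("victim") if onion else None,
        "has_key_block": key is not None,
        "key_block_lines": key.count("\n") + 1 if key else 0,
        "has_pc_data": pc is not None,
    }


def is_victim_file(name, extension):
    """True when `name` carries the victim extension reported in the note."""
    return name.lower().endswith("." + extension.lower())


if __name__ == "__main__":
    info = parse_gandcrab_note(SAMPLE_NOTE)
    for k, val in info.items():
        print(f"{k:16} {val}")
    print(is_victim_file("budget.xlsx.uggogh", info["extension"]))
```

Keep at least one copy of the note file itself alongside these parsed facts: the GANDCRAB KEY block is victim-specific material that any decryption attempt, including a free decryptor, will need, which is the one thing the attacker's note is right about.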
After taking the case, Hongmeng's data security engineers analysed the characteristics of the client's encrypted files. Drawing on exchanges with industry specialists and a specialised decryption procedure, they are now able to decrypt these files successfully. Before paying anyone for decryption, it is also worth checking nomoreransom.org: Bitdefender, working with Europol and law-enforcement partners, has published free GandCrab decryptors covering several versions of the family.
To defend against ransomware, we recommend that clients:
1. Install genuine, up-to-date antivirus software and deploy a hardware firewall;
2. After an infection, disconnect the affected machine from the network immediately and investigate before doing anything else; we do not recommend paying the ransom to unlock files.
3. Do not click unfamiliar links or open unexpected attachments that others send you.
4. Do not expose SMB (port 445) or RDP (port 3389) on servers to the internet; close the ports where they are not needed, and put any remote desktop access you must keep behind a VPN with strong passwords and account lockout.
5. Keep security patches on every computer current.
6. Turn off file sharing that is not needed.
7. Back up important company files regularly, preferably with versioning or snapshots that cannot be overwritten from the file server itself, so that after an infection the data can be rolled back to a state from before the files were encrypted.
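Items 2 and 7 above are the ones a responder acts on first: take the server offline, work out how far the encryption got, and pick the backup to roll back to. The script below is an added example written for this page, not code from the original post or from any vendor tool. It assumes the ransom note is dropped as <EXT>-DECRYPT.txt next to the data (an assumed file name for this example), uses a Shannon-entropy threshold of 7.0 bits per byte as a chosen heuristic, and builds a small constructed directory tree to run against.

```python
"""Offline triage of a file server after a GandCrab-style infection: count the
files carrying the victim extension, check that they are actually high-entropy
(encrypted, not merely renamed), find the ransom notes, and pick the newest
backup snapshot taken before the first file was encrypted.

Added example, not from the original post. Assumes notes are named
<EXT>-DECRYPT.txt (assumption) and builds a constructed sample tree."""
import math
import os
import tempfile
import time
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; uniform ciphertext is close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is examined


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when the head of the file is as random as ciphertext."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def triage_tree(root, ext):
    """Walk `root` and summarise the infection scope for extension `ext`."""
    ext = ext.lower().lstrip(".")
    summary = {"encrypted": 0, "renamed_only": 0, "notes": 0,
               "untouched": 0, "first_encryption": None, "dirs": Counter()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith("-decrypt.txt"):      # assumed note name
                summary["notes"] += 1
            elif name.lower().endswith("." + ext):
                if looks_encrypted(path):
                    summary["encrypted"] += 1
                    summary["dirs"][os.path.relpath(dirpath, root)] += 1
                    mtime = os.path.getmtime(path)
                    first = summary["first_encryption"]
                    if first is None or mtime < first:
                        summary["first_encryption"] = mtime
                else:
                    summary["renamed_only"] += 1
            else:
                summary["untouched"] += 1
    return summary


def choose_rollback_snapshot(snapshots, first_encryption):
    """Newest snapshot strictly older than the first encrypted file, or None.

    `snapshots` maps snapshot name -> POSIX timestamp when it was taken."""
    candidates = {n: t for n, t in snapshots.items() if t < first_encryption}
    return max(candidates, key=candidates.get) if candidates else None


def build_sample_tree():
    """Constructed sample data: three ciphertext-like files, one renamed
    plaintext, one untouched document and one ransom note, with mtimes
    one minute apart starting an hour ago."""
    root = tempfile.mkdtemp(prefix="gandcrab_triage_")
    os.makedirs(os.path.join(root, "finance"))
    base = time.time() - 3600
    layout = {
        "finance/budget.xlsx.uggogh": os.urandom(8192),
        "finance/contracts.docx.uggogh": os.urandom(8192),
        "report.pdf.uggogh": os.urandom(8192),
        "notes.txt.uggogh": b"plain text that was only renamed\n" * 100,
        "readme.txt": b"still fine\n" * 50,
        "UGGOGH-DECRYPT.txt": b"---= GANDCRAB V5.0.4 =---\n",
    }
    for i, (rel, data) in enumerate(layout.items()):
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (base + i * 60, base + i * 60))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    s = triage_tree(root, ".uggogh")
    print(f"encrypted={s['encrypted']} renamed_only={s['renamed_only']} "
          f"notes={s['notes']} untouched={s['untouched']} dirs={dict(s['dirs'])}")
    first = s["first_encryption"]
    snaps = {"nightly-2d": first - 172800, "nightly-1d": first - 86400,
             "hourly-after": first + 30}
    print("restore from:", choose_rollback_snapshot(snaps, first))
```

The entropy check only separates files that were renamed but not actually encrypted from real ciphertext; compressed originals such as .docx, .pdf or .jpg also look random, so the victim extension and the presence of notes remain the primary indicators. Run the triage with the server still disconnected, and take the snapshot decision from the earliest encrypted mtime, since the mtimes the ransomware leaves on the files it touches are the best available estimate of when encryption began.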
Hongmeng also offers a professional solution for ransomware defence; anyone interested is welcome to get in touch.
