June 2019 ransomware roundup, analysis and data recovery

I. Ransomware overview and analysis

The spread of ransomware has brought a serious security threat to businesses and individuals alike; it has become the most common and easiest money-making method for cybercriminals. Analysis of the May data shows a slight rise in the number of ransomware victims; the GlobeImposter family accounted for the most victims, and the new GetCrypt ransomware also attracted attention.

Looking at the broader picture, the trend is that there are more infections on working days and relatively fewer on holidays; in practice, users discover that a machine has been infected on working days sooner, often immediately.

Analysis of ransomware family shares in May found that the GlobeImposter family ranked first this month at 31.4%, followed by the GandCrab family at 20.66% and the Crysis ransomware family at 12.4%.

By share of infected systems, the top three this month are still Windows 7, Windows 10 and Windows Server 2008. Windows 7 accounted for 47.89% of all systems, ranking first, a slight increase from last month's 41.73%.

The geographical distribution for May 2019 was drawn from a sample of the IP addresses of attacked systems. Compared with the data collected in the previous months, the regional rankings and shares changed little; regions with a developed information industry remain the main targets of attack.

Analysis of the April and May data on weak-password attacks (against Remote Desktop/RDP, database ports, etc.) shows that the volume of weak-password attacks dropped significantly this month. The drop comes mainly from fewer brute-force attempts against MySQL databases with weak passwords: the peak fell from more than 7,000,000 to around 4,000,000, returning to a relatively "normal" attack peak.

II. Ransomware types with the greatest recent impact
1. GlobeImposter 3.0
Characteristic suffixes:
.China4444 .Help4444 .Rat4444 .Ox4444 .Tiger4444 .Rabbit4444 .Dragon4444 .Snake4444 .Horse4444 .Goat4444 .Monkey4444 .Rooster4444 .Dog4444 .all4444 .Pig4444 .Alco4444 .Rat4444 .Skunk4444, etc.
2. X3m ransomware family
Characteristic suffixes:
.firex3m .x3m
3. GlobeImposter 5.0
Characteristic suffixes:
.{[email protected]}KBK
.{[email protected]}VC, etc.
4. Attention ransomware family
Characteristic suffixes:
.OOOKJYHCTVDF, .GGGHJMNGFD, .YYYYBJQOQDU, etc.
5. Sodinokibi ransomware
Ransom notes: xxx-readme.txt, xxx-HOW-TO-DECRYPT.txt
Ransom site: decryptor.top
6. Ransomware using the .actin and .acute suffixes
Characteristic suffixes:
.[[email protected]].actin
.[[email protected]].actin
.[[email protected]].acute, etc.

III. Collected ransom email addresses
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected]

IV. Data recovery options
Only two data recovery options are currently supported: database recovery and full-disk decryption.
1. Database recovery
This option is limited to recovering database files, and some data may be lost.
Database files have a distinctive internal structure that contains a large amount of checksum and redundancy (error-correction) data, so valid business data usually makes up only a small share of the file. When ransomware encrypts a database file, it considers the file size and the time encryption takes and typically encrypts the file intermittently in "spots" rather than in full. Recovery therefore extracts the business data that was not damaged and uses the checksum and redundancy data to rebuild the business data that was.
2. Full-disk decryption
This option can decrypt and recover 100% of files of every type on the machine.
Ransomware encrypts with a public-key algorithm combined with a symmetric-key algorithm, which in theory cannot be broken. However, the ransomware program may contain programming or design flaws, or its key server may leak keys, and then many encrypted files can be decrypted with the recovered key. Once a family's keys have been broken, if the person who broke them publishes them, victims can decrypt for free; if that person sells them, the key has to be bought, though usually for far less than the ransom; and if nobody can obtain the key, the only remaining option is to take a large risk and pay the high ransom for it.
This option carries a further risk: even with the key, decryption is not guaranteed. The ransomware is itself a program and can hit execution errors; if an error occurred while it was encrypting a particular file, that file cannot be decrypted even with the correct key, so there is a decryption failure rate.
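The "spot" encryption described above can be mapped before any recovery attempt: a page-by-page entropy scan shows which pages still hold readable data and which were overwritten with ciphertext. The script below is an added example, not code from the original post or from any recovery vendor. It assumes a 4 KiB page size and an entropy cut-off of 7.0 bits per byte, and it builds its own constructed sample file (repetitive records with four pages replaced by pseudo-random bytes) to mimic the damage pattern the text describes.

```python
"""Page-level damage map for a partially ("spot") encrypted file.

Added example, not code from the original post or from any recovery
vendor. Assumptions: a 4 KiB page size and an entropy cut-off of 7.0 bits
per byte. Structured records, checksums and padding sit well below that;
ciphertext and random bytes sit close to 8.
"""
import math
import random
from collections import Counter
from typing import Dict, List

PAGE_SIZE = 4096          # assumed page size of the file format
ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def page_damage_map(blob: bytes, page_size: int = PAGE_SIZE,
                    threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    """Classify every page of blob as 'intact' or 'damaged' by its entropy."""
    pages = []
    for index, offset in enumerate(range(0, len(blob), page_size)):
        chunk = blob[offset:offset + page_size]
        h = shannon_entropy(chunk)
        pages.append({
            "page": index,
            "offset": offset,
            "entropy": round(h, 2),
            "status": "damaged" if h > threshold else "intact",
        })
    return pages


def summary(pages: List[Dict]) -> Dict:
    """Counts plus the share of pages a recovery can read directly."""
    damaged = [p["page"] for p in pages if p["status"] == "damaged"]
    total = len(pages)
    return {
        "total_pages": total,
        "damaged_pages": damaged,
        "intact_pages": total - len(damaged),
        "recoverable_fraction": (total - len(damaged)) / total if total else 0.0,
    }


def make_sample(pages: int = 16, damaged=(0, 5, 10, 15), seed: int = 1) -> bytes:
    """Constructed sample: pages of repetitive records, a few of them
    overwritten with pseudo-random bytes to mimic intermittent damage."""
    rng = random.Random(seed)
    out = bytearray()
    for p in range(pages):
        if p in damaged:
            out += bytes(rng.getrandbits(8) for _ in range(PAGE_SIZE))
        else:
            record = f"id={p:06d};customer=ACME;balance=1000.00;crc=DEADBEEF\n".encode()
            out += (record * (PAGE_SIZE // len(record) + 1))[:PAGE_SIZE]
    return bytes(out)


if __name__ == "__main__":
    report = page_damage_map(make_sample())
    for page in report:
        print(f"page {page['page']:3d} @ {page['offset']:7d}  "
              f"entropy {page['entropy']:.2f}  {page['status']}")
    print(summary(report))
```

The map only says where to look: a real recovery then parses the intact pages with the engine's own page format and falls back to the checksum and redundancy data for the damaged ones. The cut-off should be tuned per format, because compressed or column-encrypted data is high-entropy even when it is intact.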

V. Server and personal security and defence recommendations
Attacks on servers remain the main direction of ransomware. Companies need to strengthen their information security management, especially around weak passwords, vulnerabilities, file sharing and remote desktop management, to cope with the ransomware threat. Our suggestions for administrators:
1. Do not use the same account and password on more than one machine.
2. Give login passwords sufficient length and complexity, and change them regularly.
3. Apply access control to shared folders holding important data, and back them up regularly.
4. Periodically test systems and software for security vulnerabilities and patch them in time.
5. Periodically check the server for anomalies, including:
  a) whether new accounts have appeared;
  b) whether the Guest account is enabled;
  c) whether the Windows system logs show anything abnormal;
  d) whether the anti-virus software has blocked anything unusual.
For the ransomware that reappeared this month and attacks PCs, our suggestions for users are:
1. Install security software and make sure it runs properly.
2. Install software downloaded from official channels only.
3. If unfamiliar software has already been blocked or removed by the anti-virus software, do not add it to the trust list and keep running it.
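The periodic server check in item 5 can be partly automated. The script below is an added example, not code from the original post; it runs detection logic over a handful of constructed Windows Security event records (IDs 4720 account created, 4722 account enabled, 4625 failed logon, 4624 successful logon; LogonType 10 is RemoteInteractive, i.e. RDP) and flags the three checklist items: new accounts, the Guest account being enabled, and log anomalies such as a burst of failed RDP logons followed by a success from the same address. The failure threshold and time window are assumptions; on a real host the records would come from an export of the Security log rather than the inline list.

```python
"""Triage of Windows Security events against the server checklist above.

Added example, not code from the original post. The events are constructed
inline as dicts that mirror the fields of real Security log records.
FAILED_LOGON_THRESHOLD and WINDOW are assumptions to be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILED_LOGON_THRESHOLD = 5       # assumed: this many RDP failures from one IP ...
WINDOW = timedelta(minutes=10)   # assumed: ... inside this sliding window is a burst
RDP_LOGON_TYPE = 10              # RemoteInteractive


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


def _ev(time: str, eid: int, user: str, ip: str = "-", logon_type=None) -> Dict:
    return {"time": time, "id": eid, "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    _ev("2019-06-03T02:10:01", 4625, "administrator", "198.51.100.23", 10),
    _ev("2019-06-03T02:10:09", 4625, "administrator", "198.51.100.23", 10),
    _ev("2019-06-03T02:10:17", 4625, "admin", "198.51.100.23", 10),
    _ev("2019-06-03T02:10:25", 4625, "admin", "198.51.100.23", 10),
    _ev("2019-06-03T02:10:33", 4625, "administrator", "198.51.100.23", 10),
    _ev("2019-06-03T02:10:41", 4625, "administrator", "198.51.100.23", 10),
    _ev("2019-06-03T02:12:40", 4624, "administrator", "198.51.100.23", 10),
    _ev("2019-06-03T02:13:05", 4720, "svc_backup"),        # account created
    _ev("2019-06-03T02:13:30", 4722, "Guest"),             # account enabled
    _ev("2019-06-03T09:00:00", 4625, "jdoe", "10.0.0.15", 2),   # console typo, benign
    _ev("2019-06-03T09:00:20", 4624, "jdoe", "10.0.0.15", 2),
]


def new_accounts(events: List[Dict]) -> List[str]:
    """Checklist a): accounts created (event 4720)."""
    return [e["user"] for e in events if e["id"] == 4720]


def guest_enabled(events: List[Dict]) -> bool:
    """Checklist b): the Guest account was enabled (event 4722 on Guest)."""
    return any(e["id"] == 4722 and e["user"].lower() == "guest" for e in events)


def rdp_failure_bursts(events: List[Dict], threshold: int = FAILED_LOGON_THRESHOLD,
                       window: timedelta = WINDOW) -> Dict[str, Dict]:
    """Checklist c): IPs with >= threshold failed RDP logons inside one window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE:
            per_ip[e["ip"]].append(_t(e["time"]))
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = {"count": best, "last_failure": times[-1].isoformat()}
    return bursts


def success_after_burst(events: List[Dict], bursts: Dict[str, Dict]) -> List[Tuple[str, str, str]]:
    """Successful RDP logon from an IP that just produced a failure burst."""
    hits = []
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE and e["ip"] in bursts
                and _t(e["time"]) >= _t(bursts[e["ip"]]["last_failure"])):
            hits.append((e["ip"], e["user"], e["time"]))
    return hits


def triage(events: List[Dict]) -> Dict:
    """One report covering checklist items a) to c)."""
    bursts = rdp_failure_bursts(events)
    return {
        "new_accounts": new_accounts(events),
        "guest_enabled": guest_enabled(events),
        "rdp_bruteforce": {ip: b["count"] for ip, b in bursts.items()},
        "success_after_burst": success_after_burst(events, bursts),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_EVENTS))
```

The "success after burst" finding is the one worth paging someone for: a password guessed over RDP is the entry point behind most of the server infections this report counts, and it is what the weak-password and account-reuse advice above is meant to prevent. Item d) (anti-virus interception) is left to the product's own log, since its format is vendor-specific.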

Source: blog.51cto.com/14282593/2408642