Blackmail virus of industrial control security
2022-06-28 10:41:00 【cnsinda_ sdc】
Ransomware is not a single virus but a general term for a class of malware. It spreads mainly through email, programs, Trojans and drive-by downloads (web pages planted with malicious code), uses various encryption algorithms to encrypt files, and the infected party usually cannot decrypt them: recovery requires obtaining the private key.
The earliest known ransomware appeared in 1989 and was called the "AIDS Information Trojan" (Trojan/DOS.AidsInfo, also known as the "PC Cyborg Trojan"), written by Joseph Popp. Early ransomware spread mainly through phishing email, drive-by downloads and social networks, with the ransom paid by bank transfer; its reach and ability to sustain attacks were limited, and it was relatively easy to trace. Redplus (Trojan/Win32.Pluder), from 2006, was the first ransomware in China. Modern ransomware took shape from the second half of 2013: it uses AES and RSA to encrypt specific file types, which makes decryption practically impossible, and it demands payment in virtual currency so that the transaction cannot be traced. Typical ransomware of this period includes CryptoLocker and CTBLocker. From 2016 the WannaCry ransomware worm broke out, and its purpose was not to extort money but to cause massive destruction affecting the whole world.
Dramatically, at this stage ransomware has become industrialized and operates continuously as families.
Since 2018, ransomware technology has matured further. Targets have shifted from wide-net, indiscriminate attacks to precision attacks on high-value targets, for example direct attacks on the medical industry and on enterprise and government servers; traditional enterprises, manufacturing included, face an increasingly severe security situation.
How ransomware works
Once the ransomware file lands on the victim's machine it runs automatically and deletes its own dropper to evade detection, analysis and tracing (it mutates quickly, so conventional anti-virus software does not catch it). It then uses its permissions to connect to the attacker's server, uploads local information and downloads the encryption key pair (private and public keys), which it uses to encrypt files: first the important files on the computer are encrypted with AES-128, producing a key; then that key is encrypted asymmetrically with RSA-2048. Apart from the malware author, it is almost impossible for anyone else to decrypt. Brute-forcing with current computing power would take decades, and even then would only recover one file. (In theory one could also try to break the RSA-2048 key itself, but the earth may not last long enough for that.) Once encryption is complete, it locks the screen, changes the wallpaper and drops ransom notes in conspicuous places such as the desktop, guiding the victim to pay.
It is worth mentioning that some ransoms are demanded in Bitcoin; if you don't know how to trade it, the extortionist may mock you a second time: look it up online yourself! ( Ĭ ^ Ĭ )
The following are the main behaviors of a ransomware sample vector, as found by APT sandbox analysis:
1. Calls the encryption algorithm library;
2. Makes HTTP requests through script files;
3. Downloads files through script files;
4. Reads files from a remote server;
5. Executes files through wscript;
6. Collects computer information;
7. Traverses files.
The main feature of this sample is that it decrypts the callback server address with its own decryption routine, fetches encrypted data with an HTTP GET request, saves the encrypted data in the TEMP directory, decrypts it with the same routine and saves it as a DLL, then runs the DLL (the ransomware body). The DLL is the key component that performs data encryption: it generates the key by calling system files and then encrypts files of the specified types, so file encryption does not depend on downloading a key online. Sandbox analysis also found a large number of anti-debugging behaviors in the sample, aimed at the debugger, which increase the difficulty of debugging and analysis.
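The seven behaviors above only become a signal when they appear together and in the staged order the sample follows (script fetches data, drops it into TEMP, a DLL is loaded from TEMP, then a crypto library, host information and document enumeration). The following is an added example, not code from the original post or from any sandbox product, that scores a sandbox behavior trace against those indicators; the one-line-per-event log format, the rule patterns, the weights and the threshold are all assumptions made for this demonstration, and the two traces are constructed.

```python
"""Score a sandbox behavior log against the ransomware loader indicators listed above.

Added example, not code from the original post or from any sandbox product.
The one-line-per-event log format, the rule patterns and the weights are
assumptions made for this demonstration.
"""
import re
from collections import Counter

# One rule per listed behavior: (indicator name, pattern over one event line, weight).
# Weights are assumed; staged behaviors (a script fetching and dropping a DLL into
# TEMP, then loading it) weigh more than generic ones (reading host info).
RULES = [
    ("crypto_library_loaded", re.compile(r"LoadLibrary\s+.*(bcrypt|crypt32|advapi32)\.dll", re.I), 2),
    ("script_http_request",   re.compile(r"proc=(wscript|cscript|powershell)\.exe .*HTTP GET", re.I), 3),
    ("script_file_download",  re.compile(r"proc=(wscript|cscript|powershell)\.exe .*WriteFile .*\\Temp\\", re.I), 3),
    ("wscript_exec",          re.compile(r"CreateProcess .*wscript\.exe", re.I), 2),
    ("host_info_collection",  re.compile(r"RegQueryValue .*(ComputerName|ProductName|MachineGuid)", re.I), 1),
    ("file_traversal",        re.compile(r"FindFirstFile .*\\\*\.(docx|xlsx|pdf|jpg)", re.I), 2),
    ("dll_loaded_from_temp",  re.compile(r"LoadLibrary\s+.*\\Temp\\.*\.dll", re.I), 3),
]

# Constructed sandbox trace shaped like the sample described in the post.
SAMPLE_LOG = r"""
t=0.01 pid=1100 proc=explorer.exe CreateProcess C:\Windows\System32\wscript.exe invoice.js
t=0.05 pid=1204 proc=wscript.exe HTTP GET http://cdn.example.invalid/u/blob.bin
t=0.06 pid=1204 proc=wscript.exe WriteFile C:\Users\alice\AppData\Local\Temp\blob.bin 184320 bytes
t=0.10 pid=1204 proc=wscript.exe WriteFile C:\Users\alice\AppData\Local\Temp\core.dll 180224 bytes
t=0.12 pid=1300 proc=rundll32.exe LoadLibrary C:\Users\alice\AppData\Local\Temp\core.dll
t=0.13 pid=1300 proc=rundll32.exe LoadLibrary C:\Windows\System32\bcrypt.dll
t=0.14 pid=1300 proc=rundll32.exe RegQueryValue HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
t=0.20 pid=1300 proc=rundll32.exe FindFirstFile D:\share\*.docx
"""

# Constructed benign trace: an office program that also loads a crypto library
# and reads host information, which on its own must not trip the verdict.
BENIGN_LOG = r"""
t=0.01 pid=880 proc=explorer.exe CreateProcess C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE report.docx
t=0.03 pid=900 proc=winword.exe LoadLibrary C:\Windows\System32\crypt32.dll
t=0.05 pid=900 proc=winword.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""


def score_sample(log_text: str, rules=RULES):
    """Return (score, {indicator: number of matching events}) for one trace.

    Each indicator contributes its weight once, however many events matched,
    so a single noisy behavior cannot inflate the score by repetition.
    """
    hits = Counter()
    for line in log_text.splitlines():
        for name, pattern, _weight in rules:
            if pattern.search(line):
                hits[name] += 1
    score = sum(weight for name, _pattern, weight in rules if hits[name])
    return score, dict(hits)


def verdict(score: int, threshold: int = 8) -> str:
    """Assumed threshold: at least three of the staged behaviors must be present."""
    return "likely ransomware loader" if score >= threshold else "inconclusive"


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        score, hits = score_sample(log)
        print(f"{label}: score={score} verdict={verdict(score)} hits={hits}")
```

Scoring distinct indicators rather than raw event counts is the design point: the benign trace legitimately loads a crypto library and reads registry values, and it stays below the threshold because it never shows the script-to-TEMP-to-DLL chain.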
How to prevent ransomware?
Bronze rank
Don't open emails from strangers or unknown senders, to guard against ransomware delivered by email;
Download required software only from regular sources (official websites);
Upgrade antivirus software to the latest version, to block known virus samples;
Win7, Win 8.1 and Win 10 users should install Microsoft's official MS17-010 patch as soon as possible;
Back up important data and files on the computer regularly, so they can be recovered after an infection;
Hold regular security training; daily security management can follow the "three don'ts, three do's" idea (three don'ts: don't take the bait, don't open, don't click; three do's: do back up, do confirm, do update).
Diamond rank
1. Physically and network-isolate the infected machine;
2. For the other, non-infected computers on the intranet, check the system for security risks:
a) Whether the system and software have vulnerabilities
b) Whether file sharing or risky services and ports are enabled, such as 135, 137, 139, 445 and 3389
c) Allow only office computers to access a dedicated file server, and use FTP instead of folder sharing
d) Check whether IPC$ null sessions and default shares are enabled on the machine
e) Check whether a uniform login password or weak passwords are in use
3. Try not to click the Office macro run prompt, to avoid infection through Office components;
4. Try not to double-click to open files with suffixes such as .js and .vbs;
5. After the fact
Without direct support from security professionals, the following measures can be considered:
Search the Tencent PC Manager ransomware search engine for information about the virus. Search engine address: Ransomware interception | File recovery _ Document Guardian protects documents - Tencent PC Manager
If decryption is supported, you can click directly to download the tool and decrypt the files.
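Items 2b and 2e of the checklist above are the ones most often done by eye and missed. The following is an added example, not code from the original post or from any vendor tool, that turns them into a repeatable audit: it parses `netstat -an`-style output for the risky ports named in the post bound on a non-loopback address, and it checks a list of host passwords for weak values and for the "same password on every machine" pattern. The netstat text and the account list are constructed, and the password-policy thresholds are assumptions.

```python
"""Audit two of the intranet checks above: risky listening ports and password hygiene.

Added example, not from the original post or any vendor tool. The netstat
sample and the account list are constructed; the password policy thresholds
are assumptions.
"""
import re
from collections import defaultdict

# Ports named in the post as risky when exposed: RPC, NetBIOS name/session, SMB, RDP.
RISKY_PORTS = {135, 137, 139, 445, 3389}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed output in the shape of Windows `netstat -an`.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def audit_exposure(netstat_text: str):
    """Return [(proto, port)] for risky ports bound on a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        host, _, port_text = local.rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        # A bound UDP socket receives datagrams; for TCP only LISTENING sockets count,
        # so an outbound ESTABLISHED connection to port 445 is not an exposure.
        listening = proto == "UDP" or (len(parts) >= 4 and parts[3] == "LISTENING")
        if listening and port in RISKY_PORTS and host not in LOOPBACK:
            findings.append((proto, port))
    return findings


# Tiny constructed list standing in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "p@ssw0rd"}


def is_weak(password: str) -> bool:
    """Assumed policy: 12+ characters, at least three character classes, not a common value."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) < 12 or classes < 3 or password.lower() in COMMON_PASSWORDS


# Constructed audit input: host -> local administrator password.
ACCOUNTS = {
    "ws-01": "P@ssw0rd",
    "ws-02": "P@ssw0rd",
    "ws-03": "Correct-Horse-Battery-7!",
    "fileserver": "123456",
}


def audit_passwords(accounts: dict):
    """Flag weak passwords and groups of hosts that share one password."""
    weak = sorted(host for host, pw in accounts.items() if is_weak(pw))
    by_password = defaultdict(list)
    for host, pw in accounts.items():
        by_password[pw].append(host)
    shared = sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)
    return {"weak": weak, "shared": shared}


if __name__ == "__main__":
    print("exposed risky ports:", audit_exposure(NETSTAT_SAMPLE))
    print("password findings:", audit_passwords(ACCOUNTS))
```

The shared-password check matters independently of strength: a uniform local administrator password is what lets one infected workstation reach every other machine over the ports the exposure check flags.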
King's rank
The sections above sum up people's conventional defensive thinking on preventing ransomware. There is nothing wrong with it, but it looks like "lying down and waiting to die", taking hits passively. That is natural, after all: seeing a move and then countering it is habitual thinking.
The right way to fight ransomware must be to respond to change with constancy.
Here is an example:
A farmer keeps a flock of sheep with glossy coats, plump and sturdy, very good looking, and the farmer is very pleased.
One day the farmer finds a few sheep missing, and also finds wolf tracks, and realizes that a wolf has stolen the sheep.
The farmer follows the wolf's trail, sets traps and keeps watch day and night, exhausted in body and mind, but still does not catch the wolf, and the number of sheep keeps falling.
Finally the farmer replaces the thatched sheepfold with one of granite. No more sheep go missing, and the farmer no longer has to hunt the wolf.
The concept of host hardening is just like this.
So for preventing ransomware, the idea of host hardening is a good strategy.
The core points of host hardening:
System hardening
Lock down the tuned system so that it becomes a trusted system.
In a trusted system, unauthorized programs and scripts cannot run, and data access is not affected.
Even if the system has vulnerabilities, even if administrator privileges are lost, this trusted system remains secure.
Program hardening
Executable programs are verified by trusted signatures, and scripts are verified by a real-time hash check at startup; if verification fails, startup is refused, and trusted programs cannot be impersonated.
File hardening
Protect files of the specified type from tampering .
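The program hardening and file hardening points above both come down to the same primitive: a known-good hash recorded at deployment time and checked again later. The following is an added example, not code from the original post or from the MCK product it recommends, that models both checks in user space: a script may start only if its current SHA-256 matches the approved one, and files of protected types are reported when they change or disappear relative to a baseline. The `HostGuard` class, the protected suffix list and the file names are assumptions for this demonstration; a real product enforces the same checks in the kernel.

```python
"""Program and file hardening as a hash allowlist plus a tamper baseline.

Added example, not code from the original post or from the MCK product it
recommends. The protected suffix list, the file names and the HostGuard
class are assumptions for this demonstration; real products enforce this in
the kernel, here it is a user-space model of the check.
"""
import hashlib
import tempfile
from pathlib import Path

PROTECTED_SUFFIXES = {".docx", ".xlsx", ".pdf", ".dwg"}  # assumed "specified types"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class HostGuard:
    def __init__(self):
        self.script_allowlist = {}   # path -> hash approved at deployment time
        self.file_baseline = {}      # path -> hash of a protected file at baseline time

    # Program hardening: a script may start only if its current hash equals the approved one.
    def approve_script(self, path: Path) -> None:
        self.script_allowlist[str(path)] = sha256_of(path)

    def may_run(self, path: Path) -> bool:
        approved = self.script_allowlist.get(str(path))
        return approved is not None and path.exists() and sha256_of(path) == approved

    # File hardening: record protected files, then report any that changed or vanished.
    def baseline_directory(self, root: Path) -> None:
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() in PROTECTED_SUFFIXES:
                self.file_baseline[str(p)] = sha256_of(p)

    def tampered_files(self):
        changed = []
        for path, expected in self.file_baseline.items():
            p = Path(path)
            if not p.exists() or sha256_of(p) != expected:
                changed.append(p.name)
        return sorted(changed)


def demo() -> dict:
    """Run the guard against a constructed directory and return what it decided."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        script = root / "nightly-backup.ps1"
        script.write_text("Copy-Item D:\\data E:\\backup -Recurse\n")
        doc = root / "contract.docx"
        doc.write_bytes(b"PK\x03\x04 constructed placeholder, not a real docx")
        root.joinpath("notes.txt").write_text("not a protected type\n")

        guard = HostGuard()
        guard.approve_script(script)
        guard.baseline_directory(root)
        result = {
            "approved_script_runs": guard.may_run(script),
            "unknown_script_runs": guard.may_run(root / "invoice.js"),
            "tampered_before": guard.tampered_files(),
        }
        # Simulate changes made outside change control: the approved script is
        # edited and the protected document is overwritten.
        script.write_text("Copy-Item D:\\data E:\\backup -Recurse\n# edited outside change control\n")
        doc.write_bytes(b"overwritten content")
        result["modified_script_runs"] = guard.may_run(script)
        result["tampered_after"] = guard.tampered_files()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `may_run` keys the allowlist on both path and hash: a script with an approved name but altered content is refused, which is the "trusted programs cannot be impersonated" property in the text.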
Disk encryption
Create a secure sandbox that is isolated from the outside and encrypt the data inside it, so that the data can only be decrypted and used under valid authorization management. Without authorization, even administrators cannot copy or use this data, and even cloning the system does not work.
Database hardening
Layer one: database files are forbidden from being accessed or tampered with by unfamiliar programs, ensuring security at the database file level.
Layer two: trusted filtering of database port access. Only business programs are allowed to connect to the database port; process identification is appended to the usual IP + port + account/password string.
Layer three: intelligent filtering of the SQL text on database connections, preventing critical data from being retrieved, preventing illegal access to data inside the database, and preventing dangerous operations on database tables.
Many problems are easily solved by changing the way of thinking. For preventing ransomware, the host hardening strategy is clearly better. As for choosing host hardening products, opinions differ. I personally recommend MCK host hardening. The company behind this product is a veteran in the field of data security, and their other product, the SDC sandbox, is very good in the field of source code security.
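Layers two and three of the database hardening described above can be modelled as a gate in front of the database. The following is an added example, not code from the original post or from any product: the connection is trusted only as the tuple (client IP, database port, account, process name), matching the text's "IP + port + account with process identification appended", and the SQL text is then classified so that schema-destroying statements, unbounded DELETE/UPDATE, stacked statements and bulk reads of critical tables are refused. The trusted tuple, the critical table names and the statement policy are assumptions; a real deployment enforces this in a proxy or driver hook.

```python
"""A model of database hardening layers two and three from the post.

Added example, not code from the original post or any product. The trusted
connection tuple, the critical table names and the statement policy are
assumptions; a real deployment enforces this in a proxy or driver hook in
front of the database.
"""
import re

# Layer two: a connection is trusted only as (client ip, db port, account, process name),
# i.e. the usual ip + port + credentials with the process identity appended.
TRUSTED_CONNECTIONS = {
    ("10.0.0.21", 3306, "erp_app", "erp-service.exe"),
}

# Layer three: tables whose bulk retrieval is not allowed (assumed), and verbs
# that change or destroy schema rather than data.
CRITICAL_TABLES = {"customers", "payroll"}
DANGEROUS_VERBS = {"DROP", "TRUNCATE", "ALTER", "GRANT", "SHUTDOWN"}


def connection_allowed(ip: str, port: int, account: str, process: str) -> bool:
    return (ip, port, account, process) in TRUSTED_CONNECTIONS


def classify_sql(sql: str) -> str:
    """Return 'allow' or 'block: <reason>' for one piece of SQL text."""
    text = sql.strip().rstrip(";").strip()
    head = re.match(r"(\w+)", text)
    if head is None:
        return "block: empty statement"
    verb = head.group(1).upper()
    has_where = re.search(r"\bWHERE\b", text, re.I) is not None

    if verb in DANGEROUS_VERBS:
        return f"block: dangerous statement {verb}"
    if ";" in text:
        # A second statement hidden behind the first one.
        return "block: stacked statements"
    if verb in {"DELETE", "UPDATE"} and not has_where:
        return f"block: unbounded {verb}"
    if verb == "SELECT":
        tables = {t.lower() for t in re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", text, re.I)}
        if tables & CRITICAL_TABLES and not has_where:
            return "block: bulk read of critical table"
    return "allow"


def gate(ip, port, account, process, sql) -> str:
    """Apply layer two (who is connecting) before layer three (what they send)."""
    if not connection_allowed(ip, port, account, process):
        return "block: untrusted connection"
    return classify_sql(sql)


# Constructed requests: the trusted ERP service sending normal and abnormal SQL,
# and an interactive shell presenting the same credentials from the same host.
TRUSTED = ("10.0.0.21", 3306, "erp_app", "erp-service.exe")
REQUESTS = [
    TRUSTED + ("SELECT id, name FROM customers WHERE id = 42",),
    TRUSTED + ("SELECT * FROM customers",),
    TRUSTED + ("UPDATE orders SET status = 'shipped' WHERE id = 7",),
    TRUSTED + ("DELETE FROM orders",),
    TRUSTED + ("DROP TABLE payroll",),
    TRUSTED + ("SELECT 1; DROP TABLE payroll",),
    ("10.0.0.21", 3306, "erp_app", "powershell.exe", "SELECT id FROM orders WHERE id = 1"),
]


def run_all(requests=REQUESTS):
    return [gate(*request) for request in requests]


if __name__ == "__main__":
    for request, decision in zip(REQUESTS, run_all()):
        print(f"{request[3]:>16} | {request[4]:<45} -> {decision}")
```

The last request is the point of layer two: the same IP, port and credentials are refused because the process identity does not match, which is exactly the case of a stolen account used from a tool the business application never runs.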