Server antivirus
2022-06-29 01:31:00  CNSINDA_HK
Before discussing how to defend against ransomware, it helps to understand what it is.
What is ransomware?
Ransomware is not one virus but a general term for a class of malware. It spreads mainly through e-mail, bundled programs, trojans and drive-by downloads from compromised web pages. It encrypts the victim's files with strong encryption algorithms; the victim normally cannot decrypt them, and recovery is only possible with the private key held by the attacker.
The earliest known ransomware appeared in 1989: the "AIDS Information Trojan" (Trojan/DOS.AidsInfo, also known as the "PC Cyborg Trojan"), written by Joseph Popp. Early ransomware spread mainly through phishing e-mail, drive-by downloads and social networks, and collected the ransom by bank transfer, so its reach and staying power were limited and it was relatively easy to trace. Redplus (Trojan/Win32.Pluder), from 2006, was the first ransomware seen in China. Modern ransomware took shape in the second half of 2013: families began using AES and RSA to encrypt specific file types, which made recovery without the key practically impossible, and demanded payment in cryptocurrency so that the transaction could not easily be traced. Typical families of this period include CryptoLocker and CTB-Locker. The WannaCry ransomware worm outbreak of May 2017 then showed that the same technique could be used for large-scale, worldwide disruption rather than purely for profit.
Dramatically, ransomware has by now become an industrialized business run continuously by distinct families.

[Figure: ransomware industrialization framework]
Since 2018, ransomware techniques have matured and targeting has shifted from broad, indiscriminate campaigns to precision attacks on high-value targets: hospitals, enterprises and institutions, government servers, and traditional industries including manufacturing all face an increasingly severe security situation.

[Figure: ransomware activity since 2018]
[Figure: ransomware distribution by industry, Q1 2019]
[Figure: ranking of the most representative ransomware families of 2019]
How ransomware works
Once the ransomware file lands on the victim's machine it runs automatically and usually deletes its original dropper to hinder detection, analysis and tracing (rapid mutation makes it largely invisible to signature-based anti-virus). Many samples then use whatever permissions they have to contact the attacker's server, upload information about the host and fetch encryption parameters. The encryption itself is a two-layer scheme: each important file is encrypted with a symmetric algorithm such as AES-128 under a freshly generated key, and that file key is then encrypted with the attacker's RSA-2048 public key. The matching RSA private key never leaves the attacker, so nobody else can realistically decrypt the files. Brute-forcing a single AES-128 file key would take far longer than decades with today's computing power, and even success would recover only that one file; recovering the RSA-2048 private key by brute force is, for practical purposes, beyond any foreseeable computing power (the earth is unlikely to last that long). Once encryption completes, the malware locks the screen, changes the wallpaper and drops ransom notes in conspicuous places such as the desktop, directing the victim to pay.
It is worth mentioning that some ransoms are demanded in bitcoin; a victim who does not know how to buy it may be mocked a second time by the extortionist: "look it up online yourself!" ( Ĭ ^ Ĭ )
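The two-layer scheme described above, as an added example that is not code from the original article or from any ransomware family: the attacker's RSA-2048 key pair, a random AES-128 key per file, RSA-OAEP wrapping of that key, and the byte-entropy check a host agent can use to notice files being encrypted. Key sizes follow the text; the choice of AES-GCM and OAEP is mine, since the article names no modes. The sample document is constructed, and everything stays in memory, nothing is written to disk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math"
)

// EncryptedFile is what hybrid-encryption ransomware leaves behind for one file:
// the per-file AES key wrapped with the attacker's RSA public key, plus the
// AES-GCM nonce and ciphertext. None of it can be reversed without the RSA
// private key, which stays with the attacker.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-128-GCM(fileKey, plaintext)
}

// GenerateAttackerKeys stands in for the key pair the operator creates offline;
// only the public half is embedded in the sample.
func GenerateAttackerKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile performs the two layers: a fresh random AES-128 key per file, then
// that key wrapped with RSA-2048. No network round-trip is needed, which is why
// such samples can encrypt while offline.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (EncryptedFile, error) {
	fileKey := make([]byte, 16) // AES-128
	if _, err := rand.Read(fileKey); err != nil {
		return EncryptedFile{}, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return EncryptedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedFile{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is what the attacker's "decryptor" does after payment: unwrap the
// file key with the private key, then decrypt the file. Any other private key
// fails at the unwrap step.
func DecryptFile(priv *rsa.PrivateKey, ef EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// ShannonEntropy in bits per byte. Encrypted output sits close to 8.0; documents
// sit far lower, which is the heuristic host agents use to flag mass encryption.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	var h float64
	n := float64(len(data))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func main() {
	attacker, err := GenerateAttackerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; in an incident this is every file on the
	// sample's extension list.
	doc := bytes.Repeat([]byte("Quarterly figures, internal only.\n"), 64)
	ef, err := EncryptFile(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext entropy %.2f, ciphertext entropy %.2f\n",
		ShannonEntropy(doc), ShannonEntropy(ef.Ciphertext))
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptFile(other, ef); err != nil {
		fmt.Println("decrypt with a different private key:", err)
	}
	back, err := DecryptFile(attacker, ef)
	fmt.Println("decrypt with the attacker's key:", err == nil && bytes.Equal(back, doc))
}
```

The point of the example is the asymmetry: the sample only ever needs the public key, so capturing its traffic or its binary yields nothing that decrypts the files, while the entropy jump on written files is one of the few signals a host agent gets while encryption is still in progress.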

The following are the main behaviours of a ransomware sample observed in APT sandbox analysis:
1. calls an encryption algorithm library;
2. issues HTTP requests from a script file;
3. downloads files from a script file;
4. reads files from a remote server;
5. executes binaries through wscript;
6. collects computer information;
7. traverses files.
The distinctive feature of this sample is that it decodes its call-back server address with a built-in decryption routine, fetches encrypted data from it with an HTTP GET request, saves that data to the TEMP directory, decrypts it with the same routine into a DLL and then loads the DLL, which is the actual ransomware body. That DLL is the component responsible for data encryption: it generates its keys by calling system crypto functions and then encrypts files of the specified types, so encryption does not depend on downloading a key online. The sandbox analysis also found extensive anti-debugging behaviour in the sample, aimed at the debugger, which makes debugging and analysis considerably harder.
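Turning the seven behaviours and the loader chain into triage logic, as an added example that is not from the article or from the sandbox it refers to: each behaviour becomes a predicate over a normalised sandbox event, and the "write DLL to TEMP, then load it" sequence is tracked as a stateful eighth indicator. The event schema, the API names chosen for each behaviour and the sample trace are my assumptions; real sandbox reports (Cuckoo, CAPE, a vendor APT box) have their own formats and need a small adapter.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one normalised sandbox record: which process did what to which target.
// Field names are an assumption for this example, not any sandbox's real schema.
type Event struct {
	Proc   string // image name, lower case
	Op     string // "api", "net", "file_write", "file_read", "exec" or "load"
	Target string // API name, URL, path or child image, lower case
}

// Indicator pairs one of the seven listed behaviours with a single-event predicate.
type Indicator struct {
	Name  string
	Match func(e Event) bool
}

var cryptoAPIs = map[string]bool{"cryptacquirecontextw": true, "cryptgenkey": true,
	"cryptencrypt": true, "bcryptgeneratesymmetrickey": true, "bcryptencrypt": true}

func isScriptHost(p string) bool {
	return p == "wscript.exe" || p == "cscript.exe" || p == "powershell.exe"
}

var Indicators = []Indicator{
	{"calls crypto library", func(e Event) bool { return e.Op == "api" && cryptoAPIs[e.Target] }},
	{"script makes HTTP request", func(e Event) bool {
		return isScriptHost(e.Proc) && e.Op == "net" && strings.HasPrefix(e.Target, "http")
	}},
	{"script writes downloaded file", func(e Event) bool { return isScriptHost(e.Proc) && e.Op == "file_write" }},
	{"reads file from remote server", func(e Event) bool {
		return e.Op == "file_read" && strings.HasPrefix(e.Target, `\\`)
	}},
	{"wscript executes a binary", func(e Event) bool { return e.Proc == "wscript.exe" && e.Op == "exec" }},
	{"collects host information", func(e Event) bool {
		return e.Op == "api" && (e.Target == "getcomputernamew" || e.Target == "getvolumeinformationw")
	}},
	{"traverses files", func(e Event) bool { return e.Op == "api" && e.Target == "findnextfilew" }},
}

const stagedDLL = "loads DLL staged in TEMP"

// Triage applies every indicator to every event and, following the loader chain
// in the text, additionally flags a DLL that was first written under TEMP and then
// loaded. It returns the indicator names that fired and their count.
func Triage(events []Event) ([]string, int) {
	fired := map[string]bool{}
	droppedInTemp := map[string]bool{}
	for _, e := range events {
		for _, ind := range Indicators {
			if ind.Match(e) {
				fired[ind.Name] = true
			}
		}
		if e.Op == "file_write" && strings.Contains(e.Target, `\temp\`) && strings.HasSuffix(e.Target, ".dll") {
			droppedInTemp[e.Target] = true
		}
		if e.Op == "load" && droppedInTemp[e.Target] {
			fired[stagedDLL] = true
		}
	}
	var names []string
	for _, ind := range Indicators {
		if fired[ind.Name] {
			names = append(names, ind.Name)
		}
	}
	if fired[stagedDLL] {
		names = append(names, stagedDLL)
	}
	return names, len(names)
}

// SampleTrace is a constructed event sequence following the chain described in
// the text; it is not a real sandbox report. 203.0.113.7 is a TEST-NET address.
var SampleTrace = []Event{
	{"wscript.exe", "api", "getcomputernamew"},
	{"wscript.exe", "net", "http://203.0.113.7/update.bin"}, // decoded call-back address
	{"wscript.exe", "file_write", `c:\users\a\appdata\local\temp\update.bin`},
	{"wscript.exe", "file_write", `c:\users\a\appdata\local\temp\core.dll`}, // decrypted payload
	{"wscript.exe", "exec", "rundll32.exe"},
	{"rundll32.exe", "load", `c:\users\a\appdata\local\temp\core.dll`},
	{"rundll32.exe", "api", "cryptgenkey"}, // key generated locally, no download needed
	{"rundll32.exe", "api", "findnextfilew"},
	{"rundll32.exe", "file_read", `\\fileserver\share\report.docx`},
	{"rundll32.exe", "api", "cryptencrypt"},
}

func main() {
	names, score := Triage(SampleTrace)
	fmt.Printf("score %d/%d\n", score, len(Indicators)+1)
	for _, n := range names {
		fmt.Println(" -", n)
	}
}
```

Individually several of these behaviours are normal (Explorer traverses files, backup agents call crypto APIs); the value is in the combination within one process tree, which is why the score counts distinct indicators rather than raw event hits.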
Solution
The Shenxinda MCK host hardening system takes over the operating system through a security container: applications run inside the container, data is stored inside the container, a whitelist for the working scenario is enforced inside the container through image technology, and core data is encrypted and protected, providing the server's last line of defence. Even an attacker who has gained super-administrator privileges can do nothing.
Externally, it blocks trojan intrusion and prevents core data from being viewed, destroyed, tampered with or stolen.
Internally, operations and maintenance staff can audit the logs of attacks on the server.

[Figure: function list]