勒索病毒种类分析(.amnesia勒索病毒分析报告)

背景:

amnesia勒索病毒在2017年中旬曾经出现过,不过随后Emsisoft就发布了解密工具,至今年,amnesia重新发布了第二版,完善了加密算法。

运行过程:

该勒索病毒搜索电脑上的每一个文件,每遇到一个文件,将会判断是否为文件,如果是,则进行跳转

勒索病毒种类分析(.amnesia勒索病毒分析报告)(1)

当找到文件夹的时候,该勒索病毒将会判断是否为以下的文件夹,并对相应的文件夹实施跳过处理:

Microsoft\Exchange Server\

Microsoft SQL Server\

Firebird\

MSSQL.1\

并继续判断相应的系统路径,如果为关键的系统路径,将会跳过(加冒号的为根目录下文件):

:\$RECYCLE.BIN\

\All Users\

\AppData\

\Application Data\

:\Program Files (x86)\

:\Program Files\

:\System Volume information\

:\Windows\

:\intel\

:\nvidia\

当文件夹符合加密要求时,从当前文件夹里继续搜索。

勒索病毒种类分析(.amnesia勒索病毒分析报告)(2)

当开始加密文件时,勒索病毒将会判断文件名后几个字节是否为.animes如果是,则跳过

勒索病毒种类分析(.amnesia勒索病毒分析报告)(3)

在进行判断文件名是否为 HOW TO RECOVER ENCRYPTED FILES.txt,如果是,则跳过:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(4)

该勒索病毒将加密以下后缀名的文件:

.$efs .000 .001 .1 .101 .103 .108 .110 .123 .128 .1cd .1sp .1st .3 .3d .3d4 .3dd .3df .3df8 .3dm .3dr .3ds .3dxml .3fr .3g2 .3ga .3gp .3gp2 .3mm .3pr .3w .4w7 .602 .7z .7zip .8 .89t .89y .8ba .8bc .8be .8bf .8bi8 .8bl .8bs .8bx .8by .8li .8svx .8xt .9xt .9xy .a$v .a2c .aa .aa3 .aac .aaf .aah .aaui .ab4 .ab65 .abc .abk .abt .abw .ac2 .ac3 .ac5 .acc .accdb .accde .accdr .accdt .ace .acf .ach .acp .acr .acrobatsecuritysettings .acrodata .acroplugin .acrypt .act .ad .ada .adb .adc .add .ade .adi .adoc .ados .adox .adp .adpb .adr .ads .adt .aea .aec .aep .aepx .aes .aet .afdesign .afm .afp .agd1 .agdl .age3rec .age3sav .age3scn .age3xrec .age3xsav .age3xscn .age3yrec .age3ysav .age3yscn .ahf .ai .aif .aiff .aim .aip .ais .ait .ak .al .al8 .ala .alb3 .alb4 .alb5 .alb6 .ald .ali .allet .alt3 .alt5 .amf .aml .amr .amt .amu .amx .amxx .anl .ann .ans .ansr .anx .aoi .ap .apa .apd .ape .apf .api .apj .apk .apnx .apo .app .approj .apr .apt .apw .apxl .arc .arch00 .arff .ari .arj .aro .arr .ars .arw .as .as$ .as3 .asa .asc .ascm .ascx .asd .ase .asf .ashx .ask .asl .asm .asmx .asn .asnd .asp .aspx .asr .asset .ast .asv .asvx .asx .ath .atl .atomsvc .atw .automaticdestinations-ms .aux .av .avi .avn .avs .awd .awe .awg .awp .aws .awt .aww .awwp .ax .azf .azs .azw .azw1 .azw3 .azw4 .b .b27 .b2a .back .backup .backupdb .bad .bak .bak~ .bamboopaper .bank .bar .bau .bax .bay .bbcd .bbl .bbprojectd .bbs .bbxt .bc5 .bc6 .bc7 .bcd .bck .bcp .bdb .bdb2 .bdp .bdr .bdt2 .bdt3 .bean .bfa .bgt .bgv .bi8 .bib .bibtex .bic .big .bik .bil .bin .bina .bizdocument .bjl .bk .bk! .bk1 .bk2 .bk3 .bk4 .bk5 .bk6 .bk7 .bk8 .bk9 .bkf .bkg .bkp .bks .bkup .bld .blend .blend2 .blg .blk .blm .blob .blp .bmc .bmf .bmk .bml .bmm .bmml .bmp .bmpr .bna .boc .book .bop .bp1 .bp2 .bp3 .bpf .bpk .bpl .bpm .bpmc .bps .bpw .brd .breaking_bad .brh .brl .brs .brx .bsa .bsk .bso .bsp .bst .btd .btf .btoa .btx .burn .burntheme .bvd .bwd .bwf .bwp .bxx .bzabw .c .c2e .c6 .cadoc .cae .cag .calca .cam .camproj .cap .capt .car .caro .cas .cat .catproduct .cawr .cbf .cbor .cbr .cbz .cc .ccc .ccd .ccf .cch .ccitt .cd .cd1 .cd2 .cdc .cdd .cddz .cdf .cdi .cdk .cdl .cdm .cdml .cdmm .cdmz .cdpz .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cds .cdt .cdtx .cdx .cdxml .ce1 .ce2 .cef .cer .cert .cf5 .cfd .cfg .cfp .cfr .cgf .cgfiletypetest .cgi .cgm .cgp .chi .chk .chm .chml .chmprj .chp .chpscrap .cht .chtml .cib .cida .cif .cipo .civ4worldbuildersave .civbeyondswordsave .cl2arc .cl2doc .clam .clarify .class .clb .clkd .clkt .clp .clr .cls .clx .cmf .cml .cmp .cms .cmt .cmu .cnf .cng .cnt .cnv .cod .col .comicdoc .comiclife .compositionmodel .compositiontemplate .con .conf .config .contact .converterx .cp .cpc .cpd .cpdt .cphd .cpi .cpio .cpp .cpy .cr2 .crashed .craw .crb .crd .creole .cri .crjoker .crs .crs3 .crt .crtr .crw .crwl .crypt .crypted .cryptowall .cryptra .cs .cs8 .csa .cse .csh .csi .csl .cso .csp .csr .css .cst .csv .ctbl .ctd .cte .ctf .ctl .ctt .ctxt .cty .cue .current .cvj .cvl .cvw .cw3 .cwf .cwk .cwn .cwr .cws .cwwp .cyi .cys .d .d3dbsp .dac .dadx .dag .dal .dap .das .dash .dat .database .datx .dayzprofile .dazip .db .db_journal .db0 .db3 .dba .dbb .dbc .dbf .dbfv .db-journal .dbk .dbr .dbs .dbx .dc2 .dc4 .dca .dcd .dcf .dch .dco .dcp .dcr .dcs .dct5 .dcu .ddc .ddcx .ddd .ddif .ddoc .ddrw .dds .deb .debian .dec .ded .default .del .dem .der .des .desc .description .design .desklink .det .deu .dev .dex .dfe .dfl .dfm .dft .dfti .dgc .dgm .dgpd .dgr .dgrh .dgs .dhe .dic .did .dif .dii .dim .dime .dip .dir .directory .disc .disco .disk .dit .divx .diz .djbz .djv .djvu .dk@p .dlc .dlg .dmbk .dmg .dmp .dmtemplate .dmv .dna .dng .dnl .dob .doc .doc# .docb .doce .docenx .dochtml .docl .docm .docmhtml .docs .docset .docstates .doct .documentrevisions-v100 .docx .docxl .docxml .dok .dot .dothtml .dotm .dotmenx .dotx .dotxenx .dox .doxy .doz .dp .dpd .dpi .dpk .dpl .dpr .drd .dream .drf .drm .drmx .drmz .drw .dsc .dsd .dsdic .dsf .dsg .dsk .dsl .dsn .dsp .dsy .dtd .dtm .dtml .dtp .dtx .dump .dvb .dvd .dvi .dvs .dvx .dvz .dwd .dwdoc .dwf .dwfx .dwg .dwlibrary .dwp .dwt .dxb .dxd .dxe .dxf .dxg .dxn .dxr .dxstudio .dzp .e3s .e4a .easmx .ebk .ebs .ec4 .ecc .ecr .edb .edd .edf .edl .edml .edn .edoc .edrwx .edt .edz .efa .efax .eff .efl .efm .efr .eftx .efu .efx .egr .egt .ehp .eif .eip .ekm .el6 .eld .elf .elfo .eln .emc .emf .eml .emlxpart .emm .enc .enciphered .encrypted .enfpack .ent .enx .enyd .eob .eot .ep .epdf .epf .epk .eprtx .eps .epsf .ept .epub .eql .erbsql .erd .ere .erf .err .es .es3 .esc .esd .esf .esm .esp .ess .esv .et .ete .etng .etnt .ets .etx .euc .evo .evy .ewl .ex .exc .exd .exf .exif .exprwdhtml .exprwdxml .exx .ez .ezc .ezm .ezs .ezz .f4v .f90 .f96 .fac .fadein .fae .faq .fax .fbd .fbp6 .fbs .fcd .fcf .fcstd .fd .fdb .fdf .fdoc .fdr .fds .fdseq .fdw .fdx .fed .feed-ms .feedsdb-ms .ff .ffa .ffd .ffdata .fff .ffl .ffo .fft .ffx .fh .fhd .fig .fin .fl .fla .flac .flag .flat .flf .flib .flka .flkb .flm .flp .fls .flt .fltr .flv .flvv .fly .fm .fm3 .fmc .fmd .fmf .fml .fmp .fmp3 .fnf .fo .fodg .fodp .fods .fodt .folio .for .forge .fos .fountain .fp .fpage .fpdoclib .fpenc .fphomeop .fpk .fplinkbar .fpp .fpt .fpx .fra .frag .frdat .frdoc .freepp .frelf .frm .fs .fsc .fsd .fsf .fsh .fsp .fss .ft10 .ft11 .ft7 .ft8 .ft9 .ftil .ftr .fwk .fwtemplate .fxd .fxg .fxo .fxr .fzh .fzip .ga3 .gam .gan .gcsx .gct .gdb .gdc .gdoc .ged .gev .gevl .gfe .gform .gfx .ggb .ghe .gho .gif .gil .giw .glink .glk .glo .glos .gly .gml .gmp .gnd .gno .gofin .gp4 .gpd .gpf .gpg .gpn .gpx .gpz .gra .grade .gray .grey .grf .grk .grle .groups .gry .gs .gsa .gsf .gsheet .gslides .gsm .gthr .gui .gul .gvi .gxk .gxl .gz .gzig .gzip .h .h1q .h1s .h1w .h2o .h3m .h4r .haml .hbk .hbl .hbx .hcl .hcw .hda .hdd .hdl .hdt .hdx .hed .help .helpindex .hex .hfd .hft .hhs .hkdb .hkx .hlf .hlp .hlx .hlx2 .hlz .hm2 .hmskin .hnd .hoi4 .hot .hp2 .hpd .hpj .hplg .hpo .hpp .hps .hpt .hpw .hqx .hrx .hs .hsm .hsx .hta .htm .htm~ .html .htmls .htmlz .htms .htpasswd .htz5 .hvpl .hw3 .hwp .hwpml .hwt .hxe .hxi .hxq .hxr .hxs .hyp .hype .iab .iaf .ial .ibank .ibcd .ibd .ibk .ibz .icalevent .icaltodo .icc .icml .icmt .ico .ics .icst .icxs .idap .idc .idd .idl .idml .idp .idx .ie5 .ie6 .ie7 .ie8 .ie9 .iff .ifp .ign .igr .ihf .ihp .iif .iiq .iks .ila .ildoc .img .imp .imr .incp .incpas .ind .indb .indd .indl .indp .indt .inf .info .ink .inld .inlk .inp .inprogress .inrs .inss .installhelper .insx .internetconnect .inx .ioca .iof .ipa .ipf .ipr .ish1 .ish2 .ish3 .iso .ispx .isu .isz .itdb .ite .itl .itm .itmz .itp .its .ivt .iw44 .iwa .iwd .iwi .iwprj .iwtpl .ix .ixv .jac .jar .jav .java .jb2 .jbc .jbig .jbig2 .jc .jdd .jfif .jge .jgz .jhd .jiaf .jias .jif .jiff .jnt .joe .jp1 .jpc .jpe .jpeg .jpf .jpg .jpgx .jpm .jpw .jrf .jrl .jrprint .js .jsd .json .jsp .jspa .jspx .jtd .jtdc .jtt .jtx .just .jw .jwl .jww .k25 .kbd .kbf .kc2 .kdb .kdbx .kdc .kde .kdf .kes .key .keynote .key-tef .kf .kfm .kfp .kid .klq .klw .kmz .knt .kos .kpdx .kpr .ksd .ksp .kss .ksw .kuip .kwd .kwm .kwp .laccdb .lastlogin .lat .latex .lax .lay .lay6 .layout .lbf .lbi .lbl .lcd .lcf .lcn .ldb .ldf .lfe .lgp .lhd .lib .lit .litemod .ll3 .llv .lmd .lngttarch2 .lnk .localstorage .log .logonxp .lok .lot .lp .lp2 .lp7 .lpa .lpc .lpd .lpdf .lpx .lrf .ls5 .lst .ltcx .ltm .ltr .ltx .lua .lvd .lvivt .lvl .lvw .lwd .lwo .lwp .lyx .m .m13 .m14 .m2 .m2ts .m3u .m3u8 .m4a .m4p .m4u .m4v .m7p .maca .mag .maker .maml .man .manu .map .mapimail .marc .markdn .mars .mass .max .maxfr .maxm .mbbk .mbox .mbx .mc9 .mcd .mcdx .mcf .mcgame .mcmac .mcmeta .mcrp .mcw .md .md0 .md1 .md2 .md3 .md5 .mdb .mdbackup .mdbhtml .mdc .mdccache .mddata .mdf .mdg .mdi .mdk .mdl .mdn .mds .mecontact .med .mef .meh .mell .mellel .menu .meo .met .metadata_never_index .mf .mfa .mfp .mfw .mga .mgmt .mgourmet .mgourmet3 .mhp .mht .mhtenx .mhtmlenx .mi .mic .mid .mif .mim .mime .mindnode .mip .mission .mix .mjd .mjdoc .mke .mkv .mla .mlb .mlj .mlm .mls .mlsxml .mlx .mm .mm6 .mm7 .mm8 .mmap .mmc .mmd .mme .mmjs .mml .mmo .mmsw .mmw .mny .mo .mobi .mod .moneywell .mos .mov .movie .moz .mp1 .mp2 .mp3 .mp4 .mp4v .mpa .mpe .mpeg .mpf .mpg .mph .mpj .mpq .mpqge .mpr .mpt .mpv .mpv2 .mrd .mru .mrw .mrwref .ms .msd .mse .msg .mshc .msi .msie .msl .mso .msor .msp .msq .ms-tnef .msw .mswd .mtdd .mtml .mto .mtp .mts .mtx .mug .mui .mvd .mvdx .mvex .mwd .mwii .mwpd .mwpp .mws .mxd .mxg .mxp .myd .mydocs .myi .mz .n3 .narrative .nav .navmap .nb .nbak .nbf .nbp .ncd .ncf .nd .ndd .ndf .ndl .ndr .nds .ne1 .ne3 .nef .nfo .nfs11save .ng .njx .nk2 .nmbtemplate .nmu .nokogiri .nop .note .now .npd .npdf .npp .npt .nrbak .nrg .nri .nrl .nrmlib .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nst .ntf .ntl .ntp .nts .number .numbers .nvd .nvdl .nvram .nwb .nwbak .nwcab .nwcp .nx^d .nx__ .nx1 .nx2 .nxl .nyf .oa2 .oa3 .oab .oad .oas .obd .obj .obr .obt .obx .obz .ocdc .ocs .oda .odb .odc .odccubefile .odf .odg .odh .odi .odif .odm .odo .odp .ods .odt .odt# .odttf .odz .officeui .ofn .oft .oga .ogc .ogg .oil .ojz .okm .ole .ole2 .olf .olv .oly .omlog .omp .onb .one .oos .oot .opd .opf .opj .oplx .opn .opt .opx .opxs .orf .ort .osd .osdx .ost .otc .otf .otg .oth .oti .otn .otp .ots .ott .otw .out .ovd .owl .oxps .oxt .p10 .p12 .p2s .p3x .p65 .p7b .p7c .p7z .pab .pack .pad .pages .pages-tef .pak .paq .pas .pat .paux .pbd .pbf .pbk .pbp .pbr .pbs .pbx5script .pbxscript .pcd .pcf .pcj .pct .pcv .pcw .pd .pdb .pdc .pdcr .pdd .pdf .pdf_ .pdf_profile .pdf_tsid .pdfa .pdfe .pdfenx .pdfl .pdfua .pdfvt .pdfx .pdfxml .pdfz .pdg .pdp .pdz .peb .pef .pem .pez .pf .pfc .pfd .pfl .pfm .pfsx .pft .pfx .pg .pgs .php .phr .phs .pih .pixexp .pj2 .pj4 .pj5 .pk .pkb .pkey .pkg .pkh .pkpass .pl .plan .plb .plc .pld .pli .pln .plus_muhd .pm .pm3 .pm4 .pm5 .pm6 .pm7 .pmd .pmt .pmv .pmx .png .pnu .po .pod .pool .pot .pothtml .potm .potx .pp3 .ppam .ppd .ppdf .ppf .ppj .ppp .pps .ppsenx .ppsm .ppsx .ppt .ppte .ppthtml .pptl .pptm .pptmhtml .pptt .pptx .ppws .ppx .prc .prd .pref .prel .prf .prj .prn .pro .pro4 .pro4dvd .pro5 .pro5dvd .pro5plx .pro5x .proofingtool .props .proqc .prproj .prr .prs .prt .prtc .prv .ps .ps2 .ps3 .psa .psafe3 .psb .psd .pse8db .psf .psg .psi2 .psip .psk .psm .psmd .pspimage .pst .psw .psw6 .pswx .psz .pt3 .pt6 .ptc .ptf .pth .ptk .ptn .ptn2 .pts .ptx .pub .pubf .pubhtml .pubmhtml .pubx .puz .pvd .pve .pvf .pw .pwd .pwe .pwf .pwi .pwm .pwp .pwre .pxd .pxl .pxp .py .pys .pzc .pzf .pzt .qba .qbb .qbl .qbm .qbr .qbw .qbx .qby .qch .qcow .qcow2 .qct .qdf .qed .qel .qfl .qfxx .qhp .qht .qhtm .qic .qif .qlgenerator .qpx .qrt .qt .qtq .qtr .qtw .quox .qvw .qwd .qwt .qxb .qxd .qxl .qxp .qxt .r00 .r01 .r02 .r03 .r0f .r0z .r3d .ra .ra2 .raf .ram .ramd .rap .rar .rat .raw .razy .rb .rbc .rcb .rd .rd1 .rdb .rdf .rdfs .rdi .rdo .rdoc .rdoc_options .rdz .re4 .rec .rels .res .resbuild .rest .result .rev .rf .rf1 .rft .rgn .rgo .rgss3a .rha .rhif .rim .rit .rlf .rll .rm .rm5 .rmd .rmf .rmh .rna .rng .rnt .rnw .ro3 .rofl .roi .ros .rov .row .rox .rpf .rpt .rptr .rrd .rrpa .rrt .rrx .rs .rsdf .rsdoc .rsm .rsp .rsrc .rst .rsw .rt .rt_ .rtdf .rte .rtf .rtf_ .rtfd .rtk .rtpi .rts .rtsl .rtsx .rtx .rum .run .rv .rvf .rvt .rw2 .rwl .rwlibrary .rwz .rxdoc .rzk .rzx .s3db .s8bn .sa5 .sa7 .sa8 .saas .sad .saf .safe .safetext .sam .sas7bdat .sav .save .say .sb .sbn .sbo .sbpf .sbsc .sbst .sc2save .scd .scdoc .sce .sch .scm .scmt .scn .scr .scriv .scrivx .scs .scspack .scssc .sct .scw .scx .sd .sd0 .sd1 .sda .sdb .sdc .sdd .sddraft .sdf .sdi .sdl .sdmdocument .sdn .sdo .sdoc .sdp .sdr .sds .sdt .sdv .sdw .search-ms .secure .sef .sel .sen .seq .sequ .server .ses .set .setup .sev .sff .sfs .sfx .sgf .sgi .sgl .sgm .sgml .sgz .sh .sh6 .shar .shb .show .shr .shs .shtml .shw .shy .sic .sid .sidd .sidn .sie .sik .sis .sky .sla .sldm .sldx .slf .slk .slm .slt .slz .sm .smd .sme .smf .smh .smlx .smn .smp .sms .smwt .smx .smz .snb .snf .sng .snk .snp .snt .snx .so .soi .spb .spd .spdf .spk .spl .spm .spml .sppt .spr .sprt .sprz .sql .sqlite .sqlite3 .sqlitedb .sqllite .sqx .sr2 .src .srf .srfl .srs .srt .srw .ssa .ssh .ssi .ssiw .ssm .ssx .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stm .stp .stpz .struct .stt .stw .stx .stxt .sty .sud .suf .sum .surf .svd .svdl .svg .svi .svm .svn .svp .svr .svs .swd .swdoc .sweb .swf .switch .swp .sxc .sxd .sxe .sxg .sxi .sxl .sxm .sxml .sxw .syn .syncdb .t .t01 .t03 .t05 .t10 .t12 .t13 .t14 .t2 .t2k .t2t .t4g .t80 .ta1 .ta2 .ta9 .tabula-doc .tabula-docstyle .tah .tar .tax .tax2009 .tax2013 .tax2014 .tb .tbb .tbd .tbk .tbkx .tbz2 .tcd .tch .tck .tcx .tdg .tdl .tdoc .tdr .te1 .template .tex .texi .texinfo .text .textclipping .textile .tfd .tfm .tfr .tfrd .tg .tga .tgz .thm .thml .thmx .thr .tib .tif .tiff .tjp .tk3 .tlb .tld .tlg .tlt .tlx .tlz .tm .tm3 .tmb .tmd .tml .tmlanguage .tmv .tmz .tns .tnsp .toast .toc .topx .tor .torrent .totalslayout .tp .tpl .tpo .tpsdb .tpu .tpx .trashinfo .trif .trp .ts .tsc .tt11 .tt2 .ttax .ttxt .tu .tur .tvd .twdi .twdx .tww .tx .txd .txe .txf .txm .txn .txt .txtrpt .u3d .uax .ubz .ucd .udb .udf .udl .uea .uhtml .ukr .ulf .uli .ulys .ump .umx .unity3d .unr .unx .uof .uop .uos .uot .updf .upk .upoi .upp .urd-journal .urf .url .urp .usa .usx .ut2 .ut3 .utc .utd .ute .utf8 .uti .utm .uts .utx .uu .uud .uue .uvx .uxx .v .v2t .val .vault .vbadoc .vbd .vbk .vbox .vbs .vc .vcal .vcd .vce .vcf .vdf .vdi .vdo .vdoc .vdt .ver .vf .vfs0 .vhd .vhdx .view .viz .vlc .vlt .vmbx .vmdk .vmf .vmg .vmm .vmsd .vmt .vmx .vmxf .vob .voprefs .vor .vp .vpk .vpl .vpp_pc .vs .vsd .vsdx .vsf .vsi .vspolicy .vst .vstx .vtf .vthought .vtv .vtx .vw .vw3 .w .w2p .w3g .w3x .w51 .w52 .w60 .w61 .w6bn .w6w .w8bn .w8tn .wab .wad .waff .wallet .war .wav .wave .waw .wb .wb2 .wb3 .wbk .wbt .wbxml .wbz .wcf .wcl .wcn .wcp .wcst .wd0 .wd1 .wd2 .wdbn .wdgt .wdl .wdn .wdoc .wdx9 .web .webdoc .webpart .wep .wflx .wht .wiz .wk! .wk1 .wk3 .wk4 .wkb .wki .wkl .wks .wlb .wld .wll .wls .wlxml .wm .wma .wmd .wmdb .wmf .wmga .wmk .wml .wmlc .wmmp .wmo .wms .wmv .wmx .wn .wolf .word .wordlist .wotreplay .wow .wp .wp42 .wp5 .wp50 .wp6 .wp7 .wpa .wpc2 .wpd .wpd0 .wpd1 .wpd2 .wpd3 .wpe .wpf .wpk .wpl .wpost .wps .wpt .wpw .wr1 .wrf .wri .wrlk .ws .ws1 .ws2 .ws3 .ws4 .ws5 .ws6 .ws7 .wsd .wsf .wsh .wsp .wtbn .wtd .wtf .wtmp .wtp .wts .wtt .wtx .wvw .wvx .wwcx .wwi .wwl .wws .wwt .wxmx .wxp .wyn .wzn .wzs .x11 .x16 .x3f .x3g .xamlx .xar .xav .xbd .xbrl .xci .xda .xdc .xdf .xdo .xdoc .xdw .xf .xfd .xfdf .xfi .xfl .xfn .xfo .xfp .xfx .xgml .xht .xhtm .xhtml .xif .xig .xis .xjf .xl .xla .xlam .xlb .xlc .xle .xlf .xline .xlist .xlk .xll .xlm .xlnk .xlr .xls .xlsb .xlse .xlshtml .xlsl .xlsm .xlst .xlsx .xlsxl .xlt .xlthtml .xltm .xltx .xlv .xlw .xlwx .xma .xmdf .xml .xmmap .xmn .xmp .xms .xmt_bin .xmta .xpd .xpi .xpm .xps .xpse .xpt .xpwe .xqm .xqr .xqx .xrdml .xsc .xsd .xsig .xsl .xslt .xtbl .xtd .xtg .xtml .xtps .xtrl .xv0 .xv2 .xv3 .xvg .xvid .xvl .xwd .xweb3htm .xweb3html .xweb4stm .xweb4xml .xwf .xwp .xxe .xxx .xy .xy3 .xy4v .xyd .yab .ycbcra .yenc .yml .ync .yps .yuv .z02 .z04 .zap .zip .zipx .zoo .zps .ztmp

开始加密文件后,首先勒索病毒将会保存文件的修改时间,以及设置文件的属性:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(5)

打开文件后,判断文件的长度,如果大于0x80000则加密0x80000大小,如果小于,则加密文件全部:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(6)

随后,分别随机生成0x20、0x10个字节的随机数,分别用做AES密钥以及IV:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(7)

读取文件,并对文件进行加密(读取内容头部有4字节长度):

勒索病毒种类分析(.amnesia勒索病毒分析报告)(8)

将文件被加密后的内容写入到文件中(头部有长度):

勒索病毒种类分析(.amnesia勒索病毒分析报告)(9)

写入被加密快的大小:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(10)

写入1(作用不详):

勒索病毒种类分析(.amnesia勒索病毒分析报告)(11)

将AES密钥与IV进行拼接,并使用ECC进行加密,并将加密结果写入文件中:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(12)

获取文件名,使用ECC加密结果生成新的密钥后对文件名进行加密,拼接文件名后对文件进行重命名:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(13)

设置原有的时间以及原有的属性:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(14)

文件被加密后的结构示意图:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(15)

勒索病毒还会在每个被加密的文件夹下生成HOW TO RECOVER ENCRYPTED FILES.txt文件,文件内容为:

Your files are now encrypted!

—–BEGIN PERSONAL IDENTIFIER—–

%你的个人ID%

—–END PERSONAL IDENTIFIER—–

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.

This email will be as confirmation you are ready to pay for decryption key.

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: bitkick@protonmail.com

If you don’t get a reply or if the email dies, then contact us using Bitmessage.

Register it form here: https://bitmessage.org/

Run it, click New Identity and then send us a message at BM

BM-2cVXsen2VfP29zQmAF2F5xf9cWbKBxUzVC

Free decryption as guarantee!

Before paying you can send us up to 3 files for free decryption.

The total size of files must be less than 10Mb (non archived), and files should not contain

valuable information (databases, backups, large excel sheets, etc.).

How to obtain Bitcoins?

  • Create a Bitcoin purse: https://blockchain.info/wallet/new

  • The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click

‘Buy bitcoins’, and select the seller by payment method and price:

https://localbitcoins.com/buy_bitcoins (Visa/MasterCard, Perfect Money, WU etc.)

  • Also you can find other places to buy Bitcoins and beginners guide here:

http://www.coindesk.com/information/how-can-i-buy-bitcoins

Attention!

  • Do not rename encrypted files.

  • Do not try to decrypt your data using third party software, it may cause permanent data loss.

  • Decryption of your files with the help of third parties may cause increased price

(they add their fee to our) or you can become a victim of a scam.

机器感染勒索病毒后的截图:

勒索病毒种类分析(.amnesia勒索病毒分析报告)(16)

*作者:奇虎360技术博客

,

免责声明:本文仅代表文章作者的个人观点,与本站无关。其原创性、真实性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容文字的真实性、完整性和原创性本站不作任何保证或承诺,请读者仅作参考,并自行核实相关内容。文章投诉邮箱:anhduc.ph@yahoo.com

    分享
    投诉
    首页