Hospit勒索变异看准加工制造业,网御星云先发解密工具
Hospit勒索病毒感染最开始于2020年12月被发觉,其关键根据RDP暴破等方法散播,具备较强的领域目的性。初期变异加密后缀名为”.guanhospit”,进攻总体目标均为诊疗企业。而本次发觉的变异加密后缀名为”.builder”,进攻总体目标均为加工制造业。从而能够看得出,Hospit勒索病毒感染身后的犯罪团伙好像有别于别的勒索犯罪团伙的任意挑选,该犯罪团伙每一次行動都具备较强的目标性,将来很有可能将有大量的领域变成其进攻总体目标。
网御星云网络安全审计精英团队根据对捕捉的样版开展剖析,其针对10M下列的文件加密存有系统漏洞,加密密匙存有被暴破的很有可能,第一时间开发设计了对该勒索病毒感染的解密工具,能够对被hospit勒索病毒感染加密的小于10M的文件开展破译,挽留一部分损害数据信息。
解密工具下载链接:
使用说明书:
1. 必须出示一个被加密前的原文件,及其其被加密后的文件,用以暴破密匙,尽可能挑选较为小且加密時间较早的文件;
2. 键入Key Identifier,可从勒索信息中开展拷贝;
3. 依据勒索产生后是不是重新启动过服务器等状况,开展相匹配的挑选;
4. 假如密匙暴破取得成功,键入必须破译的文件目录开展破译。
1.建立相互独立量,避免反复运作:
2.建立进程,当检验到以下过程时撤出并自删掉,用以反调节:
3.完毕并卸载掉Raccine:
4.打开Dnscache等服务项目,并完毕防护软件等服务项目,确保勒索顺利开展:
5.删掉硬盘卷影:
6.针对硬盘根目录下的虚拟磁盘、备份数据等文件,立即删掉:
7.设定C、D、Z盘为彻底访问限制:
8.清空回收站,配备服务器防火墙标准放通对共享资源文件的浏览:
9.应用Random转化成任意密匙,记为key_1,因为Random转化成的为伪随机数,種子为系统软件运作時间,因而假如可以测算出勒索时系统软件运作時间,则很有可能暴破出密匙:
10.在病毒感染所属目录生成以下txt文件,內容为终端设备IP、勒索時间及其RSA加密并base64编号的key_1:
11.将txt勒索信息载入temp文件目录:
在运行文件目录建立快捷方式图标,用以开启txt勒索信息,并配备键盘快捷键“Ctrl Shift X”:
12.加密以下文件后缀名的文件:
"dat","txt","jpeg","gif","jpg","png","php","cs","cpp","rar","zip","html","htm","xlsx","xls","avi","mp4","ppt","doc","docx","sxi","sxw","odt","hwp","tar","bz2","mkv","eml","msg","ost","pst","edb","sql","accdb","mdb","dbf","odb","myd","php","java","cpp","pas","asm","key","pfx","pem","p12","csr","gpg","aes","vsd","odg","raw","nef","svg","psd","vmx","vmdk","vdi","lay6","sqlite3","sqlitedb","java","class","mpeg","djvu","tiff","backup","pdf","cert","docm","xlsm","dwg","bak","qbw","nd","tlg","lgb","pptx","mov","xdw","ods","wav","mp3","aiff","flac","m4a","csv","sql","ora","mdf","ldf","ndf","dtsx","rdl","dim","mrimg","qbb","rtf","7z"
13.加密后缀名为“.builder”:
14.获得已准备好且非CD的硬盘:
15.免除以下文件目录:
"program files",":\\windows","perflogs","internet explorer", ":\\programdata", "appdata", "msocache","system volume information","boot","tor browser","mozilla","appdata", "google chrome", "application data"
16.假如文件尺寸超过10M,则对每一个文件应用RNGCryptoServiceProvider转化成的真随机数字做为加密密匙,记为key_n,并应用RSA加密key_n:
17.假如文件尺寸低于10M,则都应用key_1做为密匙,因而假如暴破出key_1,则能够用以破译10M下列文件:
18.应用Salsa20优化算法加密文件:
19.将RSA加密并base64编号的密匙及其标识符“GotAllDone”载入加密后的文件结尾:
20.加密进行后在桌面上转化成勒索信息文件:
21.勒索信息內容以下:
22.勒索完毕病毒感染文件自删掉:
网御星云安全性精英团队再度提示众多客户,勒索病毒感染防止为主导,现阶段绝大多数勒索病毒感染加密后的文件都没法破译,留意日常预防措施:
1、立即给系统软件和运用修复漏洞,修补普遍高风险系统漏洞;
2、对关键的数据信息文件按时开展非当地备份数据;
3、不必点一下来路不明的邮件附件,不从未知网址下载应用;
4、尽可能关掉多余的文件共享资源管理权限;
5、变更服务器帐户和数据库查询登陆密码,设定强登陆密码,防止应用统一的登陆密码,由于统一的登陆密码会造成 一台被攻克,几台殃及;
6、假如业务流程上不用应用RDP的,提议关掉RDP作用,并尽可能不必对外网映射RDP端口号和数据库端口。
