The AIDS Trojan is the first ransomware recorded in history and opened the era of ransomware: in 1989, 20,000 floppy disks infected with the "AIDS Trojan" were distributed to participants of the World Health Organization's international AIDS conference, and a large number of files were encrypted.
Early ransomware spread mainly through phishing emails, trojanized websites (drive-by downloads) and social networks, and ransoms were paid by bank transfer and similar means. Its reach and its ability to sustain an attack were limited, and it was relatively easy to trace.
The second stage: the formative period
Beginning in the second half of 2013, modern ransomware formally took shape. It uses AES and RSA to encrypt specific file types, making recovery by cracking practically impossible, and it requires the victim to pay in virtual currency so that the payment cannot be traced.
Typical ransomware of this period includes CryptoLocker and CTBLocker. In most cases this malware had no ability to spread on its own.
The third stage
Since 2016, however, with the popularity of exploit kits, and especially after The Shadow Brokers published the Equation Group's tools, these exploit tools have been widely used by attackers and ransomware has spread widely. A typical example is the outbreak of the WannaCry ransomware worm. Two years ago, a worldwide destructive outbreak combined a destructive virus with worm propagation; its purpose was not extortion but large-scale sabotage with global impact.
At this stage ransomware has become industrialized and organized into families that operate continuously. Each link in the chain has a clear division of labor: a complete ransomware attack may involve ransomware authors, the operators who carry out the attack, providers of distribution channels, and agents.
The fourth stage
Since 2018, conventional ransomware Trojan technology has matured. Targeting has shifted from the initial wide-net, indiscriminate attacks to precise attacks on high-value targets, for example direct attacks on the medical industry, on the servers of enterprises and institutions, and on government agencies; traditional enterprises, including manufacturing, face an increasingly severe security situation.
As the number of people who can program grows rapidly, more and more ransomware written in scripting languages has begun to appear. This means that more criminal actors will enter the ransomware field, and that the malware will keep developing and spreading.
Analysis of ransomware attack principles
The attacker compromises the corporate mail server and sends phishing emails (an .exe disguised with an Office icon, infected documents, media players, etc.) to all users in the enterprise. A user unintentionally opens the attachment and is extorted.
The attacker obtains the VPN account of an internal employee through brute force ("blasting") or other means, then scans the corporate intranet for system vulnerabilities and weak passwords. Any host that is not properly protected is encrypted and held for ransom.
The attacker compromises the web server through business-system or server vulnerabilities, encrypts it, and demands ransom.
The attacker obtains the database connection information by compromising the business system, then scans the intranet databases for vulnerabilities and weak passwords. If a database is not properly protected, it is encrypted and held for ransom.
WannaCry attack principle:
(1) The virus starts and installs itself
mssecsvc2.0: the service function runs the infection routine, scans computers on the network, and uses the MS17-010 vulnerability together with the DOUBLEPULSAR backdoor to spread the ransomware sample.
tasksche.exe: sets the corresponding registry key so that it starts automatically at boot, then performs the ransomware encryption.
(2) Collecting file information
Traverses directories such as Program Files and Windows
Labels files by classification and adds them to a file container
(3) File encryption and decryption (simplified version): asymmetric encryption
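As an added example (not code from the original article), the following Python script shows how a defender could spot the three WannaCry behaviours just described in endpoint and network telemetry: installation of the mssecsvc2.0 service, the Run-key autostart of tasksche.exe, and a worm-style sweep of TCP 445 across many hosts. The log line format and the sample lines are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque

# Assumed log format: "<epoch> <host> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$")

def build_sample_logs():
    # Constructed sample telemetry, not real logs from any incident.
    lines = [
        "1000 ws01 SERVICE_INSTALL name=mssecsvc2.0 path=C:\\Windows\\mssecsvc.exe",
        "1001 ws01 REG_SET key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=C:\\Windows\\tasksche.exe",
    ]
    # ws01 sweeps 30 neighbours on TCP 445 within seconds: worm-like MS17-010 scanning
    lines += [f"{1002 + i} ws01 NET_CONNECT dst=10.0.0.{i + 2} dport=445" for i in range(30)]
    # ws02 talks repeatedly to one file server on 445: benign, a single distinct peer
    lines += [f"{1002 + i} ws02 NET_CONNECT dst=10.0.0.50 dport=445" for i in range(30)]
    return lines

def parse_line(line):
    # Return a dict of the fields, or None for a line that does not match the format
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": int(m["ts"]), "host": m["host"], "event": m["event"]}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def detect(lines, scan_threshold=20, window=60):
    # Return (host, indicator) alerts; lines are assumed to be in time order
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # host -> (ts, dst) of SMB connects inside the time window
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if r["event"] == "SERVICE_INSTALL" and r.get("name", "").lower() == "mssecsvc2.0":
            alerts.append((r["host"], "wannacry_service_installed"))
        elif (r["event"] == "REG_SET" and "\\currentversion\\run" in r.get("key", "").lower()
              and r.get("value", "").lower().endswith("tasksche.exe")):
            alerts.append((r["host"], "run_key_persistence"))
        elif r["event"] == "NET_CONNECT" and r.get("dport") == "445":
            q = recent[r["host"]]
            q.append((r["ts"], r.get("dst", "")))
            while q and q[0][0] < r["ts"] - window:  # drop connects older than the window
                q.popleft()
            if len({d for _, d in q}) >= scan_threshold and r["host"] not in flagged:
                flagged.add(r["host"])  # report each sweeping host only once
                alerts.append((r["host"], "smb_445_sweep"))
    return alerts
```

Running `detect(build_sample_logs())` yields three alerts for ws01 and none for ws02, because ws02 only ever talks to one peer on port 445.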
Demonstration of common ransomware methods
Attack machine: Kali Linux
Target host: Windows 7
Process: the attacker obtains system privileges on the target host directly through the MS17-010 vulnerability, uploads the malware program and runs it, and the target host is encrypted.
Host: Windows 7 with plsql (a database connection tool) installed, in a build that carries ransomware
Database: Oracle 11g
Process: the user connects to the database server with the trojanized database connection software, which causes the server to be encrypted.
Business system: an OA (office automation) system
Database: MySQL 8.0
Process: the attacker uploads a WebShell to the business system through a vulnerability such as unrestricted file upload, obtains system privileges on the server, connects to the database through AntSword, and executes the encryption code to encrypt the database contents.
Ransomware protection
Organizational level:
1. Computer networks should be managed in layers and domains: divide security domains by function and department, and strictly control access across the boundary of each domain. Isobao 2.0 (等保 2.0, China's Classified Protection of Cybersecurity 2.0 standard) calls this security boundary management.
2. Networks and hosts need a strict admission control system: users and hosts not on the whitelist may not join the network, and processes and programs not on the whitelist may not run. A suspicious host should be isolated and handled promptly, and the emergency response mechanism should be started as soon as a suspicious process is found.
3. Once a virus is found, do not rush to format and reinstall the system. First preserve evidence and trace the source: analyze the attack process, identify the attacker and other machines that may be infected, and prevent a second wave of spread. This step is very important but difficult. Many attacks are not launched directly but through zombie hosts or jump servers (springboards), and an attack usually does not hit just one computer: many are compromised at once, of which only one or a few have visibly been damaged. The undamaged ones are not necessarily safe. Tracing back reveals which other computers were attacked.
4. Strengthen awareness: use network security lectures to make everyone understand the importance of network security, improve security awareness, build basic security skills, and develop good security habits. This effectively reduces the risk of infection.
User level:
1. Do not browse websites unless necessary, especially unofficial ones, and reduce file and directory sharing.
2. Scan USB drives and email attachments for viruses before opening them.
3. Do not download or use pirated software or software of unknown origin.
4. Install system and database security updates promptly, install a personal firewall, and control inbound and outbound traffic.
5. Strengthen port protection: use the host firewall to close unnecessary ports.
6. If you find a problem, report it to the information center promptly; do not handle it yourself.
7. Learn the necessary basics about viruses.
8. Stay security-conscious: people are the most important and the weakest link in network security.
Combined with our products