{"id":74,"date":"2020-01-10T14:44:55","date_gmt":"2020-01-10T06:44:55","guid":{"rendered":"https:\/\/blog.billows.com.tw\/2020\/01\/10\/snake%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94%e6%98%af%e4%b8%8b%e4%b8%80%e5%80%8b%e9%87%9d%e5%b0%8d%e4%bc%81%e6%a5%ad%e7%b6%b2%e8%b7%af%e7%9a%84%e5%a8%81%e8%84%85\/"},"modified":"2020-05-12T15:06:33","modified_gmt":"2020-05-12T07:06:33","slug":"snake%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94%e6%98%af%e4%b8%8b%e4%b8%80%e5%80%8b%e9%87%9d%e5%b0%8d%e4%bc%81%e6%a5%ad%e7%b6%b2%e8%b7%af%e7%9a%84%e5%a8%81%e8%84%85","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=74","title":{"rendered":"SNAKE\u52d2\u7d22\u8edf\u9ad4\u662f\u4e0b\u4e00\u500b\u91dd\u5c0d\u4f01\u696d\u7db2\u8def\u7684\u5a01\u8105\u2026\u2026"},"content":{"rendered":"

Snake<\/span>\u52d2\u7d22\u8edf\u9ad4\u662f\u4e0b\u4e00\u500b\u91dd\u5c0d\u4f01\u696d\u7db2\u8def\u7684\u5a01\u8105<\/span><\/span>\u2026\u2026<\/span><\/p>\n

 <\/p>\n

\u7db2\u8def\u7ba1\u7406\u54e1<\/span><\/span>\u5011\u53ef\u80fd\u9700\u8981\u958b\u59cb\u64d4\u5fc3<\/span>\u4e00\u7a2e\u540d\u70ba<\/span>SNAKE<\/span>\u7684\u65b0\u52d2\u7d22\u8edf\u9ad4\uff0c\u8a72\u8edf\u9ad4\u91dd\u5c0d\u4ed6\u5011\u7684\u7db2\u8def\u4e26\u65e8\u5728\u52a0\u5bc6\u8207\u5176\u9023\u63a5\u7684\u6240\u6709\u8a2d\u5099\u3002<\/span><\/span><\/p>\n

 <\/p>\n

\u6ef2\u900f\u5230\u4f01\u696d\u7db2\u8def\u7684\u5a01\u8105\u53c3\u8207\u8005\u91dd\u5c0d\u70ba\u4f01\u696d\u6216\u4f7f\u7528\u5927\u578b\u7375\u6bba\u52d2\u7d22\u8edf\u9ad4\uff0c\u6536\u96c6\u7ba1\u7406\u54e1\u6191\u64da\uff0c\u7136\u5f8c\u4f7f\u7528\u6f0f\u6d1e\u5229\u7528\u5de5\u5177\u5c0d\u7db2\u8def\u4e0a\u6240\u6709\u96fb\u8166\u4e0a\u7684\u6587\u4ef6\u9032\u884c\u52a0\u5bc6\u3002<\/span><\/span><\/p>\n

 <\/p>\n

\u91dd\u5c0d\u4f01\u696d\u7684\u52d2\u7d22\u8edf\u9ad4\u5217\u8868\u6b63\u5728\u7de9\u6162\u5730\u589e\u9577\uff0c\u5305\u62ec<\/span><\/span>Ryuk<\/span>\uff0c<\/span><\/span>BitPaymer<\/span>\uff0c<\/span><\/span>DoppelPaymer<\/span>\uff0c<\/span><\/span>Sodinokibi<\/span>\uff0c<\/span><\/span>Maze<\/span>\uff0c<\/span><\/span>MegaCortex<\/span>\uff0c<\/span><\/span>LockerGoga<\/span>\u4ee5\u53ca\u73fe\u5728\u7684<\/span><\/span>SNAKE Ransomware<\/span>\u3002<\/span><\/span><\/p>\n

 <\/p>\n

\u6211\u5011\u5c0d<\/span><\/span>SNAKE<\/span>\u52d2\u7d22\u8edf\u9ad4\u7684\u4e86\u89e3<\/span><\/span><\/p>\n

 \u4e0a\u9031\uff0c<\/span><\/span>MalwareHunterTeam<\/span>\u767c\u73fe\u4e86<\/span><\/span>Snake Ransomware<\/span>\uff0c\u5f8c\u8005\u8207<\/span><\/span>Vitali Kremez<\/span>\u5206\u4eab\u4e86\u8a72\u4fe1\u606f\uff0c\u4ee5\u9032\u884c\u53cd\u5411\u5de5\u7a0b\u4e26\u4e86\u89e3\u6709\u95dc\u611f\u67d3\u7684\u66f4\u591a\u4fe1\u606f\u3002<\/span><\/span><\/p>\n

 <\/p>\n

\u6839\u64da<\/span><\/span>Kremez<\/span>\u9032\u884c\u7684\u5206\u6790\uff0c\u9019\u7a2e\u52d2\u7d22\u8edf\u9ad4\u662f\u7528<\/span><\/span>Golang<\/span>\u7de8\u5beb\u7684\uff0c\u4e26\u4e14\u5305\u542b\u7684\u6df7\u6dc6\u7a0b\u5ea6\u9060\u9ad8\u65bc\u9019\u4e9b\u985e\u578b\u7684\u611f\u67d3\u3002<\/span><\/span><\/p>\n

 <\/p>\n

SentinelLabs<\/span>\u8ca0\u8cac\u4eba<\/span><\/span>Kremez<\/span>\u5728\u4e00\u6b21\u8ac7\u8a71\u4e2d\u5c0d<\/span><\/span>BleepingComputer<\/span>\u8868\u793a\uff1a\u201c\u52d2\u7d22\u8edf\u9ad4\u5305\u542b\u4e86\u67d0\u7a2e\u7a0b\u5ea6\u7684\u5e38\u898f\u6df7\u6dc6\uff0c\u901a\u5e38\u4e0d\u6703\u8207\u76ee\u6a19\u65b9\u6cd5\u7d50\u5408\u4f7f\u7528\u3002\u201d<\/span><\/span><\/p>\n

 <\/p>\n

\u555f\u52d5\u5f8c\uff0c<\/span><\/span>SNAKE<\/span>\u5c07\u522a\u9664\u96fb\u8166\u7684\u78c1\u789f\u5340\u9670\u5f71\u8907\u88fd\u526f\u672c\uff0c\u7136\u5f8c\u7d42\u6b62\u8207<\/span><\/span>SCADA<\/span>\u7cfb\u7d71\uff0c\u865b\u64ec\u6a5f\uff0c\u5de5\u696d\u63a7\u5236\u7cfb\u7d71\uff0c\u9060\u7a0b\u7ba1\u7406\u5de5\u5177\uff0c\u7db2\u8def\u7ba1\u7406\u8edf\u9ad4\u7b49\u6709\u95dc\u7684\u8a31\u591a\u9032\u7a0b\u3002<\/span><\/span><\/p>\n

 <\/p>\n

\u7136\u5f8c\uff0c\u5b83\u6703\u7e7c\u7e8c\u52a0\u5bc6\u8a2d\u5099\u4e0a\u7684\u6587\u4ef6\uff0c\u540c\u6642\u8df3\u904e<\/span><\/span>Windows<\/span>\u7cfb\u7d71\u6587\u4ef6\u593e\u548c\u5404\u7a2e\u7cfb\u7d71\u6587\u4ef6\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u3002\u53ef\u4ee5\u5728\u4e0b\u9762\u627e\u5230\u88ab\u8df3\u904e\u7684\u7cfb\u7d71\u6587\u4ef6\u593e\u7684\u5217\u8868\uff1a<\/span><\/span><\/p>\n

 <\/p>\n

windir<\/span><\/span><\/p>\n

SystemDrive<\/span><\/span><\/p>\n

:\\$Recycle.Bin<\/span><\/span><\/p>\n

:\\ProgramData<\/span><\/span><\/p>\n

:\\Users\\All Users<\/span><\/span><\/p>\n

:\\Program Files<\/span><\/span><\/p>\n

:\\Local Settings<\/span><\/span><\/p>\n

:\\Boot<\/span><\/span><\/p>\n

:\\System Volume Information<\/span><\/span><\/p>\n

:\\Recovery<\/span><\/span><\/p>\n

\\AppData\\<\/span><\/span><\/p>\n

 <\/p>\n

\u52a0\u5bc6\u6587\u4ef6\u6642\uff0c\u5b83\u5c07\u5728\u6587\u4ef6\u64f4\u5c55\u540d\u5f8c\u9644\u52a0\u52d2\u7d22<\/span><\/span><\/span>5<\/span><\/span>\u500b\u5b57\u7b26\u4e32\u3002\u4f8b\u5982\uff0c\u6587\u4ef6\u4e2d\u547d\u540d<\/span><\/span><\/span>1.doc<\/span><\/span>\u7684\u5c07\u88ab\u52a0\u5bc6\uff0c\u4e26\u66f4\u540d\u70ba\u50cf<\/span><\/span><\/span>1.docqkWbv<\/span><\/span>\u3002<\/span><\/span><\/span><\/p>\n

\"1.png\"<\/p>\n

\"\"<\/span><\/p>\n

\u52a0\u5bc6\u6587\u4ef6\u7684\u6587\u4ef6\u593e<\/span><\/span><\/span><\/p>\n

\u5728\u6bcf\u500b\u52a0\u5bc6\u7684\u6587\u4ef6\u4e2d\uff0c<\/span><\/span><\/span>SNAKE Ransomware<\/span><\/span>\u90fd\u6703\u6dfb\u52a0\u5982\u4e0b\u6240\u793a\u7684<\/span><\/span><\/span>‘ EKANS ‘<\/span><\/span>\u6587\u4ef6\u6a19\u8a18\u3002<\/span><\/span><\/span>EKANS<\/span><\/span>\u53cd\u904e\u4f86\u5c31\u662f<\/span><\/span><\/span>SNAKE<\/span><\/span>\u3002<\/span><\/span><\/span><\/p>\n

\"2.png\"<\/p>\n

EKANS<\/span><\/span>\u6587\u4ef6\u6a19\u8a18<\/span><\/span><\/span><\/p>\n

 <\/p>\n

\u81ea<\/span><\/span><\/span>2013<\/span><\/span>\u5e74\u4ee5\u4f86\uff0c<\/span><\/span><\/span>BleepingComputer<\/span><\/span>\u5df2\u6e2c\u8a66\u4e86\u8a31\u591a\u52d2\u7d22\u8edf\u9ad4\uff0c\u7531\u65bc\u67d0\u4e9b\u539f\u56e0\uff0c\u8207\u8a31\u591a\u5176\u4ed6\u52d2\u7d22\u8edf\u9ad4\u611f\u67d3\u76f8\u6bd4\uff0c<\/span><\/span><\/span>SNAKE<\/span><\/span>\u82b1\u4e86\u7279\u5225\u9577\u7684\u6642\u9593\u4f86\u52a0\u5bc6\u6211\u5011\u7684\u5c0f\u578b\u6e2c\u8a66\u76d2\u3002\u7531\u65bc\u9019\u662f\u5728\u9078\u64c7\u653b\u64ca\u8005\u6642\u57f7\u884c\u7684\u6709\u91dd\u5c0d\u6027\u7684\u52d2\u7d22\u8edf\u9ad4\uff0c\u56e0\u6b64\u554f\u984c\u53ef\u80fd\u4e0d\u5927\uff0c\u56e0\u70ba\u52a0\u5bc6\u5f88\u53ef\u80fd\u6703\u5728\u6578\u5c0f\u6642\u5f8c\u767c\u751f\u3002<\/span><\/span><\/span><\/p>\n

 <\/p>\n

\u52a0\u5bc6\u96fb\u8166\u5f8c\uff0c\u52d2\u7d22\u8edf\u9ad4\u5c07\u5728\u540d\u70ba<\/span><\/span><\/span>Fix-Your-Files.txt<\/span><\/span>\u7684<\/span><\/span><\/span>C<\/span><\/span>\uff1a<\/span><\/span><\/span>\\ Users \\ Public \\ Desktop<\/span><\/span>\u6587\u4ef6\u593e\u4e2d\u5275\u5efa\u52d2\u7d22\u4fbf\u689d\u3002\u8a72\u8d16\u91d1\u8a18\u9304\u5305\u542b\u6709\u95dc\u806f\u7e6b\u5217\u51fa\u7684\u96fb\u5b50\u90f5\u4ef6\u5730\u5740\u4ee5\u7372\u53d6\u4ed8\u6b3e\u8aaa\u660e\u3002<\/span><\/span><\/span>\u8a72\u96fb\u5b50\u90f5\u4ef6\u5730\u5740\u7576\u524d\u70ba<\/span><\/span><\/span>bapcocrypt@ctemplar.com<\/a><\/span><\/span>\u3002<\/span><\/span><\/span><\/p>\n

\"3.png\"<\/p>\n

\"\"<\/span><\/p>\n

SNAKE<\/span><\/span>\u8d16\u91d1\u7684<\/span><\/span><\/span>Note<\/span><\/span><\/p>\n

\u5f9e\u52d2\u7d22\u8aaa\u660e\u4e2d\u7684\u8a9e\u8a00\u53ef\u4ee5\u770b\u51fa\uff0c\u8a72\u52d2\u7d22\u8edf\u9ad4\u5c08\u9580\u91dd\u5c0d\u6574\u500b\u7db2<\/span><\/span><\/span><\/p>\n

\u8def\u800c\u4e0d\u662f\u55ae\u500b\u5de5\u4f5c\u7ad9\u3002\u4ed6\u5011\u9032\u4e00\u6b65\u6307\u51fa\uff0c\u8cfc\u8cb7\u7684\u4efb\u4f55\u89e3\u5bc6\u5668\u90fd\u662f\u91dd\u5c0d\u7db2<\/span><\/span><\/span><\/p>\n

\u8def\u7684\uff0c\u800c\u4e0d\u662f\u91dd\u5c0d\u55ae\u500b\u6a5f\u5668\u7684\uff0c\u4f46\u662f\u73fe\u5728\u5224\u65b7\u5b83\u5011\u662f\u5426\u6703\u4f8b\u5916\u9084\u70ba\u6642\u904e\u65e9\u3002<\/span><\/span><\/span><\/p>\n

 <\/p>\n

IOCs<\/span><\/span>\uff1a<\/span><\/span><\/span><\/p>\n

Hash<\/span><\/span>\uff1a<\/span><\/span><\/span><\/p>\n

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60<\/span><\/span><\/p>\n

 <\/p>\n

\u8d16\u91d1\u8a3b\u91cb\u6587\u5b57\uff1a<\/span><\/span><\/span><\/p>\n

——————————————–<\/span><\/span><\/p>\n

 <\/p>\n

| What happened to your files? <\/span><\/span><\/p>\n

 <\/p>\n

——————————————–<\/span><\/span><\/p>\n

 <\/p>\n

We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more –<\/span><\/span><\/p>\n

 <\/p>\n

all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But don\u2019t worry!<\/span><\/span><\/p>\n

 <\/p>\n

You can still get those files back and be up and running again in no time. <\/span><\/span><\/p>\n

 <\/p>\n

 <\/p>\n

———————————————<\/span><\/span><\/p>\n

 <\/p>\n

| How to contact us to get your files back?<\/span><\/span><\/p>\n

 <\/p>\n

———————————————<\/span><\/span><\/p>\n

 <\/p>\n

The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. <\/span><\/span><\/p>\n

 <\/p>\n

Once run on an effected computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with<\/span><\/span><\/p>\n

 <\/p>\n

better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com<\/span><\/span><\/p>\n

 <\/p>\n

 <\/p>\n

——————————————————-<\/span><\/span><\/p>\n

 <\/p>\n

| How can you be certain we have the decryption tool?<\/span><\/span><\/p>\n

 <\/p>\n

——————————————————-<\/span><\/span><\/p>\n

 <\/p>\n

In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).<\/span><\/span><\/p>\n

 <\/p>\n

We will send them back to you decrypted.<\/span><\/span><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Snake\u52d2\u7d22\u8edf\u9ad4\u662f\u4e0b\u4e00\u500b\u91dd\u5c0d\u4f01\u696d\u7db2\u8def\u7684\u5a01\u8105\u2026\u2026   \u7db2\u8def\u7ba1\u7406\u54e1\u5011\u53ef\u80fd\u9700\u8981\u958b\u59cb\u64d4\u5fc3\u4e00\u7a2e\u540d\u70baSNAKE READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[27],"class_list":["post-74","post","type-post","status-publish","format-standard","hentry","category-6","tag-snake"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/74","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=74"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions"}],"predecessor-version":[{"id":101,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions\/101"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=74"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=74"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=74"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}