CTB-Locker Virus Author Releases Key Database Dump

Locker Ransomware Author Allegedly Releases Database Dump of Private Keys

Allegedly, the author of the “Locker” ransomware has uploaded a dump of the C2 server database, releasing private keys of infected hosts to the public.

Allegedly, the author of the “Locker” ransomware has uploaded a dump of the C2 server database, releasing private keys of infected hosts worldwide to the public. The “author” claims that the release was a mistake, that no further keys will be utilized for encryption, and that automatic decryption of all affected hosts will begin on June 2nd.

This is the post made by the alleged author, uploaded to http://pastebin.com/1WZGqrUH on 05/30/2015.

Hi, 
I am the author of the Locker ransomware and I'm very sorry about what has happened. It was never my intention to release this. I uploaded the database to mega.co.nz containing "bitcoin address, public key, private key" as CSV.
This is a dump of the complete database and most of the keys weren't even used.
All distribution of new keys has been stopped.
 
hxxps://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4
 
Automatic decryption will start on 2nd of June at midnight. @devs, as you might be aware the private key is used in the RSACryptoServiceProvider class in .NET and files are encrypted with AES-256 bit using the RijndaelManaged class.
 
This is the structure of the encrypted files:
 
- 32 bit integer, header length
- byte array, header (length is previous int)
*decrypt byte array using RSA & private key.
 
Decrypted byte array contains:
- 32 bit integer, IV length
- byte array, IV (length is in previous int)
- 32 bit integer, key length
- byte array, Key (length is in previous int)
 
- rest of the data is the actual file which can be decrypted using Rijndaelmanaged and the IV and Key
 
Again sorry for all the trouble.
 
Poka BrightMinds
 
~ V
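As an added illustration (not code from the post, nor from the decryption utility mentioned later in this article), the Go function below walks the file layout the author lists: a length-prefixed RSA-encrypted header that yields a length-prefixed IV and key, followed by the AES-CBC body. It assumes little-endian int32 lengths (as .NET BinaryWriter writes them), PKCS#1 v1.5 RSA padding (the RSACryptoServiceProvider default) and CBC mode with PKCS#7 padding (the RijndaelManaged default); the post states none of these, and it rejects truncated headers, oversized length fields and bad padding rather than returning garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"errors"
)

// Assumptions not stated in the post: little-endian int32 lengths (.NET BinaryWriter),
// PKCS#1 v1.5 RSA padding (RSACryptoServiceProvider default), AES-CBC with PKCS#7 padding.

// readLenPrefixed parses one [int32 length][bytes] field and returns the remainder.
func readLenPrefixed(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.LittleEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("length field exceeds available data")
	}
	n := binary.LittleEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// Decrypt parses [hdrLen][RSA(hdr)][AES-CBC body] with hdr = [ivLen][iv][keyLen][key]
// and returns the original file, or an error if any length or the padding is off.
func Decrypt(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	encHdr, body, err := readLenPrefixed(blob)
	if err != nil {
		return nil, err
	}
	hdr, err := rsa.DecryptPKCS1v15(rand.Reader, priv, encHdr)
	if err != nil {
		return nil, err
	}
	iv, rest, err1 := readLenPrefixed(hdr)
	key, _, err2 := readLenPrefixed(rest)
	block, err3 := aes.NewCipher(key)
	if err1 != nil || err2 != nil || err3 != nil || len(iv) != aes.BlockSize ||
		len(body) == 0 || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("malformed header or body")
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	pad := int(plain[len(plain)-1]) // PKCS#7: the last byte gives the pad length
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return plain[:len(plain)-pad], nil
}
```

A real recovery tool would look up the victim's private key in the leaked CSV by Bitcoin address and feed it, with each encrypted file, to Decrypt.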
File Information
Name: database_dump.csv
Size: 127.5 MB
MD5: d4d781412e562b76fe0db0977cf6279b
SHA-1: 6ba671ce2a6c256c74d7db81186b0dbddd5e2185
SHA-256: d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f
VirusTotal: https://www.virustotal.com/en/file/d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f/analysis/1433015747/

Based on a brief analysis, the file seems non-malicious and does contain a large quantity of RSA keys.

The CSV file contains Bitcoin addresses and RSA keys.

Open at your own risk, until further analyses are performed.

UPDATE May 31st, 2015

Nathan Scott, an experienced programmer who can often be found developing and releasing decryption utilities and other security-related tools on BleepingComputer.com, has created a decryption utility for the Locker ransomware.

The decryption utility can be downloaded from the below URL:

https://easysyncbackup.com/Downloads/LockerUnlocker_v1.0.6.0.exe

About the Author Michael Fratello

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York. Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.

Edited by Pierluigi Paganini

(Security Affairs – Locker, malware)

Original article: http://securityaffairs.co/wordpress/37346/cyber-crime/locker-ransomware-db-dump.html

Time: 2024-10-11 03:56:24
