CN111414623B - Decryption method for files encrypted by the GandCrab ransomware - Google Patents
- Publication number: CN111414623B (application CN202010234179.2A)
- Authority: CN (China)
- Prior art keywords: encrypted, rsa, bytes, information, file
- Legal status: Active (Google's assumption from the available data, not a legal conclusion)
Classifications
- G06F21/568: Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files (hierarchy: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling)
- G06F21/562: Static detection (same parent hierarchy down to G06F21/56)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for decrypting files encrypted by version 5.1 of the GandCrab ransomware, comprising the following steps. S100: in each directory, find the ransom note file, which has a random name and the suffix DECRYPT, and locate in it the block that starts with the identifier BEGIN GANDCRAB KEY and ends with the identifier END GANDCRAB; this block is data encrypted with the second RSA public key and represented in Base64. S200: decrypt that data with the RSA algorithm using the second RSA private key; the result is Base64-encoded text that carries the private key of the first RSA encryption (the first RSA private key). S300: Base64-decode that text to obtain the first RSA private key. S400: locate the RSA-encrypted Salsa20 key and initialization vector in the encrypted file. S500: decrypt the file with the Salsa20 key and initialization vector.
Description
Technical Field
The invention belongs to the field of network and information security and relates to a method for decrypting files encrypted by the GandCrab ransomware, in particular by GandCrab version 5.1.
Background
Ransomware is a class of malware spread mainly by e-mail, trojanised programs and web-page trojans. Infection is highly damaging: the malware encrypts files with a combination of cryptographic algorithms, and the victim generally cannot recover them without obtaining the corresponding decryption key. Once the ransomware payload lands on a host it executes automatically and deletes its own sample to hinder detection, removal and analysis. It then uses the host's Internet access to contact the attacker's command-and-control (C&C) server, uploads host information, retrieves the key material used for encryption, and encrypts the files. Apart from the ransomware operator, decryption is all but impossible for anyone else. When encryption is complete the desktop wallpaper is changed and a ransom note is placed in a prominent location such as the desktop to direct the victim to pay. Variants appear rapidly and evade conventional antivirus software; samples arrive as exe, js, wsf and vbe files, among others, which is a serious challenge for security products that rely on signature detection. Ransomware currently spreads mainly through three channels: vulnerability exploitation, e-mail and malvertising.
Salsa20 is a stream cipher, i.e. a symmetric cipher: the same key is used for encryption and decryption, so both parties must hold it. Because symmetric ciphers are fast, they are normally used when a sender has large amounts of data to encrypt.
RSA is an asymmetric (public-key) algorithm: encryption and decryption use not one key but a pair, the "public key" and the "private key", which must be used together, otherwise the encrypted data cannot be recovered. The public key can be published; the private key is known only to its holder. With a symmetric scheme the key itself must somehow be conveyed to the other party, and however that is done it may be intercepted in transit. An asymmetric scheme avoids this key-distribution problem: the public key may be disclosed freely, and the recipient needs only its own private key to decrypt.
Base64 is a representation of binary data using 64 printable characters. Since the alphabet has 64 symbols, each symbol encodes 6 bits (64 = 2^6). Ordinary bytes are 8 bits, and the least common multiple of 8 and 6 is 24, so 4 Base64 characters represent 3 bytes. To Base64-encode a string, each character is first converted to its ASCII code and then to binary; for example, 'a' is ASCII 97, i.e. 01100001. The 8-bit groups are then re-read as 6-bit groups (the 2 bits left over from one byte are joined with the bits of the next), and each 6-bit value is mapped to a Base64 character.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a method for decrypting files encrypted by GandCrab ransomware version 5.1. It recovers the Salsa20 key and initialization vector and uses them to decrypt the file, in the following steps:
S100: in each directory, find the ransom note file, which has a random name and the suffix DECRYPT, and locate in it the block that starts with the identifier BEGIN GANDCRAB KEY and ends with the identifier END GANDCRAB; this block is data encrypted with the second RSA public key and represented in Base64 (the GandCrab version is 5.1);
S200: decrypt that data with the RSA algorithm using the second RSA private key, obtaining Base64-encoded text that carries the first RSA private key;
S300: Base64-decode that text to obtain the first RSA private key;
S400: locate the RSA-encrypted Salsa20 key and initialization vector in the encrypted file;
S500: decrypt the file with the Salsa20 key and initialization vector.
Preferably, step S400 comprises:
S401: obtain the length of the encrypted file in bytes;
S402: search backwards from the end of the encrypted file for the 8-byte identifier 0x0100000000000000;
S403: starting at the first byte of the identifier, skip 8 bytes towards the start of the file, then take the 0x200 bytes preceding that point as the data of the first RSA encryption;
S404: decrypt those 0x200 bytes with the first RSA private key; the first 32 bytes of the decrypted first 0x100-byte block are the Salsa20 key, and the first 8 bytes of the decrypted second 0x100-byte block are the Salsa20 initialization vector.
Preferably, step S402 comprises:
S4021: read the last 8 bytes of the encrypted file and check whether they equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4022;
S4022: skip 5 bytes back from the end of the encrypted file, then read the 8 bytes preceding that point;
S4023: check whether the current 8 bytes equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4024;
S4024: read the next 8 bytes, continuing towards the start of the file, and return to step S4023.
Preferably, the maximum encrypted length is 0x100000 bytes: data beyond that length is left unencrypted by the ransomware, so only the encrypted portion is decrypted.
The beneficial effects of the invention are as follows:
1. The Salsa20 key and initialization vector are extracted from data decrypted with the RSA private key.
2. The decryption method handles the hybrid (RSA plus Salsa20) encryption scheme.
3. File contents encrypted by GandCrab ransomware version 5.1 are restored.
Drawings
FIG. 1 is the overall flow chart of the method provided by the invention;
FIG. 2 shows the data structure of the information encrypted with the second RSA public key in one embodiment of the invention;
FIG. 3 shows the data structure of the Base64-encoded information obtained by decryption with the second RSA private key in one embodiment of the invention;
FIG. 4 shows the data structure of the first RSA private key in one embodiment of the invention;
FIG. 5 shows the data structure of the data of the first RSA encryption in one embodiment of the invention;
FIG. 6A shows the data structure of the RSA-decrypted Salsa20 key in one embodiment of the invention;
FIG. 6B shows the data structure of the RSA-decrypted Salsa20 initialization vector in one embodiment of the invention.
Detailed Description
Because a file is typically encrypted in two or more layers once the ransomware has run, decryption is the reverse process; the invention is illustrated with two layers of encryption. That is, in the method provided by the invention the second (outer) encryption is undone first and the first (inner) encryption afterwards. The invention is further illustrated by the following figures and examples.
FIG. 1 shows the overall flow chart of the method provided by the invention. As shown in FIG. 1, the method comprises the following steps:
S100: in each directory, find the ransom note file, which has a random name and the suffix DECRYPT, and locate in it the block that starts with the identifier BEGIN GANDCRAB KEY and ends with the identifier END GANDCRAB; this block is data encrypted with the second RSA public key and represented in Base64 (the GandCrab version is 5.1);
FIG. 2 shows the data structure of the information encrypted with the second RSA public key in one embodiment of the invention. As shown in FIG. 2, the text between the identifier BEGIN GANDCRAB KEY and the identifier END GANDCRAB is the Base64 representation of the data encrypted with the second RSA public key.
S200: decrypt that data with the RSA algorithm using the second RSA private key, obtaining Base64-encoded text that carries the first RSA private key. This step presupposes possession of the second RSA private key, i.e. the private half of the key pair whose public half the ransomware used; the method does not describe how that key is obtained.
FIG. 3 shows the data structure of the Base64-encoded information obtained by decryption with the second RSA private key in one embodiment of the invention.
S300: Base64-decode that text to obtain the first RSA private key;
FIG. 4 shows the data structure of the first RSA private key in one embodiment of the invention.
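The following added example (not part of the patent; all data constructed, toy RSA key) carries out steps S100 to S300 as described above: it walks a directory tree for ransom notes whose name ends in DECRYPT, extracts the text between the BEGIN GANDCRAB KEY and END GANDCRAB identifiers, Base64-decodes it, RSA-decrypts the result with the second RSA private key and Base64-decodes that to recover the first RSA private key. Everything the patent leaves unspecified is an assumption here and is marked as such in the comments: the note layout around the identifiers, the zero-prefixed raw-RSA stand-in with a deterministic, trivially factorable toy modulus built from Mersenne primes (used only so the example runs offline; it is not GandCrab's key or padding), the 255-byte chunking of the inner Base64 text across 0x100-byte RSA blocks, and the placeholder bytes that stand in for the first RSA private key.

```python
"""Added example for patent steps S100-S300: locate GandCrab 5.1 ransom notes, extract the
RSA-encrypted Base64 blob and peel both layers to recover the first RSA private key.
All sample data is constructed here; the RSA layer is a toy stand-in, not GandCrab's."""
import base64
import binascii
import math
import os
import re
import tempfile

NOTE_SUFFIX = "DECRYPT"   # note file name (minus extension) ends in DECRYPT (page, S100)
RSA_BLOCK = 0x100         # one RSA ciphertext block, the size the page uses in the file trailer
# Identifiers from the page; \s* tolerates the spacing variants the translation shows
# (BEGINGANDCRABKEY, END GAND CRAB) and re.S lets the blob span several lines.
BLOB_RE = re.compile(r"BEGIN\s*GANDCRAB\s*KEY(.*?)END\s*GAND\s*CRAB", re.S)

# Toy RSA stand-in (ASSUMPTION, not GandCrab's key or padding): a deterministic 2047-bit
# multi-prime modulus built from Mersenne primes, chosen only so that blocks are 0x100 bytes
# and the example runs offline. It is trivially factorable and has no security value.
_MERSENNE = [(1 << k) - 1 for k in (1279, 607, 127, 31, 3)]
RSA_N, RSA_E = math.prod(_MERSENNE), 65537
RSA_D = pow(RSA_E, -1, math.prod(p - 1 for p in _MERSENNE))

def toy_rsa_encrypt(payload: bytes) -> bytes:
    """Raw RSA on a zero-prefixed 255-byte payload (the zero byte keeps it below the modulus)."""
    assert len(payload) == RSA_BLOCK - 1
    return pow(int.from_bytes(b"\0" + payload, "big"), RSA_E, RSA_N).to_bytes(RSA_BLOCK, "big")

def toy_rsa_decrypt(block: bytes) -> bytes:
    """Inverse of toy_rsa_encrypt: returns the 255-byte payload."""
    assert len(block) == RSA_BLOCK
    return pow(int.from_bytes(block, "big"), RSA_D, RSA_N).to_bytes(RSA_BLOCK, "big")[1:]

def find_ransom_notes(root: str) -> list:
    """S100, part 1: every file under root whose name without extension ends in DECRYPT."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[0].upper().endswith(NOTE_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def extract_encrypted_blob(note_text: str) -> bytes:
    """S100, part 2: Base64-decode the text between the identifiers into RSA ciphertext bytes."""
    m = BLOB_RE.search(note_text)
    if not m:
        raise ValueError("note carries no BEGIN GANDCRAB KEY ... END GANDCRAB block")
    b64 = re.sub(r"[^A-Za-z0-9+/=]", "", m.group(1))   # drop line breaks and any framing
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed Base64 between the identifiers: {exc}") from exc

def recover_first_private_key(blob: bytes, rsa_decrypt=toy_rsa_decrypt) -> bytes:
    """S200 + S300: RSA-decrypt each 0x100-byte block with the second RSA private key, join the
    Base64 text they carry (per-block chunking is an assumption), then Base64-decode it."""
    if not blob or len(blob) % RSA_BLOCK:
        raise ValueError("ciphertext is not a whole number of RSA blocks")
    inner = b"".join(rsa_decrypt(blob[i:i + RSA_BLOCK]) for i in range(0, len(blob), RSA_BLOCK))
    return base64.b64decode(inner.rstrip(b"\0"), validate=True)   # zero padding is never Base64

# Constructed placeholder standing in for the first RSA private key: NOT a real key.
SAMPLE_FIRST_PRIVATE_KEY = b"CONSTRUCTED PLACEHOLDER FOR THE FIRST RSA PRIVATE KEY " + bytes(range(256)) * 3

def build_sample_note(first_private_key: bytes, rsa_encrypt=toy_rsa_encrypt) -> str:
    """Constructed note with the page's layering: Base64(RSA_pub2(Base64(first private key)))."""
    inner = base64.b64encode(first_private_key)
    step = RSA_BLOCK - 1
    chunks = [inner[i:i + step].ljust(step, b"\0") for i in range(0, len(inner), step)]
    outer = base64.b64encode(b"".join(rsa_encrypt(c) for c in chunks)).decode()
    wrapped = "\n".join(outer[i:i + 64] for i in range(0, len(outer), 64))
    return "(ransom text omitted)\nBEGIN GANDCRAB KEY\n" + wrapped + "\nEND GANDCRAB\n"

def demo() -> dict:
    """Drop notes into a constructed directory tree and run S100-S300 end to end."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs", "2020"))
        for rel in ("XYZAB-DECRYPT.txt", os.path.join("docs", "2020", "XYZAB-DECRYPT.html")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(build_sample_note(SAMPLE_FIRST_PRIVATE_KEY))
        with open(os.path.join(root, "docs", "report.docx.xyzab"), "wb") as fh:
            fh.write(b"\x00" * 16)                   # an encrypted file, not a note: must be skipped
        notes = find_ransom_notes(root)
        with open(notes[0]) as fh:
            blob = extract_encrypted_blob(fh.read())
        return {"notes": len(notes), "blocks": len(blob) // RSA_BLOCK,
                "first_private_key": recover_first_private_key(blob)}

if __name__ == "__main__":
    print(demo())
```

Two checks matter in practice: validate the Base64 strictly (a note mangled by copy-and-paste or an editor should fail loudly rather than yield a plausible-looking wrong key), and reject a ciphertext whose length is not a whole number of RSA blocks before spending time on big-number arithmetic.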
S400: locate the RSA-encrypted Salsa20 key and initialization vector, comprising the following steps:
S401: obtain the length of the encrypted file in bytes;
S402: search backwards from the end of the encrypted file for the 8-byte identifier 0x0100000000000000, comprising the following steps:
S4021: read the last 8 bytes of the encrypted file and check whether they equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4022;
S4022: skip 5 bytes back from the end of the encrypted file, then read the 8 bytes preceding that point;
S4023: check whether the current 8 bytes equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4024;
S4024: read the next 8 bytes, continuing towards the start of the file, and return to step S4023.
S403: starting at the first byte of the identifier, skip 8 bytes towards the start of the file, then take the 0x200 bytes preceding that point as the data of the first RSA encryption;
FIG. 5 shows the data structure of the data of the first RSA encryption in one embodiment of the invention. As shown in FIG. 5, the 0x200 bytes (512 bytes in decimal) ending at address 0x000198FF are the data of the first RSA encryption. (The range printed in the original, 0x00019610 to 0x000198FF, spans 0x2F0 bytes, not 0x200, so the two figures are inconsistent as printed; a 0x200-byte block ending at 0x000198FF would begin at 0x00019700.)
S404: the first 32 bytes of the decrypted first 0x100-byte block are the Salsa20 key, and the first 8 bytes of the decrypted second 0x100-byte block are the Salsa20 initialization vector.
FIG. 6A shows the data structure of the RSA-decrypted Salsa20 key in one embodiment of the invention; the rectangular box in FIG. 6A marks the 32-byte Salsa20 key obtained by RSA decryption.
FIG. 6B shows the data structure of the RSA-decrypted Salsa20 initialization vector in one embodiment of the invention; the rectangular box in FIG. 6B marks the 8-byte Salsa20 initialization vector obtained by RSA decryption.
S500: decrypt the encrypted file with the Salsa20 key and initialization vector.
Note that for a file encrypted by the ransomware the maximum encrypted length is 0x100000 bytes: data beyond that length is not encrypted, so on decryption only the encrypted portion is processed and the remainder is left as it is.
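The following added example (not part of the patent; constructed file, toy RSA key) carries out steps S401 to S500 as described above: it searches back from the end of the file for the identifier 0x0100000000000000, skips the 8 bytes in front of it, RSA-decrypts the two 0x100-byte blocks that precede them to obtain the 32-byte Salsa20 key and 8-byte initialization vector, and decrypts at most 0x100000 bytes of the body, copying anything beyond that limit through unchanged. Assumptions not taken from the page are marked in the comments: the RSA layer is a zero-prefixed raw-RSA stand-in with a deterministic, trivially factorable toy modulus built from Mersenne primes (GandCrab's real key and padding are not described here); the Salsa20 block counter starts at 0; the 8 bytes before the identifier are zero-filled in the constructed file; and the identifier is found with a backward substring search, which generalises the page's 8-byte stepping and also finds a marker that is not 8-byte aligned relative to the end of the file. The Salsa20 implementation follows Bernstein's specification and is included in pure Python so the block runs without third-party libraries.

```python
"""Added example for patent steps S400-S500: find the 0x0100000000000000 trailer marker of a
GandCrab-5.1-style encrypted file, take the 0x200 bytes of RSA data in front of it, decrypt the
Salsa20 key and IV with the first RSA private key and decrypt the (at most 0x100000-byte) body.
The file is constructed here; the RSA layer is a toy stand-in, not GandCrab's key or padding."""
import math
import struct

MARKER = bytes.fromhex("0100000000000000")  # trailer identifier (page, S402)
RSA_BLOCK = 0x100                            # one RSA ciphertext block (page, S404)
RSA_DATA_LEN = 2 * RSA_BLOCK                 # key block followed by IV block (page, S403)
GAP_BEFORE_MARKER = 8                        # 8 bytes between RSA data and marker; the page does not interpret them
MAX_ENCRYPTED = 0x100000                     # only the first 1 MiB of a file is encrypted (page, claim 2)

# Toy RSA stand-in (ASSUMPTION): deterministic 2047-bit multi-prime modulus from Mersenne primes,
# so that blocks are 0x100 bytes and the example runs offline. Trivially factorable, no security value.
_MERSENNE = [(1 << k) - 1 for k in (1279, 607, 127, 31, 3)]
RSA_N, RSA_E = math.prod(_MERSENNE), 65537
RSA_D = pow(RSA_E, -1, math.prod(p - 1 for p in _MERSENNE))

def toy_rsa_encrypt(payload: bytes) -> bytes:
    """Raw RSA on a zero-prefixed 255-byte payload (the zero byte keeps it below the modulus)."""
    assert len(payload) == RSA_BLOCK - 1
    return pow(int.from_bytes(b"\0" + payload, "big"), RSA_E, RSA_N).to_bytes(RSA_BLOCK, "big")

def toy_rsa_decrypt(block: bytes) -> bytes:
    """Inverse of toy_rsa_encrypt; the 255-byte result starts with the caller's payload."""
    return pow(int.from_bytes(block, "big"), RSA_D, RSA_N).to_bytes(RSA_BLOCK, "big")[1:]

# --- Salsa20 (Bernstein's specification: 32-byte key, 8-byte nonce, 64-bit block counter) ---
_SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"

def _rotl(v: int, r: int) -> int:
    return ((v << r) & 0xFFFFFFFF) | (v >> (32 - r))

def _quarterround(x: list, a: int, b: int, c: int, d: int) -> None:
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte keystream block; state layout: sigma, k0..k3, sigma, nonce, counter, sigma, k4..k7, sigma."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    st = [_SIGMA[0], *k[:4], _SIGMA[1], *n, counter & 0xFFFFFFFF, counter >> 32, _SIGMA[2], *k[4:], _SIGMA[3]]
    x = st[:]
    for _ in range(10):                                                               # 10 double rounds = Salsa20/20
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):     # column round
            _quarterround(x, *q)
        for q in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):    # row round
            _quarterround(x, *q)
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, st)))

def salsa20_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (identical for a stream cipher); block counter starts at 0 (assumption)."""
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, iv, i // 64)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

# --- the page's file layout ---
def locate_marker(data: bytes) -> int:
    """S402: search back from the end for the identifier; fail if there is no room for 0x200 + 8 bytes before it."""
    off = data.rfind(MARKER)
    if off < RSA_DATA_LEN + GAP_BEFORE_MARKER:
        raise ValueError("no GandCrab 5.1 trailer found")
    return off

def extract_salsa20_params(data: bytes, rsa_decrypt=toy_rsa_decrypt):
    """S403/S404: returns (key, iv, body_length); body_length is where the RSA data starts."""
    end = locate_marker(data) - GAP_BEFORE_MARKER
    start = end - RSA_DATA_LEN
    key = rsa_decrypt(data[start:start + RSA_BLOCK])[:32]   # first 32 bytes of decrypted block 1
    iv = rsa_decrypt(data[start + RSA_BLOCK:end])[:8]        # first 8 bytes of decrypted block 2
    return key, iv, start

def decrypt_file(data: bytes, rsa_decrypt=toy_rsa_decrypt, max_encrypted=MAX_ENCRYPTED) -> bytes:
    """S500 with the claim-2 limit: only the first max_encrypted body bytes were ever encrypted."""
    key, iv, body_len = extract_salsa20_params(data, rsa_decrypt)
    body = data[:body_len]
    n = min(len(body), max_encrypted)
    return salsa20_xor(key, iv, body[:n]) + body[n:]

def build_sample(plaintext: bytes, key: bytes, iv: bytes, rsa_encrypt=toy_rsa_encrypt, max_encrypted=MAX_ENCRYPTED) -> bytes:
    """Constructed encrypted file in the page's layout (demo only; gap bytes zero-filled, filler after key/IV assumed)."""
    n = min(len(plaintext), max_encrypted)
    body = salsa20_xor(key, iv, plaintext[:n]) + plaintext[n:]
    key_block = rsa_encrypt(key.ljust(RSA_BLOCK - 1, b"\x11"))
    iv_block = rsa_encrypt(iv.ljust(RSA_BLOCK - 1, b"\x22"))
    return body + key_block + iv_block + b"\0" * GAP_BEFORE_MARKER + MARKER

SAMPLE_KEY = bytes(range(32))                          # constructed
SAMPLE_IV = bytes.fromhex("0011223344556677")          # constructed
SAMPLE_PLAINTEXT = b"constructed plaintext of a GandCrab test file\n" * 12

if __name__ == "__main__":
    encrypted = build_sample(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_IV)
    print(decrypt_file(encrypted) == SAMPLE_PLAINTEXT)
```

The 0x100000 limit is a parameter (max_encrypted) so that the partial-encryption case from claim 2 can be exercised on a small file: bytes beyond the limit must be copied through unchanged, and running the keystream over them would corrupt data the ransomware never touched.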
It is to be understood that the invention is not limited to the examples described above, and that modifications and variations may be effected in light of the above teachings by those skilled in the art, all of which are intended to be within the scope of the invention as defined in the appended claims.
Claims (2)
1. A method for decrypting a file encrypted by the GandCrab ransomware, characterised in that it comprises the following steps:
S100: in each directory, find the ransom note file, which has a random name and the suffix DECRYPT, and locate in it the block that starts with the identifier BEGIN GANDCRAB KEY and ends with the identifier END GANDCRAB, wherein the block is data encrypted with the second RSA public key and represented in Base64, and the GandCrab ransomware version is 5.1;
S200: decrypt that data with the RSA algorithm using the second RSA private key, obtaining Base64-encoded text that carries the first RSA private key;
S300: Base64-decode that text to obtain the first RSA private key;
S400: locate the RSA-encrypted Salsa20 key and initialization vector, step S400 comprising:
S401: obtain the length of the encrypted file in bytes;
S402: search backwards from the end of the encrypted file for the 8-byte identifier 0x0100000000000000, step S402 comprising:
S4021: read the last 8 bytes of the encrypted file and check whether they equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4022;
S4022: skip 5 bytes back from the end of the encrypted file, then read the 8 bytes preceding that point;
S4023: check whether the current 8 bytes equal the identifier 0x0100000000000000; if so, go to step S403, otherwise go to step S4024;
S4024: read the next 8 bytes, continuing towards the start of the file, and return to step S4023;
S403: starting at the first byte of the identifier, skip 8 bytes towards the start of the file, then take the 0x200 bytes preceding that point as the data of the first RSA encryption;
S404: decrypt those 0x200 bytes with the first RSA private key, wherein the first 32 bytes of the decrypted first 0x100-byte block are the Salsa20 key and the first 8 bytes of the decrypted second 0x100-byte block are the Salsa20 initialization vector;
S500: decrypt the encrypted file with the Salsa20 key and initialization vector.
2. The method of claim 1, wherein the maximum encrypted length is 0x100000 bytes, data beyond the maximum encrypted length is not encrypted, and only the encrypted portion is decrypted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010234179.2A CN111414623B (en) | 2020-03-30 | 2020-03-30 | Decryption method for files encrypted by the GandCrab ransomware |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111414623A (en) | 2020-07-14 |
CN111414623B (en) | 2023-06-02 |
Family
ID=71491560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010234179.2A Active CN111414623B (en) | 2020-03-30 | 2020-03-30 | Decryption method for files encrypted by the GandCrab ransomware |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111414623B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101989984A (en) * | 2010-08-24 | 2011-03-23 | Beijing Yihengxin Certification Technology Co., Ltd. | Electronic document safe sharing system and method thereof |
CN106611121A (en) * | 2016-11-01 | 2017-05-03 | Harbin Antiy Technology Co., Ltd. | Method and system for detecting ransomware based on file-format monitoring |
CN107094108A (en) * | 2016-02-18 | 2017-08-25 | Volkswagen AG | Method for a component connected to a data bus and for implementing an encryption function in the component |
CN108363923A (en) * | 2017-10-19 | 2018-08-03 | Beijing Antiy Network Security Technology Co., Ltd. | Ransomware defense method, system and device |
CN108932428A (en) * | 2017-05-25 | 2018-12-04 | Tencent Technology (Shenzhen) Co., Ltd. | Ransomware handling method, apparatus, device and readable storage medium |
US10554688B1 (en) * | 2017-05-30 | 2020-02-04 | Ca, Inc. | Ransomware locked data decryption through ransomware key transposition |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10193872B2 (en) * | 2015-08-12 | 2019-01-29 | Cyphyx, Llc | System and methods for dynamically and randomly encrypting and decrypting data |
US10387648B2 (en) * | 2016-10-26 | 2019-08-20 | Cisco Technology, Inc. | Ransomware key extractor and recovery system |
Non-Patent Citations (2)
Title |
---|
Li Huasheng; Huang Jin. Ransomware identification, handling and defense. Journal of Information Security Research, 2019, No. 4, full text. * |
Guo Chunsheng; Cheng Guang. A decryption method for the WannaCry ransomware based on API hooking. Cyberspace Security, 2019, No. 1, full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN111414623A (en) | 2020-07-14 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |