CN113228016A - Apparatus and method for ransomware decryption - Google Patents


Info

Publication number
CN113228016A
Authority
CN
China
Prior art keywords
encrypted
software
backup image
decryption
files
Prior art date
Legal status
Pending
Application number
CN201980086619.XA
Other languages
Chinese (zh)
Inventor
阿维夫·库温特
阿萨夫·纳塔逊
亚伦·莫
阿萨夫·耶格尔
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention relates to the technical field of data decryption, and in particular provides an automatic, lineage-based decryption method for use after a ransomware attack. The invention discloses an apparatus for ransomware decryption. The apparatus is configured to obtain a first backup image of user data at a first time point T1 and a second backup image of the user data at a second time point T2, wherein T2 is later than T1. The apparatus is further configured to detect whether one or more files of the user data were encrypted by ransomware between time point T1 and time point T2. Further, the apparatus is configured to decrypt the one or more files determined to be encrypted by the ransomware using the first backup image and the second backup image.

Description

Apparatus and method for ransomware decryption
Technical Field
The invention relates to a data decryption method, in particular to an automatic decryption method for use after a ransomware attack. To this end, the invention provides an apparatus and a corresponding method for ransomware decryption, and a system comprising said apparatus for ransomware decryption.
Background
Ransomware is malware that prevents a user from accessing their data (typically by encrypting the data) and then demands that the user pay a ransom in order to regain access (i.e., to decrypt the encrypted data).
Ransomware has become increasingly widespread in recent years, and there are many different ransomware variants. Various cybersecurity companies (e.g., Kaspersky, aWidth, Emsisoft) continually release decryption tools (also known as decryptors, e.g., the Rexph Decryptor of Kaspersky) to help users decrypt data encrypted by newer and more advanced ransomware variants.
All ransomware decryptors require the user to operate the decryptor manually, including identifying the ransomware, selecting the decryptor, and installing and running it. Furthermore, for more advanced ransomware variants, the decryptor may impose restrictions, for example requiring the provision of a pair of files, namely one unencrypted file and the encrypted version of the same file. Other limitations may be as follows: in a given file pair, the file provided to the decryptor should be as large as possible, because some decryptors can only decrypt files whose size is less than or equal to that of the provided file. In addition, the user typically has to determine the optimal decryptor and the optimal file pair in order to maximize the number of decrypted files, especially since not all decryptors can decrypt 100% of the encrypted files.
When ransomware infects a system protected by a backup application, the application may continue to back up user data, including data encrypted by the ransomware, so that the backup becomes unusable and data is lost.
Existing solutions require the user to identify the ransomware using an existing database, find the appropriate decryption tool for it, then manually install and run that tool, and manually verify the correctness of the decryption.
As mentioned above, since different decryption tools have different operational requirements, satisfying these requirements manually may not be simple and may result in failure to correctly decrypt as many files as possible.
Some data protection systems monitor a protected environment and issue an alarm when the environment is suspected to be under ransomware attack. However, such systems do not provide a solution for situations in which the ransomware has already encrypted part of the environment before detection. Other data protection systems may recover old versions of encrypted files. However, with these systems, any new data created after the last pre-ransomware backup is lost.
Disclosure of Invention
In view of the above limitations and problems, embodiments of the present invention are directed to an improved ransomware decryption method. One object is to provide an automatic ransomware decryption process that does not require the user to manually select and install a decryption tool, nor to select an input for the decryption tool. In particular, decryption is based on the lineage created by the backup system.
The object is achieved by the embodiments provided by the appended independent claims. Advantageous implementations of embodiments of the invention are further defined in the dependent claims.
A first aspect of the invention provides an apparatus for ransomware decryption. The apparatus is configured to: obtain a first backup image of user data at a first time point T1 and a second backup image of the user data at a second time point T2, wherein T2 is later than T1; detect whether one or more files of the user data were encrypted by ransomware between time point T1 and time point T2; and decrypt the one or more files determined to be encrypted by the ransomware using the first backup image and the second backup image.
It is therefore proposed to rely on the properties of the backup system to provide automatic ransomware decryption. In particular, a lineage-based decryption method is provided that relies on earlier versions of the encrypted files existing in the backup history. The apparatus of the first aspect does not require the user to manually select and install the decryption tool, nor to select an input for the decryption tool. Accordingly, an improved ransomware decryption apparatus is provided.
In an implementation form of the first aspect, the apparatus is configured to: analyze the first backup image and the second backup image; and, if a file is unencrypted in the first backup image and encrypted in the second backup image, determine that the file was encrypted by the ransomware between time point T1 and time point T2.
In particular, a check may be performed automatically to detect the ransomware. For example, ransomware may be detected by the extension of a file, by the presence of a "ransom note" file created by the ransomware, or based on the changes made since the last backup.
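The lineage rule above (unencrypted in the T1 image, encrypted in the T2 image) combined with the three detection indicators just listed can be written out as follows. This is an added example, not code from the patent or from Huawei; the backup images, the list of ransomware extensions, the ransom-note file names and the entropy threshold are all constructed assumptions, and the indicator lists stand in for the ransomware database the text describes. Two encryption patterns are covered: a file whose extension was changed, and a file encrypted in place under its original name, which only the entropy test catches.

```python
"""Lineage-based detection of ransomware-encrypted files between two backup
images. Added example; not code from the patent. Backup images are modelled
as dicts mapping a file path to its content (constructed sample data); a real
implementation would walk mounted image volumes with os.walk()."""
import hashlib
import math
import os
from collections import Counter

# Assumed indicators (constructed); a real deployment would load them from
# the maintained ransomware database the patent describes.
ENCRYPTED_EXTENSIONS = {".crypt", ".locked", ".enc"}
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt", "HOW_TO_RECOVER.html"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_path(path: str) -> str:
    """Strip a ransomware-appended extension: 'a.docx.crypt' -> 'a.docx'."""
    root, ext = os.path.splitext(path)
    return root if ext.lower() in ENCRYPTED_EXTENSIONS else path


def looks_encrypted(path: str, data: bytes) -> bool:
    """Extension indicator first, then an entropy test for in-place encryption."""
    if path != original_path(path):
        return True
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def ransom_note_present(image: dict) -> bool:
    """Ransom-note indicator: a known note file name anywhere in the image."""
    return any(os.path.basename(p) in RANSOM_NOTE_NAMES for p in image)


def detect_encrypted_files(image_t1: dict, image_t2: dict) -> dict:
    """Map original path -> path in T2 for every file that is unencrypted in
    the T1 image and encrypted in the T2 image (the patent's lineage rule).
    Files with no T1 ancestor are skipped: without a lineage no claim is made."""
    hits = {}
    for t2_path, t2_data in image_t2.items():
        orig = original_path(t2_path)
        if orig not in image_t1:
            continue
        if looks_encrypted(orig, image_t1[orig]):
            continue  # already encrypted at T1: not attributable to this window
        if looks_encrypted(t2_path, t2_data):
            hits[orig] = t2_path
    return hits


# Constructed sample images. High-entropy "ciphertext" is produced from
# chained SHA-256 digests purely as stand-in data, not as any cipher.
def _noise(n: int, label: bytes) -> bytes:
    return b"".join(hashlib.sha256(label + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]


IMAGE_T1 = {
    "docs/report.docx": b"Quarterly report, section text. " * 100,
    "docs/notes.txt": b"meeting notes\n" * 100,
    "db/ledger.dat": b"ledger row 0001\n" * 100,
}
IMAGE_T2 = {
    "docs/report.docx.crypt": _noise(3200, b"report"),            # extension changed
    "docs/notes.txt": b"meeting notes\n" * 100 + b"action items\n",  # legitimate edit
    "db/ledger.dat": _noise(1600, b"ledger"),                       # encrypted in place
    "README_DECRYPT.txt": b"(constructed ransom note text)",
}

if __name__ == "__main__":
    print("ransom note present:", ransom_note_present(IMAGE_T2))
    for orig, enc in detect_encrypted_files(IMAGE_T1, IMAGE_T2).items():
        print(f"{orig} -> encrypted as {enc}")
```

The legitimately edited notes file is not reported even though it changed between T1 and T2, because it fails both the extension and the entropy indicator; this is the check that separates "changed since the last backup" from "encrypted since the last backup". Compressed archives and media files also have high entropy, so in practice the entropy indicator should be weighted against the file type or confirmed by the ransom-note indicator.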
In an implementation form of the first aspect, the apparatus is configured to: identify the ransomware; obtain and install a first decryption tool associated with the ransomware; and decrypt the one or more files determined to be encrypted by the ransomware using the installed first decryption tool.
The ransomware may be identified using existing tools or by developing a dedicated ransomware identification tool. Accordingly, the corresponding decryption tool is selected automatically for the ransomware, which provides greater decryption efficiency.
In an implementation form of the first aspect, the apparatus is configured to: maintain a database that maps a plurality of ransomware variants to a plurality of decryption tools, wherein each decryption tool is associated with a ransomware variant.
Optionally, the decryption tool may be selected by consulting a database containing mappings of various ransomware variants to their associated decryption tools. The database may be maintained and/or continuously updated by the apparatus. Alternatively, an external (existing) ransomware database may be used, such as a ransomware database from a cybersecurity company.
In an implementation form of the first aspect, the apparatus is configured to: select a first file from the one or more files determined to be encrypted by the ransomware; obtain an unencrypted version and an encrypted version of the first file from the first backup image and the second backup image, respectively; and generate one or more encryption keys based on the unencrypted version and the encrypted version of the first file.
Optionally, if one or more files are required by the decryption tool, the one or more files may be selected automatically for decryption. For example, the decryption tool may require a pair of files, i.e., the same file before and after encryption. In other cases, only encrypted files may be needed.
In an implementation form of the first aspect, the apparatus is configured to: decrypt the one or more files determined to be encrypted by the ransomware based on the one or more generated encryption keys.
In an implementation form of the first aspect, the apparatus is configured to: select one file from the one or more files determined to be encrypted by the ransomware as the first file according to a predetermined selection criterion.
It should be appreciated that the predetermined selection criterion may refer to selecting the best file for use with the installed decryption tool. For example, for some decryption tools, the larger the provided file, the more other encrypted files can be decrypted. In this case, the largest file among the files determined to be encrypted may be selected as the first file.
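The file-pair selection and key generation steps above, together with the "larger pair decrypts more files" criterion, can be shown end to end with a constructed toy model. This is an added example, not the patent's or Huawei's code, and no real ransomware family is implied: the toy ransomware XORs every file with the same per-victim keystream, which is exactly the situation in which a decryptor needs a plaintext/ciphertext pair and can only recover files no longer than that pair (the size restriction described in the Background). The backup images, victim key and path names are constructed sample data.

```python
"""Automatic file-pair selection and key recovery from backup lineage.
Added example; not code from the patent. The ransomware is a constructed toy
that XORs each file with one per-victim keystream (no real family implied)."""
import hashlib


def keystream(victim_key: bytes, n: int) -> bytes:
    """Deterministic toy keystream: chained SHA-256 blocks (constructed)."""
    out, block = b"", victim_key
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plain: bytes, victim_key: bytes) -> bytes:
    return xor_bytes(plain, keystream(victim_key, len(plain)))


def select_file_pair(image_t1: dict, image_t2: dict, encrypted_map: dict):
    """Selection criterion from the text: the largest encrypted file that also
    has an unencrypted T1 version, so that a (plaintext, ciphertext) pair exists."""
    candidates = [(len(image_t1[orig]), orig, enc)
                  for orig, enc in encrypted_map.items()
                  if orig in image_t1 and enc in image_t2]
    if not candidates:
        return None
    _, orig, enc = max(candidates)
    return orig, enc


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Key generation from the pair: key material = plaintext XOR ciphertext."""
    n = min(len(plain), len(cipher))
    return xor_bytes(plain[:n], cipher[:n])


def decrypt_with_keystream(cipher: bytes, ks: bytes):
    """None when the file is longer than the recovered key material."""
    if len(cipher) > len(ks):
        return None
    return xor_bytes(cipher, ks[:len(cipher)])


def decrypt_image(image_t1: dict, image_t2: dict, encrypted_map: dict):
    """Select the pair, derive the key, decrypt every file it covers.
    Returns (decrypted {orig: plaintext}, undecryptable [orig, ...])."""
    pair = select_file_pair(image_t1, image_t2, encrypted_map)
    if pair is None:
        return {}, sorted(encrypted_map)
    orig, enc = pair
    ks = recover_keystream(image_t1[orig], image_t2[enc])
    decrypted, failed = {}, []
    for o, e in encrypted_map.items():
        plain = decrypt_with_keystream(image_t2[e], ks)
        if plain is None:
            failed.append(o)
        else:
            decrypted[o] = plain
    return decrypted, failed


# Constructed sample data.
VICTIM_KEY = b"constructed-victim-key"
IMAGE_T1 = {
    "docs/report.docx": b"Quarterly report, section text. " * 100,  # 3200 bytes
    "db/ledger.dat": b"ledger row 0001\n" * 100,                   # 1600 bytes
}
NEW_DRAFT = b"Draft written after the T1 backup. " * 150  # longer than any pair, no T1 copy
IMAGE_T2 = {
    "docs/report.docx.crypt": toy_encrypt(IMAGE_T1["docs/report.docx"], VICTIM_KEY),
    "db/ledger.dat": toy_encrypt(IMAGE_T1["db/ledger.dat"], VICTIM_KEY),
    "docs/new_draft.docx.crypt": toy_encrypt(NEW_DRAFT, VICTIM_KEY),
}
# Output of the detection step (original path -> encrypted path); new_draft
# was flagged by its extension even though it has no T1 ancestor.
ENCRYPTED_MAP = {
    "docs/report.docx": "docs/report.docx.crypt",
    "db/ledger.dat": "db/ledger.dat",
    "docs/new_draft.docx": "docs/new_draft.docx.crypt",
}

if __name__ == "__main__":
    ok, failed = decrypt_image(IMAGE_T1, IMAGE_T2, ENCRYPTED_MAP)
    print("pair used:", select_file_pair(IMAGE_T1, IMAGE_T2, ENCRYPTED_MAP))
    print("decrypted:", sorted(ok), "still encrypted:", failed)
```

The largest pair (the 3200-byte report) yields 3200 bytes of key material, enough for the ledger but not for the draft created after T1, which is why the selection criterion favours the largest file with a T1 ancestor. The pair is only valid if the T1 copy equals the plaintext at the moment of encryption; a file edited between T1 and the attack produces a corrupt key from the first differing byte onward, which is what the verification step in the following implementation forms is meant to catch.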
In an implementation form of the first aspect, the apparatus is configured to: verify the correctness of the decryption of the one or more files determined to be encrypted by the ransomware using the first backup image and the second backup image.
It is noted that in some cases one decryption tool may not be able to decrypt all encrypted files completely, or may not decrypt the encrypted files entirely correctly. Optionally, the apparatus may therefore perform an automatic verification process to check the correctness of the decryption process.
In an implementation form of the first aspect, the apparatus is configured to: verify the correctness of the decryption of the determined encrypted files by comparing the unencrypted version of the one or more files in the first backup image with the respective decrypted versions of the one or more files obtained after decrypting the one or more files determined to be encrypted by the ransomware.
Optionally, the original file, i.e. the unencrypted version of the file, may thus be compared with the decrypted version of the file, i.e. the file obtained after decryption.
In an implementation form of the first aspect, if the verification result indicates that additional decryption is required, the apparatus is configured to: obtain and install a second decryption tool associated with the ransomware; and decrypt the files determined to be encrypted by the ransomware using the installed second decryption tool.
It will be apparent that there may be more than one decryption tool associated with a particular ransomware variant. Optionally, another decryption tool may therefore be installed and run automatically on the apparatus to ensure that the number of successfully decrypted files is maximized.
In an implementation form of the first aspect, after decrypting the files determined to be encrypted by the ransomware, the apparatus is configured to: store the second backup image such that it includes the decrypted versions of the one or more files determined to be encrypted by the ransomware; or store the second backup image including the encrypted versions of the one or more files determined to be encrypted and additionally store the decrypted versions of the one or more files determined to be encrypted by the ransomware.
Optionally, the encrypted version of the backup image may be stored after the affected files are decrypted and used to save data in future incremental backups, while the decrypted version may be used for later data recovery.
In an implementation manner of the first aspect, the device is a Virtual Machine (VM) of a host.
For example, a VM may be created to which the backup image may be attached as a volume. The decryption tool may be installed and run on the VM to decrypt.
In the first aspect and its implementation, the above-described functions may be implemented in hardware, software, firmware, or a combination thereof.
A second aspect of the invention provides a system for ransomware decryption, comprising an apparatus according to the first aspect and its respective implementations, a production device accessible to a user and comprising user data, and a backup device comprising a backup image of the user data.
In general, the whole system consists of three devices, which may be realized as follows: a production device (referred to as a production system in the implementations) that performs normal operations; a backup device for backing up data from the production device (also referred to as a backup system in the implementations); and a computing device (node) according to the first aspect and its respective implementations, which is accessible to an administrator of the overall system and is configured to decrypt files encrypted by a ransomware attack.
The system provided by the second aspect may be extended to implementations corresponding to the implementations of the apparatus provided by the first aspect. Accordingly, implementations of the system include one or more features of corresponding implementations of the apparatus.
The system of the second aspect and its implementations provides the same advantages and effects as the device of the first aspect and its respective implementations as described above.
A third aspect of the invention provides a method for ransomware decryption. The method comprises the following steps: obtaining a first backup image at a first time point T1 and a second backup image at a second time point T2, wherein T2 is later than T1; detecting whether one or more files were encrypted by ransomware between time point T1 and time point T2; and decrypting the files determined to be encrypted by the ransomware using the first backup image and the second backup image.
The method provided by the third aspect may be extended to implementations corresponding to the implementations of the apparatus provided by the first aspect. Accordingly, implementations of the method include one or more features of corresponding implementations of the apparatus.
The method of the third aspect and its implementations provides the same advantages and effects as the apparatus of the first aspect and its respective implementations as described above.
A fourth aspect of the invention provides a computer program product comprising program code for performing the method according to the third aspect and its implementations when implemented on a processor.
A fifth aspect of the invention provides a computer-readable storage medium comprising computer-executable computer program code instructions. The computer program code instructions, when executed on a computer, will perform the method according to the third aspect and its implementations. The computer readable storage medium comprises one or more of the group consisting of: read-only memory (ROM), Programmable ROM (PROM), Erasable PROM (EPROM), flash memory, Electrically Erasable PROM (EEPROM), and a hard disk drive.
A sixth aspect of the invention provides an apparatus for ransomware decryption comprising a processor and a memory. The memory stores instructions that cause the processor to perform the method of the third aspect and its implementations.
The computer program product provided by the fourth aspect, the computer-readable storage medium provided by the fifth aspect, and the apparatus for ransomware decryption provided by the sixth aspect may be extended to implementations corresponding to the implementations of the apparatus provided by the first aspect. Accordingly, implementations of the computer program product, the computer-readable storage medium and the apparatus for ransomware decryption each include one or more features of a corresponding implementation of the apparatus of the first aspect.
The computer program product provided by the fourth aspect, the computer-readable storage medium provided by the fifth aspect and the apparatus for ransomware decryption provided by the sixth aspect provide the same advantages and effects as the apparatus of the first aspect and its respective implementations as described above.
It should be noted that all devices, elements, units and methods described herein may be implemented in software or hardware elements or any combination thereof. All steps performed by the various entities described in the present application and the functions described to be performed by the various entities are intended to indicate that the respective entities are adapted or arranged to perform the respective steps and functions. Although in the following description of specific embodiments specific functions or steps performed by an external entity are not reflected in the description of specific elements of the entity performing the specific steps or functions, it should be clear to a skilled person that these methods and functions may be implemented in respective hardware or software elements or any combination thereof.
Drawings
The foregoing aspects and many of the attendant aspects of this invention will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
FIG. 1 illustrates an apparatus for ransomware decryption provided by an embodiment of the present invention;
FIG. 2 illustrates a system including the apparatus provided by an embodiment of the invention;
FIG. 3 illustrates a decryption process provided by an embodiment of the invention; and
FIG. 4 illustrates a method provided by an embodiment of the invention.
Detailed Description
Illustrative embodiments of a method, apparatus and program product for ransomware decryption are described herein with reference to the accompanying drawings. While this description provides detailed examples of possible implementations, it should be noted that the details are intended to be exemplary and in no way limit the scope of the application.
Further, one embodiment/example may refer to other embodiments/examples. For example, any description including, but not limited to, terms, elements, procedures, explanations, and/or technical advantages mentioned in one embodiment/example are applicable to other embodiments/examples.
Fig. 1 illustrates an apparatus 100 provided by an embodiment of the present invention. The device 100 may include processing circuitry (not shown) to perform, implement, or initiate various operations of the device 100 described herein. The processing circuitry may include hardware and software. The hardware may include analog circuitry or digital circuitry, or both analog and digital circuitry. The digital circuit may include components such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a Digital Signal Processor (DSP), or a multi-function processor. In one embodiment, the processing circuitry includes one or more processors and non-transitory memory coupled to the one or more processors. The non-transitory memory may carry executable program code that, when executed by the one or more processors, causes the device 100 to perform, implement, or initiate the operations or methods described herein.
The apparatus 100 is used for ransomware decryption. In particular, the apparatus 100 is configured to obtain a first backup image 101 of user data at a first time point T1 and a second backup image 102 of the user data at a second time point T2, wherein T2 is later than T1. The apparatus 100 is further configured to detect whether one or more files of the user data were encrypted by ransomware between time point T1 and time point T2. Accordingly, the apparatus 100 is configured to decrypt the one or more files determined to be encrypted by the ransomware using the first backup image 101 and the second backup image 102.
Embodiments of the present invention provide an automatic offline ransomware decryption scheme that relies on the properties of the backup system. Typically, a production system or production device is accessed directly by the user for normal operations, while the backup system is used to back up the data of the production system. The decryption process defined by embodiments of the present invention may be considered an automatic offline decryption process. In particular, "offline" means that the decryption process is not part of the backup flow. In other words, the apparatus 100 starts the decryption process after the backup is completed, independently of the production environment.
According to an embodiment of the present invention, a backup of the user system (production system) is performed at time T1, resulting in the first backup image 101. Afterwards, the user may write additional data to some files in the system. The ransomware then attacks and encrypts part of the files in the user system. After the ransomware infection, a further backup of the user system is performed at time T2, resulting in the second backup image 102. Notably, the second backup image 102 may include one or more files that the ransomware has encrypted.
Optionally, according to an embodiment of the present invention, the apparatus 100 may be configured to analyze the first backup image 101 and the second backup image 102. The apparatus 100 is then further configured to determine that a file was encrypted by the ransomware between time point T1 and time point T2 if the file is unencrypted in the first backup image and encrypted in the second backup image.
Notably, the apparatus 100 automatically performs a check to detect the ransomware. In some scenarios, the ransomware may be detected by the extension of a file. For example, the extension of a common Word file is .doc or .docx. Some ransomware, after encrypting a file, changes its extension to something else, such as .doc.crypt or .docx.crypt, to indicate to the user that the file is encrypted.
Possibly, the apparatus 100 may inform the user that the user system is under ransomware attack. That is, the apparatus 100 may alert the user, thereby preventing the user from writing further new data to the system.
In particular, according to an embodiment of the present invention, the apparatus 100 may be configured to identify the ransomware. The apparatus 100 may further be configured to obtain and install a first decryption tool associated with the ransomware, and to decrypt the one or more files determined to be encrypted by the ransomware using the installed first decryption tool.
In an example, the ransomware may be identified by an existing ransomware identification tool, such as one obtained from a cybersecurity company, which is not specifically limited in this embodiment. Alternatively, the ransomware may be identified by a dedicated ransomware identification tool integrated in the apparatus 100. Upon identifying the ransomware, a corresponding decryption tool is selected for it. Possibly, the relevant decryption tool may be selected by querying or consulting a database containing mappings of various ransomware variants to their associated decryption tools.
Alternatively, the apparatus 100 may rely entirely on an existing external ransomware database, i.e. such a database provided by a cybersecurity company, to access the associated decryption tools. The present embodiment does not limit the type of database used by the apparatus 100 to obtain the associated decryption tool. Alternatively, the apparatus 100 may maintain its own database. Notably, the database may be continuously updated by the apparatus 100.
Accordingly, the apparatus 100 may be configured to maintain a database mapping a plurality of ransomware variants to a plurality of decryption tools, wherein each decryption tool is associated with a ransomware variant.
In particular, the apparatus 100 may be configured to select a first file from the one or more files determined to be encrypted by the ransomware. The apparatus 100 is further configured to obtain an unencrypted version and an encrypted version of the first file from the first backup image 101 and the second backup image 102, respectively. Further, the apparatus 100 may be configured to generate one or more encryption keys based on the unencrypted and encrypted versions of the first file.
Optionally, if one or more files are required by the decryption tool, the one or more files may be selected automatically for decryption. For example, the decryption tool may require a pair of files, i.e., the same file before and after encryption. The pair of files may be used to deduce the encryption key, which may then be used to decrypt other files. In other cases, only encrypted files may be needed. It should be noted that, according to an embodiment of the present invention, the apparatus 100 performs the process of selecting a file (for decryption) automatically. The user does not need to manually select a file or a pair of files.
Accordingly, the apparatus 100 may be configured to decrypt the one or more files determined to be encrypted by the ransomware based on the one or more generated encryption keys. A conventional decryption procedure using an encryption key may be used here.
In particular, according to an embodiment of the present invention, the apparatus 100 may be configured to select one file from the one or more files determined to be encrypted by the ransomware as the first file according to a predetermined selection criterion.
It should be appreciated that the predetermined selection criterion may refer to selecting the best file for use with the installed decryption tool. For example, for some decryption tools, the larger the provided file, the more other encrypted files can be decrypted. In this case, the largest file among the files determined to be encrypted may be selected as the first file.
Optionally, the apparatus 100 may be configured to verify the correctness of the decryption of the one or more files determined to be encrypted by the ransomware using the first backup image and the second backup image.
It is noted that one decryption tool may not be able to decrypt all encrypted files, or may not decrypt the encrypted files correctly. Optionally, the apparatus 100 may perform an automatic verification process to check the correctness of the decryption process.
Optionally, the apparatus 100 may be configured to verify the correctness of the decryption of the determined encrypted files by comparing the unencrypted version of the one or more files in the first backup image with the respective decrypted versions of the one or more files obtained after decrypting the one or more files determined to be encrypted by the ransomware.
After the decryption tool has finished executing, information obtained from the previous generation of the file (e.g., if the file is known to change infrequently) may be used to verify the correctness of the decryption. If many changes are found when the decrypted file from the second backup image 102 is compared with its previous version in the first backup image 101, it can be assumed with high probability that the decryption tool did not decrypt the file correctly. Optionally, the correctness of the decryption can also be verified by attempting to use the relevant file in the context of an application (e.g., attempting to access an Oracle DB stored in the previously encrypted Oracle file). In such a case, another decryption tool may be required.
In particular, the device 100 may also be used to obtain and install a second decryption tool associated with the lasso software if the verification result indicates that additional decryption is required. Accordingly, the device 100 may be further configured to decrypt the file determined to be encrypted by the lasso software using the installed second decryption tool.
It will be apparent that there may be one or more decryption tools associated with a particular Lesog software. Alternatively, another decryption tool may be automatically installed and run on the device 100 to ensure that the number of files successfully decrypted is maximized. The decryption process using the second decryption tool may be similar to the decryption process using the first decryption tool. Accordingly, the device 100 may verify the correctness of the additional decryption.
Possibly, if the result of the verification still indicates that further decryption is required, the device 100 may be further adapted to obtain and install a third decryption tool associated with the lasso software and to decrypt accordingly.
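The verification step described above (comparing each decrypted file with its previous generation in the first backup image, optionally confirming that the file is usable by its application, and routing failures to a second decryption tool), as an added Python example that is not part of the patent or of any Huawei implementation. The backup contents, the similarity threshold and the suffix-based application checks are constructed assumptions made for this example:

```python
import difflib
import json
import random
from typing import Callable, Dict, List

# Assumption: a file known to change rarely between backups should keep at least this
# much byte-level similarity to its previous generation after a correct decryption.
SIMILARITY_THRESHOLD = 0.8

# Constructed first backup image (T1): unencrypted versions of the files the ransomware
# later encrypted. Paths and contents are made up for this example.
FIRST_BACKUP: Dict[str, bytes] = {
    "config/settings.json": json.dumps(
        {"retention_days": 30, "target": "backup-02"}, indent=2).encode(),
    "docs/policy.txt": b"Backup retention policy: keep 30 daily, 12 monthly images.\n" * 20,
}


def _noise(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a failed decryption's output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed output of a decryption tool run on the second backup image (T2):
# settings.json was recovered (with one legitimate edit made after T1), while
# policy.txt came back as noise because the tool could not handle it.
DECRYPTED: Dict[str, bytes] = {
    "config/settings.json": json.dumps(
        {"retention_days": 45, "target": "backup-02"}, indent=2).encode(),
    "docs/policy.txt": _noise(len(FIRST_BACKUP["docs/policy.txt"]), seed=7),
}


def similarity(previous: bytes, decrypted: bytes) -> float:
    """Byte-level similarity in [0, 1] between the previous generation and the decrypted file."""
    return difflib.SequenceMatcher(None, previous, decrypted, autojunk=False).ratio()


def _json_ok(data: bytes) -> bool:
    try:
        json.loads(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def _text_ok(data: bytes) -> bool:
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Assumption: application-level checks keyed by suffix, standing in for "try to use the
# file in its application" (the description's Oracle DB check would be registered here).
APP_CHECKS: Dict[str, Callable[[bytes], bool]] = {".json": _json_ok, ".txt": _text_ok}


def verify_decryption(first_backup: Dict[str, bytes],
                      decrypted: Dict[str, bytes]) -> Dict[str, bool]:
    """True per file when it resembles its previous generation AND its application accepts it."""
    result = {}
    for path, data in decrypted.items():
        previous = first_backup.get(path)
        # No previous generation: the similarity test cannot be applied, so treat as unverified.
        sim = similarity(previous, data) if previous is not None else 0.0
        check = next((fn for suffix, fn in APP_CHECKS.items() if path.endswith(suffix)), _text_ok)
        result[path] = sim >= SIMILARITY_THRESHOLD and check(data)
    return result


def files_needing_another_tool(first_backup: Dict[str, bytes],
                               decrypted: Dict[str, bytes]) -> List[str]:
    """Files whose decryption failed verification; a second decryption tool is tried on these."""
    return sorted(path for path, ok in verify_decryption(first_backup, decrypted).items() if not ok)


if __name__ == "__main__":
    for path, ok in verify_decryption(FIRST_BACKUP, DECRYPTED).items():
        print(f"{path}: {'verified' if ok else 'FAILED, try another decryption tool'}")
```

Both tests are deliberately conservative: a file with no previous generation in the first backup image cannot be verified by comparison, so it is reported as failed rather than silently accepted, and the similarity threshold should be tuned per file class (a database file that legitimately changes a lot between T1 and T2 needs a lower threshold or an application-level check only).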
According to an embodiment of the present invention, after decrypting the files determined to be encrypted by the ransomware, the device 100 may be configured to store the second backup image 102, with the second backup image 102 comprising the decrypted version of the one or more files determined to be encrypted by the ransomware. Alternatively, the device 100 may be configured to store the second backup image 102, with the second backup image 102 comprising the encrypted version of the one or more files determined to be encrypted, and additionally to store the decrypted version of the one or more files determined to be encrypted by the ransomware.
Optionally, after the affected files have been decrypted, the encrypted version of the backup image, i.e., the second backup image 102 as provided by the embodiment of the present invention, may also be retained. One purpose of keeping the encrypted version of the backup image is to allow small incremental backups to be made in the future (until a restore to the decrypted version is performed).
In particular embodiments, the device 100 may be a VM of a host.
One possible way to implement the present invention is to create a VM that can access the backup system. A backup image from the backup system may be attached to the VM as a volume, and the decryption tool may be installed and run on the VM to perform the decryption.
It should be understood that the decryption method proposed by the present invention is backup-based ransomware decryption. That is, the method relies on previous-generation files in the backup system.
In particular embodiments, the apparatus 100 may be configured to obtain a third backup image 103 of the user data at a third point in time T3, where T3 is later than T2. The apparatus 100 is further configured to detect whether one or more files of the user data were encrypted by the ransomware between the time point T2 and the time point T3. Accordingly, the device 100 is configured to decrypt the one or more files determined to be encrypted by the ransomware using the first backup image 101 and/or the second backup image 102 together with the third backup image 103.
That is, if the ransomware attack occurs between T2 and T3, the affected files (the files encrypted by the ransomware) may be decrypted using a plurality of previous backup images (e.g., the first backup image 101 and the second backup image 102).
Fig. 2 illustrates a system 200 provided by an embodiment of the invention. The system 200 includes the apparatus 100. In particular, the apparatus 100 shown in fig. 2 may be the apparatus 100 shown in fig. 1. It is to be noted that the same elements are denoted by the same reference symbols and have the same functions throughout the figures.
In general, the system 200 is composed of three devices, and can be implemented as follows:
- a production device 201, directly accessible by a user, comprising the user data (also referred to as a production system in an implementation);
- a backup device 202 for backing up the data in the production device 201, comprising a backup image of the user data (also referred to as a backup system in an implementation); and
- a computing device (node), accessible by an administrator of the overall system and used to perform decryption operations on the encrypted files affected by a ransomware attack.
Notably, the computing device is the device 100 shown in fig. 1 or fig. 2. One or more production devices 201 are located in a production environment. The backup device 202 may be a backup server.
Fig. 3 shows a decryption process according to an embodiment of the invention. In the present embodiment, the first backup image 101 of the user data present in the production device 201 at the time point T1 is created and stored in the backup device 202. After the user data is backed up at T1, the user performs further operations, for example writing new data to the storage of the production device 201. Before a further backup of the newly added data is created, the ransomware attacks the production device 201 and encrypts some of the files in it. At the next point in time T2, a second backup image 102 of the user data present in the production device 201 is created and stored in the backup device 202. Consequently, one or more files in the second backup image 102 have been encrypted by the ransomware. The device 100 then performs the ransomware decryption described in the above embodiments of the invention. The apparatus 100 shown in fig. 3 may be embodied as the apparatus 100 shown in fig. 1.
Fig. 4 illustrates a method 400 for ransomware decryption provided by an embodiment of the invention. In particular, the method 400 is performed by the apparatus 100 shown in fig. 1. The method 400 comprises step 401: obtaining a first backup image 101 at a first point in time T1 and a second backup image 102 at a second point in time T2, wherein T2 is later than T1. The method further comprises step 402: detecting whether one or more files were encrypted by the ransomware between the time point T1 and the time point T2; and step 403: decrypting the files determined to be encrypted by the ransomware using the first backup image 101 and the second backup image 102.
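The detection step 402 of the method 400 (the rule of claim 2: a file unencrypted in the first backup image but encrypted in the second), together with the largest-file selection criterion described earlier, as an added Python example that is not part of the patent or of any Huawei implementation. The two in-memory backup images, their file contents and the byte-entropy threshold used to decide whether a file looks encrypted are constructed assumptions made for this example:

```python
import math
import random
from typing import Dict, List

# Assumption: byte entropy (bits per byte) at or above this is treated as "encrypted".
# Ransomware output is close to 8.0; prose, source code and config files stay far below.
ENTROPY_THRESHOLD = 7.0


def _noise(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext or a compressed archive."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed first backup image (T1). Paths and contents are made up for this example.
BACKUP_T1: Dict[str, bytes] = {
    "docs/report.txt": b"Quarterly report: revenue grew 4% while costs were flat. " * 40,
    "docs/memo.txt": b"Memo: the retention policy review is due next week.\n" * 24,
    "docs/notes.txt": b"Meeting notes 2019-11-22: discuss backup retention.\n" * 30,
    "archive/old.zip": _noise(1000, seed=3),   # already high-entropy at T1 (compressed data)
}

# Constructed second backup image (T2): two files were encrypted by ransomware between
# T1 and T2, one was legitimately edited, one is new, and one is unchanged.
BACKUP_T2: Dict[str, bytes] = {
    "docs/report.txt": _noise(len(BACKUP_T1["docs/report.txt"]), seed=1),  # encrypted
    "docs/memo.txt": _noise(len(BACKUP_T1["docs/memo.txt"]), seed=4),      # encrypted
    "docs/notes.txt": BACKUP_T1["docs/notes.txt"] + b"Action item: test a restore.\n",
    "archive/old.zip": BACKUP_T1["archive/old.zip"],
    "docs/new.txt": b"Created after T1, so there is no previous generation.\n" * 10,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached by a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_encrypted_between(t1: Dict[str, bytes], t2: Dict[str, bytes]) -> List[str]:
    """Rule of claim 2: flag a file that is unencrypted in the first image but encrypted in the second.

    Files that were already high-entropy at T1 (archives, media) and files with no previous
    generation are not flagged, which keeps the heuristic from over-reporting.
    """
    flagged = []
    for path, data2 in t2.items():
        data1 = t1.get(path)
        if data1 is None:
            continue
        if not looks_encrypted(data1) and looks_encrypted(data2):
            flagged.append(path)
    return sorted(flagged)


def select_first_file(t2: Dict[str, bytes], encrypted_paths: List[str]) -> str:
    """Selection criterion from the description: the largest file among those found encrypted."""
    return max(encrypted_paths, key=lambda path: len(t2[path]))


if __name__ == "__main__":
    hits = detect_encrypted_between(BACKUP_T1, BACKUP_T2)
    print("encrypted between T1 and T2:", hits)
    print("first file handed to the decryption tool:", select_first_file(BACKUP_T2, hits))
```

Comparing the two generations is what makes the entropy test usable: an archive that is high-entropy in both images is never reported, and a new file with no generation at T1 is left for a later backup pair (T2, T3) to judge, as the description's third-backup-image embodiment allows.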
Notably, the method 400 may also include the acts described in the above embodiments of the apparatus 100.
The invention also provides a computer program product comprising program code for performing the method 400 as shown in fig. 4 when implemented on a processor. The computer program is embodied in a computer-readable medium of a computer program product. The computer-readable medium may include substantially any memory, such as ROM (read only memory), PROM (programmable read only memory), EPROM (erasable programmable read only memory), flash memory, EEPROM (electrically erasable programmable read only memory), and a hard disk drive.
The invention has been described in connection with various embodiments and implementations as examples. Other variations will be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the independent claims. In the claims and in the description, the term "comprising" does not exclude other elements or steps, and "a" or "an" does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (15)

1. A device (100) for ransomware decryption, configured to:
obtaining a first backup image (101) of user data at a first point in time T1 and a second backup image (102) of the user data at a second point in time T2, wherein T2 is later than T1;
detecting whether one or more files of the user data are encrypted by ransomware between the point in time T1 and the point in time T2; and
decrypting the one or more files determined to be encrypted by the ransomware using the first backup image (101) and the second backup image (102).
2. The apparatus (100) of claim 1, configured to:
analyzing the first backup image (101) and the second backup image (102); and
if a file is unencrypted in the first backup image (101) but encrypted in the second backup image (102), determining that the file was encrypted by the ransomware between the point in time T1 and the point in time T2.
3. The apparatus (100) according to claim 1 or 2, configured to:
identifying the ransomware;
acquiring and installing a first decryption tool associated with the ransomware; and
decrypting the one or more files determined to be encrypted by the ransomware using the installed first decryption tool.
4. The apparatus (100) of claim 3, configured to:
maintaining a database that maps a plurality of ransomware to a plurality of decryption tools, wherein each decryption tool is associated with a ransomware.
5. The apparatus (100) according to any one of claims 1 to 4, characterized by being configured to:
selecting a first file from the one or more files determined to be encrypted by the ransomware;
obtaining an unencrypted version and an encrypted version of the first file from the first backup image (101) and the second backup image (102), respectively; and
generating one or more encryption keys based on the unencrypted and encrypted versions of the first file.
6. The apparatus (100) of claim 5, configured to:
decrypting the one or more files determined to be encrypted by the ransomware based on the one or more generated encryption keys.
7. The apparatus (100) according to claim 5 or 6, configured to:
selecting one file from the one or more files determined to be encrypted by the ransomware as the first file according to a determined selection criterion.
8. The apparatus (100) according to any one of claims 1 to 7, characterized by being configured to:
verifying the correctness of the decryption of the one or more files determined to be encrypted by the ransomware using the first backup image (101) and the second backup image (102).
9. The apparatus (100) according to any one of claims 5 to 8, characterized by being configured to:
verifying the correctness of the decryption of the files determined to be encrypted by comparing the unencrypted version of the one or more files in the first backup image (101) with the respective decrypted versions of the one or more files obtained after decrypting the one or more files determined to be encrypted by the ransomware.
10. The apparatus (100) according to claim 8 or 9, configured to:
if the verification result indicates that additional decryption is required,
acquiring and installing a second decryption tool associated with the ransomware; and
decrypting the files determined to be encrypted by the ransomware using the installed second decryption tool.
11. The device (100) according to any one of claims 1 to 10, configured to, after decrypting said files determined to be encrypted by said ransomware:
store the second backup image (102), the second backup image (102) including the decrypted version of the one or more files determined to be encrypted by the ransomware; or
store the second backup image (102), the second backup image (102) comprising the encrypted version of the one or more files determined to be encrypted, and additionally store the decrypted version of the one or more files determined to be encrypted by the ransomware.
12. The device (100) according to any of claims 1 to 11, wherein the device (100) is a Virtual Machine (VM) of a host.
13. A system (200) for ransomware decryption, characterized in that it comprises a device (100) according to any one of claims 1 to 12, a production device (201) accessible to a user and comprising user data, and a backup device (202) comprising a backup image of said user data.
14. A method (400) for ransomware decryption, the method comprising:
obtaining (401) a first backup image (101) at a first point in time T1 and a second backup image (102) at a second point in time T2, wherein T2 is later than T1;
detecting (402) whether one or more files are encrypted by ransomware between the point in time T1 and the point in time T2; and
decrypting (403) the files determined to be encrypted by the ransomware using the first backup image (101) and the second backup image (102).
15. A computer program product comprising program code for performing the method of claim 14 when implemented on a processor.
CN201980086619.XA 2019-11-22 2019-11-22 Apparatus and method for ransomware decryption Pending CN113228016A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2019/082185 WO2021098968A1 (en) 2019-11-22 2019-11-22 Device and method for ransomware decryption

Publications (1)

Publication Number Publication Date
CN113228016A true CN113228016A (en) 2021-08-06

Family

ID=68654499

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980086619.XA Pending CN113228016A (en) 2019-11-22 2019-11-22 Apparatus and method for ransomware decryption

Country Status (2)

Country Link
CN (1) CN113228016A (en)
WO (1) WO2021098968A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095236A (en) * 2021-11-17 2022-02-25 安天科技集团股份有限公司 Key searching method and device, computing equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9990511B1 (en) * 2015-11-20 2018-06-05 Symantec Corporation Using encrypted backup to protect files from encryption attacks
US10346258B2 (en) * 2016-07-25 2019-07-09 Cisco Technology, Inc. Intelligent backup system
US11126718B2 (en) * 2017-07-12 2021-09-21 Acronis International Gmbh Method for decrypting data encrypted by ransomware

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095236A (en) * 2021-11-17 2022-02-25 安天科技集团股份有限公司 Key searching method and device, computing equipment and storage medium
CN114095236B (en) * 2021-11-17 2023-11-10 安天科技集团股份有限公司 Key searching method, device, computing equipment and storage medium

Also Published As

Publication number Publication date
WO2021098968A1 (en) 2021-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination