CN114095236A - Key searching method and device, computing equipment and storage medium - Google Patents


Info

Publication number: CN114095236A
Application number: CN202111362126.XA
Authority: CN (China)
Prior art keywords: file, target, key, memory, software
Legal status: Granted; active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN114095236B (en)
Inventors: 郭洪亮, 张慧云
Current assignee: Antiy Technology Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN202111362126.XA
Publication of CN114095236A
Application granted
Publication of CN114095236B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/0223 User address space allocation, e.g. contiguous or non-contiguous base addressing
    • G06F12/023 Free address space management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Abstract

The invention provides a key searching method, a key searching device, computing equipment and a storage medium. The method comprises the following steps: when it is determined that a device infected by ransomware meets a set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption, the set condition comprising that the ransomware process has not terminated since it infected the device; determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware; searching the memory for a plurality of potential keys matching the characteristic value; and determining the correct key from the plurality of potential keys according to the target file and the original file. With this scheme the key can be found quickly, and user experience is improved.

Description

Key searching method and device, computing equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of decryption, in particular to a key searching method, a key searching device, a computing device and a storage medium.
Background
Ransomware is malicious software that encrypts a user's files to prevent the user from accessing them, and then demands that the user pay a ransom to have the encrypted files decrypted and regain access. In recent years ransomware attacks have kept changing and evolving, and ransomware incidents have become one of the most active threats in the field of network security. Network security companies continuously release decryption tools to help users decrypt files encrypted by ransomware.
In the prior art, after a ransomware incident occurs, a network security company analyzes the incident and then releases a decryption tool for it. Therefore, the time between the encryption of the user's files by the ransomware and their decryption is long, and the user experience suffers.
Disclosure of Invention
Given the problem in the prior art that the long time between the encryption of a user's files and their decryption affects the user experience, the embodiment of the invention provides a key searching method, a key searching device, computing equipment and a storage medium, which can quickly find the key and improve the user experience.
In a first aspect, an embodiment of the present invention provides a key lookup method, including:
when it is determined that the device infected by the ransomware meets the set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption; the set condition comprises that the ransomware process has not terminated since it infected the device;
determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware;
searching the memory for a plurality of potential keys matching the characteristic value;
and determining the correct key from the plurality of potential keys according to the target file and the original file.
Preferably, the acquiring of the target file encrypted by the ransomware and the original file before the target file was encrypted includes:
determining an original file that has not been encrypted;
and transmitting the original file to the device infected by the ransomware, where it is encrypted by the ransomware to obtain the target file.
Preferably, the acquiring of the target file encrypted by the ransomware and the original file before the target file was encrypted includes:
determining any system file that has a backup file, among all system files encrypted by the ransomware, as the target file, and determining the backup file corresponding to the target file as the original file.
Preferably, before the searching of the memory for the plurality of potential keys matching the characteristic value, the method further includes:
executing a suspend operation on the process of the ransomware;
and acquiring, in the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, and searching the target memory for the plurality of potential keys matching the characteristic value.
Preferably, the acquiring of the target memory corresponding to the ransomware process includes:
calling a memory dump tool by means of a cmd command, and performing a memory dump of the ransomware process with the memory dump tool to obtain the dumped target memory.
Preferably, the determining of the correct key from the plurality of potential keys according to the target file and the original file includes:
decrypting the target file with each potential key in turn, comparing whether the file obtained after decryption is the same as the original file, and determining the potential key for which the comparison result is "same" as the correct key.
Preferably, before comparing whether the decrypted file is the same as the original file, the method further includes:
judging whether the size of the file obtained after decryption is the same as that of the original file;
and if the two differ, truncating the file obtained after decryption so that its size after truncation is the same as that of the original file.
In a second aspect, an embodiment of the present invention further provides a key lookup apparatus, including:
a file acquisition unit configured to acquire a target file encrypted by the ransomware and the original file before the target file was encrypted, when it is determined that a device infected by the ransomware satisfies a set condition; the set condition comprises that the ransomware process has not terminated since it infected the device;
a characteristic value determining unit configured to determine a characteristic value corresponding to the encryption algorithm adopted by the ransomware;
a potential key searching unit configured to search the memory for a plurality of potential keys matching the characteristic value;
and a correct key determining unit configured to determine the correct key from the plurality of potential keys according to the target file and the original file.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the method described in any embodiment of this specification.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a key searching method, a key searching device, computing equipment and a storage medium. If the device infected by the ransomware has not performed a memory clean-up since the infection, the key used by the ransomware to encrypt files still exists in memory; potential keys that may be the correct key can be searched for in memory based on the characteristic value of the encryption algorithm adopted by the ransomware, and the correct key among the potential keys can then be determined from the result of decrypting with each potential key, using a target file encrypted by the ransomware and the original file before the target file was encrypted. Therefore, with this scheme the decryption key can be found quickly after the device is infected by the ransomware, the user's waiting time is short, and the user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a key lookup method according to an embodiment of the present invention;
Fig. 2 is a diagram of the hardware architecture of a computing device according to an embodiment of the present invention;
Fig. 3 is a block diagram of a key lookup apparatus according to an embodiment of the present invention;
Fig. 4 is a block diagram of another key lookup apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As mentioned above, the related art of decryption generally works as follows: after a ransomware incident occurs, a network security company analyzes the incident and then releases a decryption tool for it. Therefore, the time between the encryption of the user's files by the ransomware and their decryption is long, and the user cannot do any work involving the encrypted files while waiting for the decryption, so the user experience suffers.
It has been observed that some ransomware does not delete the key used to encrypt the files from memory after encrypting the user's files. Based on this, if after the user's files have been encrypted the ransomware is still running as a process, that is, the ransomware process has not terminated, the memory corresponding to the ransomware process has not been cleaned up, and one may consider searching that memory for the possible key. In addition, in order to pick the correct key out of the possible keys, a file encrypted by the ransomware and the unencrypted original of that file are also needed. The scheme therefore provides a key searching method that can quickly find the correct key after the user's files have been encrypted by ransomware, so that the encrypted files can be decrypted.
Specific implementations of the above concepts are described below.
Referring to Fig. 1, an embodiment of the present invention provides a key lookup method, where the method includes:
Step 100, when it is determined that the device infected by the ransomware meets the set condition, acquiring a target file encrypted by the ransomware and the original file before the target file was encrypted; the set condition comprises that the ransomware process has not terminated since it infected the device.
Step 102, determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware.
Step 104, finding a plurality of potential keys matching the characteristic value in the memory.
Step 106, determining the correct key from the plurality of potential keys according to the target file and the original file.
In the embodiment of the invention, because the device infected by the ransomware has not performed a memory clean-up since the infection, the key used by the ransomware to encrypt files still exists in memory; potential keys that may be the correct key can be found in memory based on the characteristic value of the encryption algorithm adopted by the ransomware, and the correct key among the potential keys can then be determined from the result of decrypting with each potential key, using the target file encrypted by the ransomware and the original file before the target file was encrypted. Therefore, with this scheme the decryption key can be found quickly after the device is infected by the ransomware, the user's waiting time is short, and the user experience is improved.
The manner in which the various steps shown in Fig. 1 are performed is described below.
First, regarding step 100: when it is determined that the device infected by the ransomware meets the set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption; the set condition comprises that the ransomware process has not terminated since it infected the device.
The ransomware may not delete the key used to encrypt the files from memory after encrypting the system files. If the key is to be found in memory, the following set condition needs to be satisfied: the ransomware process has not terminated since it infected the device (denoted condition one).
This set condition is based on the following consideration: if the ransomware process terminates, the memory occupied by the process may be released or corrupted, which affects the key search result; if the ransomware restarts its process after the process has terminated, the memory of the original process has been released or corrupted, and after the restart the key used by the ransomware may differ from the key used by the original process. Therefore, the condition that the process has not terminated since the ransomware infected the device must be satisfied.
In the embodiment of the present invention, whether the device infected by the ransomware satisfies the set condition may be determined by checking the logs for events that would have terminated the ransomware process in the period between the time the device was infected and the current time. For example, it is checked whether there was a device restart, a process interruption, or the like during that period.
In order to find the key in memory, in addition to condition one, a condition two needs to be satisfied: there is a file encrypted by the ransomware and the original of that file before it was encrypted.
In order to satisfy condition two, the embodiment of the present invention can proceed in at least two ways:
In the first mode, none of the encrypted system files has a backup file.
In the second mode, an encrypted system file has a backup file.
The manner of acquiring the target file and the original file in this step is described below for each of the two modes.
In the first mode, since none of the encrypted system files has a backup file, in an embodiment of the present invention the manner of acquiring the target file and the original file in this step may include: determining an original file that has not been encrypted; and transmitting the original file to the device infected by the ransomware, where it is encrypted by the ransomware to obtain the target file.
Here the unencrypted original file may be a file external to the infected device.
After the original file is determined, it may be transmitted to the device infected by the ransomware by means of a USB disk, Bluetooth, network transfer, or the like. Since the ransomware process has not terminated, once the original file has been transmitted to the infected device it is encrypted by the ransomware, and the encrypted file is taken as the target file.
In the first mode, since the external original file is transmitted to the device infected by the ransomware, the location of the target file produced by encrypting the original file can be determined accurately, so that an accurate original file and target file are provided to the process of decrypting and searching for the correct key, improving both the accuracy and the speed of the search.
In the second mode, since an encrypted system file has a backup file, in an embodiment of the present invention the manner of acquiring the target file and the original file in this step may include: determining any system file that has a backup file, among all system files encrypted by the ransomware, as the target file, and determining the backup file corresponding to the target file as the original file.
In the second mode, since the encrypted system file has a backup file, the original file and the target file can be obtained without transferring a file from outside to the device infected by the ransomware. This speeds up the acquisition of the target file and the original file, and avoids the situation in which the source device of the external file is indirectly infected while the file is transferred to the infected device, so the security of the whole system is ensured.
Whether the first mode or the second mode is used, the target file and the original file can be obtained, so the scheme meets condition two and the subsequent key searching process can continue.
Next, in step 102, a characteristic value corresponding to the encryption algorithm adopted by the ransomware is determined.
The encryption algorithm may include DES, RSA, SHA, AES, ECC, etc. Different encryption algorithms correspond to different characteristic values; for each encryption algorithm, the method and parameters for calculating its characteristic value can be determined from the explanatory document provided by the algorithm's publisher, and the characteristic value corresponding to the encryption algorithm is calculated accordingly.
For example, for the AES256 encryption algorithm, the explanatory document includes the following excerpt:
[Figure: excerpt of the explanatory document showing the key_data_s structure]
From the description of the key_data_s structure in the explanatory document it is known that alg is 0x00006610, keysize is 0x00000020, and flags is 0x1, and from these the characteristic value 1066000001000000200000000 can be calculated.
In an embodiment of the present invention, in step 102 the characteristic value corresponding to the encryption algorithm adopted by the ransomware may be determined in the following two ways:
Mode A: determined based on the target file and the original file.
Mode B: the characteristic values corresponding to all encryption algorithms are taken as the characteristic values of the encryption algorithm adopted by the ransomware.
The two modes are described below in turn.
In mode A, since the target file is the encrypted form of the original file, in order to determine the encryption algorithm that encrypted the original file, at least three sample pairs need to be obtained, where each sample pair consists of a target file and its corresponding original file.
For each known encryption algorithm, the target file in each sample pair is encrypted with that algorithm, and the difference between the hash value of the encrypted file and the hash value of the corresponding original file is calculated; the encryption algorithm with the smallest mean difference over all sample pairs is determined as the encryption algorithm adopted by the ransomware.
After the encryption algorithm is determined, the characteristic value of that encryption algorithm may be determined.
With mode A the characteristic value of the encryption algorithm can be determined, so that in the subsequent step 104 only potential keys matching that characteristic value need to be found; compared with mode B the number of potential keys is smaller, so the correct key can be determined faster.
In mode B, the characteristic values corresponding to all encryption algorithms may be taken as the characteristic values of the encryption algorithm adopted by the ransomware, so that step 104 is performed for each characteristic value to find all possible potential keys.
In mode B, although the number of potential keys determined is larger than in mode A, the probability that the correct key is among the potential keys is higher, so the likelihood of determining the correct key is improved.
In addition to mode A and mode B, the characteristic value may be determined based on the encryption algorithms used by common ransomware.
Next, in step 104, a plurality of potential keys matching the characteristic value are found in the memory.
In the embodiment of the present invention, when searching the memory for potential keys matching the characteristic value, the whole memory may be searched. To increase the search speed, the range of memory to be searched may be narrowed before this step; specifically, the method may include: executing a suspend operation on the ransomware process; and acquiring, in the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, and searching the target memory for the plurality of potential keys matching the characteristic value.
While the ransomware is running as a process, the target memory corresponding to its process is locked and cannot be accessed, and after the ransomware process terminates the target memory is released or corrupted; therefore the target memory is obtained by suspending the ransomware process.
In the embodiment of the present invention, the target memory corresponding to the ransomware process may be obtained in the following manner: calling a memory dump tool by means of a cmd command, and performing a memory dump of the ransomware process with the memory dump tool to obtain the dumped target memory.
Run cmd as administrator and call a memory dump tool, for example procdump, by means of a cmd command; input the process ID of the ransomware to the memory dump tool, so that the tool locates the memory region corresponding to the ransomware process, obtains the contents of that region, and stores the target memory at the specified location. Calling the memory dump tool by means of a cmd command allows the target memory corresponding to the ransomware process to be acquired accurately and quickly.
It should be noted that, in addition to the foregoing manner, the target memory may also be obtained in other ways; for example, the memory mappings of the address space of the ransomware process may be read from /proc/pid/maps, the physical addresses corresponding to the virtual addresses of the ransomware process are then determined from those mappings, and the target memory is determined and obtained from the physical addresses.
In this embodiment, after the target memory is obtained it may be stored in the directory of the decryption tool, so that the decryption tool can search for potential keys in the target memory.
In one embodiment of the present invention, after the target memory is determined, a plurality of potential keys matching the characteristic value may be found in the target memory.
When searching for potential keys matching the characteristic value, each datum in the memory is traversed and it is determined whether the datum satisfies the characteristic value; if so, the datum is determined as a potential key.
Taking the AES256 encryption algorithm as an example, the key is 16 bits, and the characteristic value of the encryption algorithm is that the key is 16 bits, with every 4 bits forming a segment and each segment having a corresponding feature; when matching, if a datum is 16 bits and each of its segments satisfies the feature of the corresponding segment, the datum can be determined as a potential key.
It should be noted that, when the characteristic value in step 102 is not determined based on the target file and the original file, the order of the file obtaining step in step 100 (obtaining the target file encrypted by the ransomware and the original file before the target file was encrypted) relative to steps 102 and 104 is not limited; for example, steps 102 and 104 may be performed first, or the steps may be performed simultaneously.
Finally, in step 106, the correct key is determined from the plurality of potential keys based on the target file and the original file.
In an embodiment of the present invention, this step may be implemented with command-line parameters. In that case the name of the original file and the name of the target file need to be determined, the name of the target file is split into its base name and suffix, and the suffix of the target file is changed to the same suffix as the original file, so that the decryption process can be carried out quickly from the command line.
In the embodiment of the present invention, this step may include: decrypting the target file with each potential key in turn, comparing whether the file obtained after decryption is the same as the original file, and determining the potential key for which the comparison result is "same" as the correct key.
In the specific implementation, after decrypting with each potential key, the file obtained after decryption is compared with the original file; if they are the same, that potential key is directly determined to be the correct key, and if they are not the same, the decrypt-and-compare process continues with the next potential key until the correct key is determined.
In an embodiment of the present invention, during the decryption of the target file with a potential key, stray data may be written into the decrypted file. The decryption process may include: obtaining the protection handle, opening the target file and the designated file, decrypting the target file with the potential key, writing the decrypted data into the designated file, then releasing the hash object, releasing the potential key, and releasing the protection handle; the designated file is the decrypted file. Therefore, to ensure the correctness of the comparison result, before comparing whether the file obtained after decryption is the same as the original file, it may be judged whether the size of the decrypted file is the same as the size of the original file; if the two differ, the decrypted file is truncated so that its size after truncation is the same as that of the original file.
Specifically, when truncating the decrypted file, the block at the head or tail of the decrypted file may be deleted according to the size of the original file, so that the size of the resulting file is the same as that of the original file.
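As an added example (not code from the patent or from Antiy), the following Go program walks through steps 104 and 106 on constructed data: it scans a fake memory image for the 12-byte characteristic value built from the alg, flags and keysize fields quoted above, treats the bytes following each match as a potential key, and validates each candidate by decrypting the target file and comparing the result with the original after truncation. The field order, little-endian encoding, AES-256 in CBC mode with a zero IV, and all sample data are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Header fields of the key_data_s structure named on the page: alg 0x00006610 (AES-256),
// flags 0x1, keysize 0x20. Field order and little-endian encoding are assumptions here.
const algAES256, keyFlags, keySize = 0x00006610, 0x1, 0x20

// featureValue builds the 12-byte header pattern that precedes a key in memory:
// the page's characteristic value, bytes 10 66 00 00 01 00 00 00 20 00 00 00.
func featureValue() []byte {
	b := make([]byte, 12)
	binary.LittleEndian.PutUint32(b[0:], algAES256)
	binary.LittleEndian.PutUint32(b[4:], keyFlags)
	binary.LittleEndian.PutUint32(b[8:], keySize)
	return b
}

// findPotentialKeys is step 104: traverse the dump and, wherever the feature value
// occurs, take the keySize bytes that follow it as a potential key.
func findPotentialKeys(dump []byte) (keys [][]byte) {
	pat := featureValue()
	for off := 0; ; {
		i := bytes.Index(dump[off:], pat)
		if i < 0 || off+i+len(pat)+keySize > len(dump) {
			break // no further match, or a match too close to the end to hold a key
		}
		off += i + len(pat)
		keys = append(keys, append([]byte(nil), dump[off:off+keySize]...))
	}
	return keys
}

// cbc runs AES-CBC over block-aligned data in either direction; it rejects input that
// is not a multiple of the block size instead of letting CryptBlocks panic.
func cbc(key, iv, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of the block size", len(data))
	}
	mode := cipher.NewCBCDecrypter(block, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(block, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

// determineCorrectKey is step 106: decrypt the target with each potential key, truncate
// the tail when the result is larger than the original, and return the first key that matches.
func determineCorrectKey(keys [][]byte, iv, target, original []byte) ([]byte, bool) {
	for _, k := range keys {
		dec, err := cbc(k, iv, target, false)
		if err != nil {
			continue
		}
		if len(dec) > len(original) {
			dec = dec[:len(original)] // the page's truncation step
		}
		if bytes.Equal(dec, original) {
			return k, true
		}
	}
	return nil, false
}

// demo runs the procedure on constructed data and returns the recovered key, whether
// one was found, and how many potential keys the scan produced.
func demo() ([]byte, bool, int) {
	original := []byte("constructed original file: quarterly report 2021") // 48 bytes
	realKey := []byte("0123456789abcdef0123456789abcdef")               // constructed 32-byte key
	iv := make([]byte, aes.BlockSize)                                     // zero IV (assumption)
	// The simulated ransomware appends one padding block before encrypting, so the
	// decrypted file comes out 16 bytes larger than the original.
	padded := append(append([]byte(nil), original...), make([]byte, aes.BlockSize)...)
	target, _ := cbc(realKey, iv, padded, true)
	dump := bytes.Join([][]byte{ // constructed memory image of the suspended process
		bytes.Repeat([]byte{0x00}, 37), featureValue(), bytes.Repeat([]byte{0xAA}, keySize), // decoy blob
		[]byte("unrelated heap data ..."), featureValue(), realKey, // real blob
		bytes.Repeat([]byte{0xFF}, 21),
	}, nil)
	keys := findPotentialKeys(dump)
	key, ok := determineCorrectKey(keys, iv, target, original)
	return key, ok, len(keys)
}

func main() {
	key, ok, n := demo()
	fmt.Printf("potential keys: %d, correct key found: %v, key=%q\n", n, ok, key)
}
```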
After the correct key is determined in this step, all encrypted system files in the device infected with the lasso software may be decrypted using the correct key.
When decrypting an encrypted system file by using a decryption tool, a path of the encrypted system file, a path of a decrypted file, and a key path need to be input, and then the decryption tool decrypts the whole system file.
The scheme can be realized through a system command line, so that the used tools belong to light-weight tools, and the light-weight tools can not occupy a system memory, so that normal use is not influenced.
As shown in fig. 2 and fig. 3, an embodiment of the present invention provides a key lookup apparatus. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. On the hardware side, fig. 2 shows the hardware architecture of a computing device hosting the key lookup apparatus of this embodiment; besides the processor, memory, network interface and non-volatile memory shown in fig. 2, the computing device may also contain other hardware, such as a forwarding chip responsible for packet processing. Taking a software implementation as an example, fig. 3 shows the apparatus as a logical device formed when the CPU of the hosting computing device reads the corresponding computer program from non-volatile memory into memory and runs it. The key lookup apparatus provided by this embodiment comprises:
a file acquisition unit 301, configured to acquire a target file encrypted by the ransomware and the original file as it was before encryption, once it is determined that a device infected by the ransomware satisfies a set condition; the set condition includes that the ransomware process has not terminated after infecting the device;
a characteristic value determining unit 302, configured to determine the characteristic value corresponding to the encryption algorithm used by the ransomware;
a potential key searching unit 303, configured to search memory for a plurality of potential keys matching the characteristic value;
a correct key determining unit 304, configured to determine the correct key among the plurality of potential keys using the target file and the original file.
In one embodiment, the file acquisition unit 301 is specifically configured to determine an unencrypted original file, transmit it to the device infected by the ransomware, and let the ransomware encrypt it to produce the target file.
In one embodiment, the file acquisition unit 301 is specifically configured to take any system file that has a backup copy, among all system files encrypted by the ransomware, as the target file, and the backup copy corresponding to that file as the original file.
In one embodiment, referring to fig. 4, the key lookup apparatus may further include:
a target memory acquiring unit 305, configured to suspend the ransomware process and to obtain, from the memory of the infected device, the target memory corresponding to the ransomware process, which triggers the potential key searching unit 303 to search that target memory for the plurality of potential keys matching the characteristic value. Suspending the process first matters: the search relies on the key still being resident, and a process that is allowed to keep running may finish its work and free or overwrite the key material before the dump is taken.
In one embodiment, to acquire the target memory corresponding to the ransomware process, the target memory acquiring unit 305 is specifically configured to invoke a memory dump tool through a cmd command and use it to dump the memory of the ransomware process, obtaining the dumped target memory.
In one embodiment, the correct key determining unit 304 is specifically configured to decrypt the target file with each potential key, compare whether the decrypted file is identical to the original file, and take the potential key whose comparison succeeds as the correct key.
In one embodiment, the correct key determining unit 304 is further configured to check whether the decrypted file has the same size as the original file and, if not, to truncate the decrypted file so that its size matches that of the original file.
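The search-then-confirm procedure described for units 303, 304 and 305 above (potential keys picked out of the dumped process memory by the algorithm's characteristic value, then validated by trial decryption of the target file against the original file, with the size truncation) can be written as a short script. The following is an added example written for this page; it is not code from the patent or from Antiy, and its function names and layout are this example's own. It assumes the ransomware encrypted files with AES-128 in CBC mode with PKCS#7 padding, takes the expanded AES key schedule that a process leaves in memory as the characteristic value to match, and constructs the "memory dump", key, IV and file pair inline so that it runs offline without third-party modules. Suspending the process and taking the dump (the cmd-invoked dump tool in the text) are outside the script, which starts from the dump bytes.

```python
# Added example (not the patent's or Antiy's code). Finds AES-128 keys in a process
# memory dump by their expanded key schedule, then confirms candidates by trial
# decryption of a known (original, encrypted) file pair, truncating the output to the
# original size before comparing. Pure Python; key, dump and files are constructed.
import os

def _mul(a, b):                    # GF(2^8) multiplication, AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1), b >> 1
    return r

def _build_sbox():                 # GF(2^8) inverse followed by the affine map
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    s = [0x63] * 256
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _mul(a, b) == 1)
        s[a] = inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
    return s

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def expand_key(key):               # FIPS-197 key expansion: 16-byte key -> 176-byte schedule
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:             # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def _shift_rows(s, inv=False):     # state is column-major: byte s[r + 4*c]
    d = -1 if inv else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s, m):
    return [_mul(m[r][0], s[4*c]) ^ _mul(m[r][1], s[4*c + 1]) ^ _mul(m[r][2], s[4*c + 2])
            ^ _mul(m[r][3], s[4*c + 3]) for c in range(4) for r in range(4)]

def _add_rk(s, ks, rnd):
    return [a ^ b for a, b in zip(s, ks[16 * rnd:16 * rnd + 16])]

def aes128_encrypt_block(ks, block):
    s = _add_rk(list(block), ks, 0)
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd < 10:
            s = _mix_columns(s, MIX)
        s = _add_rk(s, ks, rnd)
    return bytes(s)

def aes128_decrypt_block(ks, block):
    s = _add_rk(list(block), ks, 10)
    for rnd in range(9, -1, -1):
        s = _add_rk([INV_SBOX[b] for b in _shift_rows(s, inv=True)], ks, rnd)
        if rnd > 0:
            s = _mix_columns(s, INV_MIX)
    return bytes(s)

def cbc_encrypt(key, iv, data):    # AES-128-CBC + PKCS#7, as a file encryptor writes files
    ks, pad = expand_key(key), 16 - len(data) % 16
    data, prev, out = data + bytes([pad]) * pad, iv, b""
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(ks, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out += prev
    return out

def cbc_decrypt_raw(key, iv, data):   # no unpadding: the raw output the text then truncates
    ks, prev, out = expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(aes128_decrypt_block(ks, data[i:i + 16]), prev))
        prev = data[i:i + 16]
    return out

def find_aes128_keys(dump):
    # Potential-key search: a 16-byte window is a live key iff its FIPS-197 expansion
    # appears verbatim at that offset (the 'characteristic value' of AES in memory).
    return [bytes(dump[o:o + 16]) for o in range(len(dump) - 175)
            if expand_key(dump[o:o + 16]) == dump[o:o + 176]]

def confirm_key(candidates, target, original, iv):
    # Correct-key determination: trial-decrypt, truncate the tail to the original size
    # (drops padding / stray trailing bytes), then compare with the original file.
    for key in candidates:
        plain = cbc_decrypt_raw(key, iv, target)
        if len(plain) != len(original):
            plain = plain[:len(original)]
        if plain == original:
            return key
    return None

def demo():                        # returns (number of candidates, real key confirmed?)
    real_key, decoy_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    original = b"constructed sample file contents: not a multiple of 16 bytes"
    target = cbc_encrypt(real_key, iv, original)              # what the ransomware wrote
    dump = os.urandom(300) + expand_key(decoy_key) + os.urandom(200) + expand_key(real_key) + os.urandom(150)
    cands = find_aes128_keys(dump)
    return len(cands), confirm_key(cands, target, original, iv) == real_key
```

The schedule check is why the key can be recognised at all: most AES implementations expand the 16-byte key once into 176 bytes of round keys and keep that buffer alive for as long as the key object exists, and only a genuine key expands to exactly the 160 bytes that follow it, so random or file data practically never produces a false positive. Repeating the scan with 24- and 32-byte windows (208- and 240-byte schedules) covers AES-192 and AES-256, which is the "all characteristic values" variant of the text. The truncation is a size heuristic: with CBC the surplus is the padding block at the tail, so stripping the padding would be the principled alternative, whereas a header or IV written in front of the plaintext would call for a head trim instead.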
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to a key lookup apparatus. In other embodiments of the invention a key lookup apparatus may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize the key searching method in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a key lookup method in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In one embodiment, because the device infected by the ransomware does not clean its memory after infection, the key the ransomware used to encrypt files is still present in memory. Based on the characteristic value of the encryption algorithm used by the ransomware, potential keys that may be the correct key can be found in memory, and the correct one among them can then be determined by trial-decrypting the target file encrypted by the ransomware and comparing the result with the original file. The scheme therefore finds the decryption key quickly after infection, with a short wait for the user, and so improves the user experience.
2. In one embodiment, an external original file is transmitted to the infected device, so the location of the encrypted target file corresponding to that original file is known exactly, and an accurate original/target pair is supplied to the trial-decryption search for the correct key, improving both the accuracy and the speed of the search.
3. In one embodiment, because the encrypted system file has a backup copy, the original file and the target file can be obtained without transferring any file from outside into the infected device. This speeds up acquisition of the two files and avoids the risk that the source device of an external file is indirectly infected while the file is being transferred to the infected device, which keeps the wider system safe.
4. In one embodiment, the characteristic values of all the encryption algorithms are taken as the characteristic values of the algorithm used by the ransomware, so a possible potential key is searched for under each characteristic value. The set of potential keys found in this way is richer and more likely to contain the correct key, which improves the probability that the correct key is determined.
5. In one embodiment, to prevent surplus data written during decryption from affecting the comparison result, the decrypted file may be truncated to the size of the original file after decryption, so that the comparison is reliable.
6. In one embodiment, because the scheme can be carried out from the system command line, all the tools used are lightweight, consume little system memory and do not interfere with normal use of the device.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A key lookup method, comprising:
when it is determined that a device infected by ransomware satisfies a set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption; the set condition includes that the ransomware process has not terminated after infecting the device;
determining a characteristic value corresponding to the encryption algorithm used by the ransomware;
searching memory for a plurality of potential keys matching the characteristic value;
and determining a correct key among the plurality of potential keys according to the target file and the original file.
2. The method according to claim 1, wherein acquiring the target file encrypted by the ransomware and the original file before the target file was encrypted comprises:
determining an unencrypted original file;
and transmitting the original file to the device infected by the ransomware, so that the ransomware encrypts the original file to produce the target file.
3. The method according to claim 1, wherein acquiring the target file encrypted by the ransomware and the original file before the target file was encrypted comprises:
determining any system file having a backup file, among all system files encrypted by the ransomware, as the target file, and determining the backup file corresponding to the target file as the original file.
4. The method of claim 1, wherein before searching memory for the plurality of potential keys matching the characteristic value, the method further comprises:
performing a suspend operation on the ransomware process;
and acquiring, from the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, and performing the search for the plurality of potential keys matching the characteristic value in that target memory.
5. The method of claim 4, wherein acquiring the target memory corresponding to the ransomware process comprises:
invoking a memory dump tool through a cmd command, and dumping the memory of the ransomware process with the memory dump tool to obtain the dumped target memory.
6. The method according to any of claims 1-5, wherein determining a correct key among the plurality of potential keys according to the target file and the original file comprises:
decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and determining the potential key whose comparison succeeds as the correct key.
7. The method according to claim 6, further comprising, before comparing whether the decrypted file is identical to the original file:
judging whether the size of the decrypted file is the same as that of the original file;
and if the sizes differ, truncating the decrypted file so that the truncated file has the same size as the original file.
8. A key lookup apparatus, comprising:
a file acquisition unit, configured to acquire a target file encrypted by the ransomware and the original file before the target file was encrypted, when it is determined that a device infected by the ransomware satisfies a set condition; the set condition includes that the ransomware process has not terminated after infecting the device;
a characteristic value determining unit, configured to determine a characteristic value corresponding to the encryption algorithm used by the ransomware;
a potential key searching unit, configured to search memory for a plurality of potential keys matching the characteristic value;
and a correct key determining unit, configured to determine a correct key among the plurality of potential keys according to the target file and the original file.
9. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
CN202111362126.XA 2021-11-17 2021-11-17 Key searching method, device, computing equipment and storage medium Active CN114095236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111362126.XA CN114095236B (en) 2021-11-17 2021-11-17 Key searching method, device, computing equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114095236A true CN114095236A (en) 2022-02-25
CN114095236B (en) 2023-11-10

Family

ID=80301301

Country Status (1)

Country Link
CN (1) CN114095236B (en)

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110126024A1 (en) * 2004-06-14 2011-05-26 Rodney Beatson Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device
US20180114020A1 (en) * 2016-10-26 2018-04-26 Cisco Technology, Inc. Ransomware key extractor and recovery system
US20180248896A1 (en) * 2017-02-24 2018-08-30 Zitovault Software, Inc. System and method to prevent, detect, thwart, and recover automatically from ransomware cyber attacks, using behavioral analysis and machine learning
US10554688B1 (en) * 2017-05-30 2020-02-04 Ca, Inc. Ransomware locked data decryption through ransomware key transposition
US20190018961A1 (en) * 2017-07-12 2019-01-17 Acronis International Gmbh Method for decrypting data encrypted by ransomware
US20190228148A1 (en) * 2018-01-22 2019-07-25 International Business Machines Corporation Ransomware resetter
CN109347620A (en) * 2018-08-10 2019-02-15 深圳前海微众银行股份有限公司 Sample alignment schemes, system and computer readable storage medium
US20200082074A1 (en) * 2018-09-06 2020-03-12 International Business Machines Corporation Proactive ransomware defense
CN110851833A (en) * 2019-11-18 2020-02-28 深信服科技股份有限公司 Ransomware detection method, device and related equipment
CN110851472A (en) * 2019-11-19 2020-02-28 深圳前海微众银行股份有限公司 Sample matching method, device and readable storage medium
WO2021098968A1 (en) * 2019-11-22 2021-05-27 Huawei Technologies Co., Ltd. Device and method for ransomware decryption
CN113228016A (en) * 2019-11-22 2021-08-06 华为技术有限公司 Apparatus and method for ransomware decryption

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
古兰精: "On padding in AES encryption, starting from the problem of inconsistent file sizes after AES encryption and decryption in Node.js", Retrieved from the Internet <URL:cnblogs.com/goloving/p/13405369.html> *

Also Published As

Publication number Publication date
CN114095236B (en) 2023-11-10

Similar Documents

Publication Publication Date Title
US9740639B2 (en) Map-based rapid data encryption policy compliance
US10387648B2 (en) Ransomware key extractor and recovery system
US10375086B2 (en) System and method for detection of malicious data encryption programs
CN112637166B (en) Data transmission method, device, terminal and storage medium
US10235539B2 (en) Server device, recording medium, and concealed search system
US8683208B2 (en) Information processing device, program developing device, program verifying method, and program product
EP2751735B1 (en) Encrypted chunk-based rapid data encryption policy compliance
US11658978B2 (en) Authentication using blockchains
US20090208002A1 (en) Preventing replay attacks in encrypted file systems
CN110221990B (en) Data storage method and device, storage medium and computer equipment
CN108881261B (en) Service authentication method and system based on block chain technology in container environment
CN110990829B (en) Method, device and equipment for training GBDT model in trusted execution environment
CN111753312B (en) Data processing method, device, equipment and system
CN114095236B (en) Key searching method, device, computing equipment and storage medium
JP6672451B2 (en) Encrypted search index merge server, encrypted search index merge system, and encrypted search index merge method
US11455404B2 (en) Deduplication in a trusted execution environment
CN111091197B (en) Method, device and equipment for training GBDT model in trusted execution environment
JPWO2017209228A1 (en) Encrypted information verification device, encrypted information verification method, and encrypted information verification program
JP6381861B2 (en) Registration destination determination device, registration device, secret search system, registration destination determination method, and registration destination determination program
KR102618922B1 (en) Apparatus and method for Preventing SW reverse engineering of embedded system
CN117874789A (en) Dynamic privacy data encryption method and system
JP2007334767A (en) Software behavior modeling apparatus and software behavior modeling method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant