CN117077180B

CN117077180B - Lesu encrypted data recovery feasibility assessment and processing device, method, electronic equipment and storage medium

Info

Publication number: CN117077180B
Application number: CN202311314167.0A
Authority: CN
Inventors: 王昆明; 刘佳男; 高喜宝; 李柏松; 肖新光
Original assignee: Beijing Antiy Network Technology Co Ltd
Current assignee: Beijing Antiy Network Technology Co Ltd
Priority date: 2023-10-11
Filing date: 2023-10-11
Publication date: 2024-01-26
Anticipated expiration: 2043-10-11
Also published as: CN117077180A

Abstract

The embodiment of the invention discloses a device, a method, electronic equipment and a storage medium for evaluating and processing the recovery feasibility of luxury encrypted data, and relates to the technical field of network space security defense. The device comprises: the condition matching program module is used for matching the basic information and the luxury software information of the victim endpoint with a luxury encryption data recovery precondition set stored in the evaluation and recovery resource database, and judging whether the recovery condition is met or not; the method selection program module is used for selecting a lux encryption data recovery method applicable to the victim endpoint according to the victim endpoint basic information, the lux software information and the satisfied recovery conditions; and the data recovery program module is used for recovering the victim data to the state before the Leucasian encryption by using the recovery method and taking the victim data as an operation object. The embodiment of the invention can effectively help a user to judge whether the data encrypted or locked by the luxury software is likely to be restored or not, and provides a corresponding restoration processing scheme.

Description

Lesu encrypted data recovery feasibility assessment and processing device, method, electronic equipment and storage medium

Technical Field

The present invention relates to the field of network space security defense technologies, and in particular, to a device, a method, an electronic device, and a storage medium for evaluating and processing the feasibility of recovery of encrypted data.

Background

The luxury software (Ransomware) is malicious software capable of encrypting or locking user equipment or files by utilizing an encryption algorithm, and has become a great difficulty in the field of network space security, and brings great threat and loss to key information infrastructures of countries around the world.

Currently, for lux software, prevention and removal is mainly performed by security software or tools. However, security software or tools do not completely prevent or clear all types of luxury software, and once a user device or file is encrypted or locked, a solution to decrypt or recover the data needs to be sought.

Disclosure of Invention

In view of this, embodiments of the present invention provide a device, a method, an electronic device, and a storage medium for evaluating and processing the feasibility of recovering the luxury encrypted data, which can effectively help a user to determine whether the data encrypted or locked by the luxury software is likely to be recovered, and provide a corresponding recovery processing scheme.

In a first aspect, an apparatus for evaluating and processing the feasibility of recovering the encrypted data according to an embodiment of the present invention includes: the information acquisition program module is used for acquiring basic information and lux software information of the victim endpoint; the condition matching program module is used for matching the basic information and the luxury software information of the victim endpoint with a luxury encryption data recovery precondition set stored in the evaluation and recovery resource database, judging whether the recovery conditions are met or not, and giving out a corresponding recovery feasibility evaluation result; the method selection program module is used for selecting a Leuch encrypted data recovery method applicable to the victim endpoint from the Leuch encrypted data recovery method set stored in the evaluation and recovery resource database according to the victim endpoint basic information, leuch software information and the satisfied recovery conditions; and the data recovery program module is used for calling a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run, taking the victim data as an operation object, and recovering the victim data to a state before the victim encryption.

Optionally, the apparatus further comprises: and the first storage program module is used for storing the original data file obtained after the recovery under the drive letter with the largest storage space residual quantity on the victim endpoint after recovering the victim data to the state before being encrypted by the lux.

Optionally, the apparatus further comprises: the statistics program module is used for counting the completion degree of the current recovery processing operation and the related information of the completion degree; the prompting program module is used for sending a prompting message to a victim endpoint user based on the completion degree of the recovery processing operation and the related information of the completion degree; the prompting message is used for prompting the user to confirm the recovered data; and a second storage program module for storing the result of the current recovery implementation job to the evaluation and recovery object database.

Optionally, the basic information of the victim endpoint includes: the method comprises the steps of victim endpoint operating system basic information, victim endpoint running logs, victim endpoint memory data, process running state data in a victim endpoint system, hard disk partition conditions of the victim endpoint, hard disk storage space allowance, file data in a specific path in the victim endpoint system, victim endpoint non-encrypted network communication traffic data and victim endpoint backup available states; the lux software information comprises: a file sample encrypted by the luxury code encountered by the luxury code, a luxury code encountered by the luxury code, an email address or hyperlink informed by the luxury code encountered by the luxury code, and other contact information; the recovery condition includes: the victim endpoint encounters a luxury software attack, has logic loopholes on execution, and can be mined and utilized by a defender; the encryption flow of the luxury software encountered by the victim endpoint can be analyzed by the defender and can be interfered by the defender in a key link; the victim endpoint does not restart the machine after being infected; the victim endpoint is not treated by the antivirus software or the specialized tool to ensure that the encryption process still exists; the disk space of the victim endpoint is sufficient to ensure that the deleted file is not covered; encrypted, moved, or renamed under the victim endpoint designated path; the server of the Lesu software save key encountered by the victim endpoint is seized or is counteracted by the security enterprise; the compromised endpoint encounters a luxury software decryption key that is revealed by its competitor or the luxury software writer master/slave hands out the key or decryption tool; the encryption algorithm adopted by the luxury software encountered by the victim endpoint can be cracked by the defensive party in a violent manner; the key of the Lesu software encountered by the victim endpoint does not use an encrypted communication protocol in the uploading process and is intercepted by a defender; in the process of attacking the victim endpoint by the lux software, the backup is not deleted.

Optionally, the recovery method includes: a lux encryption data recovery technology based on lux software reverse analysis and logic vulnerability exploitation; a lux encryption data recovery technology based on encryption flow analysis and link intervention; a lux encryption data recovery technology based on disk data recovery and file recovery; a lux encryption data recovery technique based on key preservation server data acquisition; a lux encryption data recovery technique based on lux software key disclosure or delivery; a Lesu encrypted data recovery technique based on brute force cracking of a weak strength encryption algorithm; a Lesu encrypted data recovery technique based on the intercepted key in the non-encrypted backhaul communication process; and, a le-rope encrypted data recovery technique based on data backup restoration.

Optionally, the lux encryption data recovery technology based on the lux software reverse analysis and the logic vulnerability exploitation comprises the following steps: the lux software encryption key can be obtained in the memory; the lux software specific version variant key utilization mechanism has defects; the lux software key is hard coded and adopts symmetric encryption; the luxo software key is hard coded and the public key is the same; the lux software key is hard coded and the number of public keys is limited; the lux software does not recover or timely recovers the decryption key; the lux software only encrypts the file header or file fragment; and, the lux software uses other normal software encryption modules; the lux software adopts a custom encryption algorithm and embeds a secret key in a sample; the le-cable encryption data recovery technology based on data backup and restoration comprises the following steps: performing the lux data recovery according to the undeleted shadow copy, performing the lux data recovery according to the deployed endpoint defense system intelligent backup, and/or performing the lux data recovery according to the disaster backup and the snapshot file.

In a second aspect, a further embodiment of the present invention provides a method for evaluating and processing the feasibility of recovering the encrypted data, where the method includes: collecting basic information and luxury software information of a victim endpoint, wherein the basic information of the victim endpoint comprises: the network environment of the victim endpoint, the operating system type and version of the victim endpoint, the hardware configuration of the victim endpoint, and the type and quantity of data encrypted by the luxury on the victim endpoint; the basic information and the luxury software information of the victim endpoint are matched with a luxury encryption data recovery precondition set stored in an evaluation and recovery resource database, whether recovery conditions are met or not is judged, and a corresponding recovery feasibility evaluation result is given; if the recovery condition is met, selecting a luxury encryption data recovery method applicable to the victim endpoint from the luxury encryption data recovery method set stored in the evaluation and recovery resource database according to the victim endpoint basic information and the luxury software information; and calling a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run, and recovering the victim data to a state before the victim data is encrypted by taking the victim data as an operation object.

Optionally, the apparatus further comprises: the first storage program module is used for storing the original data file obtained after the recovery under the drive letter with the largest storage space residual quantity at the victim endpoint after the victim data is recovered to the state before the Leuckey encryption; and storing the recovered metadata file to a dedicated directory or under a custom configured path.

In a third aspect, the present invention further provides an electronic device, including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is configured to execute the step flow executed by the apparatus for evaluating and processing the encrypted data recovery feasibility of the first aspect.

In a fourth aspect, the present invention further provides a computer readable storage medium storing one or more programs executable by one or more processors to implement the step flow executed by the apparatus for evaluating and processing the lux encrypted data recovery feasibility of any one of the first aspects.

According to the device, the method, the electronic equipment and the storage medium for evaluating and processing the recovery feasibility of the Leucasian encrypted data, provided by the embodiment of the invention, whether the recovery condition is met or not is judged by collecting and matching the basic information and Leucasian software information of the victim endpoint, a corresponding recovery feasibility evaluation result is given, then a Leucasian encrypted data recovery method suitable for the victim endpoint is selected from an evaluation and recovery resource database according to the basic information, the Leucasian software information and the met recovery condition of the victim endpoint, a corresponding recovery script or tool is called, and the victim data is taken as an operation object, so that the victim data can be recovered to a state before Leucasian encryption. Therefore, the method can effectively help a user to judge whether the data encrypted or locked by the luxury software is possible to recover or not, and provides a corresponding recovery processing scheme.

Drawings

In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic block diagram illustrating the construction of an embodiment of a device for evaluating and processing the recovery feasibility of the encrypted data according to the present invention;

FIG. 2 is a schematic block diagram illustrating another embodiment of a device for evaluating and processing the recovery feasibility of the encrypted data according to the present invention;

FIG. 3 is a schematic block diagram illustrating a further embodiment of the apparatus for evaluating and processing the recovery feasibility of the encrypted data according to the present invention;

FIG. 4 illustrates some examples of the suffix or extension of a Leucasian virus sample and corresponding victim data file according to an embodiment of the present invention;

FIG. 5 is a partial screenshot of original data recovered according to an embodiment of the present invention;

FIG. 6 is a flowchart illustrating an embodiment of a method for evaluating and processing the recovery feasibility of the encrypted data according to the present invention;

FIG. 7 is a flowchart illustrating a method for evaluating and processing the recovery feasibility of the encrypted data according to another embodiment of the invention;

FIG. 8 is a screenshot of an original file and an encrypted file simultaneously present in a directory after encountering a Leuckey attack;

FIG. 9 is a schematic diagram of a thread created by a Lesu software sample;

fig. 10 is a schematic block diagram of an architecture of one embodiment of an electronic device of the present invention.

Detailed Description

Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Example 1

Fig. 1 is a schematic block diagram of an embodiment of a device for evaluating and processing the feasibility of recovering the lux encrypted data according to the present invention, and referring to fig. 1, the device for evaluating and processing the feasibility of recovering the lux encrypted data according to the embodiment of the present invention can be applied to a network security defense scenario, and is particularly suitable for related works such as recovering data of victimized attacks of lux encrypted attacks in a network space; it should be noted that, the method for evaluating and processing the feasibility of recovering the encrypted data in the luxury manner provided by the embodiment of the invention can be solidified in a certain manufactured product in the form of software to form the processing device, and when a user uses the product, the method flow in any one of the embodiments of the application can be reproduced.

At present, only part of user organizations suffering from the luxury software can perform analysis and decryption recovery attempts on the luxury software suffered by the user organizations, however, the user organizations often fall into the pain of searching for scattered and few decryption recovery tool resources, so that the luxury software attack and the luxury encrypted data recovery at the present stage are in relatively obvious imbalance, namely the luxury attack is already industrialized, and the decryption recovery still needs to be enhanced. For example, users who are exposed to a Lesu software attack on a straight side often face the difficult problem of victim data being "unaware of being unable to recover" and "how to recover if it can be recovered".

FIG. 6 is a flowchart illustrating an embodiment of the apparatus for evaluating and processing the recovery feasibility of the encrypted data in the best mode disclosed in FIG. 1; FIG. 7 is a flowchart illustrating a method for evaluating and processing the recovery feasibility of the encrypted data according to another embodiment of the invention; referring to fig. 1, fig. 6 and fig. 7, in order to solve the above-mentioned problems, the apparatus for evaluating and processing the recovery feasibility of the luxury encrypted data according to the embodiments of the present invention can effectively help a user to determine whether the data encrypted or locked by the luxury software is likely to be recovered, and provide a corresponding recovery processing scheme. Which comprises the following program modules:

the information acquisition program module 110 is configured to acquire basic information and lux software information of the victim endpoint.

Wherein the basic information of the victim endpoint includes: the method comprises the steps of victim endpoint operating system basic information, victim endpoint running logs, victim endpoint memory data, process running state data in a victim endpoint system, hard disk partition conditions of the victim endpoint, hard disk storage space allowance, file data in a specific path in the victim endpoint system, victim endpoint non-encrypted network communication traffic data and victim endpoint backup available states;

the lux software information comprises: the file information comprises a file sample of the luxury encrypted file encountered by the luxury software, the luxury information encountered by the luxury software, an email address or a hyperlink informed by the luxury software encountered by the luxury software and the like.

The information gathering program module 110 obtains the victim point base information and the lux software information from the intact endpoints in the victim organization's network that have not suffered lux attack and stores them in a file database.

For example, the data file which is copied from the victim endpoint and is finished by malicious encryption is sent to a network security expert team or a remote support team through a network, and an evaluation result of manual judgment is obtained.

Or, the uncorrupted end point is used for accessing a SaaS (software as a service, software as a Service, saaS for short) service website operated by an enterprise where a network security expert team is located, uploading and submitting information such as a maliciously encrypted data file, a suffix name of the maliciously encrypted data file, a luxury message itself, a contact way in the luxury message, a wallet address paying redemption in the luxury message and the like, and acquiring automatic preliminary analysis and evaluation result feedback, and optional manual research, judgment and evaluation feedback.

In one embodiment, the information collecting program module 110 may be implemented based on a physical hardware connection, for example, through a computer readable storage medium or a device, such as a USB disk, a mobile hard disk, a portable tool box or a 1U-2U rack-Type box device, etc., and connects with an victim Endpoint (Endpoint) suffering from a lux software attack through an interface such as USB, type-C, RJ-45, etc., and collects the victim Endpoint suffering from the lux attack and the information of the lux software suffered from the victim Endpoint according to an information collecting policy preset in an evaluation and recovery Resource database (db_resource), where the preset information collecting policy mainly refers to what Type of data information is collected, for example, including but not limited to at least 11 types of data such as basic information of an operating system of the victim Endpoint, an operation log of the Endpoint, etc., and stores the collected victim Endpoint and the information of the lux software suffered from the victim Endpoint into an evaluation and recovery object database (db_target).

Specifically, the information acquisition strategy adopts industry recommended or practice optimized strategy content by default, and meanwhile, custom configuration is supported. The acquired victim endpoint and its encountering lux software information are stored in an evaluation and recovery object database.

In this embodiment, the information acquisition program module 110 acquires the basic information and the lux software information of the victim endpoint, so that necessary data support is provided for subsequent evaluation and recovery, and the accuracy and efficiency of the evaluation and recovery are improved. In addition, the information acquisition program module 110 can flexibly adapt to different victim endpoints and lux software conditions according to different physical hardware connection modes and information acquisition strategies, so that the universality and the expandability of the device are enhanced.

Referring to fig. 2, in some embodiments, the apparatus further comprises: a database construction program module 105 for constructing and maintaining an evaluation and restoration resource database based on known lux software information and restoration method information. The database builder module 105 may also exchange and update data with various security institutions or platforms via a network or connection cable similar to the information gathering module 110 described above, obtain updated information on the luxury software and recovery methods, and store it in the assessment and recovery resource database. The evaluation and recovery resource database stores a plurality of different types of lux encryption data recovery methods, and each method has corresponding information such as recovery preconditions, application range, advantages and disadvantages, recovery success rate and the like.

The database builder module 105 may be a pre-built and periodically maintained update assessment and recovery resource database that enriches the knowledge base of the device and enhances its coping capability. In addition, the device is effectively docked and utilized with external resources through data exchange and updating between the network or the connecting cable and various safety mechanisms or platforms, and the intelligent level of the device is improved.

The condition matching program module 120 is configured to match the basic information and the lux software information of the victim endpoint with a lux encryption data recovery precondition set stored in the evaluation and recovery resource database, determine whether a recovery condition is satisfied, and provide a corresponding recovery feasibility evaluation result.

The condition matching program module 120 can perform logic judgment and calculation by reading the basic information of the victim endpoint and the luxury software information in the temporary file and evaluating and recovering the luxury encrypted data recovery precondition set stored in the resource database, and output an evaluation result file.

The evaluation result file may contain information on whether the restoration condition is satisfied, the probability of satisfaction of the condition, the expected restoration effect, and the like.

If one or more recovery conditions are met, the flow goes to step S03-1, and the recovery feasibility assessment result is Yes; the result indicates that the data encrypted by the lux in the evaluated victim endpoint has a possibility of recovery, and the flow can proceed to the next step S04. The evaluation result data is stored in an evaluation and recovery object database; if any condition is not satisfied, the flow goes to S03-2, and a recovery feasibility evaluation result is given as to whether (No), wherein the result indicates that the data encrypted by the le in the evaluated victim endpoint has No possibility of recovery once after evaluation, and the flow goes to an ending link directly. The evaluation result data is also stored in the evaluation and restoration object database.

Wherein, the Lesu encrypted data recovery precondition set includes, but is not limited to, the following condition items:

1. the victim endpoint encounters a luxury software attack, has a logical vulnerability in execution, and can be mined and exploited by the defender. For example, the symmetric encryption algorithm key in the memory is not released after the Lesu software encrypts the victim endpoint data.

2. The encryption flow of the lux software encountered by the victim endpoint may be analyzed by the defender and may be tampered with by the defender in a critical link.

3. The victim endpoint does not restart the machine after it is infected. For example, in the case that the system is not restarted after "grotto" (wanna cry) is infected under the XP/Win7 system, the encryption key is also stored in the memory, and the file decryption can be performed by using the related key; after restarting, the memory is cleared and the key is lost.

4. The victim endpoint is not handled by the disinfection software, the specialization tool, etc. to ensure that the encryption process still exists, e.g., tasksche. Exe of "grotto" (WannaCry).

5. The victim endpoint has sufficient disk space to ensure that deleted files are not covered, e.g., file recovery for non-desktop, document, user folders in the data recovery of the lux software "grotto" (WannaCry).

6. The victim endpoint specifies encrypted, moved or renamed under the path, e.g., in the data recovery of the luxo software "grotto" (wanna cry),% temp% directory, $recycle directory.

7. Servers where the victim endpoint encounters the luxury software to save keys are either seized or countered by the security enterprise.

8. The compromised endpoint encounters a luxury software decryption key that is compromised by its competitor or the luxury software writer master/slave hands off the key or decryption tool.

9. The encryption algorithm adopted by the Lesu software of the victim endpoint has relatively weak strength and can be cracked by the defender in a violent manner.

10. The key of the Lesu software encountered by the victim endpoint is not used in the encrypted communication protocol during the uploading process and is intercepted by the defender.

11. Various forms of backups such as shadow copies (Volume Shadow Copy) are not deleted during the process of the Lesu software attacking the victim endpoint.

The lux encryption data recovery precondition data are stored in an evaluation and recovery resource database.

As can be seen from the foregoing description, in some embodiments, the lux software information may include: a file sample encrypted by the luxury code encountered by the luxury code, a luxury code encountered by the luxury code, an email address or hyperlink informed by the luxury code encountered by the luxury code, and other contact information; the recovery condition may include: the victim endpoint encounters a luxury software attack, has logic loopholes on execution, and can be mined and utilized by a defender; the encryption flow of the luxury software encountered by the victim endpoint can be analyzed by the defender and can be interfered by the defender in a key link; the victim endpoint does not restart the machine after being infected; the victim endpoint is not treated by the antivirus software or the specialized tool to ensure that the encryption process still exists; the disk space of the victim endpoint is sufficient to ensure that the deleted file is not covered; encrypted, moved, or renamed under the victim endpoint designated path; the server of the Lesu software save key encountered by the victim endpoint is seized or is counteracted by the security enterprise; the compromised endpoint encounters a luxury software decryption key that is revealed by its competitor or the luxury software writer master/slave hands out the key or decryption tool; the encryption algorithm adopted by the luxury software encountered by the victim endpoint can be cracked by the defensive party in a violent manner; the key of the Lesu software encountered by the victim endpoint does not use an encrypted communication protocol in the uploading process and is intercepted by a defender; in the process of attacking the victim endpoint by the lux software, the backup is not deleted.

The method selection program module 130 is configured to select, according to the victim endpoint basic information and the lux software information, a lux encrypted data recovery method applicable to the victim endpoint from the lux encrypted data recovery method set stored in the evaluation and recovery resource database.

The method selection program module 130 performs screening and comparison by reading the victim endpoint basic information and the lux software information in the temporary file, and evaluating and recovering the lux encrypted data recovery method set stored in the resource database, and outputs a method selection file. The method selection file can contain the information of the name, type, precondition, application range, advantages and disadvantages, success rate and the like of the selected recovery method.

The recovery method comprises the following steps: a lux encryption data recovery technology based on lux software reverse analysis and logic vulnerability exploitation; a lux encryption data recovery technology based on encryption flow analysis and link intervention; a lux encryption data recovery technology based on disk data recovery and file recovery; a lux encryption data recovery technique based on key preservation server data acquisition; a lux encryption data recovery technique based on lux software key disclosure or delivery; a Lesu encrypted data recovery technique based on brute force cracking of a weak strength encryption algorithm; a Lesu encrypted data recovery technique based on the intercepted key in the non-encrypted backhaul communication process; and, a le-rope encrypted data recovery technique based on data backup restoration.

In some embodiments, the method selects the program module 130, specifically for:

and screening out a recovery method conforming to the basic information of the victim endpoint, such as the type and version of an operating system, hardware configuration and other conditions, and storing the recovery method into a candidate set according to the basic information of the victim endpoint, the encountered luxury software information and the satisfied recovery conditions.

And screening out a recovery method meeting the characteristics and requirements of the victim data according to the types and the quantity of the sample data encrypted by the luxury on the victim endpoint, and storing the recovery method into a candidate set.

And screening out a recovery method which accords with the Lesu software information and the recovery condition encountered by the victim endpoint according to the recovery feasibility evaluation result, and storing the recovery method into a candidate set.

And the data recovery program module 140 is used for calling a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run, taking the victim data as an operation object, and recovering the victim data to a state before being encrypted by the halyard.

Wherein, the recovery script or tool set is stored in the evaluation and recovery resource database; the original data file storage path obtained after recovery is defaulted to select a special directory under a drive letter with the largest residual amount of the storage space in the victim endpoint, for example, E \RecoveriedFiles\in a Windows system, and the storage path can be configured in a self-defined manner.

The data restoring program module 140 performs a restoring operation by reading restoring method information in the method selection file and evaluating and restoring a restoring script or tool stored in the resource database, and stores the restored data in a designated directory or path. The method realizes the automatic recovery processing of the victim data, solves the difficult problem of encrypting or locking the data by the luxury software for the user, and reduces the loss and risk of the user.

Therefore, the device for evaluating and processing the recovery feasibility of the lux encrypted data provided by the embodiment of the invention judges whether the recovery condition is met or not by collecting and matching the basic information and the lux software information of the victim endpoint, gives a corresponding recovery feasibility evaluation result, then selects the lux encrypted data recovery method suitable for the victim endpoint from the evaluation and recovery resource database according to the basic information, the lux software information and the satisfied recovery condition of the victim endpoint, invokes a corresponding recovery script or tool, and takes the victim data as an operation object, so that the victim data can be recovered to the state before the lux encryption. Therefore, the method can effectively help a user to judge whether the data encrypted or locked by the luxury software is possible to recover or not, and provides a corresponding recovery processing scheme.

In some embodiments, the first storage program module 150 is configured to store, after restoring the victim data to the state before the encrypted state, the original data file obtained after the restoration under the drive letter with the largest storage space remaining at the victim endpoint; or, the recovered original data file is stored under a dedicated directory or a custom configured path.

The first storage program module 150 determines the drive letter with the largest storage space remaining amount by reading the storage space information of each drive letter at the victim endpoint and comparing the remaining amount of the drive letter with the storage space information of each drive letter at the victim endpoint, and stores the recovered original data file under the drive letter. In this way, more space can be used to store more recovery data, so as to ensure that recovery failure caused by insufficient storage resources in the data recovery process can not be caused.

In some embodiments, the apparatus further comprises: a statistics program module 160 (not shown) for counting the completion of the current recovery processing job and the relevant information of the recovery processing job.

The statistics program module 160 performs data analysis and summary statistics by reading the evaluation result file, the recovery operation log, and other files, and outputs the result file. The related information comprises information such as the starting time, the ending time, time consumption, success rate, failure reason, abnormal condition and the like of the current recovery processing job.

A prompt program module 170 (not shown) for sending a prompt message to the victim endpoint user based on the completion of the restored processing job and the information related to the completion; and the prompt message is used for prompting the user to confirm the recovered data. The program module generates a corresponding prompt message by reading information in the statistical result file, and sends the prompt message to a victim endpoint user, so that the victim endpoint user can know the completion degree of the operation of the recovery processing and the related information of the completion degree, and confirms the completion degree.

A second storage program module 180 (not shown) is configured to store the result of the current recovery implementation job in the database to be evaluated and recovered. The second storage program module 180 sorts and stores the result of the current restoration execution job in the evaluation and restoration object database.

In some embodiments, the method for recovering the Leso encrypted data applicable to the victim endpoint is specifically:

the advantages and disadvantages and success rates of the recovery methods in the candidate set are comprehensively compared, and the optimal or most suitable recovery method is selected from the candidate set according to a certain priority or weight rule and is output to the data recovery program module 140.

In some embodiments, if the recovery method is selected as follows: an embodiment of the recovery technology of the lux encrypted data based on the lux software reverse analysis and the logic vulnerability exploitation is as follows:

the victim data file of the luxury software encountered by the victim endpoint is obtained, as shown in fig. 4, and the victim data file has characteristics such as a suffix name or an extension name and the like, and can be used for primarily analyzing and determining the virus family name of the related luxury software according to the characteristic library matching.

And carrying out static analysis and dynamic debugging on the Lecable software by using a reverse analysis tool, acquiring storage or generation positions of an encryption algorithm, an encryption key or a decryption key, an encryption flow and logic vulnerability information of the Lecable software, and outputting the information to a first recovery script or tool.

And scanning and identifying the data encrypted by the luxury on the victim endpoint by using a first recovery script or tool, acquiring information such as the encrypted file name, the file head, the file tail, the file size and the like, and outputting the information to a second recovery script or tool.

Specifically, as one implementation manner of this step, it may include: s1, developing a script program for scanning and identifying an encrypted file, namely a first recovery script; and S2, traversing all file catalogues and files of the victim endpoint by using the first recovery script. S3, reading the content of the file header of each accessed file, and comparing the file header with the known signature of the file header of the Leucasian software. And S4, if the file header is matched, continuing to read the signature at the tail of the file, and performing further comparison verification. S5, recording the identified matched encrypted file and the complete path thereof. S6, reading and recording the size of the matched file. S7, extracting the file name of the identified matching encryption file, and analyzing the file name mode. And S8, searching potential encrypted files with similar names in the victim endpoint according to the analyzed file name mode. And S9, carrying out matching verification on the head and tail signatures of the newly discovered files, and recording the successfully verified newly discovered encrypted files. S10, outputting the identification result of the steps to a file or a database, wherein the identification result comprises information such as a path, a file name, a size and the like of the encrypted file. S11, the identification result file is transmitted into a second recovery script to be used as a target input to be processed of decryption operation. S12, repeating the identifying and recording process until all files in the victim endpoint are traversed.

In the embodiment of the invention, all encrypted files in the victim endpoint can be automatically identified through the steps of the method, the range is wide, all the truly encrypted files on the victim endpoint can be accurately locked through the file name mode and head-tail signature judgment, some key features are extracted, and key input and preparation work are provided for decryption operation. Wherein the header signature refers to the first few bytes of the file, and contains a byte sequence that identifies the file type information. The end-of-file signature refers to the signature at the end of the file that is used to verify the integrity of the file. The file name mode refers to naming rules adopted by the encrypted file, such as adding a specific suffix, for example, the names of the suffixes of different luxurious encrypted files are different, as shown in fig. 4.

And using a second recovery script or tool to decrypt the victim data by using the encryption key or the decryption key, the encryption algorithm, the logic loophole and other information according to the reverse analysis result, and outputting the decrypted data to a designated directory or path.

In this embodiment, by using a reverse analysis tool and a recovery script or tool, key information, such as an encryption algorithm, an encryption key, or a decryption key, can be extracted from the le su software.

Specifically, the specific implementation manner of this step may be: and reading the identification result file of the first script by using the second recovery script as input. Wherein the second recovery script is a script developed in advance for realizing the decryption function. According to the situation that a certain encryption algorithm is actually adopted to carry out malicious encryption in the Leuch encrypted data recovery method set, based on the deep reverse analysis of the Leuch software program, determining the encryption process steps of the Leuch software, adopting the type and intensity of the encryption algorithm, the operation principle of the encryption algorithm and the realization code thereof, calling function functions, acquiring and calling encryption keys from where, storing the encryption keys (namely decryption keys) in the symmetric encryption algorithm, storing the private keys (namely decryption keys) in each set of key pairs in the asymmetric encryption algorithm, whether encryption and deletion are carried out on the decryption keys generated in the victim endpoint environment, whether encryption and deletion are carried out in which link of the encryption Leuch execution process, whether encryption is carried out on the decryption keys, whether encryption is carried out on communication traffic in the network communication return process, and the like are adopted, so that the decryption process design and the code realization of a decryption function script are carried out by taking the Leuch software and the reverse idea of the operation process of the encryption algorithm as keys are key as key, namely, a second recovery script is constructed; and loading a decryption key through the script, calling a decryption function and parameters thereof, and implementing decryption operation on a specified data file object (namely, a victim data file which is subjected to malicious encryption), wherein the decryption operation refers to the whole algorithm thought and process for decrypting the victim data file subjected to encryption. Taking a symmetric encryption algorithm as an example, assuming that the key used is K and the encrypted text is C, the decryption function may be expressed as: d (C) =c≡k (mod n), where C is the encrypted text, n is the alphabet size, K is the key, and d is the output of the decryption function. For example, for a data file encrypted using the AES algorithm, reference may be made to attempting decryption using the following Python script code:

import Crypto.Cipher.AES as Cipher

key = b'privatekey'

iv = b'ivvalue'

cipher = Cipher.new(key, Cipher.decrypting, iv)

plaintext = cipher.update(b'encryptedtext')

print(plaintext)

In this example, the decryption key is b 'private key', the initial vector is b 'ivvalue', and the decryption function is cipher. In the decryption process, the ciphertext is decrypted by using an update () method, and finally the plaintext is obtained.

And obtaining path information of each encrypted file according to the read identification result file. And opening the first encrypted file according to the path information, reading the file content and storing the file content in a memory buffer area. And calling a decryption function in the decryption operation process, and transmitting the read maliciously encrypted victim file data, a decryption key and parameters required by the decryption function, wherein the required parameters comprise: a seed for generating a random number (in the case where a random number generator is used for the encryption function), and the like. And decrypting the file data by using the obtained key and the decryption function. Writing the decrypted plaintext content into a new file; wherein the file name is generated according to the original file name. And circularly repeating the steps, and sequentially processing each encrypted file in the identification result until decryption of all the identified encrypted files is completed, and comparing the newly generated file hash value, file header information, file format suffix and the like. And verifying the decryption effect. Copying the successfully decrypted file to the secure storage directory to complete recovery. And generating a decryption result report, and counting the related information of job completion degrees such as the number of success and failure files.

The method can read and write the extremely large files in blocks, so that the problem of insufficient memory resources can be avoided from influencing the decryption recovery effect.

In some embodiments, the device is provided with a write protection mechanism that denies write operations to its internal files from any process external to the device and computer medium; meanwhile, only a preset evaluation and recovery control program (with a special digital signature) in the device has the authority of writing data stored in the device, the execution authority of all other portable executable (Portable Executable, PE) files is forbidden in the storage space, and attacks on the data in the execution flow, which are possibly launched by the luxury software and other malicious codes which are not completely cleared in a victim endpoint, are prevented in a write protection mode and an execution authority forbidden mode.

According to the device for evaluating and recovering the feasibility of recovering the Leuchy encrypted data, which is provided by the embodiment of the invention, loose coupling is arranged among all the constituent modules, so that the integral change caused by upgrading and updating of a certain/some modules is avoided; meanwhile, the interactive interface for confirming and feeding back the implementation result, the custom configuration interface and the expert auxiliary interface are provided, so that the user experience can be improved, and the expansion capability and effectiveness of the assessment and the implementation recovery are enhanced.

Wherein: the user-defined configuration interface is used for supporting a victim user with a certain technical experience and capability to carry out user-defined configuration on an information acquisition strategy, an original data file storage path obtained after recovery and the like. And the expert auxiliary interface is used for supporting a network security expert team to provide necessary manual intervention and technical support channels for the information acquisition, the recovery feasibility assessment and the recovery processing process. The confirmation and feedback interaction interface is used for supporting a victim end point user and a series of interaction operations such as result confirmation and the like of recovered data by the victim end point user according to the result confirmation prompt.

Referring to fig. 3 and 6, in order to help understand the technical solution and the technical effects provided by the embodiments of the present invention, an example of a victim organization user who encounters a lux software "grotto" (wanna cry) attack is described below, and of course, it should be noted that the technical solution provided by the embodiments of the present invention is not limited to the situation of encountering a lux software "grotto" (wanna cry) attack, and the illustration is only for helping understanding.

Illustratively, when encrypting victim files, "grottoes" may take different actions according to different directory and file sizes (i.e., files above 200MB in volume may be renamed as WNCYR files, file header 0xFFFF bytes moved to the tail, adding new file header), e.g., files within desktops, documents, user folders may be encrypted, and original files may be deleted after overwriting; other files are only encrypted and then the original files are deleted or moved to a% TEMP% directory or recycle bin, and then the% TEMP% directory or recycle bin is emptied at regular time, so that the original files are only deleted, and recovery can be carried out by adopting a disk data recovery measure. A specific analysis of this part of the operation of the lux software is as follows:

(1) And reading the original file, performing encryption operation, and generating a new encrypted file, wherein the original file is not processed. After the file encryption is completed, the original file and the encrypted file coexist as shown in the rectangular box in fig. 8.

(2) At intervals, the original file (unencrypted file) is moved to the% TEMP% directory, renamed · wnry, and moved twice to the% TEMP% directory.

(3) At this time, the original file does not exist under the original directory, but two operations of deleting and moving the original path file are also performed.

(4) The lux software sample creates a thread, as shown in fig. 9, calls taskdl.exe (released by the master module) every 30s, and deletes · wnry under%temp.

From the above analysis, it is known that the file system is a file system, and the file system is a file system.

If the victim organization user deploys and applies the device provided by the embodiment of the invention, information can be acquired on the victim endpoint, and then when the information is matched with the recovery condition, a certain victim endpoint or a certain victim endpoints can be found to be matched with the following conditions: the victim endpoint encounters a luxury software attack, has logic loopholes on execution, and can be mined and utilized by a defender; the victim endpoint (Win XP/Win7 system) does not restart the machine after being infected, and the encryption key is also stored in memory.

The victim endpoint is not treated by the disinfection software, special tools, etc., and the encryption process tasksche.exe of "grotto" (WannaCry) still exists.

The disk space of the victim endpoint is sufficient, and deleted files of non-desktop, file and user folder are not covered.

The% TEMP% directory of the victim endpoint, $recycle directory below the wnry file is not deleted.

The condition matching program module 120 gives the recovery feasibility evaluation result based on the above condition matching as follows: can be recovered.

Further, the method selecting program module 130 selects the le-based data recovery technology based on the reverse analysis of le-based software and the logical exploitation of the le-based data recovery method set, the le-based data recovery technology based on the recovery of disk data and the recovery of files, and the corresponding recovery tools, and through actual measurement verification, the number of the files which are encrypted or moved and renamed and then deleted is about 1600, and the number of the recovered files is about 900, including texts, pictures, zip and the like; performing recovery operation on the non-system disk by using data recovery software; WNCRY carries out recovery and restoration operation to files under the%TEMP% directory in the system disk, and normal files can be obtained by judging the file format through the file header and modifying the suffix; for files with the volume of more than 200MB, the tail 0x10000 bytes of the file are cut back to the head of the file after recovery, so that recovery of the luxury encrypted data is realized, and the recovered partial data is shown in fig. 5.

According to the disclosure, the embodiment of the invention provides an evaluation and recovery processing device for the recovery feasibility of the lux encrypted data, which can judge whether the lux encrypted data has the possibility of recovery according to the victim endpoint and the lux software information encountered by the victim endpoint, and give out a corresponding evaluation result, thereby providing a reference basis for the subsequent recovery implementation. Further, a recovery method suitable for the victim endpoint is selected from multiple recovery methods, and a corresponding recovery script or tool is called for recovery implementation, so that recovery efficiency and success rate are improved.

Example two

FIG. 6 is a flowchart illustrating an embodiment of a method for evaluating and processing the recovery feasibility of the encrypted data according to the present invention. Referring to fig. 6, a method provided by an embodiment of the present invention includes:

s210, collecting basic information and lux software information of a victim endpoint, wherein the basic information of the victim endpoint comprises: the network environment of the victim endpoint, the operating system type and version of the victim endpoint, the hardware configuration of the victim endpoint, and the type and quantity of data encrypted by the luxury on the victim endpoint;

s220, basic information and luxury software information of the victim endpoint are matched with a luxury encryption data recovery precondition set stored in an evaluation and recovery resource database, whether recovery conditions are met or not is judged, and a corresponding recovery feasibility evaluation result is given;

S230, if the recovery condition is met, selecting a Leuch encrypted data recovery method applicable to the victim endpoint from a Leuch encrypted data recovery method set stored in the evaluation and recovery resource database according to the victim endpoint basic information and Leuch software information;

s240, a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run are called, and victim data is used as an operation object to recover the victim data to a state before being encrypted by the halyard.

In some embodiments, the method further comprises: and after the victim data is restored to the state before being encrypted by the lux, storing the original data file obtained after restoration under the drive letter with the largest storage space remaining amount on the victim endpoint.

In some embodiments, the lux software information includes: a file sample encrypted by the luxury code encountered by the luxury code, a luxury code encountered by the luxury code, an email address or hyperlink informed by the luxury code encountered by the luxury code, and other contact information;

the recovery condition includes: the victim endpoint encounters a luxury software attack, has logic loopholes on execution, and can be mined and utilized by a defender;

The encryption flow of the luxury software encountered by the victim endpoint can be analyzed by the defender and can be interfered by the defender in a key link;

the victim endpoint does not restart the machine after being infected;

the victim endpoint is not treated by the antivirus software or the specialized tool to ensure that the encryption process still exists;

the disk space of the victim endpoint is sufficient to ensure that the deleted file is not covered;

encrypted, moved, or renamed under the victim endpoint designated path;

the server of the Lesu software save key encountered by the victim endpoint is seized or is counteracted by the security enterprise;

the compromised endpoint encounters a luxury software decryption key that is revealed by its competitor or the luxury software writer master/slave hands out the key or decryption tool;

the encryption algorithm adopted by the luxury software encountered by the victim endpoint can be cracked by the defensive party in a violent manner;

the key of the Lesu software encountered by the victim endpoint does not use an encrypted communication protocol in the uploading process and is intercepted by a defender;

in the process of attacking the victim endpoint by the lux software, the backup is not deleted.

In some embodiments, the lux encryption data recovery technique based on the lux software reverse analysis and the logic exploit comprises the following steps: the lux software encryption key can be obtained in the memory; the lux software specific version variant key utilization mechanism has defects; the lux software key is hard coded and adopts symmetric encryption; the luxo software key is hard coded and the public key is the same; the lux software key is hard coded and the number of public keys is limited; the lux software does not recover or timely recovers the decryption key; the lux software only encrypts file header or file fragment the lux software uses other normal software encryption modules; and, the Lesu software adopts a custom encryption algorithm and embeds the secret key in the sample;

the le-cable encryption data recovery technology based on data backup and restoration comprises the following steps:

performing the lux data recovery according to the undeleted shadow copy, performing the lux data recovery according to the deployed endpoint defense system intelligent backup, and/or performing the lux data recovery according to the disaster backup and the snapshot file.

The method provided in the embodiments of the present invention may be cured in a certain manufactured product in the form of software to form the processing device described in the embodiment, and when a user uses the product, any one of the method flows described in the embodiments of the present application may be reproduced, so that embodiments of the implementation principle and technical effects are similar, and are not repeated herein.

Fig. 10 is a schematic block diagram of an architecture of an embodiment of an electronic device according to the present invention, where the embodiment of the present invention further provides an electronic device, which has the same overall technical concept as the first or second embodiment, and as shown in fig. 10, may implement a method flow according to any one of the second embodiments of the present invention.

The electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged in a space surrounded by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to the respective circuits or devices of the above-described electronic apparatus; the memory 43 is for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, for executing the lux encrypting data recovery feasibility evaluating and processing device according to any of the foregoing embodiments.

The specific implementation of the above steps by the processor 42 and the further implementation of the steps by the processor 42 through the execution of the executable program code may be referred to as the description of the first embodiment of the present invention, which is not repeated herein.

The embodiment of the invention also provides a computer readable storage medium, which stores one or more programs, and the one or more programs may be executed by one or more processors, so as to implement the task flow executed by the apparatus for evaluating and processing the luxury encrypted data recovery feasibility in the first embodiment.

The electronic device exists in a variety of forms including, but not limited to:

(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice, data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, etc.

(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.

(3) Portable entertainment device: such devices may display and play multimedia content. The device comprises: audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.

(4) And (3) a server: the configuration of the server includes a processor, a hard disk, a memory, a system bus, and the like, and the server is similar to a general computer architecture, but is required to provide highly reliable services, and thus has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability, and the like.

(5) Other electronic devices with data interaction functions.

In summary, the apparatus and the method for evaluating and processing the recovery feasibility of the luxury encrypted data provided by the embodiment of the invention can effectively help a user judge whether the data encrypted or locked by the luxury software is likely to be recovered or not, and provide a corresponding recovery processing scheme. The system can be adapted to Windows, linux double platforms and various endpoint devices, including mobile terminals such as a Server (Server), a desktop (PC), a notebook (Laptop), a tablet (Pad), an industrial control computer (Industrial Control Computer), a Smart Phone (Smart Phone) and the like, virtual machines (Virtual machines) of virtualized dimensions and the like, and is safe and reliable; the method can be deployed locally and can also support SaaS (software as a service) operation. And moreover, the interface can be in butt joint with specialized operation of domestic capacity type safety enterprises, so that updating and high availability of utilization technology and tool resources are ensured, and the success rate of the recovery of the luxury encrypted data is improved.

According to the embodiment of the invention, the gap of the integrated operation of the recovery feasibility evaluation and recovery implementation of the le-rope encrypted data is filled by combining the recovery feasibility evaluation and recovery implementation of the le-rope encrypted data.

Further, the embodiment of the invention can quickly judge whether the capability of recovering feasibility of the encrypted data of the victim organization user is present or not, solve the difficult problems that the organization user cannot recover without knowing and how to recover, and can help the organization user to make relatively correct treatment decisions early, thereby avoiding the best treatment opportunity from being falsified.

Furthermore, the embodiment of the invention does not depend on the analysis of the Lecable software and clues thereof encountered by the victim organization user, but focuses on the collection and analysis of multidimensional data of the victim endpoint after encountering the attack, and can improve the recovery possibility to a certain extent under the condition of lacking ready available recovery tools by assisting with the manual support of a network security expert team.

It should be noted that in this document, relational terms such as first and second, and the like are used solely to refer to

One entity or operation is distinguished from another entity or operation without necessarily requiring or implying any such

There may be any such actual relationship or order between entities or operations. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.

In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.

For convenience of description, the above system is described as being functionally divided into various units/program modules, respectively. Of course, the functions of each unit/program module may be implemented in one or more pieces of software and/or hardware when implementing the present invention.

Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (RandomAccess Memory, RAM), or the like.

The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims

1. An apparatus for evaluating and processing the feasibility of recovering encrypted data, said apparatus comprising:

the information acquisition program module is used for acquiring basic information and lux software information of the victim endpoint;

the condition matching program module is used for matching the basic information and the luxury software information of the victim endpoint with a luxury encryption data recovery precondition set stored in the evaluation and recovery resource database, judging whether the recovery conditions are met or not, and giving out a corresponding recovery feasibility evaluation result;

the method selection program module is used for selecting a Leuch encrypted data recovery method applicable to the victim endpoint from the Leuch encrypted data recovery method set stored in the evaluation and recovery resource database according to the victim endpoint basic information, leuch software information and the satisfied recovery conditions;

The data recovery program module is used for calling a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run, taking victim data as an operation object, and recovering the victim data to a state before being encrypted by a luxury;

the basic information of the victim endpoint includes: the method comprises the steps of victim endpoint operating system basic information, victim endpoint running logs, victim endpoint memory data, process running state data in a victim endpoint system, hard disk partition conditions of the victim endpoint, hard disk storage space allowance, file data in a specific path in the victim endpoint system, victim endpoint non-encrypted network communication traffic data and victim endpoint backup available states;

the lux software information comprises: a file sample encrypted by the luxury code encountered by the luxury code, a luxury code encountered by the luxury code, an email address or hyperlink contact information notified by the luxury code encountered by the luxury code;

The victim endpoint does not restart the machine after being infected;

the encrypted, moved or renamed file under the victim endpoint designated path is not deleted;

2. The apparatus of claim 1, wherein the apparatus further comprises: and the first storage program module is used for storing the original data file obtained after the recovery under the drive letter with the largest storage space residual quantity on the victim endpoint after recovering the victim data to the state before being encrypted by the lux.

3. The apparatus of claim 1, wherein the apparatus further comprises: the statistics program module is used for counting the completion degree of the current recovery processing operation and the related information of the completion degree;

the prompting program module is used for sending a prompting message to a victim endpoint user based on the completion degree of the recovery processing operation and the related information of the completion degree; the prompting message is used for prompting the user to confirm the recovered data;

and a second storage program module for storing the result of the current recovery implementation job to the evaluation and recovery object database.

4. The apparatus of claim 1, wherein the recovery method comprises:

a lux encryption data recovery technology based on lux software reverse analysis and logic vulnerability exploitation;

a lux encryption data recovery technology based on encryption flow analysis and link intervention;

a lux encryption data recovery technology based on disk data recovery and file recovery;

a lux encryption data recovery technique based on key preservation server data acquisition;

a lux encryption data recovery technique based on lux software key disclosure or delivery;

a Lesu encrypted data recovery technique based on brute force cracking of a weak strength encryption algorithm;

A Lesu encrypted data recovery technique based on the intercepted key in the non-encrypted backhaul communication process;

and, a le-rope encrypted data recovery technique based on data backup restoration.

5. The apparatus of claim 4, wherein the lux-based reverse analysis of lux software and logical exploit based lux-encrypted data recovery technique comprises:

the lux software encryption key can be obtained in the memory;

the lux software specific version variant key utilization mechanism has defects;

the lux software key is hard coded and adopts symmetric encryption;

the luxo software key is hard coded and the public key is the same;

the lux software key is hard coded and the number of public keys is limited;

the lux software does not recover or timely recovers the decryption key;

the lux software only encrypts the file header or file fragment;

the lux software uses other normal software encryption modules; the method comprises the steps of,

the lux software adopts a custom encryption algorithm and embeds a secret key in a sample;

6. A method for evaluating and processing the feasibility of recovering the encrypted data, comprising the steps of:

collecting basic information and luxury software information of a victim endpoint, wherein the basic information of the victim endpoint comprises: the network environment of the victim endpoint, the operating system type and version of the victim endpoint, the hardware configuration of the victim endpoint, and the type and quantity of data encrypted by the luxury on the victim endpoint;

the basic information and the luxury software information of the victim endpoint are matched with a luxury encryption data recovery precondition set stored in an evaluation and recovery resource database, whether recovery conditions are met or not is judged, and a corresponding recovery feasibility evaluation result is given;

if the recovery condition is met, selecting a luxury encryption data recovery method applicable to the victim endpoint from the luxury encryption data recovery method set stored in the evaluation and recovery resource database according to the victim endpoint basic information and the luxury software information;

invoking a corresponding recovery method and a recovery script or tool stored in an evaluation and recovery resource database on which the method is run, and recovering the victim data to a state before being encrypted by the halyard by taking the victim data as an operation object;

the victim endpoint does not restart the machine after being infected;

7. The method of claim 6, wherein the method further comprises: and after the victim data is restored to the state before being encrypted by the lux, storing the original data file obtained after restoration under the drive letter with the largest storage space remaining amount on the victim endpoint.

8. An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the step flow executed by the luxury encrypted data recovery feasibility assessment and processing device according to any one of the preceding claims 1 to 5.

9. A computer readable storage medium storing one or more programs executable by one or more processors to implement the process of steps performed by the apparatus for evaluating and processing luxury encrypted data recovery feasibility of any one of claims 1 to 5.