Sihai network

What to do about the ransomware virus

4hw.org: In recent days one of the most talked-about terms has been "ransomware" (literally, "blackmail virus"). Its worldwide spread has caused great panic: it has already hit more than 100 countries and regions, nearly 30,000 institutions in China have been compromised, and many college students have become direct victims, with their graduation theses locked. What should you do if you are hit by the ransomware? Is there any way to fix it? Where can you download the ransomware patch? Here are the answers, one by one.

The ransomware worm that spreads through the "EternalBlue" vulnerability is rampant all over the world, and those who have been hit are at a loss, because the solutions offered by most security companies are preventive measures to be taken in advance. 360, however, offers an after-the-fact remedy.

Today (May 14), at 2:18 a.m., 360 Security Guard unexpectedly released a "360 ransomware worm file recovery tool" on Weibo (download link at the end of the article), claiming that some of the files encrypted by the ransomware can be recovered. The recovery process is roughly as follows:

Select the drive where the encrypted files are located

After the scan, select the files to restore

Comparison before and after recovery

The pictures above are from the official Weibo account of 360 Security Guard.

In the Weibo post, the author strongly suggests that users save the recovered files to a clean external hard drive or USB flash drive. The author also says that it is not possible to recover 100% of the files, but a certain proportion of them can be recovered, and the success rate is affected by multiple factors such as the number of files.

The success rate of this tool's file recovery is affected by the number of files, the elapsed time, disk activity and other factors. Generally speaking, the sooner recovery is attempted after infection, the higher the probability of success.

We are doing our best, but we cannot be sure how many of the files can be recovered successfully. Good luck!

According to earlier statements by security researchers, the ransomware uses an RSA + AES encryption scheme that can hardly be broken in any practical amount of time. So what is the principle behind the tool 360 released? Why is there some probability of recovering files? Moreover, many netizens noticed that the "ransomware worm file recovery tool" looks very similar to the "accidentally deleted file recovery tool" 360 launched earlier. Why is that? Do they work on a similar principle?

▲ Left: the deleted-file recovery tool; right: the ransomware file recovery tool

Wang Liang, an anti-virus engineer at 360, told Leiphone (Lei Feng net) that the tool was built specifically for the WannaCrypt (commonly known as "WannaCry") ransomware. It does not crack the encryption algorithm directly; instead, after analysing how the ransomware works, it uses a special method to recover files.

They found that the general workflow of the WannaCrypt ransomware is as follows:

Read the original file into memory, encrypt it there, write the result out as a new encrypted file, and then delete the original file.

So the original files on the computer are not encrypted in place; they are deleted by the malware, and only the copies are encrypted.

▲ Diagram drawn by Leiphone from the expert's description

Wang Liang explained the ransomware's encryption principle to Leiphone:

Generally speaking, mainstream ransomware handles files in one of two ways. One is to encrypt the original file in place, overwriting it; in that case, without the extortioner's key, recovery is almost impossible. The other is to first encrypt the data into a copy and then delete the original; in that case, recovery is possible.

However, a crafty extortioner usually processes the file further, for example by overwriting the original with garbage data before deleting it. In that case, file recovery only gives the victim a pile of garbage.

Fortunately, when they analysed the WannaCrypt ransomware, they found that it did not apply such "deep processing" to the original file but simply deleted it. In Wang Liang's view this is a fairly low-level blunder, and 360 exploited precisely that blunder to achieve partial file recovery.

Wang Liang stressed that the tool released this time is aimed only at the WannaCrypt ransomware and may not be useful against other ransomware, and that it cannot guarantee recovery of all files, because the outcome depends on the original files' storage location, number, deletion time, subsequent disk reads and writes, and other factors. Even so, they hope to do their best to help people recover some important data; every file recovered counts.
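To make the mechanism Wang Liang describes concrete, here is an added Python example. It is not 360's tool and not code from the original article; it simulates a tiny block device and the three file-handling strategies discussed above: encrypt the original in place, encrypt a copy and then delete the original (the WannaCrypt behaviour the article describes), and encrypt a copy, shred the original with garbage and then delete it. The "recovery tool" is a minimal file carver that scans unallocated blocks for a known file signature, with no knowledge of the key. Everything in it is constructed for illustration: the block size, the allocator's reuse policy, the `%PDF-` signature, the sample "thesis" content, the `.encrypted` extension, and the XOR keystream that stands in for AES.

```python
import os

BLOCK = 16      # bytes per block (constructed: tiny so the demo fits in a few blocks)
NBLOCKS = 64    # blocks on the toy disk

MAGIC = b"%PDF-"   # constructed: the file signature the carver searches for
# Constructed sample victim file (60 bytes, so it occupies four blocks).
THESIS = MAGIC + b"1.4 Graduation thesis: chapter 1, chapter 2, chapter 3."
# Fixed key so the run is repeatable; a real ransomware key is random and never left on disk.
KEY = bytes(range(1, 17))


def toy_encrypt(data, key):
    """XOR with a repeating key: a stand-in for AES in this demo only, NOT real
    encryption. The point is that the recovery path below never needs the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Disk:
    """Toy block device. Deleting a file only removes its directory entry and
    returns its blocks to the free list; the bytes stay on disk until another
    write reuses them, which is exactly what an undelete/carving tool relies on."""

    def __init__(self):
        self.blocks = bytearray(BLOCK * NBLOCKS)
        self.free = list(range(NBLOCKS))   # free block numbers
        self.dir = {}                      # name -> (block list, byte length)

    def _alloc(self, n):
        if n > len(self.free):
            raise OSError("disk full")
        got = sorted(self.free[-n:])   # most recently freed blocks are reused first
        del self.free[-n:]             # (constructed policy; real filesystems differ)
        return got

    def _put(self, blks, data):
        for i, b in enumerate(blks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[b * BLOCK:(b + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")

    def write(self, name, data):
        """Create a new file in freshly allocated blocks."""
        blks = self._alloc(max(1, -(-len(data) // BLOCK)))
        self._put(blks, data)
        self.dir[name] = (blks, len(data))

    def overwrite(self, name, data):
        """Write new content into the blocks a file already owns (in-place update)."""
        blks, _ = self.dir[name]
        if len(data) > len(blks) * BLOCK:
            raise ValueError("in-place overwrite must fit the existing blocks")
        self._put(blks, data)
        self.dir[name] = (blks, len(data))

    def read(self, name):
        blks, size = self.dir[name]
        return b"".join(self.blocks[b * BLOCK:(b + 1) * BLOCK] for b in blks)[:size]

    def delete(self, name):
        """Unlink: drop the directory entry, free the blocks, touch no data."""
        blks, _ = self.dir.pop(name)
        self.free.extend(blks)


def ransom_in_place(disk, name, key):
    """Strategy 1: encrypt the original inside its own blocks. Nothing to undelete."""
    disk.overwrite(name, toy_encrypt(disk.read(name), key))


def ransom_copy_then_delete(disk, name, key, wipe):
    """Strategy 2: write an encrypted copy, then delete the original. With
    wipe=True the original is first overwritten with garbage (the 'deep
    processing' a careful extortioner adds); per the article, WannaCrypt skipped it."""
    plain = disk.read(name)
    disk.write(name + ".encrypted", toy_encrypt(plain, key))  # extension is made up
    if wipe:
        disk.overwrite(name, os.urandom(len(plain)))
    disk.delete(name)


def carve(disk, magic):
    """Minimal file carver: scan unallocated blocks for the signature and return
    the contiguous run of free blocks starting there (trailing padding stripped)."""
    free = set(disk.free)
    for b in sorted(free):
        if disk.blocks[b * BLOCK:b * BLOCK + len(magic)] == magic:
            out = bytearray()
            while b in free:
                out += disk.blocks[b * BLOCK:(b + 1) * BLOCK]
                b += 1
            return bytes(out).rstrip(b"\0")
    return None


def scenario(mode, later_writes=0):
    """Infect a fresh disk using `mode` ('in_place', 'copy' or 'wipe'), then
    simulate `later_writes` unrelated files being written before the victim
    runs recovery. Returns what the carver recovers, or None."""
    disk = Disk()
    disk.write("thesis.pdf", THESIS)
    if mode == "in_place":
        ransom_in_place(disk, "thesis.pdf", KEY)
    else:
        ransom_copy_then_delete(disk, "thesis.pdf", KEY, wipe=(mode == "wipe"))
    for i in range(later_writes):
        disk.write(f"later{i}.tmp", b"\xff" * BLOCK)   # ordinary disk activity
    return carve(disk, MAGIC)


if __name__ == "__main__":
    for mode, later in [("in_place", 0), ("wipe", 0), ("copy", 0), ("copy", 1), ("copy", 4)]:
        print(f"{mode:9s} later_writes={later}: {scenario(mode, later)!r}")
```

Running the script shows that only the copy-then-delete case without a wipe gives the plaintext back, and that each later write to the disk reuses some of the freed blocks: with this toy allocator the tail of the file is lost first, so a partially overwritten file comes back truncated, and after enough writes nothing is found. That is the concrete reason behind the advice to run recovery as early as possible, to save recovered files to a separate clean disk rather than the infected one, and to expect results to vary with file count, location and disk activity.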

Like many security companies, they are still analysing and researching the ransomware worm, and new findings and results will be published as soon as possible.