The LockBit ransomware group was the first in the ransomware scene to introduce a bug bounty program, inviting security researchers to test its software in order to improve its security and offering substantial rewards ranging from US$1,000 to US$1 million. On 19 February 2024 the National Crime Agency, working with Europol and other international law enforcement agencies, seized control of the darknet websites belonging to the LockBit ransomware group as part of Operation Cronos. The LockBit sample examined here is disguised as a job application (resume); judging by its icon alone, it looks like a Word document.
First, the hash values of the malware are as follows.
File name: ####입사지원서_230925 항상 최선을 다하는 모습을 보이겠습니다 잘부탁드립니다.exe (roughly "Job application_230925 I will always do my best, thank you.exe")
Size: 253 KB
MD5: bfe12a8e2169231a3825951ba63f11c9
SHA-1: 386967620dd0822fff1de0b25eec59b7c52a72f9
SHA-256: d4f150a8b26e9edccae4987433fb5b8a105970db143ba196f13652730c635668
Ransom note contents
~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
Tor Browser Links:
Links for normal browser:
>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Ilon Musk's Twitter hxxps://twitter(.)com/hashtag/lockbit?f=live
>>>>> You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID
Download and install Tor Browser hxxps://www.torproject(.)org/
Write to the chat room and wait for an answer, we'll guarantee a response from you. If you need a unique ID for correspondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.
Tor Browser personal link available only to you (available during a ddos attack):
hxxp://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd(.)onion
Tor Browser Links for chat (sometimes unavailable due to ddos attacks):
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your personal ID: 27CD3A041A61B67096AA41D02FDE57C0 <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!
>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.
>>>>> What are the dangers of leaking your company's data.
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed.
Read more about the GDRP legislation::
hxxps://en.wikipedia(.)org/wiki/General_Data_Protection_Regulation
hxxps://gdpr(.)eu/what-is-gdpr/
hxxps://gdpr-info(.)eu/
>>>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
>>>> Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction.
>>>>> If you do not pay the ransom, we will attack your company again in the future.
Gist of the ransom note
Your data has been stolen and encrypted. If the ransom is not paid, the data is published on the group's TOR darknet leak site, where competitors can buy it at any moment, so the victim is urged not to hesitate; the sooner the ransom is paid, the sooner the company is "safe".
On the question of guarantees, the group describes itself as the oldest ransomware affiliate program on the planet, not politically motivated and interested only in money. It promises decryption software and destruction of the stolen data after payment, frames the attack as "paid training" for system administrators whose network was misconfigured, says its "pentest service" should be paid like a salary, and argues that cheating a victim would stop future victims from paying. It points to the Twitter hashtag hxxps://twitter(.)com/hashtag/lockbit?f=live for more information.
In short: pay or we keep attacking; do not ask the police or the FBI for help and do not tell anyone that we attacked you. The whole message boils down to "the authorities won't help you, so just pay us in cryptocurrency".
Desktop wallpaper text shown after the ransomware has run
All your important files are stolen and encrypted! You must find 51q6EmbYb.README.txt file and follow the instruction!
The security vendors that detect the sample on VirusTotal are as follows.
AhnLab-V3:Ransomware/Win.StopCrypt.R608553
Alibaba:Trojan:Win32/Redline.14f30a24
ALYac:Trojan.Ransom.LockBit
Antiy-AVL:Trojan/Win32.Chapak.gen
Arcabit:Trojan.Mikey.D258D5
Avast:Win32:DropperX-gen [Drp]
AVG:Win32:DropperX-gen [Drp]
BitDefender:Gen:Variant.Mikey.153813
Bkav Pro:W32.AIDetectMalware
ClamAV:Win.Packer.pkr_ce1a-9980177-0
CrowdStrike Falcon:Win/malicious_confidence_100% (W)
Cybereason:Malicious.20dd08
Cylance:Unsafe
Cynet:Malicious (score: 100)
DeepInstinct:MALICIOUS
DrWeb:Trojan.Encoder.38049
Elastic:Malicious (high Confidence)
Emsisoft:Gen:Variant.Mikey.153813 (B)
eScan:Gen:Variant.Mikey.153813
ESET-NOD32:A Variant Of Win32/Kryptik.HUTH
Fortinet:W32/GenKryptik.ERHN!tr
GData:Gen:Variant.Mikey.153813
Google:Detected
Gridinsoft (no cloud):Ranso Win32.STOP.bot!n
Ikarus:Trojan-Spy.Agent
K7AntiVirus:Trojan (005690671)
K7GW:Trojan (005690671)
Kaspersky:HEUR:Trojan.Win32.Chapak.gen
Kingsoft:Win32.Trojan.Chapak.gen
Lionic:Trojan.Win32.Chapak.4!c
Malwarebytes:Trojan.MalPack.GS
MAX:Malware (ai Score=88)
MaxSecure:Trojan.Malware.73643692.susgen
McAfee:Lockbit-FSWW!BFE12A8E2169
Microsoft:Trojan:Win32/Redline.HUL!MTB
NANO-Antivirus:Trojan.Win32.Chapak.kbmifd
Panda:Trj/GdSda.A
QuickHeal:Ransom.Stop.P5
Rising:Trojan.SmokeLoader!1.EB63 (CLASSIC)
Sangfor Engine Zero:Trojan.Win32.Save.a
SecureAge:Malicious
SentinelOne (Static ML):Static AI - Malicious PE
Skyhigh (SWG):BehavesLike.Win32.Lockbit.dh
Sophos:Troj/Krypt-VK
Symantec:ML.Attribute.HighConfidence
Tencent:Trojan.Win32.Obfuscated.gen
Trapmine:Malicious.moderate.ml.score
Trellix (FireEye):Generic.mg.bfe12a8e2169231a
TrendMicro:Ranso.LOCKBIT.YXDIZT
TrendMicro-HouseCall:Ranso.LOCKBIT.YXDIZT
Varist:W32/Kryptik.KSR.gen!Eldorado
VBA32:BScope.TrojanDownloader.Smoke
VIPRE:Gen:Variant.Mikey.153813
Zillya:Trojan.Chapak.Win32.95394
ZoneAlarm by Check Point:HEUR:Trojan.Win32.Chapak.gen
Following basic security practices minimizes the chance of being infected by ransomware like this. For those already infected with LockBit, a LockBit ransomware recovery tool has recently been released, so trying to recover with that tool is recommended.
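As an added example (not code from the original post), a small Python triage helper that encodes the three observable indicators this post gives: the published hashes of the sample, the executable disguised with a resume-like file name, and the `<id>.README.txt` ransom note with its "LockBit 3.0" banner. The note-name pattern and the document-lure heuristics are assumptions generalised from the single file names shown in the post, and all inputs in the test are constructed.

```python
import hashlib
import re
from pathlib import PurePath

# Hashes quoted from the post for the analysed sample.
KNOWN_HASHES = {
    "md5": "bfe12a8e2169231a3825951ba63f11c9",
    "sha1": "386967620dd0822fff1de0b25eec59b7c52a72f9",
    "sha256": "d4f150a8b26e9edccae4987433fb5b8a105970db143ba196f13652730c635668",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".hwp", ".xlsx", ".pptx"}
# Assumed note-name pattern, generalised from the single name the post shows
# (51q6EmbYb.README.txt); the banner is the first line of the quoted note.
NOTE_NAME = re.compile(r"^[A-Za-z0-9]{6,12}\.README\.txt$")
NOTE_BANNER = "LockBit 3.0"

def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of file content, keyed like KNOWN_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}

def matches_known_sample(data: bytes) -> bool:
    """True when any digest of the content equals a hash published for the sample."""
    digests = hashes_of(data)
    return any(digests[k] == v for k, v in KNOWN_HASHES.items())

def looks_like_document_lure(filename: str) -> bool:
    """Flag an executable whose name reads like a document: a long, space-filled
    'resume' style name, or a document extension hidden in front of the real one."""
    path = PurePath(filename)
    if path.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    inner_ext = PurePath(path.stem).suffix.lower()
    return path.stem.count(" ") >= 2 or inner_ext in DOCUMENT_EXTS

def is_ransom_note(filename: str, text: str) -> bool:
    """Match the dropped note by its <id>.README.txt name and the LockBit banner."""
    return bool(NOTE_NAME.match(PurePath(filename).name)) and NOTE_BANNER in text

def triage(files) -> list:
    """files: iterable of (name, content bytes). Returns (name, reason) findings."""
    findings = []
    for name, data in files:
        if matches_known_sample(data):
            findings.append((name, "hash matches published LockBit sample"))
        elif looks_like_document_lure(name):
            findings.append((name, "executable named like a document"))
        if is_ransom_note(name, data.decode("utf-8", "replace")):
            findings.append((name, "LockBit 3.0 ransom note"))
    return findings
```

The vendor labels above disagree on the family name, so a hash match is the only finding here that ties a file to this exact sample; the name and note checks are heuristics that need a human look.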