
2025/04/30 01:14:36 hotcomm 1445

Preface

The BlackHeart (Blackheart) ransomware family is written in .NET. The Sangfor EDR security team previously reported that samples of a variant of this family were bundled with the well-known remote-control software AnyDesk for distribution. This time the Sangfor EDR security team discovered the latest variant of the family. The encryption algorithm is still AES+RSA, encrypted files cannot be restored, and the encrypted file suffix is mariacbc.

1. Sample introduction

BlackHeart (Blackheart) ransomware is also a member of the SF ransomware family. The SF family contains several categories of ransomware:

Spartacus ransomware

Satyr ransomware

BlackRouter ransomware

BlackHeart (Blackheart) ransomware


All of them are written in .NET and share similar core encryption code, which is why they are collectively known as the SF ransomware family.


2. Detailed analysis

1. The sample still uses the previous B-shaped icon and is still written in .NET, as follows:

2. The entry function of the program is as follows:

3. Generate a unique AES key, as follows:

4. Encrypt the AES key with the RSA-2048 public key, then convert the result to Base64 encoding, as shown below:

The generated encrypted key is as shown below:

"mox1nR9OkprIdiwITblhpiD0XclNiMcMMNaP18mqV N1bkmsALjPThj9ckRNKC1uriLkOzc9BqAsgdLcNpmAJ/OPZDzKZhLsNv5GZAZotlMPX/gZzXvNvXqzKIxTxBv5NLzawTeyQuOuZMeU6gcuZdPThNItes0oFGsozxzsZCWuJoQuoXlfVDHnJC8dNGJ1+/EswCIB9jl5Hov0j9BNnwqOaKaTDJWYqayvKY4dn t14moA2ZzODVarydgHOit7CcJLGjCEijXV4Shrz8LkiBfKcH+haDcNWtT4EXT+zGae4DiAUIrAm+FPwLOuodHdrJwflJgkfawnXZA/6Emv/Vbw=="

5. Traverse the host-related directories and perform the encryption operation, as follows:

The directory traversal is as follows:

The corresponding directory list is as follows:

%Desktop%
%Documents%
%Music%
%History%
%Downloads%
%Pictures%
%Videos%
%Favorites%
%UserProfile%
%ProgramData%
%SystemRoot%\Users

6. Iterate over the files in each directory, as follows:

Check whether the file's extension is in the list of extensions that need to be encrypted, as follows:

The list of extensions the ransomware encrypts is as follows:

".exe", ".der", ".pfx", ".key", ".crt", ".csr", ".p12", ".pem", ".odt", ".sxw", ".stw", ".3ds", ".max", ".3dm", ".ods", ".sxc", ".stc", ".dif", ".slk", ".wb2", ".odp", ".sxd", ".std", ".sxm", ".sqlite3", ".sqlitedb", ".sql", ".accdb", ".mdb", ".dbf", ".odb", ".mdf", ".ldf", ".cpp", ".pas", ".asm", ".cmd", ".bat", ".vbs", ".sch", ".jsp", ".php", ".asp", ".java", ".jar", ".class", ".mp3", ".wav", ".swf", ".fla", ".wmv", ".mpg", ".vob", ".mpeg", ".asf", ".avi", ".mov", ".mp4", ".mkv", ".flv", ".wma", ".mid", ".m3u", ".m4u", ".svg", ".psd", ".tiff", ".tif", ".raw", ".gif", ".png", ".bmp", ".jpg", ".jpeg", ".iso", ".backup", ".zip", ".rar", ".tgz", ".tar", ".bak", ".ARC", ".vmdk", ".vdi", ".sldm", ".sldx", ".sti", ".sxi", ".dwg", ".pdf", ".wk1", ".wks", ".rtf", ".csv", ".txt", ".msg", ".pst", ".ppsx", ".ppsm", ".pps", ".pot", ".pptm", ".pptx", ".ppt", ".xltm", ".xltx", ".xlc", ".xlm", ".xlt", ".xlm", ".xlt", ".xlw", ".xlsb", ".xlsx", ".xlsx", ".xls", ".dotm", ".dot", ".docm", ".docx", ".doc", ".ndf", ".pdf", ".ib", ".ibk"

7. Encrypt the file with the AES algorithm. The key is the AES key generated earlier (the same key that was encrypted with the RSA-2048 public key). While encrypting, the file's suffix is changed to mariacbc, as shown below:

The corresponding encryption routine, AES in ECB mode, is shown below:

The encrypted file is as follows:

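As an added incident-response example (not the sample's code and not the Sangfor team's tooling): a Python triage script that walks a directory, flags files renamed with the .mariacbc suffix, and measures the repeated 16-byte block ratio that AES-ECB leaves behind, since ECB encrypts identical plaintext blocks to identical ciphertext blocks. The 5% threshold, the file paths and the sample bytes are assumptions.

```python
import os
from collections import Counter

# Values from the analysis above; the threshold and sample data are assumptions.
ENCRYPTED_SUFFIX = ".mariacbc"
AES_BLOCK_SIZE = 16

def ecb_repeat_ratio(data: bytes) -> float:
    """Fraction of whole 16-byte blocks that occur more than once in the data.

    AES-ECB encrypts each block independently, so identical plaintext blocks give
    identical ciphertext blocks and repetition survives encryption; CBC/CTR output
    and compressed data show almost none. Fewer than two full blocks gives 0.0.
    """
    usable = len(data) - len(data) % AES_BLOCK_SIZE
    blocks = [data[i:i + AES_BLOCK_SIZE] for i in range(0, usable, AES_BLOCK_SIZE)]
    if len(blocks) < 2:
        return 0.0
    counts = Counter(blocks)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(blocks)

def classify(path: str, data: bytes, threshold: float = 0.05) -> dict:
    """Flag a file renamed by the sample and/or whose content looks ECB-encrypted."""
    ratio = ecb_repeat_ratio(data)
    return {
        "path": path,
        "renamed": path.lower().endswith(ENCRYPTED_SUFFIX),
        "ecb_repeat_ratio": ratio,
        "ecb_like": ratio >= threshold,
    }

def summarize(results: list) -> dict:
    """Collapse per-file verdicts into the lists an incident responder wants."""
    return {
        "total": len(results),
        "renamed_files": [r["path"] for r in results if r["renamed"]],
        "ecb_like_files": [r["path"] for r in results if r["ecb_like"]],
    }

def triage_directory(root: str) -> dict:
    """Walk a directory tree (for example a mounted image) and triage every file."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                results.append(classify(full, fh.read()))
    return summarize(results)
```

Compressed formats (docx, jpg, zip) contain few repeated plaintext blocks even before encryption, so the ECB measure is only supporting evidence for files with structured or padded content; the suffix match is the primary indicator.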

8. Iterate through the files in the host's disk directories and encrypt them, as follows:

9. Delete the disk shadow copies, as follows:

10. Generate the ransom information dialog box, as follows:

The corresponding ransom dialog box is shown below:

11. Traverse the host disks and generate the ransom note text file [email protected], as shown below:

3. Solution

The Sangfor security team once again reminds users that the main defence against ransomware is prevention. At present, most files encrypted by ransomware cannot be decrypted. Pay attention to the following daily prevention measures:

1. Do not open email attachments from unknown sources, and do not download software from unknown websites.

2. Patch hosts in time (for example, the EternalBlue vulnerability patch) to fix the corresponding high-risk vulnerabilities.

3. Keep regular off-site backups of important data files.

4. As far as possible, close unnecessary file-sharing permissions and unnecessary ports, such as 445, 135, 139 and 3389.

5. For RDP and other remote server connections, use strong passwords and never weak ones.

6. Install professional endpoint security software that provides endpoint protection plus virus detection and removal for the host.

*Author: Qianlimu Security Laboratory. Please credit FreeBuf.COM when reprinting.
