UNDERCODE COMMUNITY
🦑 Undercode World!
@UndercodeCommunity


1️⃣ World's first platform that collects & analyzes every new hacking method.
+ Practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE


✨ Youtube.com/Undercode
by Undercode.help

🦑 Recently from Undercode tweets:
twitter.com/UndercodeNews

> Encrypted files add .Cov19 extension, FushenKingdee ransomware is active

1) Tencent Security Threat Intelligence Center has detected that a ransomware virus called FushenKingdee is active and has already attacked enterprises. It is a variant of the Scarab ransomware family and uses RSA + AES to encrypt files.

2) The virus not only encrypts the content of files but also encrypts and encodes their names with RC4 + a non-standard Base64 alphabet. After an attack, files on the system are renamed to the "fixed name + encoded data.cov19" format.

3) The attacker leaves a ransom note asking the victim to contact FushenKingdee@protonmail.com to buy the decryption tool. Files encrypted by the virus cannot currently be decrypted or restored. Tencent security experts remind users to handle unknown emails with care; government and enterprise users should strengthen network security management to avoid damage.

4) The author of FushenKingdee is suspected to be from the Russian region: when encrypting, the virus excludes Russia, Belarus and Ukraine. Based on tools the attacker left behind on victim computers, such as processhacker (a security analysis tool) and NetworkShare v.2.exe (a network share scanner), Tencent security experts infer that the attacker does not stop at encrypting one computer but also scans the network horizontally with the intention of spreading. The attacker may break in through phishing email, weak-password brute forcing or vulnerability exploitation, and then deploy the ransomware.

5) At present, Tencent PC Manager (computer housekeeper) and the Tencent T-Sec terminal security management system can detect and remove the FushenKingdee ransomware.

🦑 Security recommendations and solutions
Tencent security experts advise users to take necessary measures to improve network security and avoid being subjected to ransomware virus attacks.

Business users
1) Close unnecessary ports, such as 445, 135 and 139, wherever possible. For ports such as 3389 and 5900, configure an IP allow list so that only addresses on the list are permitted to log in;

2) Turn off unnecessary file sharing. Where sharing is required, restrict access with ACLs and strong passwords, and disable anonymous access to shared folders;

3) Use strong passwords, avoid weak ones, and rotate them regularly. Server passwords should be long and irregular, and each server must be managed with a different password;

4) Apply access controls between internal servers and workstations that do not need to communicate with each other, so that a server reachable from the external network cannot be used as a springboard to attack other servers;

5) Regularly back up important files and data (databases and similar), and keep at least one off-site backup;

6) Enterprise end users should handle email attachments with caution; unless it is necessary, Office macro code should be disabled;

7) Deploy professional security software on terminals and servers; for web servers, consider hosting on a cloud services platform with professional security capabilities, such as Tencent's.

8) It is recommended to install the Tencent T-Sec terminal security management system.

🦑 Personal users

1) Enable Tencent PC Manager (computer housekeeper), do not open unfamiliar emails, and disable the execution of macro code in Office;

2) Turn on PC Manager's document guardian function, which uses spare disk space to back up data files automatically, so the data is still available if an accident occurs.
> Those recommendations must be applied by all members of Undercode.

🦑 Analysis of the encryption part
After the virus runs, it first uses zlib to decompress a large block of plaintext strings held in memory that it will use later; among them is the hard-coded RSA-2048 public key.

🦑 It then generates a local RSA-512 key pair, exports the RSA-512 private key (N, D), concatenates the values and saves them for later use.

> Next, the hard-coded RSA-2048 public key from the decompressed configuration is used to encrypt the RSA-512 private key; the result is processed further.
🦑 After the RSA-512 private key has been encrypted, the following three steps are performed:

1) Compute the length of the encrypted RSA-512 private key (see figure: offset 0x0, size 0x8);
2) Compute a CRC32 over the encrypted RSA-512 private key and store the hash (see figure: offset 0x8, size 0x4);
3) Compress the encrypted RSA-512 private key with zlib at level 2, strip the 2-byte compression header (the zlib flag bytes) and the trailing 5 bytes, and store what remains (offset 0xC, size = size after compression).
🦑 Finally, the three processed parts are encoded with a modified Base64:

The standard Base64 table is:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

The virus's modified Base64 table is:

ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz
Before encrypting a file, the virus uses rdtsc to generate 0x30 bytes of random key material for each file, in two parts (0x10 + 0x20 bytes).
The 0x20-byte part is used first as the RC4 key to encrypt the file name.
The RC4-encrypted file name is then encoded with the non-standard Base64, and the resulting string becomes the file's new random name after encryption. For example, the file cef_100_percent.pak in the figure is renamed to iDQbLSy99iHpsRqiT2f7kwmrQhhHKOcKFaq5TnhlZgEX5gLATUo.cov
File content is encrypted with AES-256 in CBC mode: the 0x10-byte part generated earlier is used as the IV, and the 0x20-byte random data is used again as the key.
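The two passages above (the three-part key container with its modified Base64, and the RC4 + Base64 file-name scheme) describe formats an analyst has to parse rather than re-implement, so here is an added Python example that does exactly that. It is not code from the page, from Tencent, or from the malware; it only uses the alphabets, offsets and sizes quoted above. Everything else is an assumption and is labelled as such in the comments: the header integers are taken as little-endian, the file name is taken as UTF-16LE (the 51-character sample on the page decodes to 38 bytes, which is 19 characters x 2, matching cef_100_percent.pak), the per-file key and the "encrypted private key" bytes are constructed test values, and the function names are ours. Two details the prose glosses over are handled explicitly: because '=' is a data symbol in the modified table, the encoder cannot keep padding and the decoder must restore it; and because the zlib header and trailer are stripped, the body has to be inflated as a raw DEFLATE stream, with the length and CRC32 fields in the header used to check whether the recovered bytes are complete.

```python
import base64
import hashlib
import struct
import zlib

# Alphabets as quoted in the write-up: the standard table and the malware's reordered one.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MOD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz"
_TO_MOD = str.maketrans(STD_ALPHABET, MOD_ALPHABET)
_TO_STD = str.maketrans(MOD_ALPHABET, STD_ALPHABET)

# Encoded file name copied from the write-up (51 characters).
PAGE_SAMPLE_TOKEN = "iDQbLSy99iHpsRqiT2f7kwmrQhhHKOcKFaq5TnhlZgEX5gLATUo"


def custom_b64encode(data: bytes) -> str:
    """Base64 over the modified table. '=' is a data symbol there, so padding is dropped
    (the 51-character sample on the page is not a multiple of 4, consistent with that)."""
    return base64.b64encode(data).decode("ascii").rstrip("=").translate(_TO_MOD)


def custom_b64decode(text: str) -> bytes:
    """Map back to the standard table, restore the padding, then decode normally."""
    std = text.translate(_TO_STD)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def encoded_name_length_bytes(token: str) -> int:
    """Number of ciphertext bytes an encoded file name carries (51 chars -> 38 bytes)."""
    return len(custom_b64decode(token))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_filename(token: str, rc4_key: bytes) -> str:
    """Reverse the renaming once the per-file 0x20-byte RC4 key is known:
    custom Base64 -> RC4 -> UTF-16LE. UTF-16LE is an assumption (38 bytes = 19 chars x 2)."""
    return rc4(rc4_key, custom_b64decode(token)).decode("utf-16-le")


def make_sample_token(name: str, rc4_key: bytes) -> str:
    """Constructed round-trip helper: the same primitives applied in the other direction."""
    return custom_b64encode(rc4(rc4_key, name.encode("utf-16-le")))


def pack_key_blob(encrypted_key: bytes) -> str:
    """Container from the write-up: [length u64 @0x0][CRC32 u32 @0x8][stripped zlib-2 stream @0xC],
    then custom Base64. Offsets and sizes are from the page; little-endian is an assumption."""
    compressed = zlib.compress(encrypted_key, 2)
    body = compressed[2:-5]  # drop the 2-byte zlib header and the trailing 5 bytes, as described
    header = struct.pack("<QI", len(encrypted_key), zlib.crc32(encrypted_key))
    return custom_b64encode(header + body)


def unpack_key_blob(token: str) -> dict:
    """Parse the container. With header and trailer gone, the body is inflated as a raw DEFLATE
    stream (wbits=-15) and whatever fully decodes is kept; the length and CRC32 fields are then
    the only way to tell whether the recovered bytes are the complete encrypted key."""
    raw = custom_b64decode(token)
    declared_length, declared_crc = struct.unpack_from("<QI", raw, 0)
    recovered = zlib.decompressobj(wbits=-15).decompress(raw[0xC:])
    intact = len(recovered) == declared_length and zlib.crc32(recovered) == declared_crc
    return {"declared_length": declared_length, "declared_crc32": declared_crc,
            "recovered": recovered, "intact": intact}


# Constructed sample values (not from the malware): a 0x20-byte "per-file key" and a
# 64-byte stand-in for the RSA-encrypted private key.
SAMPLE_RC4_KEY = hashlib.sha256(b"constructed per-file key").digest()
SAMPLE_ENCRYPTED_KEY = (hashlib.sha256(b"constructed blob part 1").digest()
                        + hashlib.sha256(b"constructed blob part 2").digest())

if __name__ == "__main__":
    token = make_sample_token("cef_100_percent.pak", SAMPLE_RC4_KEY)
    print(len(token), "chars ->", decrypt_filename(token, SAMPLE_RC4_KEY))
    print("page sample carries", encoded_name_length_bytes(PAGE_SAMPLE_TOKEN), "bytes")
    print(unpack_key_blob(pack_key_blob(SAMPLE_ENCRYPTED_KEY)))
```

The practical point of `unpack_key_blob` is the `intact` flag: stripping five trailing bytes from a zlib stream removes more than the Adler-32 trailer, so a decoder should not assume the inflated output is whole, and the length and CRC32 the malware itself stores are what let an analyst confirm it. The RC4 key itself is never recoverable from the file name alone; `decrypt_filename` only applies once the per-file key material has been obtained by other means, such as from a memory capture of the running process.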