On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Abyss Locker (AbyssLocker) ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows and Linux Users
Impact: Steals and encrypts victims’ files and demands a ransom for file decryption and for not releasing the stolen data.
Severity level: High
Abyss Locker Ransomware Overview
Although the first Abyss Locker sample was submitted to a publicly available file scanning service in July of 2023, the first variant of the ransomware may date back further as the ransomware is based on the HelloKitty ransomware source code. A version 1 variant of the Abyss Locker ransomware targeting Windows systems was discovered in early January 2024, followed by version 2 for Windows later that month. (We were unable to locate version 1 for Linux.) We review both the Linux and Windows variants in this week’s roundup.
The Abyss Locker threat actor steals victims’ data before deploying and running its ransomware malware for file encryption. The ransomware is also capable of deleting Volume Shadow Copies and system backups.
Infection Vector
Information on the infection vector used by the Abyss Locker ransomware threat actor is unavailable. However, it is not likely to differ significantly from other ransomware groups.
Victimology
The Abyss Locker ransomware samples were submitted to a publicly available file scanning service from a variety of regions, including Europe, North America, South America, and Asia.
Attack Method
Windows Version
The Windows version of the Abyss Locker ransomware version 1 performs the following actions:
It stops the following services:
- MSSQLServerADHelper100
- MSSQL$ISARS
- MSSQL$MSFW
- SQLAgent$ISARS
- SQLAgent$MSFW
- SQLBrowser
- ReportServer$ISARS
- SQLWriter
- WinDefend
- mr2kserv
- MSExchangeADTopology
- MSExchangeFBA
- MSExchangeIS
- MSExchangeSA
- ShadowProtectSvc
- SPAdminV4
- SPTimerV4
- SPTraceV4
- SPUserCodeV4
- SPWriterV4
- SPSearch4
- IISADMIN
- firebirdguardiandefaultinstance
- ibmiasrw
- QBCFMonitorService
- QBVSS
- QBPOSDBServiceV12
- IBM Domino Server (CProgramFilesIBMDominodata)
- IBM Domino Diagnostics (CProgramFilesIBMDomino)
- Simply Accounting Database Connection Manager
- QuickBooksDB1
- QuickBooksDB2
- QuickBooksDB3
- QuickBooksDB4
- QuickBooksDB5wrapper
- DefWatch
- ccEvtMgr
- ccSetMgr
- SavRoam
- Sqlservr
- sqlagent
- sqladhlp
- Culserver
- RTVscan
- sqlbrowser
- SQLADHLP
- QBIDPService
- Intuit.QuickBooks.FCS
- msmdsrv
- tomcat6
- zhudongfangyu
- vmware-usbarbitator64
- vmware-converter
- dbsrv12
- dbeng8
- MSSQL$MICROSOFT##WID
- MSSQL$VEEAMSQL2012
- SQLAgent$VEEAMSQL2012
- FishbowlMySQ
- MySQL57
- MSSQL$KAV_CS_ADMIN_KIT
- SQLAgent$KAV_CS_ADMIN_KIT
- msftesql-Exchange
- MSSQL$MICROSOFT##SSEE
- MSSQL$SBSMONITORING
- MSSQL$SHAREPOINT
- MSSQLFDLauncher$SBSMONITORING
- MSSQLFDLauncher$SHAREPOINT
- SQLAgent$SBSMONITORING
- SQLAgent$SHAREPOINT
- QBFCService
- YooBackup
- YooIT
- svc$
- MSSQL
- MSSQL$
- memtas
- mepocs
- sophos
- veeam
- backup
- bedbg
- PDVFSService
- BackupExecVSSProvider
- BackupExecAgentAccelerator
- BackupExecAgentBrowser
- BackupExecDiveciMediaService
- BackupExecJobEngine
- BackupExecManagementService
- BackupExecRPCService
- MVArmor
- MVarmor64
- stc_raw_agent
- VSNAPVSS
- VeeamTransportSvc
- VeeamDeploymentService
- VeeamNFSSvc
- AcronisAgent
- ARSM
- AcrSch2Svc
- CASAD2DWebSvc
- CAARCUpdateSvc
- WSBExchange
- MSExchange
- MSExchange$
- GxVss
- GxBlr
- GxFWD
- GxCVD
- GxCIMgr
It then terminates the following processes:
- 360doctor.exe
- 360se.exe
- ADExplorer.exe
- ADExplorer64.exe
- ADExplorer64a.exe
- Adobe CEF.exe
- Adobe Desktop Service.exe
- AdobeCollabSync.exe
- AdobeIPCBroker.exe
- AutodeskDesktopApp.exe
- Autoruns.exe
- Autoruns64.exe
- Autoruns64a.exe
- Autorunsc.exe
- Autorunsc64.exe
- Autorunsc64a.exe
- AvastUI.exe
- BrCcUxSys.exe
- BrCtrlCntr.exe
- CNTAoSMgr.exe
- CagService.exe
- CoreSync.exe
- Creative Cloud.exe
- Culture.exe
- Defwatch.exe
- DellSystemDetect.exe
- EnterpriseClient.exe
- GDscan.exe
- GWCtlSrv.exe
- GlassWire.exe
- Helper.exe
- InputPersonalization.exe
- MsDtSrvr.exe
- MsDtsSrvr.exe
- MsMpEng.exe
- ONENOTEM.exe
- PccNTMon.exe
- ProcessHacker.exe
- Procexp.exe
- Procexp64.exe
- QBDBMgr.exe
- QBDBMgrN.exe
- QBIDPService.exe
- QBW32.exe
- RAgui.exe
- RTVscan.exe
- Raccine.exe
- RaccineElevatedCfg.exe
- RaccineSettings.exe
- Raccine_x86.exe
- RdrCEF.exe
- ReportingServicesService.exe
- SQLAGENT.EXE
- Simply.SystemTrayIcon.exe
- SimplyConnectionManager.exe
- Sqlservr.exe, Ssms.exe
- Sysmon.exe
- Sysmon64.exe
- SystemExplorer.exe
- SystemExplorerService.exe
- SystemExplorerService64.exe
- TMBMSRV.exe
- TeamViewer.exe
- TeamViewer_Service.exe
- TitanV, Ssms.exe
- TmCCSF.exe
- TmListen.exe
- TmPfw.exe
- TmProxy.exe
- Totalcmd.exe
- Totalcmd64.exe
- VeeamDeploymentSvc.exe
- WRSA.exe
- WireShark.exe
- ZhuDongFangYu.exe
- acwebbrowser.exe
- agntsvc.exe
- avp.exe
- avz.exe
- axlbridge.exe
- bedbh.exe
- benetns.exe
- bengien.exe
- beserver.exe
- dbeng50.exe
- dbsnmp.exe
- dumpcap.exe
- egui.exe
- encsvc.exe
- excel.exe
- fbguard.exe
- fbserver.exe
- fdhost.exe
- fdlauncher.exe
- firefox.exe
- httpd.exe
- infopath.exe
- isqlplussvc.exe
- j0gnjko1.exe
- java.exe
- msaccess.exe
- msftesql.exe
- msmdsrv.exe
- mspub.exe
- mydesktopqos.exe
- mydesktopservice.exe
- mysqld.exe
- node.exe
- notepad++.exe
- notepad.exe
- ntrtscan.exe
- ocautoupds.exe
- ocomm.exe
- ocssd.exe
- onenote.exe
- oracle.exe
- outlook.exe
- pg_ctl.exe
- postgres.exe
- powerpnt.exe
- procexp64a.exe
- procmon.exe
- procmon64.exe
- procmon64a.exe
- pvlsvr.exe
- qbupdate.exe
- raw_agent_svc.exe
- sam.exe
- sqbcoreservice.exe
- sql.exe
- sqlbrowser.exe
- sqlceip.exe
- sqlmangr.exe
- sqlservr.exe
- sqlwriter.exe
- steam.exe
- supervise.exe
- synctime.exe
- tbirdconfig.exe
- tcpview.exe
- tcpview64.exe
- tcpview64a.exe
- tdsskiller.exe
- thebat.exe
- thunderbird.exe
- tomcat6.exe
- tv_w32.exe
- tv_x64.exe
- visio.exe
- vsnapvss.exe
- vxmon.exe
- wdswfsafe.exe
- winword.exe
- wordpad.exe
- wsa_service.exe
- wxServer.exe
- wxServerView.exe
- xfssvccon.exe
The ransomware uses the following commands to delete Volume Shadow Copies:
- vssadmin.exe delete shadows /all /quiet
- wmic SHADOWCOPY DELETE
It runs the following commands to set the boot status policy:
- bcdedit /set {default} recoveryenabled No (Disable Automatic Repair)
- bcdedit /set {default} bootstatuspolicy IgnoreAllFailures (Ignore all boot failures and start Windows normally)
The Abyss Locker ransomware encrypts files on compromised machines and adds a “.abyss” extension to the encrypted files. The Abyss Locker version 1 variant for Windows adds a random five-letter extension instead of “.abyss.”
Figure 1: Files encrypted by the Abyss Locker ransomware version 1 for Windows platform
The ransomware drops a ransom note labeled “WhatHappened.txt.”
Figure 2: Ransom note dropped by the Abyss Locker ransomware version 1 for Windows
The TOR site used for ransom negotiations was not accessible at the time of our investigation.
It then replaces the desktop wallpaper with its own, which contains a ransom message:
However, the Abyss Locker ransomware applies the following file encryption exceptions:
It skips encrypting files with the following extensions:
- .Abyss
- .386
- .cmd
- .ani
- .adv
- .msi
- .msp
- .com
- .nls
- .ocx
- .mpa
- .cpl
- .mod
- .hta
- .prf
- .rtp
- .rpd
- .bin
- .hlp
- .shs
- .drv
- .wpx
- .bat
- .rom
- .msc
- .spl
- .msu
- .ics
- .key
- .exe
- .dllv
- .lnk
- .icov
- .sys
- .cur
- .idx
- .ini
- .reg
- .mp3
- .mp4
- .apk
- .ttf
- .otf
- .fon
- .fnt
- .dmp
- .tmp
- .pif
- .wav
- .wma
- .dmg
- .iso
- .app
- .ipa
- .xex
- .wad
- .icns
- .lock
- .theme
- .diagcfg
- .blf
- .diagcab
- .diagpkg
- .msstyles
- .gadget
- .woff
- .part
- .sfcache
- .winmd
It also skips encrypting the following files:
- work.log
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- bootmgr
- bootmgr.efi
- bootmgfw.efi
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
- !CryptoLockerDetectionDONT-DELETE!.jpg
- WhatHappened.txt
In addition, it avoids encrypting files in the following folders:
- Boot
- Windows
- Windows.old
- $Windows.~bt
- $windows.~ws
- windows nt
- msbuild
- microsoft
- perflog
- Microsoft – Cloud
- Computers
- Apps & Gaming
- microsoft shared
- common files
- windows defender
- windowspowershell
- windows security
- usoshared
- windowsapp
- windows journal
- windows photo viewer
- $Recycle.Bin
- All Users
- Program Files
- Program Files (x86)
- system volume information
- msocache
- Tor Browser
- Internet Explorer
- Google
- Opera
- Opera Software
- Mozilla
- Mozilla Firefox
- #recycle
Our analysis of Abyss Locker ransomware version 2, which appeared in late January 2024, found no differences from version 1 in terms of functionality. The only differences we could find are the ransom message (including the message on the replaced wallpaper), which clearly states that it’s version 2, and the TOR address used for ransom negotiation.
Figure 4: Ransom note dropped by the Abyss Locker ransomware version 2 for Windows platform
The TOR site used by this version of Abyss Locker ransomware for ransom negotiation was still accessible at the time of our investigation.
Linux Version
This ransomware variant runs the following commands:
- esxcli vm process list (get the list of running VMs)
- esxcli vm process kill -t=soft -w=[ID of VM] (try to shut the VMs down gracefully)
- esxcli vm process kill -t=hard -w=[ID of VM] (if the previous command fails, try to shut the VMs down immediately)
- esxcli vm process kill -t=force -w=[ID of VM] (if the previous command fails, forcefully kill the VMs as a last resort)
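The shadow copy deletion and bcdedit boot-policy commands listed in the Windows section, and the esxcli kill chain above, are the most readily detectable parts of the behaviour this report describes. The Python below is an added example, not code from the FortiGuard report: it matches those command patterns against process-creation command lines and ESXi shell-log-style lines, and it treats a soft-to-hard-to-force kill sequence against one VM as the escalation the report describes rather than flagging every single kill, which is routine administration. The rule names, the log line shapes and the world IDs are assumptions made for illustration; all sample lines are constructed.

```python
import re
from collections import defaultdict

# --- Windows: process-creation command lines ---------------------------------
# (name, regex) pairs for the commands the report attributes to Abyss Locker.
# Case-insensitive because operators vary casing (the report itself shows
# "wmic SHADOWCOPY DELETE" and "bcdedit ... recoveryenabled No").
WINDOWS_RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def match_windows(cmdline):
    """Sorted, de-duplicated rule names that a single command line triggers."""
    return sorted({name for name, rx in WINDOWS_RULES if rx.search(cmdline)})


# --- ESXi: esxcli vm process kill escalation -----------------------------------
# Captures the kill type (-t / --type) and the world ID (-w / --world-id).
ESXCLI_KILL = re.compile(
    r"esxcli\s+vm\s+process\s+kill\s+(?:-t|--type)[= ](\w+)\s+(?:-w|--world-id)[= ](\d+)",
    re.I,
)
KILL_RANK = {"soft": 0, "hard": 1, "force": 2}  # order used by the malware


def esxcli_kill_chain(lines):
    """Map each world ID to the ordered list of kill types attempted against it."""
    chain = defaultdict(list)
    for line in lines:
        m = ESXCLI_KILL.search(line)
        if m:
            chain[m.group(2)].append(m.group(1).lower())
    return dict(chain)


def escalated_kills(lines):
    """World IDs that received more than one kill type in non-decreasing
    severity (soft -> hard -> force). A single kill is left unreported."""
    hits = []
    for world, types in esxcli_kill_chain(lines).items():
        ranks = [KILL_RANK.get(t, -1) for t in types]
        if len(set(ranks)) > 1 and ranks == sorted(ranks):
            hits.append(world)
    return hits


def scan(windows_cmdlines, esxi_lines):
    """Summarise both feeds; returned values are what a detection would emit."""
    windows_hits = []
    for cmd in windows_cmdlines:
        names = match_windows(cmd)
        if names:
            windows_hits.append((cmd, names))
    return {
        "windows_hits": windows_hits,
        "escalated_vms": escalated_kills(esxi_lines),
        "vms_targeted": sorted(esxcli_kill_chain(esxi_lines)),
    }


# Constructed sample input (not real telemetry).
SAMPLE_WINDOWS_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    "wmic SHADOWCOPY DELETE",
    "bcdedit /set {default} recoveryenabled No",
    "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures",
    "vssadmin list shadows",  # benign enumeration; must not match
]
SAMPLE_ESXI_LINES = [  # shaped like ESXi shell.log entries; assumed format
    "2024-01-20T10:00:01Z shell[1001]: esxcli vm process list",
    "2024-01-20T10:00:02Z shell[1001]: esxcli vm process kill -t=soft -w=2102333",
    "2024-01-20T10:00:05Z shell[1001]: esxcli vm process kill -t=hard -w=2102333",
    "2024-01-20T10:00:08Z shell[1001]: esxcli vm process kill -t=force -w=2102333",
    "2024-01-20T10:00:09Z shell[1001]: esxcli vm process kill -t=soft -w=2102444",
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_WINDOWS_CMDLINES, SAMPLE_ESXI_LINES).items():
        print(key, value)
```

On the constructed input, the four malicious Windows command lines each trigger one rule, `vssadmin list shadows` triggers none, and only world ID 2102333 is reported as escalated because it alone was hit with soft, hard and force kills in sequence.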
The ransomware then encrypts files on the compromised machines and adds a “.crypt” extension to the encrypted files.
It then creates files with a “.README_TO_RESTORE” extension, which is a ransom note.
Figure 5: Ransom note dropped by the Linux version of the Abyss Locker ransomware
It avoids encrypting files in the following directories:
- /boot
- /dev
- /etc
- /lost+found
- /proc
- /run
- /usr/bin
- /usr/include
- /usr/lib
- /usr/lib32
- /usr/lib64
- /usr/sbin
- /sys
- /usr/libexec
- /usr/share
- /var/lib
It also avoids encrypting files with the following extensions:
- .vmdk
- .vmsd
- .vmsn
- .crypt
- .README_TO_RESTORE
- .tmp
- .a
- .so
- .la
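The exclusion lists for the Windows variant (extensions, file names and folders) and for the Linux variant (directories and extensions) double as a recovery map: anything the malware skips should still be intact after an incident. The Python below is an added example, not code from the FortiGuard report, that turns both rule sets into a triage classifier for a file listing, separating ransom notes, files carrying the “.abyss” or “.crypt” marker, paths the malware would have skipped, and everything else that should be assumed encrypted. The exclusion sets are subsets of the report’s lists, the five-letter-extension check for version 1 is a heuristic added here, and every path is constructed.

```python
import ntpath
import posixpath
from collections import defaultdict

# Subsets of the report's exclusion lists (the full lists are longer).
WINDOWS_SKIP_EXT = {".386", ".cmd", ".msi", ".com", ".ocx", ".cpl", ".bat", ".exe",
                    ".lnk", ".sys", ".ini", ".reg", ".theme", ".lock", ".tmp",
                    ".dmp", ".msc", ".iso"}
WINDOWS_SKIP_FILES = {"work.log", "autorun.inf", "boot.ini", "bootmgr", "ntldr",
                      "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "desktop.ini",
                      "thumbs.db", "iconcache.db"}
WINDOWS_SKIP_DIRS = {"boot", "windows", "windows.old", "$windows.~bt", "program files",
                     "program files (x86)", "$recycle.bin", "system volume information",
                     "all users", "msocache", "tor browser", "mozilla firefox",
                     "google", "perflog"}
LINUX_SKIP_DIRS = ("/boot", "/dev", "/etc", "/lost+found", "/proc", "/run", "/sys",
                   "/usr/bin", "/usr/include", "/usr/lib", "/usr/lib32", "/usr/lib64",
                   "/usr/sbin", "/usr/libexec", "/usr/share", "/var/lib")
LINUX_SKIP_EXT = {".vmdk", ".vmsd", ".vmsn", ".crypt", ".readme_to_restore",
                  ".tmp", ".a", ".so", ".la"}

WINDOWS_NOTE = "whathappened.txt"        # ransom note name (Windows)
LINUX_NOTE_EXT = ".readme_to_restore"    # ransom note extension (Linux)


def classify_windows(path):
    """Category the Windows variant would put a path in, per the report's rules."""
    win = path.replace("/", "\\")
    name = ntpath.basename(win).lower()
    ext = ntpath.splitext(name)[1]
    dirs = [p.lower() for p in win.split("\\")[:-1]]
    if name == WINDOWS_NOTE:
        return "ransom_note"
    if ext == ".abyss":
        return "encrypted"                      # version 2 marker
    if any(d in WINDOWS_SKIP_DIRS for d in dirs):
        return "skipped_dir"
    if name in WINDOWS_SKIP_FILES:
        return "skipped_name"
    if ext in WINDOWS_SKIP_EXT:
        return "skipped_ext"
    if len(ext) == 6 and ext[1:].isalpha():
        # Heuristic (assumption): version 1 appends a random five-letter
        # extension, so any unknown five-letter extension is flagged for review.
        return "possible_encrypted_v1"
    return "encryption_candidate"


def classify_linux(path):
    """Category the Linux variant would put a path in, per the report's rules."""
    name = posixpath.basename(path).lower()
    ext = posixpath.splitext(name)[1]
    if ext == LINUX_NOTE_EXT:
        return "ransom_note"
    if ext == ".crypt":
        return "encrypted"
    if any(path == d or path.startswith(d + "/") for d in LINUX_SKIP_DIRS):
        return "skipped_dir"
    if ext in LINUX_SKIP_EXT:
        return "skipped_ext"
    return "encryption_candidate"


def triage(windows_paths=(), linux_paths=()):
    """Group a file listing by category; skipped_* entries should be intact."""
    groups = defaultdict(list)
    for p in windows_paths:
        groups[classify_windows(p)].append(p)
    for p in linux_paths:
        groups[classify_linux(p)].append(p)
    return dict(groups)


# Constructed sample listing (not from a real incident).
SAMPLE_WINDOWS = [
    r"C:\Users\alice\Documents\budget.xlsx.abyss",
    r"C:\Users\alice\Documents\WhatHappened.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\Users\alice\Desktop\setup.exe",
    r"C:\Users\alice\ntuser.dat",
    r"C:\Users\alice\Documents\plan.pptx.kqzvt",
]
SAMPLE_LINUX = [
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmx.crypt",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.README_TO_RESTORE",
    "/etc/ssh/sshd_config",
    "/home/admin/libfoo.so",
]

if __name__ == "__main__":
    for category, paths in sorted(triage(SAMPLE_WINDOWS, SAMPLE_LINUX).items()):
        print(category, paths)
```

Note that the virtual disk in the sample (`web01-flat.vmdk`) lands in `skipped_ext`: the Linux variant leaves .vmdk files alone and instead encrypts the surrounding VM files, which is why shutting the VMs down first matters to the attacker and why restoring those small files can be enough to bring a VM back.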
Data Leak Site
Currently, the Abyss Locker ransomware threat actor does not appear to have a TOR site that exposes the victim’s name and allows others to view the stolen data, although BleepingComputer previously reported such a leak site in mid-2023. However, the threat actor does offer a ransom negotiation site on TOR.
The ransom is set low for businesses and high for consumers ($282,380 in this case), making it difficult to determine who is being targeted.
Fortinet Protections
The Abyss Locker ransomware samples described in this report are detected and blocked by FortiGuard Antivirus as:
- W64/Rook.B!tr.ransom
- W64/Filecoder_Rook.B!tr
- W64/Filecoder_Rook.B!tr.ransom
- Linux/Filecoder_HelloKitty.A!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
IOCs
Abyss Locker Ransomware File IOCs
SHA2 | Note
72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462 | Abyss Locker v2 (Linux)
3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d | Abyss Locker v2 (Windows)
9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc | Abyss Locker v1 (Windows)
0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64 | Abyss Locker v1 (Windows)
dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0 | Abyss Locker v1 (Windows)
e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7c | Abyss Locker v1 (Windows)
1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596 | Abyss Locker v1 (Windows)
1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120 | Abyss Locker v1 (Windows)
25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7 | Abyss Locker v1 (Windows)
b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5f | Abyss Locker v1 (Windows)
362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711 | Abyss Locker v1 (Windows)
e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7 | Abyss Locker v1 (Windows)
056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032da | Abyss Locker v1 (Windows)
877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97 | Abyss Locker v1 (Windows)
2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829 | Abyss Locker v1 (Windows)
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.
Originally published by Shunichi Imano and Fred Gutierrez: Ransomware Roundup – Abyss Locker