
Ndm448 Ransomware

The growing sophistication of modern ransomware attacks underscores how important it is for users and organizations to protect their devices from malware. A single successful intrusion can cause operational disruption, financial loss, reputational damage and exposure of sensitive information. Researchers are currently analyzing a particularly dangerous ransomware strain, Ndm448. This destructive threat combines file encryption, data theft and extortion.

Ndm448 Ransomware: A Makop Family Variant Using Advanced Extortion Tactics

Ndm448 Ransomware has been identified as a variant of the notorious Makop ransomware family. Like other Makop-based threats, Ndm448 is designed to compromise infected systems, encrypt important data and coerce victims into paying a ransom to recover it.

Once executed, the malware carries out a coordinated series of actions. It encrypts files on the system, changes their names, drops a ransom note named "+README-WARNING+.txt" and changes the desktop wallpaper so that victims immediately realize they have been attacked. The encryption renders files inaccessible unless the decryption key held by the attackers is obtained.

File Renaming Pattern and Encryption Behavior

One distinctive trait of Ndm448 is its file renaming scheme. After encrypting a file, it appends three elements to the file name:

  • The victim's unique ID
  • An attacker-controlled email address
  • The .ndm448 extension

For example, a file originally named "1.png" is renamed to "1.png.[2AF20FA3].[thomasandersen70@onionmail.org].ndm448", and "2.pdf" becomes "2.pdf.[2AF20FA3].[thomasandersen70@onionmail.org].ndm448".
This structured renaming lets the attackers identify each victim individually while clearly marking encrypted data. The dedicated extension also prevents standard applications from recognizing or opening the files.
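The renaming scheme above is a useful triage indicator for responders. The following script, an added example and not code from the page or the malware author, parses the `<original>.[<victim ID>].[<email>].ndm448` pattern and summarizes a file listing: how many files match, which victim IDs and attacker emails appear, and whether the "+README-WARNING+.txt" note is present. The sample listing is constructed from the two file names quoted on the page; `scan_directory` is a hypothetical helper for running it over a real tree.

```python
import os
import re
from collections import Counter
from typing import Iterable, Optional

# Pattern described on the page: <original>.[<victim ID>].[<attacker email>].ndm448
NDM448_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.ndm448$"
)
RANSOM_NOTE = "+README-WARNING+.txt"  # note name quoted on the page


def parse_ndm448_name(name: str) -> Optional[dict]:
    """Return {'original', 'victim_id', 'email'} for a renamed file, else None."""
    m = NDM448_RE.match(name)
    return m.groupdict() if m else None


def scan_names(names: Iterable[str]) -> dict:
    """Summarize Ndm448 indicators in a list of bare file names."""
    names = list(names)
    encrypted = [p for p in (parse_ndm448_name(n) for n in names) if p]
    # One infection normally yields a single (victim ID, email) pair; several
    # distinct pairs would suggest multiple campaigns or a collected sample set.
    pairs = Counter((e["victim_id"], e["email"]) for e in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sum(1 for n in names if n == RANSOM_NOTE),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "attacker_emails": sorted({e["email"] for e in encrypted}),
        "originals": [e["original"] for e in encrypted],
        "pairs": dict(pairs),
    }


def scan_directory(root: str) -> dict:
    """Hypothetical helper: apply scan_names to every file name under root."""
    return scan_names(f for _, _, files in os.walk(root) for f in files)


# Constructed listing: the two renamed files from the page, a note, one clean file.
SAMPLE_LISTING = [
    "1.png.[2AF20FA3].[thomasandersen70@onionmail.org].ndm448",
    "2.pdf.[2AF20FA3].[thomasandersen70@onionmail.org].ndm448",
    "+README-WARNING+.txt",
    "report.docx",
]

if __name__ == "__main__":
    print(scan_names(SAMPLE_LISTING))
```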

Ransom Note and Double-Extortion Strategy

The ransom note provides detailed instructions and steadily escalates psychological pressure. Victims are told that their files have been encrypted and that sensitive data has been stolen. The attackers claim that, if the victim does not cooperate, the stolen information will be deleted, sold or published.

Communication takes place via the email address thomasandersen70@onionmail.org or the qTox messenger. The note stresses that the only way to regain access is to purchase the proprietary decryption tool. It warns victims not to restart the system, modify encrypted files or attempt third-party recovery, claiming these actions could permanently damage the data.

The attackers impose a strict deadline. If no agreement is reached within a few days, they threaten to destroy the decryption keys and leak the stolen information. Although they claim that payment guarantees data recovery and deletion, there is no assurance the attackers will honor these promises. Many ransomware operators fail to deliver working decryption tools even after receiving payment.

Infection Vectors and Distribution Methods

Ndm448 spreads through several distribution mechanisms designed to exploit human error and system weaknesses. It typically enters a system when a user unknowingly executes malicious content disguised as a legitimate file. Such content may include infected executables, scripts, archives or documents such as Word, Excel and PDF files.
Common distribution channels include:

  • Fraudulent email campaigns carrying malicious attachments or links
  • Pirated software, key generators and cracking tools
  • Exploitation of software vulnerabilities and outdated applications
  • Compromised USB drives and peer-to-peer networks
  • Fake technical support scams and deceptive advertisements
  • Hijacked or counterfeit websites distributing trojanized downloads

These diverse entry points make ransomware such as Ndm448 highly adaptable and difficult to contain once it is active in an environment.

Payment Risks and Persistent Infection

A ransomware attack causes immediate operational paralysis. Without uncompromised backups, recovery options are severely limited. Nevertheless, paying the ransom is strongly discouraged. The attackers may not provide a working decryption tool, may demand additional payments, or may leak the stolen data regardless.

Removing the ransomware immediately is essential. If left active, it continues to encrypt newly created files and may attempt to spread laterally across the local network, expanding the damage.

Strengthening Defenses: Essential Security Best Practices

Mitigating threats such as Ndm448 requires a layered, disciplined security strategy. Users and organizations should adopt the following core practices to significantly reduce risk:

  • Maintain regular offline or cloud backups that are isolated from the primary system.
  • Keep operating systems and software fully updated to close known vulnerabilities.
  • Use a reputable real-time security solution with ransomware detection.
  • Avoid downloading pirated software or unofficial activation tools.
  • Treat email attachments, links and unsolicited communications with caution.
  • Restrict administrative rights and apply the principle of least privilege.
  • Disable macros in documents unless they are absolutely necessary.
  • Segment the network so that lateral movement is limited if a breach occurs.

Beyond these measures, ongoing cybersecurity awareness training plays a vital role in reducing the human attack surface. Employees and individual users alike must be taught to recognize phishing, suspicious downloads and social engineering techniques.

Conclusion

Ndm448 Ransomware embodies the evolution of modern ransomware into a double-extortion threat, encrypting data while using stolen information to apply additional pressure. As a member of the Makop family, it combines strong encryption with aggressive psychological tactics intended to force victims to pay.

Strong preventive security measures, continuous backups and proactive threat detection remain the most effective defenses. In an environment where ransomware attacks keep growing in scale and sophistication, preparedness and vigilance are essential safeguards against data loss and financial damage.

System Messages

The following system messages may be associated with Ndm448 Ransomware:

Dear Management,
If you are reading this message, it means that:
- your network infrastructure has been compromised,
- critical data was leaked,
- files are encrypted
----------------------------------------------------
The best and only thing you can do is to contact us
to settle the matter before any losses occurs.

Mail : thomasandersen70@onionmail.org

If you do not receive a response within 12 hours, your letter may not have arrived, in this case we provide an alternative contact

Chat qtox : hxxps://qtox.github.io/
Our chat ID : 40E320AC41C066E58264ABF8A6B47A93F69DE2BE30FF94AE701EE15ED856FF5BB76A6B2068A4

----------------------------------------------------
1. THE FOLLOWING IS STRICTLY FORBIDDEN

1.1 EDITING FILES ON HDD.
Renaming, copying or moving any files
could DAMAGE the cipher and
decryption will be impossible.
1.2 USING THIRD-PARTY SOFTWARE.
Trying to recover with any software
can also break the cipher and
file recovery will become a problem.
1.3 SHUTDOWN OR RESTART THE PC.
Boot and recovery errors can also damage the cipher.
Sorry about that, but doing so is entirely at your own risk.

----------------------------------------------------

2. EXPLANATION OF THE SITUATION
2.1 HOW DID THIS HAPPEN
The security of your IT perimeter has been compromised (it's not perfect at all).
We encrypted your workstations and servers to make the fact of the intrusion visible and to prevent you from hiding critical data leaks.
We spent a lot of time researching and finding out the most important directories of your business, your weak points.
We have already downloaded a huge amount of critical data and analyzed it. Now its fate is up to you, it will either be deleted or sold, or shared with the media.
2.2 VALUABLE DATA WE USUALLY STEAL:
- Databases, legal documents, personal information.
- Audit reports.
- Audit SQL database
- Any financial documents (Statements, invoices, accounting, transfers etc.).
- Work files and corporate correspondence.
- Any backups.
- Confidential documents.
2.3 TO DO LIST (best practies)
- Contact us as soon as possible.
- Contact us only in our live chat, otherwise you can run into scammers.
- Purchase our decryption tool and decrypt your files. There is no other way to do this.
- Realize that dealing with us is the shortest way to success and secrecy.
- Give up the idea of using decryption help programs, otherwise you will destroy the system permanently.
- Avoid any third-party negotiators and recovery groups. They can become the source of leaks.
----------------------------------------------------
3. POSSIBLE DECISIONS
3.1 NOT MAKING THE DEAL
- After 4 days starting tomorrow your leaked data will be Disclosed or sold.
- We will also send the data to all interested supervisory organizations and the media.
- Decryption key will be deleted permanently and recovery will be impossible.
- Losses from the situation can be measured based on your annual budget.
3.2 MAKING THE WIN-WIN DEAL
- You will get the only working Decryption Tool and the how-to-use Manual.
- You will get our guarantees (with log provided) of non-recovarable deletion of all your leaked data.
- You will get our guarantees of secrecy and removal of all traces related to the deal in the Internet.
- You will get our security report on how to fix your security breaches.

----------------------------------------------------

4. Your Information and Keys

4.1 All leaked Data samples will be Disclosed in 7 Days if you remain silent.
4.2 Your Decryption keys will be permanently destroyed at the moment the leaked Data is Disclosed.
----------------------------------------------------
6. RESPONSIBILITY
6.1 Breaking critical points of this offer will cause:
- Deletion of your decryption keys.
- Immediate sale or complete Disclosure of your leaked data.
- Notification of government supervision agencies, your competitors and clients.
