現代勒索軟體攻擊手段的日益複雜化凸顯了使用者和組織保護設備免受惡意軟體侵害的重要性。一次成功的入侵就可能導致營運中斷、經濟損失、聲譽受損以及敏感資訊外洩。目前,研究人員正在分析一種特別危險的勒索軟體—Ndm448。這種極具破壞性的威脅結合了檔案加密、資料竊取和勒索等手段。
Ndm448勒索軟體:一種採用高級勒索手段的Makop家族變種
Ndm448勒索軟體已被確認為臭名昭著的Makop勒索軟體家族的變種。與其他基於Makop的威脅一樣,Ndm448旨在入侵受感染的系統,加密重要數據,並迫使受害者支付贖金以恢復數據。
一旦執行,該惡意軟體會執行一系列協同操作。它會加密系統中的文件,更改文件名,產生名為“+README-WARNING+.txt”的勒索資訊文件,並修改桌面壁紙,以確保受害者立即意識到自己受到了攻擊。加密過程會導致檔案無法訪問,除非攻擊者持有相應的解密金鑰。
文件重命名模式和加密行為
Ndm448 的一個顯著特徵是其獨特的檔案名稱重新命名規則。加密檔案後,它會在每個檔案名稱後面附加三個元素:
- 受害者的唯一ID
- 攻擊者控制的電子郵件地址
- .ndm448 副檔名
例如,原名為“1.png”的文件被重新命名為“1.png.[2AF20FA3].[thomasandersen70@onionmail.org].ndm448”,而“2.pdf”則變為“2.pdf.[2AF20FA3].[masandersen70@onthoionmail.org”。
這種結構化的重新命名系統允許攻擊者單獨識別受害者,同時清晰地標記加密資料。新增專用副檔名還可以阻止標準應用程式識別或開啟這些檔案。
勒索信和雙重勒索策略
勒索信中提供了詳細的指示,並不斷升級心理壓力。受害者被告知他們的文件已被加密,敏感資料已被竊取。攻擊者聲稱,如果受害者不配合,被盜資訊將被刪除、出售或公開。
溝通透過電子郵件 thomasandersen70@onionmail.org 或 qTox Messenger 進行。通知強調,恢復存取權限的唯一方法是購買專有的解密工具。通知警告受害者不要重新啟動系統、修改加密檔案或嘗試使用第三方復原方案,因為這些操作可能會永久損壞資料。
攻擊者設定了嚴格的最後期限。如果幾天內未能達成協議,他們將威脅銷毀解密金鑰並洩露被盜資訊。雖然他們聲稱支付贖金可以保證資料恢復和刪除,但攻擊者是否會兌現這些承諾卻無法保證。許多勒索軟體業者即使在收到贖金後也未能提供有效的解密工具。
感染媒介和傳播方法
Ndm448 透過多種傳播機制擴散,這些機制旨在利用人為錯誤和系統漏洞。它通常在用戶不知情的情況下執行偽裝成合法文件的惡意內容時入侵系統。這些惡意內容可能包括受感染的可執行文件、腳本、壓縮檔案或文檔,例如 Word、Excel 和 PDF 文件。
常見的銷售管道包括:
- 包含惡意附件或連結的詐騙電子郵件活動
- 盜版軟體、金鑰產生器和破解工具
- 利用軟體漏洞和過時的應用程式
- 被入侵的USB和點對點網絡
- 虛假技術支援騙局和欺騙性廣告
- 被劫持或偽造的網站分髮帶有木馬的下載文件
這些多樣化的入口點使得像 Ndm448 這樣的勒索軟體具有很強的適應性,一旦在環境中活躍起來,就很難被控制。
支付風險和持續感染
勒索軟體攻擊會立即造成營運癱瘓。如果沒有未受損的備份,復原選項將受到極大限制。然而,強烈建議不要支付贖金。攻擊者可能不會提供有效的解密工具,可能會要求額外費用,或仍可能洩漏竊取的資料。
立即清除勒索軟體至關重要。如果任其活動,它會繼續加密新建立的文件,並可能嘗試在本地網路中橫向傳播,從而擴大破壞規模。
加強防禦:基本安全最佳實踐
緩解 Ndm448 等威脅需要分層且嚴謹的安全策略。使用者和組織應實施以下核心實踐,以顯著降低風險:
- 定期維護與主系統隔離的離線或雲端備份。
- 保持作業系統和軟體完全更新,以修復已知漏洞。
- 使用信譽良好、具備勒索軟體偵測功能的即時安全解決方案。
- 避免下載盜版軟體或非官方啟動工具。
- 請謹慎對待電子郵件附件、連結和未經請求的通訊。
- 限制管理權限,並應用最小權限原則。
- 除非絕對必要,否則請停用文件中的巨集。
- 網路遭到入侵時,對網路進行分段以限制橫向移動。
除了上述措施外,持續的網路安全意識培訓在減少人為攻擊途徑方面發揮著至關重要的作用。員工和個人用戶都必須接受教育,學習如何識別網路釣魚、可疑下載和社會工程攻擊手段。
結論
Ndm448勒索軟體體現了現代勒索軟體的演變,它已發展成為一種雙重勒索威脅,能夠在加密資料的同時利用竊取的資訊施加額外壓力。作為Makop家族的一員,它結合了強大的加密技術和咄咄逼人的心理戰術,旨在迫使受害者支付贖金。
強而有力的預防性安全措施、持續備份和主動威脅偵測仍然是最有效的防禦手段。在勒索軟體攻擊規模和複雜性不斷增長的環境下,做好準備和保持警惕是防止資料遺失和經濟損失的必要保障。
System Messages
The following system messages may be associated with Ndm448勒索軟體:
Dear Management,
If you are reading this message, it means that:
- your network infrastructure has been compromised,
- critical data was leaked,
- files are encrypted
----------------------------------------------------
The best and only thing you can do is to contact us
to settle the matter before any losses occurs.
Mail : thomasandersen70@onionmail.org
If you do not receive a response within 12 hours, your letter may not have arrived, in this case we provide an alternative contact
Chat qtox : hxxps://qtox.github.io/
Our chat ID : 40E320AC41C066E58264ABF8A6B47A93F69DE2BE30FF94AE701EE15ED856FF5BB76A6B2068A4
----------------------------------------------------
1. THE FOLLOWING IS STRICTLY FORBIDDEN
1.1 EDITING FILES ON HDD.
Renaming, copying or moving any files
could DAMAGE the cipher and
decryption will be impossible.
1.2 USING THIRD-PARTY SOFTWARE.
Trying to recover with any software
can also break the cipher and
file recovery will become a problem.
1.3 SHUTDOWN OR RESTART THE PC.
Boot and recovery errors can also damage the cipher.
Sorry about that, but doing so is entirely at your own risk.
----------------------------------------------------
2. EXPLANATION OF THE SITUATION
2.1 HOW DID THIS HAPPEN
The security of your IT perimeter has been compromised (it's not perfect at all).
We encrypted your workstations and servers to make the fact of the intrusion visible and to prevent you from hiding critical data leaks.
We spent a lot of time researching and finding out the most important directories of your business, your weak points.
We have already downloaded a huge amount of critical data and analyzed it. Now its fate is up to you, it will either be deleted or sold, or shared with the media.
2.2 VALUABLE DATA WE USUALLY STEAL:
- Databases, legal documents, personal information.
- Audit reports.
- Audit SQL database
- Any financial documents (Statements, invoices, accounting, transfers etc.).
- Work files and corporate correspondence.
- Any backups.
- Confidential documents.
2.3 TO DO LIST (best practies)
- Contact us as soon as possible.
- Contact us only in our live chat, otherwise you can run into scammers.
- Purchase our decryption tool and decrypt your files. There is no other way to do this.
- Realize that dealing with us is the shortest way to success and secrecy.
- Give up the idea of using decryption help programs, otherwise you will destroy the system permanently.
- Avoid any third-party negotiators and recovery groups. They can become the source of leaks.
----------------------------------------------------
3. POSSIBLE DECISIONS
3.1 NOT MAKING THE DEAL
- After 4 days starting tomorrow your leaked data will be Disclosed or sold.
- We will also send the data to all interested supervisory organizations and the media.
- Decryption key will be deleted permanently and recovery will be impossible.
- Losses from the situation can be measured based on your annual budget.
3.2 MAKING THE WIN-WIN DEAL
- You will get the only working Decryption Tool and the how-to-use Manual.
- You will get our guarantees (with log provided) of non-recovarable deletion of all your leaked data.
- You will get our guarantees of secrecy and removal of all traces related to the deal in the Internet.
- You will get our security report on how to fix your security breaches.
----------------------------------------------------
4. Your Information and Keys
4.1 All leaked Data samples will be Disclosed in 7 Days if you remain silent.
4.2 Your Decryption keys will be permanently destroyed at the moment the leaked Data is Disclosed.
----------------------------------------------------
6. RESPONSIBILITY
6.1 Breaking critical points of this offer will cause:
- Deletion of your decryption keys.
- Immediate sale or complete Disclosure of your leaked data.
- Notification of government supervision agencies, your competitors and clients.
|
