A few days ago a new ransomware family called WannaRen suddenly broke out; its most visible characteristic is that it imitates the WannaCry ransomware that erupted in 2017.
After analysis by security researchers it can now be stated that this ransomware has nothing whatsoever to do with WannaCry, and that it is almost certainly the work of a domestic attacker.
Moreover, the makers behind it are a group that has long been active in the domestic gray and black markets; until now that group mainly spread trojans which then loaded cryptomining modules onto the victim.
What is a little surprising is that this group has suddenly turned to ransomware. Perhaps cryptocurrency prices have been poor and the developers wanted a different way to make money.
The hacker group is called Hidden Shadow:
Qihoo's security team found after analysis that the developer of this ransomware is in fact the Hidden Shadow hacker group, which already has a considerable criminal record in China.
Earlier, analysis by 360 Security Brain found that the attack techniques, related code and code-homology data of this ransomware are almost identical to those of the Hidden Shadow group, which had specialized in cryptomining.
The group's habitual approach is to spread its malware through BT download tools and activation (cracking) tools; it has also previously spread malware using the EternalBlue vulnerability.
After infecting a user's computer it runs PowerShell to download further modules and then drops the mining module; this time, what gets dropped is a backdoor module together with the ransomware.
Tencent's Yujian Threat Intelligence Center had previously observed this group dropping mining modules that used victims' computers to mine Monero (XMR) and PascalCoin (PASC).
Gaudy-looking, but highly aggressive:
When Blue Dot Net first saw the interface of this ransomware we took it for a prank, because the interface resembles WannaCry's and even has a picture hung on it.
But according to the analysis of security experts so far, this ransomware is not a prank: its purpose is clear, and it is highly aggressive, combining several attack methods.
The main execution path is spreading a poisoned download over the network; PowerShell then downloads a loader, and the loader finally drops the ransomware.
But that is not all. Analysis found that the ransomware also has a built-in EternalBlue module; if the other machines on the internal network have not installed the patch (MS17-010), they will be infected too.
In addition, the ransomware bundles the well-known file indexing tool Everything, whose HTTP server function can turn the computer into a file server.
The attacker installs this indexing tool precisely to turn the victim's computer into a file server, so that the victim's machine can conveniently be used to spread the trojan to new computers.
Judging from this approach, the attacker's development of the ransomware was clearly deliberate and planned; otherwise they would not have gone to the trouble of using so many measures to strengthen propagation.
It also needs to be emphasized that the interface the user currently sees, namely the header image of this article, is not the virus itself but a dedicated decryption tool left behind by the attacker.
Analysis by Huorong Security Lab found that this tool is harmless: it is only used to enter the key obtained after paying the ransom and, with that key, unlock the files that have already been encrypted.
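The two propagation mechanisms described above, a built-in EternalBlue module and a bundled Everything with its HTTP server turned on, are both visible from the host. The triage script below is an added example written for this article; it is not code from the article, from Hidden Shadow's malware or from any of the vendor reports quoted here. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection). The ini key names and the default port 80 are Everything's own settings; the two Everything.ini locations it looks in are assumptions.

```powershell
# Added example, not from the article or any vendor report: triage a Windows
# host for the two propagation mechanisms WannaRen is described as using.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later.

function Test-Smb1Exposure {
    # EternalBlue (MS17-010) is an SMBv1 exploit. With SMBv1 disabled the
    # built-in EternalBlue module has nothing to attack, whatever the patch level.
    # Get-HotFix is deliberately avoided: later cumulative updates supersede the
    # original KB numbers, so a missing KB does not prove the host is unpatched.
    $cfg = Get-SmbServerConfiguration
    $advice = if ($cfg.EnableSMB1Protocol) {
        'SMBv1 is on. Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    } else {
        'SMBv1 is off; the EternalBlue module cannot reach this host over SMBv1'
    }
    [pscustomobject]@{ Smb1Enabled = $cfg.EnableSMB1Protocol; Advice = $advice }
}

function Test-EverythingHttpServer {
    # The article says the malware bundles Everything and enables its HTTP server
    # so the victim becomes a file server. A stock Everything install has its HTTP
    # server off and opens no listening TCP socket, so report every listener an
    # Everything.exe process owns, together with the binary's path.
    foreach ($p in Get-Process -Name Everything -ErrorAction SilentlyContinue) {
        $listeners = Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue
        foreach ($c in $listeners) {
            [pscustomobject]@{
                ProcessId    = $p.Id
                Path         = $p.Path
                LocalAddress = $c.LocalAddress
                LocalPort    = $c.LocalPort
            }
        }
    }
}

function Test-EverythingIni {
    # Everything stores the HTTP server switch in Everything.ini as
    # http_server_enabled=0|1 and http_server_port=<n>. The two config locations
    # checked here (per-user profile, default install directory) are assumptions;
    # a malware drop may keep the ini elsewhere, so also inspect the process Path above.
    $candidates = @(
        (Join-Path $env:APPDATA 'Everything\Everything.ini'),
        (Join-Path $env:ProgramFiles 'Everything\Everything.ini')
    )
    foreach ($ini in $candidates) {
        if (-not (Test-Path -LiteralPath $ini)) { continue }
        $enabled   = [bool](Select-String -LiteralPath $ini -Pattern '^http_server_enabled=1\s*$' -Quiet)
        $portMatch = Select-String -LiteralPath $ini -Pattern '^http_server_port=(\d+)' | Select-Object -First 1
        # Everything's default HTTP port is 80 when the key is absent
        $port = if ($portMatch) { [int]$portMatch.Matches[0].Groups[1].Value } else { 80 }
        [pscustomobject]@{ Ini = $ini; HttpServerEnabled = $enabled; HttpServerPort = $port }
    }
}

# Usage: on a machine where nobody deliberately set up Everything's web interface,
# any listener or http_server_enabled=1 below deserves a closer look.
Test-Smb1Exposure
Test-EverythingHttpServer | Format-Table -AutoSize
Test-EverythingIni | Format-Table -AutoSize
```

The SMBv1 check is phrased as "is the attack surface present" rather than "is the KB installed" on purpose: patch-level checks based on KB numbers go stale as cumulative updates supersede them, whereas a host with SMBv1 disabled is out of reach of an EternalBlue module regardless of its update history.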
The main distribution route seems to be domestic download sites:
The latest traceback report released by Huorong Security Lab shows that a certain well-known open-source editor hosted on the domestic download site cc Software Park carries the virus.
This trojanized open-source editor ranks high in downloads on that site, presumably because many users searching through a certain search engine unwittingly landed on the download site and fetched the poisoned build.
Of course, this also shows that the software on these download sites does not come from the software's official website; nobody knows where the packages were obtained, nor whether they carry viruses as well.
We still suggest that everyone download software from the official website wherever possible; if you search through a certain search engine, most of the results are junk download sites.
It is almost certain the attacker is domestic:
Several pieces of evidence point to the attacker's country of origin, the main one being that the Hidden Shadow hacker group has long been active within China.
Code-homology analysis shows that the code and attack methods used by WannaRen and by the Hidden Shadow hacker group are very similar, so Hidden Shadow can be confirmed as its developer.
Next, according to engineers at Huorong Security Lab, the attacker actually wrote it in Easy Language (a Chinese-language programming language), and development in Easy Language essentially rules out a foreign attacker.
Finally, the ransomware is currently spreading only within China; Blue Dot Net has contacted several overseas security sites and found no user reports of infection by this virus.
From this information it can basically be concluded that WannaRen is the work of a domestic hacker, although of course this judgement cannot be guaranteed to be 100 percent accurate.
After all the fuss, it seems nobody has paid the ransom:
As usual, Blue Dot Net also checked the attacker's income through a blockchain explorer; as of publication, WannaRen appears not to have received any ransom.
The attacker's Bitcoin wallets have so far received only 0.0000949 BTC, which at the current market price is a mere 4.87 yuan or so.
Of that, the address bc1qnfhg3r5ywnzumknncav4nsk7lqe9pnph2tcjg0 received 0.00004116 BTC, about 2.1 yuan.
The addresses bc1q8v***9etw and bc1qe***wd2 together received 0.00005374 BTC, about 2.77 yuan, far below the 0.05 BTC demanded.
Given how small these transfers are, if they were not the attacker testing their own wallets, then presumably some bored onlookers sent tiny amounts to toy with the attacker.
Finally, a reminder to everyone to stay vigilant about security every day; and if you are unfortunate enough to be infected, do not pay the ransom, so as not to encourage ransomware developers.