Original poster: hsks

[Virus sample] #Ransomware #BlackKingdom

Nocria
Posted on 2021-3-20 22:01:05
EMSISOFT
Blocked; nothing abnormal seen afterwards.


hsks
OP | Posted on 2021-3-20 22:03:01
This post was last edited by hsks on 2021-3-20 22:04

HT analysis identifies it as ransomware.
Ransom note:
***************************
| We Are Back            ?
***************************

We hacked your (( Network )), and now all files, documents, images,
databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't  contact us within 2 days, your data will be released to the public.

To see what happens to those who didn't contact us, just google : (  Blackkingdom Ransomware  )

***************************
| What  guarantees        ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files  ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .


[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com

2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :

[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.

## Note ##

Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==>
gAhmHQIZrniAIQvWcGBn
Could this be BlackKingdom ransomware?
心痛的伤不起
Posted on 2021-3-20 22:15:17
瑞星剑 (Rising)

anthonyqian
Posted on 2021-3-20 22:21:57
This post was last edited by anthonyqian on 2021-3-21 01:54

FS HEUR/APC
761773275
Posted on 2021-3-20 22:22:08
It's actually a PS1 dropper; Sophos killed it, and no files were encrypted.

hsks
OP | Posted on 2021-3-20 22:24:54
This post was last edited by hsks on 2021-3-20 22:26
Quoting 761773275 (posted 2021-3-20 22:22):
    It's actually a PS1 dropper; Sophos killed it, and no files were encrypted.

Indeed.
It's a PyInstaller package; after a while it runs a PS script, and after that it's presumably the BlackKingdom ransomware.
Some BK ransomware samples seem to follow exactly this pattern.
c/mm
Posted on 2021-3-20 22:25:58


Defense failed; I manually terminated the process early!!!


周六,2021/3/20 22:07:16  AntiRansomeare      Potential threat            Allowed
Suspicious access to your file system has been detected that indicate an encryption Trojan.

The following processes were therefore interrupted Bfor security reasons:
        ----------------------------------------------------------------
        C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 10988)
        C:\Program Files\AMD\CNext\CNext\AMDRSServ.exe (PID 4060)
        C:\Windows\explorer.exe (PID 3036)
        C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe (PID 6088)
        C:\Users\cbwf521\Desktop\asd\1.exe (PID 7444)
        C:\Users\cbwf521\Desktop\asd\1.exe (PID 10532)
        C:\Windows\System32\cmd.exe (PID 6060)
        C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (PID 8504)
        D:\sogouexplorer\SogouExplorer.exe (PID 6384)
        C:\Users\cbwf521\Desktop\asd\1.exe (PID 5136)
        C:\Windows\System32\svchost.exe (PID 4432)
        C:\Windows\System32\RuntimeBroker.exe (PID 6544)
        C:\Windows\System32\RuntimeBroker.exe (PID 9164)
        C:\Windows\System32\cmd.exe (PID 9692)
        C:\Users\cbwf521\Desktop\asd\1.exe (PID 5828)
        ----------------------------------------------------------------

If blocked, the following programs responsible will be moved to Quarantine:
        ----------------------------------------------------------------
        C:\Users\cbwf521\Desktop\酷狗音乐.lnk
        ----------------------------------------------------------------

Detected suspicious activities:
        ----------------------------------------------------------------
        Written: C:\Users\cbwf521\Desktop\everything-v1.4.1.996.b\Everything-1.4.1.996.x86.zip
        Written: C:\Users\cbwf521\Desktop\捕获.PNG
        Written: C:\Users\cbwf521\Desktop\2\comando_03.16.2021.doc
        Written: C:\Users\cbwf521\Desktop\2\2.xls
        Created: C:\Users\cbwf521\AppData\Local\D3DSCache\b712cb29446caeae\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_D570&REV_EF.lock
        Created: C:\Users\cbwf521\AppData\Local\AMD\CN\RSX_Common.log_2021-3-20_21_22_47.log
        Created: C:\Users\cbwf521\AppData\Local\Microsoft\Windows\INetCache\IE\1BQ5ZZ9B\all[1].json
        Created: C:\Users\cbwf521\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG.old~RF6fa3a6.TMP
        Created: C:\Users\cbwf521\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOCK

        ----------------------------------------------------------------

The user allowed access.
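The report above lists every process the anti-ransomware module interrupted, and most of them (explorer, svchost, RuntimeBroker, the AMD services) are collateral rather than the sample. The Python script below is an added example, not something posted in the thread or shipped by any vendor: it parses that report layout and separates interrupted processes running from user-writable locations from those in system or program directories, and lists which user documents were written. The report text embedded in it is constructed after the post's layout, with invented user and file names.

```python
"""Triage helper for a plain-text anti-ransomware alert report.

Added example (not from the thread). It parses the report layout shown in
the post above: a list of interrupted processes as "<path> (PID <n>)",
a quarantine candidate list, and "Written:/Created:" activity lines.
"""
import os
import re
from collections import Counter

# Constructed report modelled on the post's layout; user and file names are invented.
SAMPLE_REPORT = r"""Suspicious access to your file system has been detected that indicate an encryption Trojan.

The following processes were therefore interrupted for security reasons:
        ----------------------------------------------------------------
        C:\Windows\explorer.exe (PID 3036)
        C:\Users\victim\Desktop\asd\1.exe (PID 7444)
        C:\Users\victim\Desktop\asd\1.exe (PID 10532)
        C:\Windows\System32\cmd.exe (PID 6060)
        C:\Users\victim\Desktop\asd\1.exe (PID 5136)
        C:\Windows\System32\svchost.exe (PID 4432)
        ----------------------------------------------------------------

If blocked, the following programs responsible will be moved to Quarantine:
        ----------------------------------------------------------------
        C:\Users\victim\Desktop\music.lnk
        ----------------------------------------------------------------

Detected suspicious activities:
        ----------------------------------------------------------------
        Written: C:\Users\victim\Desktop\report.doc
        Written: C:\Users\victim\Desktop\2\2.xls
        Created: C:\Users\victim\AppData\Local\AMD\CN\RSX_Common.log
        ----------------------------------------------------------------

The user allowed access.
"""

PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \(PID (?P<pid>\d+)\)$")
ACTIVITY_RE = re.compile(r"^(?P<action>Written|Created|Deleted|Renamed): (?P<path>.+)$")

# Locations legitimately installed software normally runs from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Extensions that count as user documents when written.
USER_DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".png", ".jpg", ".txt", ".zip"}


def parse_report(text):
    """Split the report into interrupted processes, quarantine candidates and file activities."""
    report = {"processes": [], "quarantine": [], "activities": [], "user_allowed": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("The following processes"):
            section = "processes"
        elif line.startswith("If blocked"):
            section = "quarantine"
        elif line.startswith("Detected suspicious activities"):
            section = "activities"
        elif line == "The user allowed access.":
            report["user_allowed"] = True
        elif not line or line.startswith("----"):
            continue
        elif section == "processes":
            m = PROC_RE.match(line)
            if m:
                report["processes"].append((m.group("path"), int(m.group("pid"))))
        elif section == "quarantine":
            report["quarantine"].append(line)
        elif section == "activities":
            m = ACTIVITY_RE.match(line)
            if m:
                report["activities"].append((m.group("action"), m.group("path")))
    return report


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(report):
    """Separate likely-sample binaries from collateral and list user documents written."""
    suspect = Counter(path for path, _pid in report["processes"] if not is_trusted_location(path))
    collateral = sorted({path for path, _pid in report["processes"] if is_trusted_location(path)})
    docs = [path for action, path in report["activities"]
            if action == "Written" and os.path.splitext(path)[1].lower() in USER_DOC_EXT]
    return {"suspect_binaries": dict(suspect), "collateral": collateral, "user_documents_written": docs}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for path, count in result["suspect_binaries"].items():
        print(f"suspect: {path} ({count} instances interrupted)")
    for path in result["user_documents_written"]:
        print(f"document written: {path}")
```

On the constructed report the only binary outside a trusted directory is the Desktop 1.exe, interrupted three times, which matches what the post's screenshot shows; everything else is collateral that the module killed alongside it.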



761773275
Posted on 2021-3-20 22:32:08
Quoting hsks (posted 2021-3-20 22:24):
    Indeed.
    It's a PyInstaller package; after a while it runs a PS script, and after that it's presumably the BlackKingdom ransomware.
    Some BK ransomware samples seem to ...

It first drops and runs the PS1, then performs the encryption, and it also kills explorer.

Rating: 1 participant, reputation +2
hsks +2: Thanks for the explanation :)
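761773275 and hsks describe the same chain: a PyInstaller-packed executable that drops and runs a PS1 script, then encrypts, then kills explorer. The Python below is an added example, not code from the thread or from any product: it runs a process-ancestry check over constructed process-creation events (field names loosely follow Sysmon Event ID 1) and flags a PowerShell script executed under a binary from a user-writable path, plus an explorer.exe kill descending from that binary. The command lines, PIDs and the _MEI temp directory are assumptions for the sample events, not observations of this sample.

```python
"""Process-ancestry detection for a packed dropper that runs a PowerShell stage.

Added example, not code from the thread or from any product. The events
are constructed to mimic the chain described in the thread (packed exe ->
PowerShell script -> encryption -> explorer killed); field names follow
Sysmon Event ID 1 loosely, and the command lines, PIDs and the _MEI temp
directory are assumptions rather than observations of this sample.
"""
import re

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 3036, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7444, "ppid": 3036, "image": r"C:\Users\victim\Desktop\asd\1.exe",
     "cmdline": r'"C:\Users\victim\Desktop\asd\1.exe"'},
    # a one-file PyInstaller bootloader spawns a child copy of itself after unpacking (assumed here)
    {"pid": 10532, "ppid": 7444, "image": r"C:\Users\victim\Desktop\asd\1.exe",
     "cmdline": r'"C:\Users\victim\Desktop\asd\1.exe"'},
    {"pid": 6060, "ppid": 10532, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\_MEI10532\stage.ps1"},
    {"pid": 6100, "ppid": 6060, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\_MEI10532\stage.ps1"},
    {"pid": 6200, "ppid": 6100, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM explorer.exe"},
    # benign: an installed tool's script launched from explorer, should not be flagged
    {"pid": 9000, "ppid": 3036, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -File "C:\Program Files\Tool\update.ps1"'},
]

# First alternative handles quoted paths with spaces, second a bare token ending in .ps1.
SCRIPT_RE = re.compile(r'(?i)"([^"]+?\.ps1)"|(\S+?\.ps1)\b')


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def ancestors(index, pid):
    """Yield parent events walking up from pid; stops on unknown parents or cycles."""
    seen = set()
    ppid = index[pid]["ppid"]
    while ppid in index and ppid not in seen:
        seen.add(ppid)
        yield index[ppid]
        ppid = index[ppid]["ppid"]


def untrusted_root(index, pid):
    """Nearest process in the chain (self first) running from outside a trusted directory."""
    for event in [index[pid], *ancestors(index, pid)]:
        if not is_trusted_location(event["image"]):
            return event
    return None


def detect(events):
    """Return (rule, root_pid, pid, detail) tuples for suspicious chains."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"]
        if image.endswith("\\powershell.exe"):
            m = SCRIPT_RE.search(cmd)
            script = (m.group(1) or m.group(2)) if m else None
            if script and not is_trusted_location(script):
                root = untrusted_root(index, e["pid"])
                if root:
                    findings.append(("script_under_untrusted_binary", root["pid"], e["pid"], script))
        elif image.endswith("\\taskkill.exe") and re.search(r"(?i)\bexplorer\.exe\b", cmd):
            root = untrusted_root(index, e["pid"])
            if root:
                findings.append(("explorer_killed_by_untrusted_chain", root["pid"], e["pid"], cmd))
    return findings


if __name__ == "__main__":
    for rule, root_pid, pid, detail in detect(EVENTS):
        print(f"{rule}: root pid {root_pid}, pid {pid}, {detail}")
```

Both findings point back at the same root process (the second copy of 1.exe), which is the process an analyst would want to correlate with the file writes from the anti-ransomware report; the benign PowerShell launch under explorer is not flagged because both the script and every ancestor live in trusted directories.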

vm001
Posted on 2021-3-21 01:27:48
病毒名称:Ransom/Rattrap.D
病毒路径:C:\Users\vm001\Desktop\1\1.exe
操作结果:已处理

进程ID:3172
操作进程命令行:"C:\Users\vm001\Desktop\1\1.exe"
父进程:C:\Users\vm001\Desktop\1\1.exe
父进程命令行:"C:\Users\vm001\Desktop\1\1.exe"

Huorong's behavior defense intercepted it, but too late; the files were basically all destroyed.

vm001
Posted on 2021-3-21 01:29:22
Quoting 秋日之殇 (posted 2021-3-20 21:40):
    Kaspersky scan doesn't flag it; killed on double-click, and it rolled back a big pile of files.

It probably only rolled back the dropped files; the damaged documents, images and so on were not protected.
Copyright © KaFan  KaFan.cn All Rights Reserved.