The ransomware is raging, and the Chinese campus network has become the hardest-hit area.

On the evening of May 12, nearly 100 netizens around the world suffered a malicious ransomware attack called WNCRYPT "Eternal Blue". The victims' computers were "hijacked" by hackers, and a large number of files were encrypted and locked. Chinese enterprises, hospitals, government agencies and other organizations were not spared in this attack, and the campus network in particular has become the hardest hit. China's major universities are currently in graduation season. Many students' files have unfortunately been hit and cannot be opened, including graduation theses, graduation designs and defense PPTs. The students affected by the ransomware are very anxious, and many have even started to redo their graduation thesis and defense PPT.

Figure 1: The computer is attacked by a malicious ransomware

Successfully analyzed the ransomware encryption method, and Efficiency Source launched a free data recovery product.

As the world's leading data recovery company, Efficiency Source Technology has conducted long-term research and practice on Bitcoin ransomware and has rich technology and experience. In April 2017, Efficiency Source Technology released the "Blackmail BT Coin Server Database Recovery Tool", which successfully recovered key data for many companies infected with the Wallet ransomware. In response to the outbreak of the "Eternal Blue" ransomware, Efficiency Source Technology's technical engineers worked overnight to research and crack the virus, and successfully analyzed its encryption method. The study found that the "Eternal Blue" ransomware encrypts files in two main ways:

1. Encryption method for files larger than 0x180000 bytes (1.5MB)

For files larger than 0x180000 bytes (1.5MB), the total size of the normal file is divided by 3 to get the size M of each interval block.
The file is divided into two interval blocks of M and 2M size, and the first 512 sectors of each interval block are filled with 0: the 512 sectors that were encrypted are filled with 0, and the multiple encrypted 512-sector runs are written to the end of the file. Most of the file data is not encrypted, especially in large files such as databases. We can directly use the Efficiency Source "Blackmail BT Coin Server Database Recovery Tool" to extract database records, and its accuracy rate is above 93%.

Figure 2: Efficiency Source Blackmail BT Coin Server Database Recovery Tool

For special-format documents, such as docx documents, fragment recovery can be performed. Efficiency Source Technology's engineers have successfully developed a free tool, the "Eternal Blue" Bitcoin Blackmail Office Data Recovery Tool V1.0. Open the software, import the encrypted file, select the storage path, and click on data analysis to restore the data. The operation is very simple, as shown in Figure 3.

Figure 3: Efficiency Source "Eternal Blue" Bitcoin Blackmail Office Data Recovery Tool V1.0

Remarks: Efficiency Source "Eternal Blue" Bitcoin Blackmail Office Data Recovery Tool V1.0 download address: http://pan.baidu.com/s/1dE8wJS1?qq-pf-to=pcqq.discussion Extracting passwords:

2. Encryption method for files smaller than 0x180000 bytes (1.5MB)

For files smaller than 0x180000 bytes, all the contents are encrypted, but when encrypting small files, the original files are deleted first. Therefore, if the computer has been encrypted, professional data recovery software, such as the Efficiency Source DRS data recovery system, R-Studio or WinHex, can be used to recover some small files. Note that the success rate for such files is affected by factors such as the number of files, time, and disk operation. In general, the sooner you recover after infection, the higher the chance of success.
Figure 4: Efficiency Source DRS Data Recovery System

Tips: If you have any questions while using Efficiency Source's free tool, the "Eternal Blue" Bitcoin Blackmail Office Data Recovery Tool V1.0, you can call for advice. In addition, public security customers who need technical support and assistance with the Bitcoin ransomware attack can also call this number for consultation.
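
An added triage example for the large-file case in section 1, not code from Efficiency Source or its tools: it finds runs of zero-filled sectors in a file and reports how much of the data lies outside them. The 512-byte sector size, the function names and the sample buffer (including where its zeroed runs sit) are assumptions constructed for illustration.

```python
SECTOR = 512               # assumed sector size in bytes; the article does not state it
THRESHOLD = 0x180000       # 1.5 MB size boundary given in the article


def recovery_path(original_size):
    """Map an original file size to the article's two cases."""
    if original_size > THRESHOLD:
        return "large: partly zeroed, most data left unencrypted"
    if original_size < THRESHOLD:
        return "small: fully encrypted, look for the deleted original"
    return "unspecified"    # the article does not cover exactly 0x180000 bytes


def zeroed_runs(data, sector=SECTOR):
    """Return (byte_offset, sector_count) for every run of all-zero sectors."""
    runs, start, zero = [], None, bytes(sector)
    total = len(data) // sector
    for i in range(total):
        if data[i * sector:(i + 1) * sector] == zero:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start * sector, i - start))
            start = None
    if start is not None:
        runs.append((start * sector, total - start))
    return runs


def triage(data, min_run=512):
    """Keep runs of at least min_run sectors; report the share of bytes outside them."""
    runs = [r for r in zeroed_runs(data) if r[1] >= min_run]
    lost = sum(count for _, count in runs) * SECTOR
    return {"zeroed": runs, "intact_fraction": 1 - lost / max(len(data), 1)}


def constructed_sample():
    """Constructed 3 MB buffer with two zeroed 512-sector runs (offsets chosen for the demo)."""
    size, run = 0x300000, 512 * SECTOR
    buf = bytearray(b"\xAA" * size)
    for offset in (size // 3, 2 * (size // 3)):
        buf[offset:offset + run] = bytes(run)
    return bytes(buf)


if __name__ == "__main__":
    report = triage(constructed_sample())
    for offset, count in report["zeroed"]:
        print(f"zeroed run at 0x{offset:X}, {count} sectors")
    print(f"intact fraction: {report['intact_fraction']:.3f}")
```

Run it against a copy of the affected file, never the original, so that later recovery attempts still see the disk as it was.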