正文
公司OA系统部署在自己的服务器上,一天突然不能用了,发现项目文件中多了个文件 READ_ME.html,
还有几个文件被加密了,后缀名是 .locked,如 autoload.php.locked,打开查看是乱码。
查看READ_ME.html内容:
send 0.2btc to my address:bc1q22xcf2667tjq9ug0fgsmxmfm2kmz32lwtn4m7v. contact email:service@sunshinegirls.space with id: ATNICTpe0+OBHRljroM6Hz76oliwJ37DFiea2aHY/2DlJ+XVgJbr0Dyu3BUsy/tsAc3zEvJClPl9a7EIdYou9ROqPWwdnjyar1uzxHTzqBOo0lsK5hf87tgaBPwhc00Ah2JB5TjmWDnYmwdaYjzMuVeWBmw3vp6l2B0blu04VrrRGy5/m8BOs68X2dvDYiA600SzPCaWAyY9Cw8J9kW7XEJ8fbGAmRlMPIMOr98YxB++zW0T2B3hGiHrH+Et9bsvvkq4yh6x1T5GE8FDQo+3CY0BCodXRGKJjkZqnYK1hSm6vLh1gb1CZlgSZC0XFfYRZfObKlx58hII7mCRgqpcnVtmxw6TbyEYPSceZx1fgKng6EKL0owkaXU4wpRWPbsqGvhBdy2tc8vx4dQ0yk3hJ/sW8vVpQe5h+JofcBDo0RBEbwh1sDhRUP+TVCF+3Fvkpx4R9k3xb+fB0OVctOwqVHrm55SdKPOgE0efFLrAhmxS/ut0r3KshupJNC34hDY57fPOE5HX8+z6ldPNjALWVM0YZzls5r36lb8bjzzjinGTev9h35tLulG2AsRwu6nyrGFE9SjPPVFFqgecE7Ab2JNLq1wcdXxzvyJT/vs5+aSh0dMEnsePjBJqcPkjPzJYJ55wjXcQfuBdTQvpV5H6zwYOM5MF8MNOZ5QtRMDKLQf+x55ixNcH9T0wvUVrqWIdK0i2ElNdl2tcJvCRX4SPtIj76Q3A05XUWKJ7GWCh1WCP41F8rdiae2FszBScP888umpycsXd7UXwQ+8OgrJLwmpzEDYqgDGe7MMikbbixApEdlNWVMlSFg55UJkHGkJ4UTF4VzOvzFDuxka68iXBrRqbQmrcjX26YntrCAplKP+RtdaTOPJn5elmX5X2539MV6ZbF0fwk0nzo1UlxaWqRajPqZ2akjNYPWR4tJZ+d6Rnf3nutk4EvMpobf+clMvSgNsSfYUfL7ngDomFlQnVexh3tQx0e/CsOn2ox5gLoauAQ3b4uTRakdPRSGvXNjIk7UcpFp/VBVan6+jlAiDrm47Z/ck6Y7cE8PfnFqB3J7s0JRNbPYXXber3yROwLBtxxJICfsMcS9Qhlg5MmQtq6jhWnoWTHhpJ/MjG9hKZKCB3gXkVjwHrqHi4j/9ATuqmcTEIqapG4/+wuqYj2/fqYe5ueSK0J1AwHoXDcR8syhrKVA=
大意是 将0.2btc发送到指定账户,联系它邮箱,内容是指定的id。
这是一个典型的勒索病毒。
勒索病毒搜索引擎:
https://lesuobingdu.qianxin.com/index/getFile
https://lesuo.venuseye.com.cn/
勒索病毒解密工具速查:
https://cloud.tencent.com/developer/article/1738529?from=15425