{"id":384983,"date":"2023-03-15T09:04:23","date_gmt":"2023-03-15T08:04:23","guid":{"rendered":"https:\/\/www.stormshield.com\/?p=384983"},"modified":"2024-05-29T08:59:49","modified_gmt":"2024-05-29T07:59:49","slug":"alerte-securite-ransomware-skulllocker-la-reponse-des-produits-stormshield","status":"publish","type":"post","link":"https:\/\/www.stormshield.com\/fr\/actus\/alerte-securite-ransomware-skulllocker-la-reponse-des-produits-stormshield\/","title":{"rendered":"Alerte s\u00e9curit\u00e9 SkullLocker : la r\u00e9ponse des produits Stormshield"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<strong>SkullLocker est un ransomware Windows dont les premi\u00e8res traces remontent au 28 f\u00e9vrier 2023. Il s\u2019agit d\u2019une variante du ransomware Chaos d\u00e9couvert durant l\u2019\u00e9t\u00e9 2021. SkullLocker est diffus\u00e9 par l\u2019interm\u00e9diaire de mails de phishing et de sites de torrent. 
Le langage des instructions de ran\u00e7on semble indiquer que le malware vise la Pologne.<\/strong>[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>Le sample du ransomware SkullLocker<\/h2>\n<p>Voici les informations d\u2019identification de l'\u00e9chantillon \u00e9tudi\u00e9.[\/vc_column_text][vc_empty_space]<div class=\"qode-advanced-pricing-table\">\n\t<div class=\"qode-apt-header qode-apt-row\">\n\t\t<div class=\"qode-apt-title-holder\">\n\t\t\t<h5 class=\"qode-apt-title\">\n\t\t\t\t\t\t\t<\/h5>\n\t\t<\/div>\n\t\t<div class=\"qode-apt-column-title-holder\">\n\t\t\t<h5 class=\"qode-apt-title\">\n\t\t\t\t\t\t\t<\/h5>\n\t\t<\/div>\n\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tFichier\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$PE\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tLangage de compilation\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$.NET\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tArchitecture\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$32 bits\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tCompilation\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$27\/02\/2023 21:09:41 UTC\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tObfuscation\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$Aucune\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div 
class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tmd5\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$62e53bc5aa5f2a70a54e328bff51505f\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tsha1\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$e7deceee97a09d539d81eb91f988ece5e2a2ff51\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tsha256\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<div class=\"qode-apt-items qode-apt-row\">\n\t\t\t<div class=\"qode-apt-item-title\">\n\t\t\t\tssdeep\t\t\t<\/div>\n\t\t\t<div class=\"qode-apt-item-price\">\n\t\t\t\t$6144:+B4mr9NzqHW7V5V9w\/UIRZizI1aqebq\/lsyp:+B40qHW7nU\/pZmiXqy\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t<\/div>[vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>Ransomware SkullLocker : analyse technique<\/h2>\n<p>Le sample est un ex\u00e9cutable PE \u00e9crit en .NET mais sans aucune couche d'obfuscation. 
<p>Because the sample is small, a complete analysis of the malware's functionality is possible.</p>
<p>The sample has a <code>Main</code> function that lays out, at a high level, every action the malware takes.</p>
<p><em>[Screenshot in the original post: decompiled <code>Main</code> function.]</em></p>
<p>The ransomware performs the following actions:</p>
<ul>
<li>check that the malware is not already running;</li>
<li>privilege elevation and relocation of the executable to <code>%AppData%</code>;</li>
<li>persistence;</li>
<li>file encryption;</li>
<li>disabling of the data-recovery mechanisms;</li>
<li>propagation;</li>
<li>dropping of the ransom note;</li>
<li>installation of a bitcoin transaction hijacking mechanism (clipboard clipper).</li>
</ul>
<p>Each of these actions is detailed in the following sections.</p>
<h3>Check that the malware is not already running</h3>
<p>The malware checks that it is not already running on the host: it lists the executable names of the other processes on the system and exits if its own name is already present.</p>
<p><em>[Screenshot in the original post: process-name check.]</em></p>
<h3>Privilege elevation and relocation to %AppData%</h3>
<p>The privilege elevation is rudimentary: the malware copies its own executable to <code>%AppData%\svchost.exe</code> and then asks Windows to launch that copy with administrator rights. No exploit is involved; it relies on the user approving the request.</p>
<p>Depending on the system configuration, a UAC prompt appears. An attentive user can notice the attack, because Microsoft's <code>svchost.exe</code> is a signed executable whereas the copy launched by the malware is not (and a genuine <code>svchost.exe</code> never lives under <code>%AppData%</code>). If the user declines, the malware repeats the request in a loop until the user accepts.</p>
<p>Once the privileged process is running, the original process exits. All subsequent steps are carried out by the privileged process.</p>
<p><em>[Screenshot in the original post: elevation and relaunch code.]</em></p>
<p>If the elevation fails, the malware still relocates its executable to <code>%AppData%</code>.</p>
<h3>Persistence</h3>
<p>To persist on the system, the malware registers itself in the Startup folder by writing a file at <code>%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url</code>. Because the file points to its executable, the malware is started automatically by Windows at each logon of this user. MITRE ATT&amp;CK classifies this technique as <a href="https://attack.mitre.org/techniques/T1547/001/" target="_blank" rel="noopener">T1547.001</a>.</p>
<p>Content of <code>svchost.url</code>:</p>
<pre><code>[InternetShortcut]
URL=file:///C:\Users\admin\AppData\Roaming\svchost.exe
IconIndex=0
IconFile=C:/Users/admin/AppData/Roaming/svchost.exe
</code></pre>
<p><em>[Screenshot in the original post: code writing the .url file.]</em></p>
<h3>File encryption</h3>
<p>The malware builds the list of folders in which it will recursively encrypt files:</p>
<ul>
<li>all mounted drives other than <code>C:</code>;</li>
<li>the following folders of the current user's profile:
<ul>
<li>Desktop;</li>
<li>Links;</li>
<li>Contacts;</li>
<li>Documents;</li>
<li>Downloads;</li>
<li>Pictures;</li>
<li>Music;</li>
<li>OneDrive;</li>
<li>Saved Games;</li>
<li>Favorites;</li>
<li>Searches;</li>
<li>Videos;</li>
</ul>
</li>
<li>the <code>%AppData%</code> folder;</li>
<li>the following folders shared by all users (by default under <code>C:\Users\Public</code>):
<ul>
<li>Documents;</li>
<li>Pictures;</li>
<li>Music;</li>
<li>Videos;</li>
<li>Desktop.</li>
</ul>
</li>
</ul>
<p><em>[Screenshot in the original post: code listing the folders to encrypt.]</em></p>
<h3>Encrypting a folder</h3>
<p>In each folder it walks, the malware checks whether each file belongs to the set targeted for encryption. The decision is based on the file extension alone: a file whose extension appears in the list below is processed by the malware.</p>
<p><em>[Screenshot in the original post: extension check.]</em></p>
<p><code>.txt .jar .dat .contact .settings .doc .docx .xls .xlsx .ppt .pptx .odt .jpg .mka .mhtml .oqy .png .csv .py .sql .mdb .php .asp .aspx .html .htm .xml .psd .pdf .xla .cub .dae .indd .cs .mp3 .mp4 .dwg .zip .rar .mov .rtf .bmp .mkv .avi .apk .lnk .dib .dic .dif .divx .iso .7zip .ace .arj .bz2 .cab .gzip .lzh .tar .jpeg .xz .mpeg .torrent .mpg .core .pdb .ico .pas .db .wmv .swf .cer .bak .backup .accdb .bay .p7c .exif .vss .raw .m4a .wma .flv .sie .sum .ibank .wallet .css .js .rb .crt .xlsm .xlsb .7z .cpp .java .jpe .ini .blob .wps .docm .wav .3gp .webm .m4v .amv .m4p .svg .ods .bk .vdi .vmdk .onepkg .accde .jsp .json .gif .log .gz .config .vb .m1v .sln .pst .obj .xlam .djvu .inc .cvs .dbf .tbi .wpd .dot .dotx .xltx .pptm .potx .potm .pot .xlw .xps .xsd .xsf .xsl .kmz .accdr .stm .accdt .ppam .pps .ppsm .1cd .3ds .3fr .3g2 .accda .accdc .accdw .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .arw .ascx .asm .asmx .avs .bin .cfm .dbx .dcm .dcr .pict .rgbe .dwt .f4v .exr .kwm .max .mda .mde .mdf .mdw .mht .mpv .msg .myi .nef .odc .geo .swift .odm .odp .oft .orf .pfx .p12 .pl .pls .safe .tab .vbs .xlk .xlm .xlt .xltm .svgz .slk .tar.gz .dmg .ps .psb .tif .rss .key .vob .epsp .dc3 .iff .onepkg .onetoc2 .opt .p7b .pam .r3d</code></p>
<h3>File processing</h3>
<p>The malware treats files differently according to their size. A file smaller than 2 MB is encrypted (see the next section). A larger file is overwritten with random data.</p>
<p><em>[Screenshot in the original post: size check.]</em></p>
<p>Important: files larger than 2 MB therefore cannot be recovered, even by paying the ransom.</p>
<h3>Encrypting a file</h3>
<p>File contents are encrypted with AES, and the secret used for each file is itself encrypted with RSA. In detail, the procedure is as follows:</p>
<p><em>[Screenshot in the original post: encryption routine.]</em></p>
<ul>
<li>a unique password is generated for each file: 20 characters drawn at random from the set <code>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&amp;?/</code>;</li>
<li>the password is encrypted with RSA using a 1024-bit public key stored in the binary's data, so only the holder of the matching private key can recover it;</li>
<li>the AES key is derived from the password with PBKDF2 (HMAC-SHA1);</li>
<li>the file content is encrypted with AES-256 in CBC mode, then base64-encoded.</li>
</ul>
<p><em>[Screenshot in the original post: RSA public key initialisation.]</em></p>
<p>The malware then overwrites the file's data: first the encrypted and base64-encoded password, enclosed in <code>&lt;EncryptedKey&gt;</code> tags, then the encrypted and encoded original content.</p>
<p><em>[Screenshot in the original post: beginning of a file after encryption.]</em></p>
<p>Because of the base64 encoding and the added header, encrypted files take up more disk space than before: roughly 33% more.</p>
<p>Encrypted files are renamed by appending the <code>.skull</code> extension.</p>
<p><em>[Screenshot in the original post: a folder and the desktop after encryption.]</em></p>
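<p>The on-disk layout described above can be checked with a small triage script. The following is an added example written for this article, not code from the sample or from Stormshield. It classifies the content of a <code>.skull</code> file as <em>encrypted</em> (header present; the RSA-wrapped password is extracted, and recovery would need the attacker's private key) or <em>destroyed</em> (no header and random content: the over-2 MB overwrite path), and estimates the size expansion. Two details are this example's assumptions rather than statements of the analysis: the header is taken to be an <code>&lt;EncryptedKey&gt;…&lt;/EncryptedKey&gt;</code> pair with no separator before the base64 body, and the constructed samples use random bytes in place of the RSA and AES output.</p>

```python
"""Triage of files left behind by SkullLocker, based on the file layout
described in the analysis above. Added example, not the sample's code.

Assumptions (not stated in the article): the header is exactly
"<EncryptedKey>" + base64(RSA ciphertext) + "</EncryptedKey>" with no
separator before the base64 of the AES-256-CBC ciphertext, and the
AES ciphertext carries PKCS#7 padding (at most one extra block).
"""
import base64
import math
import os
import re
from dataclasses import dataclass

SIZE_THRESHOLD = 2 * 1024 * 1024   # files of 2 MB or more are overwritten, not encrypted
RSA_1024_BLOCK = 128               # length in bytes of an RSA-1024 ciphertext
HEADER_RE = re.compile(rb"^<EncryptedKey>([A-Za-z0-9+/=]+)</EncryptedKey>")


@dataclass
class Verdict:
    status: str          # "encrypted", "destroyed" or "unknown"
    wrapped_key: bytes   # RSA ciphertext of the per-file password, b"" if absent
    ciphertext_len: int  # length of the AES ciphertext after base64 decoding
    expansion: float     # on-disk size divided by the estimated original size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: base64 text stays at or below 6, random bytes approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(blob: bytes) -> Verdict:
    """Classify the on-disk content of one .skull file."""
    m = HEADER_RE.match(blob)
    if m:
        wrapped_key = base64.b64decode(m.group(1))
        try:
            ciphertext = base64.b64decode(blob[m.end():], validate=True)
        except ValueError:
            return Verdict("unknown", wrapped_key, 0, 0.0)
        # CBC output is a whole number of 16-byte blocks and PKCS#7 adds at
        # least one byte, so the plaintext was between len-16 and len-1 bytes.
        # Dividing by the smaller bound gives an upper bound on the expansion.
        estimated_original = max(len(ciphertext) - 16, 1)
        return Verdict("encrypted", wrapped_key, len(ciphertext),
                       len(blob) / estimated_original)
    # No header: the random-overwrite path (large or high-entropy content),
    # or something this script does not recognise.
    if len(blob) >= SIZE_THRESHOLD or shannon_entropy(blob[:4096]) > 7.5:
        return Verdict("destroyed", b"", 0, 1.0)
    return Verdict("unknown", b"", 0, 0.0)


def build_encrypted_sample(plaintext_len: int) -> bytes:
    """Constructed stand-in for an encrypted file: random bytes play the part
    of the RSA-wrapped password and of the AES ciphertext (same lengths)."""
    wrapped = base64.b64encode(os.urandom(RSA_1024_BLOCK))
    padded_len = (plaintext_len // 16 + 1) * 16           # PKCS#7 padding
    body = base64.b64encode(os.urandom(padded_len))
    return b"<EncryptedKey>" + wrapped + b"</EncryptedKey>" + body


def build_destroyed_sample(size: int) -> bytes:
    """Constructed stand-in for a file the malware overwrote with random data."""
    return os.urandom(size)


if __name__ == "__main__":
    for name, blob in (("small.docx.skull", build_encrypted_sample(100_000)),
                       ("big.vmdk.skull", build_destroyed_sample(3 * 1024 * 1024))):
        v = triage(blob)
        print(f"{name}: {v.status}, wrapped key {len(v.wrapped_key)} bytes, "
              f"expansion x{v.expansion:.3f}")
```

<p>For a 100,000-byte original the constructed sample comes out at 133,557 bytes, i.e. the 4/3 base64 factor plus a 201-byte header, which matches the "about 33% more" observed on the real files. In an incident, the <em>encrypted</em> verdicts are the only files for which a decryptor would ever help; the <em>destroyed</em> ones must come from backups.</p>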
<h3>Disabling the data-recovery mechanisms</h3>
<p>The malware disables the Windows mechanisms that would allow recovery of the files it has modified (MITRE ATT&amp;CK <a href="https://attack.mitre.org/techniques/T1490/" target="_blank" rel="noopener">T1490</a>, Inhibit System Recovery).</p>
<p><em>[Screenshot in the original post: recovery-inhibition commands.]</em></p>
<table>
<tr><th>Action</th><th>Command used</th></tr>
<tr><td>Delete the shadow copies</td><td><code>vssadmin delete shadows /all /quiet</code></td></tr>
<tr><td>Delete the shadow copies</td><td><code>wmic shadowcopy delete</code></td></tr>
<tr><td>Suppress automatic startup repair on boot failure</td><td><code>bcdedit /set {default} bootstatuspolicy ignoreallfailures</code></td></tr>
<tr><td>Disable the Windows Recovery Environment</td><td><code>bcdedit /set {default} recoveryenabled no</code></td></tr>
<tr><td>Delete the backup catalogue</td><td><code>wbadmin delete catalog -quiet</code></td></tr>
</table>
<h3>Propagation</h3>
<p>The malware also tries to spread through the drives mounted on the system: it copies its executable as <code>skull.exe</code> to the root of every drive other than <code>C:</code>.</p>
<p><em>[Screenshot in the original post: copy to drive roots.]</em></p>
<p>By copying itself to USB media in this way, the malware attempts to reach other hosts without any network connection, including air-gapped ones (MITRE ATT&amp;CK T1091, Replication Through Removable Media).</p>
<h3>Dropping the ransom note</h3>
<p>The malware drops a text file of ransom instructions (<code>read_it.txt</code>, see the IOC list) in every folder it has walked and in the <code>%AppData%</code> folder. It then opens one of these text files so that the instructions are displayed to the user.</p>
<p><em>[Screenshot in the original post: ransom note drop.]</em></p>
<p>The instructions are written in Polish.</p>
<p><em>[Screenshot in the original post: the ransom note.]</em></p>
<p>Translated into English, the note reads:</p>
<p style="padding-left: 40px;"><em>Hello,</em></p>
<p style="padding-left: 40px;"><em>Your files have been encrypted by the SkullLocker ransomware. To regain access to them, you must pay the ransom within 72 hours. Otherwise, your data will be permanently lost.</em><br />
<em>For more information on how to pay the ransom and recover your files, visit the website below.</em><br />
<em>U6cQ2nV4KzL3H8jxSdGhTfMlR0N1wX7eJbO9mZyIaP5pgqWvEoBkYtAxDsFi.onion</em></p>
<p style="padding-left: 40px;"><em>If you have any questions, you can contact us by e-mail at [email protected].</em></p>
<p style="padding-left: 40px;"><em>Do not try to remove the ransomware or recover your data with antivirus software. You could permanently damage your files.</em></p>
<p style="padding-left: 40px;"><em>Remember that time is of the essence. The longer you wait, the lower your chances of recovering your files.</em></p>
<p style="padding-left: 40px;"><em>Regards,</em><br />
<em>The ransomware team</em></p>
<p>(The e-mail address is obfuscated on the source page. Note also that the .onion address given is not a syntactically valid Tor v3 onion address, which consists of 56 lower-case base32 characters.)</p>
<h3>Bitcoin transaction hijacking</h3>
<p>The malware then stays resident and tries to hijack bitcoin transactions by listening for changes to the clipboard (copy/paste).</p>
<p>On every change of the clipboard content, the malware applies a regular expression to check for a bitcoin wallet address. If it finds one, it replaces it with a fixed address stored in the binary. The authors thereby aim to swap the recipient address of a transaction for a wallet they control and collect the bitcoins sent.</p>
<p><em>[Screenshot in the original post: clipboard clipper.]</em></p>
<p>The two bitcoin wallet addresses used by the sample are:</p>
<ul>
<li>bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg</li>
<li>17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV</li>
</ul>
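<p>The clipper above works purely on syntax: anything that looks like an address is swapped. The following is an added example for this article, not code from the sample (the analysis only states that a regular expression is used; the expressions and validators here are this example's own). It shows the two address classes such a regex has to cover, the substitution the malware applies to clipboard content, and the Base58Check and BIP173 checksums that distinguish a real address from a lookalike, which is the check a paste guard in a wallet should perform before sending. The checksum test vectors are the genesis-block address and the BIP173 P2WPKH example, both public; the two addresses from the sample are only matched, not asserted valid.</p>

```python
"""Address matching of the kind the clipper described above relies on, and
the checksum validation it does not perform. Added example for this
article, not code from the sample: the regular expression and the
validators below are this example's own.
"""
import hashlib
import re

# Address classes a clipboard clipper typically matches: Base58 legacy
# addresses (prefix 1 or 3) and Bech32 native-SegWit addresses (prefix bc1).
ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
    r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def find_addresses(text: str) -> list:
    """Everything the clipper's regex would treat as a bitcoin address."""
    return ADDRESS_RE.findall(text)


def simulate_clipper(text: str, attacker_address: str) -> str:
    """The substitution the malware applies to new clipboard content."""
    return ADDRESS_RE.sub(attacker_address, text)


def base58check_valid(address: str) -> bool:
    """Base58Check: the last 4 bytes equal the first 4 bytes of SHA-256d(payload)."""
    n = 0
    for ch in address:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    try:
        raw = n.to_bytes(25, "big")        # 1 version byte + 20 hash bytes + 4 checksum
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def _bech32_polymod(values: list) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(address: str) -> bool:
    """BIP173 checksum for witness v0 addresses (bech32m uses another constant)."""
    address = address.lower()
    sep = address.rfind("1")
    if sep < 1 or len(address) - sep < 7:
        return False
    hrp, data = address[:sep], address[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + [BECH32_CHARSET.index(c) for c in data]) == 1


def address_valid(address: str) -> bool:
    return bech32_valid(address) if address.lower().startswith("bc1") else base58check_valid(address)


def paste_guard(intended: str, clipboard: str) -> bool:
    """Defensive check before sending: the pasted address must be exactly the
    intended one and pass its checksum (a clipper swap fails the first test)."""
    return clipboard.strip() == intended and address_valid(intended)


if __name__ == "__main__":
    # Constructed clipboard content, using the two addresses from the sample.
    clip = "send 0.05 BTC to bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg"
    print(find_addresses(clip))
    print(simulate_clipper(clip, "17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV"))
```

<p>Because the clipper rewrites the clipboard, not the screen, the swapped address is what lands in the wallet's "recipient" field; comparing the pasted value against the one you intended to send to (the <code>paste_guard</code> check) is the only reliable user-side defence once the clipper is running.</p>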
<h3>Summary</h3>
<p>SkullLocker is a crude ransomware: it performs no network communication to contact a C2 server, and it simply destroys a large share of the data files during its "encryption" pass. There is no reason to trust that paying the ransom would recover the files. Encrypting only the smaller files appears to serve solely to "prove" during negotiation that files can be recovered.</p>
<p>For further reading, another cyber-security vendor has published an <a href="https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html" target="_blank" rel="noopener">article on the Chaos malware</a> with views of the builder (the tool that lets criminals generate executables of the malware).</p>
<p>The sample analysed here is a Chaos variant that differs from other samples of the malware only in its configuration. The builder's options allow, for example, changing:</p>
<ul>
<li>the extension of encrypted files;</li>
<li>the name of the executable used for privilege elevation;</li>
<li>the text of the ransom note;</li>
<li>whether encryption is enabled at all (otherwise files under 2 MB are also simply overwritten).</li>
</ul>
<p><em>[Screenshot in the original post: the Chaos builder.]</em></p>
<h2>SkullLocker ransomware and Stormshield protections</h2>
<p><em>[The original post rates each product below with two images: a confidence index for the protection and a confidence index for the absence of false positives.]</em></p>
<h3>Breach Fighter</h3>
<p>The Breach Fighter sandboxing service, available as an option on Stormshield Network Security firewalls (on SMTP/HTTP/FTP flows) and also offered as an API, detects and blocks the malware.</p>
<p><em>[Screenshot in the original post: Breach Fighter verdict.]</em></p>
<h3>Stormshield Network Security</h3>
<p>Stormshield Network Security firewalls also detect the malware in transit with the Advanced Antivirus option, even without the Breach Fighter option.</p>
<h3>Stormshield Endpoint Security Evolution</h3>
<p>SES Evolution is able to detect and block the malware at execution, before encryption begins.</p>
<p>Its anti-ransomware protection detects and blocks the malware at two stages: during file encryption and during the disabling of the Windows file-recovery features.</p>
<h2>SkullLocker &amp; IOC</h2>
<p><strong>SkullLocker IOCs:</strong> references of the samples studied for this analysis.</p>
<h3>Hashes</h3>
<ul>
<li>Executable
<ul>
<li>MD5: 62e53bc5aa5f2a70a54e328bff51505f</li>
<li>SHA1: e7deceee97a09d539d81eb91f988ece5e2a2ff51</li>
<li>SHA256: bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369</li>
</ul>
</li>
<li>Ransom note
<ul>
<li>MD5: a23e76ce33adf72409fb0c43393d3087</li>
<li>SHA1: 502620245be1d0912ab9c4fb5390ab14e27778a8</li>
<li>SHA256: 88702c38b8bea9555a13ae747cbfdf2947fff6060f4fef75486025e0152ddf3a</li>
</ul>
</li>
</ul>
<h3>Paths</h3>
<ul>
<li>.skull</li>
<li>read_it.txt</li>
<li>%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url</li>
<li>%AppData%\svchost.exe</li>
<li>X:\skull.exe</li>
</ul>
<h3>Processes</h3>
<ul>
<li>vssadmin delete shadows /all /quiet</li>
<li>wmic shadowcopy delete</li>
<li>bcdedit /set {default} bootstatuspolicy ignoreallfailures</li>
<li>bcdedit /set {default} recoveryenabled no</li>
<li>wbadmin delete catalog -quiet</li>
</ul>
<h3>Breach Fighter portal</h3>
<ul>
<li><a href="https://breachfighter.stormshieldcs.eu/bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369" target="_blank" rel="noopener">bf.stormshieldcs.eu/bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369</a></li>
</ul>
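<p>The path and process indicators above, together with the Startup-folder persistence, the <code>svchost.exe</code> masquerade and the recovery-inhibition commands described in the analysis, can be turned into a single offline sweep. The following is an added example written for this article, not Stormshield's or the malware's code. The file listing, the <code>.url</code> content and the process events are constructed to exercise the rules; the assumption is that in production the process fields would come from Sysmon event 1 or Security event 4688, and the file listing from a disk image or EDR file inventory.</p>

```python
"""Offline sweep for the SkullLocker indicators listed above: path IOCs, the
Startup-folder .url persistence, the svchost.exe masquerade and the
recovery-inhibition command lines. Added example for this article, not
Stormshield's or the malware's code. The file listing, the .url content and
the process events are constructed; Sysmon event 1 / Security 4688 are the
assumed sources for the process fields.
"""
import configparser
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RECOVERY_CMDS = [  # the five commands run by the sample (ATT&CK T1490)
    r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    r"wbadmin(\.exe)?\s+delete\s+catalog\s+-quiet",
]
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class ProcessEvent:
    image: str
    command_line: str


@dataclass
class Finding:
    technique: str   # ATT&CK ID, or "IOC" for a plain path indicator
    detail: str


def check_process(ev: ProcessEvent) -> list:
    findings = []
    image = ntpath.normcase(ev.image)
    if ntpath.basename(image) == "svchost.exe" and not image.startswith(LEGIT_SVCHOST_DIRS):
        findings.append(Finding("T1036.005", f"svchost.exe outside System32: {ev.image}"))
    for pattern in RECOVERY_CMDS:
        if re.search(pattern, ev.command_line, re.IGNORECASE):
            findings.append(Finding("T1490", ev.command_line))
    return findings


def parse_url_shortcut(content: str) -> str:
    """Return the URL= target of an [InternetShortcut] .url file ('' if none)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(content)
    return cp.get("InternetShortcut", "URL", fallback="")


def check_file(path: str, content: Optional[str] = None) -> list:
    findings = []
    low = ntpath.normcase(path)
    name = ntpath.basename(low)
    drive, rest = ntpath.splitdrive(low)
    if name.endswith(".skull") or name == "read_it.txt":
        findings.append(Finding("IOC", path))
    if low.endswith("\\appdata\\roaming\\svchost.exe"):
        findings.append(Finding("T1036.005", f"svchost.exe copy in AppData: {path}"))
    if name == "skull.exe" and drive and rest.lstrip("\\") == name:
        findings.append(Finding("T1091", f"copy at drive root: {path}"))
    if STARTUP_DIR in low and name.endswith(".url") and content:
        target = parse_url_shortcut(content)
        if "\\appdata\\" in ntpath.normcase(target):   # Startup entry pointing into the profile
            findings.append(Finding("T1547.001", f"{path} -> {target}"))
    return findings


def sweep(files: dict, processes: list) -> list:
    findings = []
    for path, content in files.items():
        findings += check_file(path, content)
    for ev in processes:
        findings += check_process(ev)
    return findings


def summarize(findings: list) -> dict:
    return dict(Counter(f.technique for f in findings))


URL_SHORTCUT = r"""
[InternetShortcut]
URL=file:///C:\Users\admin\AppData\Roaming\svchost.exe
IconIndex=0
IconFile=C:/Users/admin/AppData/Roaming/svchost.exe
"""

SAMPLE_FILES = {  # constructed listing of a hit profile, a USB key and two benign entries
    r"C:\Users\admin\AppData\Roaming\svchost.exe": None,
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url": URL_SHORTCUT,
    r"E:\skull.exe": None,
    r"C:\Users\admin\Documents\budget.xlsx.skull": None,
    r"C:\Users\admin\Documents\read_it.txt": None,
    r"C:\Windows\System32\svchost.exe": None,
    r"C:\Users\admin\Desktop\notes.txt": None,
}

SAMPLE_PROCESSES = [  # constructed process-creation events, last one benign
    ProcessEvent(r"C:\Users\admin\AppData\Roaming\svchost.exe", r'"C:\Users\admin\AppData\Roaming\svchost.exe"'),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_FILES, SAMPLE_PROCESSES):
        print(f"{f.technique:10} {f.detail}")
```

<p>On the constructed data the sweep returns nine findings: three T1490 command lines, two <code>svchost.exe</code> masquerade hits (the file in <code>%AppData%</code> and the process started from it), the Startup <code>.url</code>, the <code>skull.exe</code> copy at the root of <code>E:</code>, and the two plain path IOCs. The genuine <code>C:\Windows\System32\svchost.exe</code> and the untouched <code>notes.txt</code> produce nothing, which is the property worth keeping when adapting these rules to real telemetry.</p>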
type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Alerte s\u00e9curit\u00e9 SkullLocker : la r\u00e9ponse des produits Stormshield\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#website\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\",\"name\":\"Stormshield\",\"description\":\"Stormshield\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\",\"name\":\"Stormshield Customer Security Lab\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"caption\":\"Stormshield Customer Security Lab\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}