{"id":510863,"date":"2024-04-09T15:50:00","date_gmt":"2024-04-09T14:50:00","guid":{"rendered":"https:\/\/www.stormshield.com\/?p=510863"},"modified":"2024-07-08T12:05:54","modified_gmt":"2024-07-08T11:05:54","slug":"analyse-technique-du-ransomware-crypt888","status":"publish","type":"post","link":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/","title":{"rendered":"Analyse technique du ransomware Crypt888"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<strong>Suite \u00e0 la d\u00e9tection par nos partenaires de l\u2019activit\u00e9 r\u00e9cente d\u2019un ransomware en Asie, l\u2019\u00e9quipe de Cyber Threat Intelligence de Stormshield a proc\u00e9d\u00e9 \u00e0 l\u2019analyse approfondie de cette souche. Ce malware fait partie d\u2019une famille d\u00e9j\u00e0 identifi\u00e9e par d\u2019autres acteurs de la cybers\u00e9curit\u00e9, sous le nom de \u00ab\u00a0Crypt888\u00a0\u00bb, \u00ab\u00a0Strictor\u00a0\u00bb, \u00ab\u00a0Nymeria\u00a0\u00bb ou d\u2019autres encore. 
Le retour de ce malware est l\u2019occasion pour le Stormshield Customer Security Lab de fournir des \u00e9l\u00e9ments techniques derri\u00e8re cette attaque de ransomware.<\/strong><\/p>\n<p>Nous verrons dans cet article que \u00ab\u00a0888\u00a0\u00bb fait \u00e9cho \u00e0 une particularit\u00e9 technique du malware.<\/p>\n<p>&nbsp;<\/p>\n<h2>Vecteur initial de l\u2019attaque du ransomware Crypt888<\/h2>\n<p>Nous nous sommes procur\u00e9s deux samples que nous avons analys\u00e9s\u00a0:<\/p>\n<ul>\n<li>2e0f1385a0eb72f189c3d3cffa38020d71370ab621139c5688647c5bab6bc7f2<\/li>\n<li>ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813<\/li>\n<\/ul>\n<p>Nous avons observ\u00e9 deux formes de phase initiale de l\u2019attaque\u00a0: dans la premi\u00e8re, le fichier se fait passer pour un installateur du navigateur web Google Chrome, dans l\u2019autre il se fait passer pour un document PDF.<\/p>\n<p>Dans le cas de l\u2019installeur du navigateur Google Chrome, le malware se pr\u00e9sente sous la forme d\u2019un ex\u00e9cutable reprenant l\u2019ic\u00f4ne de Google Chrome.<\/p>\n<p>Dans le cas du document PDF, le fichier est \u00e9galement un ex\u00e9cutable mais avec une double extension. Il s\u2019intitule <em><code>\u00ab\u00a0Academics.pdf.exe\u00a0\u00bb<\/code><\/em> mais si les param\u00e8tres sont r\u00e9gl\u00e9s par d\u00e9faut sur la session Windows, l\u2019explorateur de fichiers masque les extensions de fichiers connues (ici, .exe). 
Visuellement, sans notion d\u2019extension et avec une ic\u00f4ne tr\u00e8s suggestive, l\u2019utilisateur ne se rend pas compte qu'il a affaire \u00e0 un ex\u00e9cutable et non \u00e0 un document PDF.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510864\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 1 : Affichage des samples dans l\u2019explorer Windows<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]Mis \u00e0 part le changement de nom et d'ic\u00f4ne, les attaquants n'ont pas r\u00e9alis\u00e9 d'efforts particuliers de personnalisation des samples utilis\u00e9s. 
Les informations d\u00e9claratives de d\u00e9tails des fichiers (description, nom de la soci\u00e9t\u00e9 ou du produit\u2026) sont absentes.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510869\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 2 - D\u00e9tails des fichiers des deux samples<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]Nous n\u2019avons pas assez d\u2019\u00e9l\u00e9ments probants pour affirmer comment est distribu\u00e9 ce malware sur les ordinateurs des victimes. Toutefois, la volont\u00e9 de faire passer les samples pour des ex\u00e9cutables l\u00e9gitimes rendent probable la distribution par phishing (Document PDF) et les sites de sites de t\u00e9l\u00e9chargement (Installeur de logiciel).<\/p>\n<h2>Langages et obfuscation du ransomware Crypt888<\/h2>\n<p>En dehors de l\u2019ic\u00f4ne et du fond d\u2019\u00e9cran, les deux samples sont identiques, dans le sens o\u00f9 leurs codes sources ne sont pas diff\u00e9rents. Pour des raisons de simplicit\u00e9 et de lecture dans la suite de l\u2019article, nous allons consid\u00e9rer ces deux souches comme \u00e9tant des variantes du m\u00eame malware, pr\u00e9sent\u00e9 sous le nom du ransomware \u00ab\u00a0Crypt888\u00a0\u00bb.<\/p>\n<p>Le malware utilise plusieurs couches d'obfuscation. 
\u00c0 la base, la logique est d\u00e9velopp\u00e9e sous la forme d\u2019un script AutoIT, qui a ensuite \u00e9t\u00e9 pack\u00e9 pour retirer toutes les valeurs constantes du code (chaines de caract\u00e8res et valeurs num\u00e9riques).<\/p>\n<p>Les donn\u00e9es retir\u00e9es sont s\u00e9rialis\u00e9es et plac\u00e9es dans un fichier distribu\u00e9 avec le script. Ce script et tous les fichiers annexes sont ensuite compil\u00e9s dans un ex\u00e9cutable qui est \u00e0 son tour pack\u00e9 par UPX.<\/p>\n<p>Voici un extrait du code AutoIT. Les commentaires sont les valeurs qui ont \u00e9t\u00e9 reconstruites \u00e0 partir des fichiers annexes\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510874\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 3 - Extrait du code AutoIT d\u2019un des samples<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>Chronologie de l\u2019attaque du ransomware Crypt888<\/h2>\n<p>La chronologie en version rapide est la suivante\u00a0: le ransomware commence par d\u00e9sactiver le m\u00e9canisme d'UAC\u00a0; il chiffre ensuite les fichiers situ\u00e9s dans les dossiers utilisateurs et les dossiers publics avec une cl\u00e9 fixe\u00a0; et enfin, il lance l\u2019affichage de la demande de ran\u00e7on via un changement du fond d'\u00e9cran.<\/p>\n<p>La chronologie en version d\u00e9taill\u00e9e est beaucoup plus complexe, r\u00e9capitul\u00e9e en image 
ci-dessous.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510879\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 4 - Sch\u00e9ma r\u00e9capitulatif du fonctionnement de Crypt888<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]L\u2019infection par le ransomware se compose quant \u00e0 lui en quatre \u00e9tapes, qui seront d\u00e9taill\u00e9es dans des paragraphes d\u00e9di\u00e9s\u00a0juste ensuite\u00a0:<\/p>\n<ul>\n<li>Bypass de l\u2019UAC via Side-Loading<\/li>\n<li>D\u00e9sactivation de l\u2019UAC<\/li>\n<li>Parcours et chiffrement des fichiers<\/li>\n<li>Affichage de la note de ran\u00e7on<\/li>\n<\/ul>\n<h3>Bypass de l\u2019UAC via Side-Loading<\/h3>\n<h4>Pr\u00e9paration d\u2019un Side-Loading<\/h4>\n<p>Le ransomware commence par placer deux archives au format CAB (32.cab et 64.cab) dans le dossier temporaire de l'utilisateur courant\u00a0: <em><code>\u00ab\u00a0C:\\Users\\&lt;userName&gt;\\AppData\\Local\\Temp\\\u00a0\u00bb<\/code><\/em>.<\/p>\n<p>Ces archives contiennent respectivement les versions 32 et 64 bits d'une librairie DLL nomm\u00e9e <em><code>\u00ab\u00a0cryptbase.dll\u00a0\u00bb<\/code><\/em>. Nous verrons plus tard que ce fichier DLL contient du code malveillant. 
Le malware tente ensuite de d\u00e9ployer la version correspondante \u00e0 l'architecture processeur dans le dossier syst\u00e8me <em><code>\u00ab\u00a0C:\\WINDOWS\\system32\\migwiz\\\u00a0\u00bb<\/code><\/em>.<\/p>\n<p>\u00c0 ce moment pr\u00e9cis, le malware va manquer de droits mais pour il va utiliser l'outil <em><code>\u00ab\u00a0Microsoft Windows Update Standalone Installer\u00a0\u00bb<\/code><\/em> (wusa.exe) avec le param\u00e8tre <em><code>\u00ab\u00a0\/extract\u00a0\u00bb<\/code><\/em> pour ne pas rester bloqu\u00e9. Cette commande permet de placer le contenu d'une archive \u00e0 un emplacement arbitraire sans pr\u00e9senter la fen\u00eatre d'avertissement de l'UAC sur un syst\u00e8me Windows ayant la configuration par d\u00e9faut.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#060051\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text]<span style=\"color: #ffffff;\"><strong>Note\u00a0: <\/strong>L'outil \u00ab\u00a0wusa.exe\u00a0\u00bb a \u00e9t\u00e9 introduit avec Windows Vista et est utilis\u00e9 dans le processus de mise \u00e0 jour de Windows. En r\u00e9ponse \u00e0 divers abus, Microsoft a d\u00e9cid\u00e9 de retirer le param\u00e8tre <em><code>\u00ab\u00a0\/extract\u00a0\u00bb<\/code><\/em> des versions fournies avec Windows 10. 
Cela implique donc que ce malware ne cible que les \u00ab\u00a0anciens\u00a0\u00bb Windows.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510884\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 5 - Sch\u00e9ma r\u00e9capitulatif de la mise en place du Side-Loading<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h4>D\u00e9clenchement du Side-Loading<\/h4>\n<p>Le malware d\u00e9pose ensuite un script VBS nomm\u00e9 <em><code>\u00ab\u00a0888.vbs\u00a0\u00bb<\/code><\/em> dans le dossier temporaire de l'utilisateur puis l'ex\u00e9cute. 
Le contenu du script VBS montre un lancement de l'utilitaire <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em> avec les param\u00e8tres suivants\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510889\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_empty_space][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 6 - Contenu du script 888.vbs<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]Le programme <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em> est un outil Microsoft l\u00e9gitime permettant de r\u00e9aliser des migrations de donn\u00e9es d'un poste Windows \u00e0 un autre. Il a aussi la particularit\u00e9 technique de b\u00e9n\u00e9ficier d\u2019une \u00e9l\u00e9vation UAC automatique, ce qui en fait un candidat potentiel pour des tentatives de bypass UAC.<\/p>\n<p>Les actions malveillantes ne sont pas r\u00e9alis\u00e9es directement par ce programme. Mais pour son fonctionnement, il a besoin de charger le module <em><code>\u00ab\u00a0cryptbase.dll\u00a0\u00bb<\/code><\/em>, lequel, dans le contexte technique de l\u2019attaque, a justement \u00e9t\u00e9 d\u00e9pos\u00e9 par le malware dans le r\u00e9pertoire de <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em>.<\/p>\n<p>Cette version malveillante du module est donc prioritaire et sera charg\u00e9e \u00e0 la place de celle officielle fournie par Microsoft. 
Le code malveillant s\u2019ex\u00e9cutera donc dans le contexte de cet ex\u00e9cutable l\u00e9gitime qui d\u00e9marre automatiquement avec les droits d\u2019administrateur.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510894\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 7 - Sch\u00e9ma r\u00e9capitulatif du d\u00e9clenchement du Side-Loading<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>D\u00e9sactivation de l'UAC<\/h3>\n<p>Une fois le Side-Loading d\u00e9clench\u00e9, le module <em><code>\u00ab\u00a0cryptbase.dll\u00a0\u00bb<\/code><\/em> malveillant d\u00e9pos\u00e9 par le malware s\u2019assure qu'il est charg\u00e9 par le processus <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em>. Si c'est le cas, il ex\u00e9cute la commande donn\u00e9e en param\u00e8tre de ligne de commande, ce qui permet donc d'ex\u00e9cuter des commandes dans le contexte du processus <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em>, lequel b\u00e9n\u00e9ficie d'une auto-\u00e9l\u00e9vation UAC.<\/p>\n<p>Dans le cas de la chaine d\u2019attaque, la commande pass\u00e9e \u00e0 <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em> permet d'\u00e9crire une valeur particuli\u00e8re dans la base de registres qui d\u00e9sactive le m\u00e9canisme d'UAC sur le syst\u00e8me. 
De cette mani\u00e8re, si Crypt888 effectue des actions n\u00e9cessitant des privil\u00e8ges, elles pourront \u00eatre r\u00e9alis\u00e9es directement sans que l'utilisateur n\u2019ait \u00e0 accepter un message de validation.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#060051\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text]<span style=\"color: #ffffff;\"><strong>Note\u00a0: <\/strong>Sur les versions \u00e0 partir de Windows 8, cette \u00e9tape ne fonctionne plus car <em><code>\u00ab\u00a0migwiz.exe\u00a0\u00bb<\/code><\/em> n'est plus pr\u00e9sent par d\u00e9faut. Cela implique encore une fois que ce malware ne cible que les \u00ab\u00a0anciens\u00a0\u00bb Windows.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>Parcours et chiffrement des fichiers<\/h3>\n<h4>Fichiers cibl\u00e9s<\/h4>\n<p>L'ex\u00e9cutable initial de Crypt888 cherche \u00e0 chiffrer tous les fichiers situ\u00e9s dans les sous r\u00e9pertoires \u00ab\u00a0Documents\u00a0\u00bb, \u00ab\u00a0Pictures\u00a0\u00bb, \u00ab\u00a0Videos\u00a0\u00bb, \u00ab\u00a0Desktop\u00a0\u00bb et \u00ab\u00a0Music\u00a0\u00bb du dossier de l'utilisateur courant et du dossier partag\u00e9 entre les utilisateurs\u00a0: \u00ab\u00a0Public\u00a0\u00bb.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" 
z_index=\"\" background_color=\"#060051\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text]<span style=\"color: #ffffff;\"><strong>Note\u00a0: <\/strong>Les samples \u00e9tudi\u00e9s sont \u00e9tonnants par le fait de chercher \u00e0 acqu\u00e9rir un niveau de privil\u00e8ge plus \u00e9lev\u00e9 au travers de bypass UAC, alors que les fichiers cibl\u00e9s peuvent \u00eatre modifi\u00e9s avec les droits par d\u00e9faut de l\u2019utilisateur.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/span><\/p>\n<h4>Chiffrement des fichiers<\/h4>\n<p>Les fichiers trouv\u00e9s sont chiffr\u00e9s en utilisant une cl\u00e9 fixe appliqu\u00e9e \u00e0 l'algorithme DES. Ci-dessous le contenu d\u2019un fichier avant et apr\u00e8s chiffrement\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510899\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 8 - Contenu d\u2019un fichier avant et apr\u00e8s chiffrement<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#060051\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text]<span style=\"color: #ffffff;\"><strong>Note\u00a0: <\/strong>L\u2019algorithme de chiffrement 
DES est d\u00e9pr\u00e9ci\u00e9 depuis le d\u00e9but des ann\u00e9es 2000 car il est devenu faible compar\u00e9 aux puissances de calculs. On se serait attendu \u00e0 l\u2019emploi d\u2019un algorithme de chiffrement plus \u00ab\u00a0fort\u00a0\u00bb de la part d\u2019un ransomware\u00a0; ce qui nous pousse une nouvelle fois \u00e0 penser qu\u2019il n\u2019est pas tr\u00e8s \u00e9volu\u00e9.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text]<\/p>\n<h4>Renommage des fichiers chiffr\u00e9s<\/h4>\n<p>Une fois les donn\u00e9es chiffr\u00e9es, le nom du fichier est pr\u00e9fix\u00e9 de la chaine <em><code>\u00ab\u00a0Lock\u00a0\u00bb<\/code><\/em>. Il est donc possible de d\u00e9chiffrer les fichiers alt\u00e9r\u00e9s car les fichiers chiffr\u00e9s sont clairement identifiables d\u2019une part et l'algorithme de chiffrement est r\u00e9versible et utilise une clef fixe d\u2019autre part.<\/p>\n<p>Voici le contenu d\u2019un dossier avant et apr\u00e8s chiffrement\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510904\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_empty_space height=\"12px\"][vc_single_image image=\"510909\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figures 9 et 10 - Listing de fichiers avant et apr\u00e8s chiffrement<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" 
use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>Affichage de la note de ran\u00e7on<\/h3>\n<p>Voici les fonds d'\u00e9cran configur\u00e9s par les deux samples\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510914\" img_size=\"large\" alignment=\"center\" qode_css_animation=\"\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 11 - Fonds d\u2019\u00e9cran potentiels de demande de ran\u00e7on<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#060051\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text]<span style=\"color: #ffffff;\"><strong>Note\u00a0: <\/strong>Un des samples affichent une demande ran\u00e7on en se pr\u00e9sentant comme le malware \u00ab\u00a0Pablukl0cker\u00a0\u00bb. Une analyse de ce malware a cependant montr\u00e9 qu\u2019il n\u2019est en rien similaire aux samples \u00e9tudi\u00e9s dans ce rapport. 
Nous ne disposons pas d\u2019\u00e9l\u00e9ments concrets pour affirmer pourquoi ces cyber-criminels veulent se faire passer pour un autre mais plusieurs hypoth\u00e8ses sont plausibles comme profiter de la notori\u00e9t\u00e9 d\u2019un autre groupe de cyber-criminels Ou donner de fausses indications pour tromper les victimes et \u00e9viter une r\u00e9action efficace.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>Synth\u00e8se et mod\u00e9lisation de l\u2019attaque du ransomware Crypt888<\/h2>\n<p><strong>En synth\u00e8se, \u00ab\u00a0Crypt888\u00a0\u00bb est un ransomware tr\u00e8s simpliste visant d'anciennes versions de Windows (Vista et 7).<\/strong> Le malware semble avoir demand\u00e9 peu de moyens pour son d\u00e9veloppement et les motivations d'utilisation doivent s\u00fbrement r\u00e9sider dans sa simplicit\u00e9 d'utilisation, sa sobri\u00e9t\u00e9 et son efficacit\u00e9. Il n'y a par exemple pas besoin de maintenir une infrastructure de C&amp;C pour g\u00e9n\u00e9rer les cl\u00e9s de chiffrement. 
Bien que le ransomware soit de conception ancienne (on en trouve les premi\u00e8res traces d\u00e8s 2016), il semble toujours actif dans certaines r\u00e9gions g\u00e9ographiques comme dans le sud-est de l\u2019Asie.<\/p>\n<p>Plusieurs indices nous laissent penser que peu d\u2019efforts ont \u00e9t\u00e9 d\u00e9di\u00e9s au d\u00e9veloppement du ransomware\u00a0:<\/p>\n<ul>\n<li>l'algorithme de chiffrement (DES) est d\u00e9pr\u00e9ci\u00e9 depuis le d\u00e9but des ann\u00e9es 2000\u00a0;<\/li>\n<li>les d\u00e9veloppeurs n\u2019ont pas maintenu le malware pour supporter les \u00e9volutions du syst\u00e8me Windows au court des ann\u00e9es\u00a0: la d\u00e9sactivation de l'UAC ne fonctionne donc pas sur les versions de Windows 8 et sup\u00e9rieures\u00a0;<\/li>\n<li>la conception du syst\u00e8me cryptographique rend les donn\u00e9es facilement d\u00e9chiffrables (cl\u00e9 de chiffrement fixe)\u00a0;<\/li>\n<li>aucune action n'est r\u00e9alis\u00e9e pour d\u00e9sactiver le m\u00e9canisme de Shadow Copies (sauvegardes natives de Windows permettant de restaurer les fichiers)\u00a0;<\/li>\n<li>le ransomware ne cible pas les fichiers des autres utilisateurs ou les partages r\u00e9seaux par exemple.<\/li>\n<\/ul>\n<p>Ce ransomware est un nouvel exemple qui illustre l'attrait des criminels pour les malwares simples d'utilisation, ne n\u00e9cessitant aucune maintenance et tr\u00e8s peu de comp\u00e9tences techniques. Pour d\u00e9velopper le ransomware et l\u2019exploiter, les n\u2019ont besoin que de peu de comp\u00e9tences en programmation et aucune en administration syst\u00e8me. De fait, aucun frais d\u2019infrastructure n\u2019est n\u00e9cessaire pour h\u00e9berger le serveur C&amp;C. De plus, le malware est facilement r\u00e9utilisable sans poss\u00e9der le code source. 
Il est alors fort possible que des groupes cyber-criminels autres que les d\u00e9veloppeurs utilisent le ransomware.<\/p>\n<p>Pour aller plus loin sur le sujet, voici la kill chain MITRE ATT&amp;CK mise en \u0153uvre par le ransomware Crypt888\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text]<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"175\"><span style=\"color: #000000;\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/tactics\/TA0003\/\" target=\"_blank\" rel=\"noopener\"><strong>Persistence<\/strong><\/a><\/span><\/span><\/p>\n<hr \/>\n<\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/tactics\/TA0004\/\" target=\"_blank\" rel=\"noopener\"><strong>Privilege Escalation<\/strong><\/a><\/span><\/span><\/p>\n<hr \/>\n<\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\" target=\"_blank\" rel=\"noopener\"><strong>Defense Evasion<\/strong><\/a><\/span><\/span><\/p>\n<hr \/>\n<\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\/\" target=\"_blank\" rel=\"noopener\"><strong>Impact<\/strong><\/a><\/span><\/span><\/p>\n<hr \/>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noopener\">T1574.002-Hijack Execution Flow: DLL Side-Loading<\/a><\/span><\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><a style=\"color: 
#000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1548\/002\/\" target=\"_blank\" rel=\"noopener\">T1548.002-Abuse Elevation Control Mechanism: Bypass User Account Control<\/a><\/span><\/p>\n<p><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noopener\">T1574.002-Hijack Execution Flow: DLL Side-Loading<\/a><\/span><\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1548\/002\/\" target=\"_blank\" rel=\"noopener\">T1548.002-Abuse Elevation Control Mechanism: Bypass User Account Control<\/a><\/span><\/p>\n<p><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noopener\">T1574.002-Hijack Execution Flow: DLL Side-Loading<\/a><\/span><\/td>\n<td width=\"175\"><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"https:\/\/attack.mitre.org\/techniques\/T1486\/\" target=\"_blank\" rel=\"noopener\">T1486-Data Encrypted for Impact<\/a><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]Voici le d\u00e9tail de l\u2019utilisation des techniques MITRE ATT&amp;CK par le ransomware Crypt888\u00a0:[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text]<div id=\"footable_parent_510997\"\n         class=\" footable_parent ninja_table_wrapper loading_ninja_table wp_table_data_press_parent semantic_ui 
\">\n                <table data-ninja_table_instance=\"ninja_table_instance_0\" data-footable_id=\"510997\" data-filter-delay=\"1000\" aria-label=\"Voici le d\u00e9tail de l\u2019utilisation des techniques MITRE ATT&amp;CK par le ransomware Crypt888\"            id=\"footable_510997\"\n           data-unique_identifier=\"ninja_table_unique_id_3958894382_510997\"\n           class=\" foo-table ninja_footable foo_table_510997 ninja_table_unique_id_3958894382_510997 ui table  nt_type_ajax_table selectable celled striped compact vertical_centered  footable-paging-right ninja_table_search_disabled\">\n                <colgroup>\n                            <col class=\"ninja_column_0 \">\n                            <col class=\"ninja_column_1 \">\n                            <col class=\"ninja_column_2 \">\n                    <\/colgroup>\n            <\/table>\n    \n    \n    \n<\/div>\n[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>IOC du ransomware Crypt888<\/h2>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text]<div id=\"footable_parent_510993\"\n         class=\" footable_parent ninja_table_wrapper loading_ninja_table wp_table_data_press_parent semantic_ui \">\n                <table data-ninja_table_instance=\"ninja_table_instance_1\" data-footable_id=\"510993\" data-filter-delay=\"1000\" aria-label=\"IOC du ransomware Crypt888\"            id=\"footable_510993\"\n           data-unique_identifier=\"ninja_table_unique_id_3466568180_510993\"\n           class=\" foo-table ninja_footable 
foo_table_510993 ninja_table_unique_id_3466568180_510993 ui table  nt_type_ajax_table selectable celled striped compact vertical_centered  footable-paging-right ninja_table_search_disabled\">\n                <colgroup>\n                            <col class=\"ninja_column_0 \">\n                            <col class=\"ninja_column_1 \">\n                            <col class=\"ninja_column_2 \">\n                    <\/colgroup>\n            <\/table>\n    \n    \n    \n<\/div>\n[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]During our research, we found other \"initial samples\" very close to those analysed in this article. Without having studied them in detail, we take the liberty of citing them.<\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h2>Stormshield protection measures<\/h2>\n<h3>Breach Fighter against the Crypt888 ransomware<\/h3>\n<p>The Breach Fighter sandboxing service, available as an option on Stormshield Network Security firewalls (on SMTP\/HTTP\/FTP flows) and also as an API, detects and blocks the malware.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510919\" img_size=\"large\" alignment=\"center\" onclick=\"custom_link\" img_link_target=\"_blank\" qode_css_animation=\"\" 
link=\"https:\/\/breachfighter.stormshieldcs.eu\/2e0f1385a0eb72f189c3d3cffa38020d71370ab621139c5688647c5bab6bc7f2\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 12 - Detection of the first analysed sample by Breach Fighter<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_single_image image=\"510924\" img_size=\"large\" alignment=\"center\" onclick=\"custom_link\" img_link_target=\"_blank\" qode_css_animation=\"\" link=\"https:\/\/breachfighter.stormshieldcs.eu\/ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813\"][vc_column_text]<\/p>\n<p style=\"text-align: center;\"><em><small>Figure 13 - Detection of the second analysed sample by Breach Fighter<\/small><\/em><\/p>\n<p>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<table class=\" aligncenter\" width=\"623\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\" width=\"312\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p><em>Confidence level of the protection offered by Stormshield<\/em><\/td>\n<td width=\"312\">\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p style=\"text-align: center;\"><em>Confidence level of the absence of false positives<\/em><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>Stormshield Network Security against the Crypt888 ransomware<\/h3>\n<p>Stormshield Network Security firewalls cannot detect the activity of the malware, because it performs no network communication. They can, however, detect the transport of the malware with the Advanced Antivirus option, even without the Breach Fighter option.<\/p>\n<p>The detection signatures are: \"AIT:Trojan.Nymeria.4490\" and \"Gen:Variant.Strictor.54686\".[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<table class=\" aligncenter\" width=\"623\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\" width=\"312\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p><em>Confidence level of the protection offered by Stormshield<\/em><\/td>\n<td width=\"312\">\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p style=\"text-align: center;\"><em>Confidence level of the absence of false positives<\/em><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row 
css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>Stormshield Endpoint Security Evolution against the Crypt888 ransomware<\/h3>\n<p>The SES Evolution solution, equipped with the v2403a security policies, is able to detect and block the malware when it executes, even before encryption begins.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<table class=\" aligncenter\" width=\"623\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\" width=\"312\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p><em>Confidence level of the protection offered by Stormshield<\/em><\/td>\n<td width=\"312\">\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"135\" height=\"101\" \/><\/p>\n<p style=\"text-align: center;\"><em>Confidence level of the absence of false positives<\/em><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text]<\/p>\n<h3>Recommendations against the Crypt888 ransomware<\/h3>\n<p>Other applicable recommendations:<\/p>\n<ul>\n<li>keep your operating systems up to date;<\/li>\n<li>if not already done, apply the most recent version of the SES Evolution policies (v2403a as of today);<\/li>\n<li>in the event of infection, get support from professionals if your teams cannot handle the incident.<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row css_animation=\u00a0\u00bb\u00a0\u00bb row_type=\u00a0\u00bbrow\u00a0\u00bb use_row_as_full_screen_section=\u00a0\u00bbno\u00a0\u00bb type=\u00a0\u00bbfull_width\u00a0\u00bb angled_section=\u00a0\u00bbno\u00a0\u00bb text_align=\u00a0\u00bbleft\u00a0\u00bb background_image_as_pattern=\u00a0\u00bbwithout_pattern\u00a0\u00bb][vc_column][vc_column_text]Suite \u00e0 la d\u00e9tection par nos partenaires de l\u2019activit\u00e9 r\u00e9cente d\u2019un ransomware en Asie, l\u2019\u00e9quipe de Cyber Threat Intelligence de Stormshield a proc\u00e9d\u00e9 \u00e0 l\u2019analyse approfondie de cette souche. 
Ce malware fait partie d\u2019une famille d\u00e9j\u00e0 identifi\u00e9e par&#8230;<\/p>\n","protected":false},"author":83,"featured_media":510978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7065],"tags":[4368],"business_size":[],"industry":[],"help_mefind":[],"features":[],"type_security":[],"maintenance":[],"offer":[],"administration_tools":[],"cloud_offers":[],"listing_product":[1595,1565,1530],"class_list":["post-510863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical-posts-fr","tag-la-cybersecurite-par-stormshield","listing_product-breach-fighter-fr","listing_product-ses-fr","listing_product-sns-fr"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ransomware Crypt888 : analyse technique du malware<\/title>\n<meta name=\"description\" content=\"Vecteur d&#039;attaque, langages, obfuscation, chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l&#039;\u00e9quipe CTI de Stormshield.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Crypt888 : analyse technique du malware\" \/>\n<meta property=\"og:description\" content=\"Vecteur d&#039;attaque, langages, obfuscation, chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l&#039;\u00e9quipe CTI de Stormshield.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Stormshield\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-09T14:50:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-08T11:05:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"2560\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Stormshield Customer Security Lab\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Stormshield\" \/>\n<meta name=\"twitter:site\" content=\"@Stormshield\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stormshield Customer Security Lab\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/\"},\"author\":{\"name\":\"Stormshield Customer Security Lab\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\"},\"headline\":\"Analyse technique du ransomware 
Crypt888\",\"datePublished\":\"2024-04-09T14:50:00+00:00\",\"dateModified\":\"2024-07-08T11:05:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/\"},\"wordCount\":5835,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-321562145-scaled.jpg\",\"keywords\":[\"La cybers\u00e9curit\u00e9 - par Stormshield\"],\"articleSection\":[\"Billets techniques\"],\"inLanguage\":\"fr-FR\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/\",\"name\":\"Ransomware Crypt888 : analyse technique du malware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-321562145-scaled.jpg\",\"datePublished\":\"2024-04-09T14:50:00+00:00\",\"dateModified\":\"2024-07-08T11:05:54+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\"},\"description\":\"Vecteur d'attaque, langages, obfuscation, chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l'\u00e9quipe CTI de 
Stormshield.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-321562145-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-321562145-scaled.jpg\",\"width\":2560,\"height\":2560},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-technique-du-ransomware-crypt888\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analyse technique du ransomware Crypt888\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#website\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\",\"name\":\"Stormshield\",\"description\":\"Stormshield\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\",\"name\":\"Stormshield Customer Security 
Lab\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"caption\":\"Stormshield Customer Security Lab\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Crypt888 : analyse technique du malware","description":"Vecteur d'attaque, langages, obfuscation, chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l'\u00e9quipe CTI de Stormshield.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/","og_locale":"fr_FR","og_type":"article","og_title":"Ransomware Crypt888 : analyse technique du malware","og_description":"Vecteur d'attaque, langages, obfuscation, chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l'\u00e9quipe CTI de Stormshield.","og_url":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/","og_site_name":"Stormshield","article_published_time":"2024-04-09T14:50:00+00:00","article_modified_time":"2024-07-08T11:05:54+00:00","og_image":[{"width":2560,"height":2560,"url":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg","type":"image\/jpeg"}],"author":"Stormshield Customer Security Lab","twitter_card":"summary_large_image","twitter_creator":"@Stormshield","twitter_site":"@Stormshield","twitter_misc":{"\u00c9crit par":"Stormshield Customer Security Lab","Dur\u00e9e de lecture estim\u00e9e":"16 
minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#article","isPartOf":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/"},"author":{"name":"Stormshield Customer Security Lab","@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249"},"headline":"Analyse technique du ransomware Crypt888","datePublished":"2024-04-09T14:50:00+00:00","dateModified":"2024-07-08T11:05:54+00:00","mainEntityOfPage":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/"},"wordCount":5835,"commentCount":0,"image":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg","keywords":["La cybers\u00e9curit\u00e9 - par Stormshield"],"articleSection":["Billets techniques"],"inLanguage":"fr-FR"},{"@type":"WebPage","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/","url":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/","name":"Ransomware Crypt888 : analyse technique du malware","isPartOf":{"@id":"https:\/\/www.stormshield.com\/fr\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#primaryimage"},"image":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg","datePublished":"2024-04-09T14:50:00+00:00","dateModified":"2024-07-08T11:05:54+00:00","author":{"@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249"},"description":"Vecteur d'attaque, langages, obfuscation, 
chronologie : analyse compl\u00e8te du ransomware Crypt888 avec l'\u00e9quipe CTI de Stormshield.","breadcrumb":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#primaryimage","url":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg","contentUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-321562145-scaled.jpg","width":2560,"height":2560},{"@type":"BreadcrumbList","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-technique-du-ransomware-crypt888\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.stormshield.com\/fr\/"},{"@type":"ListItem","position":2,"name":"Analyse technique du ransomware Crypt888"}]},{"@type":"WebSite","@id":"https:\/\/www.stormshield.com\/fr\/#website","url":"https:\/\/www.stormshield.com\/fr\/","name":"Stormshield","description":"Stormshield","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.stormshield.com\/fr\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249","name":"Stormshield Customer Security 
Lab","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","caption":"Stormshield Customer Security Lab"}}]}},"_links":{"self":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/510863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/comments?post=510863"}],"version-history":[{"count":13,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/510863\/revisions"}],"predecessor-version":[{"id":549327,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/510863\/revisions\/549327"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/media\/510978"}],"wp:attachment":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/media?parent=510863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/categories?post=510863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/tags?post=510863"},{"taxonomy":"business_size","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/business_size?post=510863"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/industry?post=510863"},{"taxonomy"
:"help_mefind","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/help_mefind?post=510863"},{"taxonomy":"features","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/features?post=510863"},{"taxonomy":"type_security","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/type_security?post=510863"},{"taxonomy":"maintenance","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/maintenance?post=510863"},{"taxonomy":"offer","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/offer?post=510863"},{"taxonomy":"administration_tools","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/administration_tools?post=510863"},{"taxonomy":"cloud_offers","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/cloud_offers?post=510863"},{"taxonomy":"listing_product","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/listing_product?post=510863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}