Lockpick2.0
Original
漫路修行
微痕鉴远
January 9, 2026, 17:22, Guangdong
We’ve been hit by Ransomware again, but this time the threat actor seems to have upped their skillset. Once again they’ve managed to encrypt a large set of our files. It is our policy NOT to negotiate with criminals. Please recover the files they have encrypted – we have no other option! Unfortunately our CEO is on a no-tech retreat and so can’t be reached.
In this Sherlock, you confront another serious ransomware threat at Forela: another significant number of UNIX servers have been infected by a suspected ransomware. Forela has decided not to negotiate with the attackers, putting the onus on you to recover the encrypted files. This task demands players to utilize their understanding of ransomware operations, UNIX server structures, and digital forensics to restore the affected files. It’s another high-pressure race against time, testing your resilience, ingenuity, and technical prowess.
What was used to pack the malware?
upx
What type of encryption has been utilised to encrypt the files provided?
After unpacking, a quick look through the functions makes it obvious.
AES
What is the BTC wallet address the TA is asking for payment to?
How much is the TA asking for?
One million pounds.
The remaining questions all need analysis and decryption to answer, so on to the analysis: the AES encryption logic.
To trace the encryption logic, first locate encrypt_file:
This function is called by handle_directory:
handle_directory->encrypt_file
Looking further up, main calls handle_directory.
One of its arguments, v6, has first been processed by get_key_from_url:
get_key_from_url is implemented with libcurl, so look for the URL.
xor_chiper is the string-decryption routine, already seen many times in main. Use it to decrypt the aClig string.
Decrypting the string
gives the URL.
Downloading from it yields a file named updater:
Use the prototype of the EVP_EncryptInit_ex API to find the key.
Its length is 32 bytes, so it serves as the AES key.
So take the first 32 bytes as the key.
The mode is CBC, so the IV is needed as well.
The IV is not obvious in the decompiled pseudocode:
At most it can be traced to the local variables v7 and v8, but v7, v8 and the local src[32] are in fact contiguous in memory.
The remaining 16 bytes are exactly the IV; test the decryption:
Both files are recovered.
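The recovery step described above, written as an added Go example (not code from the original write-up, and not the malware's own routine): it assumes the 48-byte key-file layout worked out here (32-byte AES-256 key followed by the 16-byte IV) and OpenSSL's default PKCS#7 padding; the key blob and plaintext are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const keyLen, ivLen = 32, aes.BlockSize // "updater" layout: 32-byte AES-256 key, then the 16-byte IV
// SplitKeyFile returns the key and IV slices of the key file, refusing anything shorter than 48 bytes.
func SplitKeyFile(blob []byte) (key, iv []byte, err error) {
	if len(blob) < keyLen+ivLen {
		return nil, nil, fmt.Errorf("key file too short: %d bytes, need %d", len(blob), keyLen+ivLen)
	}
	return blob[:keyLen], blob[keyLen : keyLen+ivLen], nil
}

// DecryptCBC reverses AES-256-CBC with PKCS#7 padding (the EVP default); a padding error almost always means wrong key/IV offsets.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: check the key/IV split")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptCBC only produces a local test vector so the round trip can be checked offline.
func EncryptCBC(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key length already validated by SplitKeyFile
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}
func main() {
	key, iv, _ := SplitKeyFile([]byte("0123456789abcdef0123456789abcdefFEDCBA9876543210")) // constructed stand-in
	pt, err := DecryptCBC(key, iv, EncryptCBC(key, iv, []byte("constructed sample plaintext")))
	fmt.Printf("%q %v\n", pt, err)
}
```

For a real encrypted file, read the 48-byte blob and the ciphertext from disk and pass them to SplitKeyFile and DecryptCBC; a padding error on output is the signal that the key/IV offsets are wrong.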
What is the file name of the key utilised by the attacker?
updater
What is the file hash of the key utilised by the attacker?
Which market is our CEO planning on expanding into? (Please answer with the wording utilised in the PDF)
Please confirm the name of the bank our CEO would like to takeover?
Disclaimer:
The programs and technical methods in this article are intended solely for lawful security research and teaching, with the aim of improving network security defences; they are of a clearly technical research nature.
Any organisation or individual that, without authorisation, uses the contents of this article for attacks, sabotage or other unlawful purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site accepts no joint liability.
All content on this site is published for technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by e-mail; the contact details are under "Contact me" at the top of the page.
Reposted from: 微痕鉴远 漫路修行《Lockpick2.0》