寒武


Record: An experience of being infected by the WIS ransomware virus

1. Receiving the Virus Report

The incident started like this.
On the evening of January 24, 2024, at around 7 p.m., I received an email on my phone.

Image

However, I was having dinner at the time and did not open the email, so I didn't pay much attention to it; until then, I hadn't thought anyone would bother attacking my computer. After finishing my meal, I wanted to unlock my computer and play a few rounds of CF's Biohazard mode as usual (by the way, there are too many Biohazard mode experts in CF now; one "Mutant Cleaner" can easily defeat the mother body). But no matter how I entered the password on the lock screen, it kept showing "Password incorrect". After repeatedly failing to unlock it, I came to a conclusion:
=="The password has been tampered with"==

2. The Computer Was Brute-Forced

I booted into a PE (Windows Preinstallation Environment) system and cleared the local account's password. After reaching the desktop, I found that every file except the .exe files had been given this suffix, and the desktop wallpaper had been replaced with this:

Image
Image
How could I put up with this! So I opened the letter the intruder had left on the desktop. Its content is as follows:
Image

I don't have the patience to translate this letter, but I can guess the gist: your computer has been hacked, pay to obtain the unlock key, and so on. What puzzled me was how the intruder got into my computer. With that question in mind, I searched Google for information about the virus.

WIS Ransomware

The .wis extension belongs to the Makop ransomware family; other extensions the family has used include .makop and .mkp. It has been active since 2019, and its main way in is brute-forcing Remote Desktop (RDP) login passwords. Once the attacker has a working RDP password, they log into the victim's machine interactively and deploy the encryptor by hand rather than through an automated exploit, which is why the infection follows a period of failed logons rather than a malicious download. A ransom note named "important_information.hta" is left in each directory.

3. Rebuilding the Website from Google's Cache

I hadn't expected that my remote desktop password was so simple that it could be brute-forced. I looked at the script-execution log that Huorong (the antivirus) records automatically and found that the intruder first brute-forced my own account's password, then used the net command to gain administrator privileges, changed my login password, and finally planted the WIS virus program. But on reflection, my remote desktop port is not 3389, and the remote address has never been exposed; the addresses visible externally are all the ones behind Cloudflare's CDN. How did the intruder know this information? That is something I can't figure out.

There was nothing to be done at that point, so I could only reinstall the system. Unfortunately, all my blog data had been encrypted by the virus and had to be discarded. Fortunately, I didn't have too many articles, and I retrieved them all through Google's cached snapshots. I am very grateful that Google's crawler had indexed my website.
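The chain described in the two passages above (RDP password guessing, an interactive logon, net commands, a password reset) is also recorded by Windows itself, so you do not have to rely on the antivirus log. The following is an added example, not code from the original post, that reconstructs that chain from the Security event log with built-in cmdlets only. Run it elevated on the affected host before reinstalling (or point Get-WinEvent at a saved Security.evtx with -Path). The seven-day window and the local-address exclusions are assumptions; adjust them to the incident.

```powershell
# Added example (not from the original post): reconstruct an RDP brute force and the
# hands-on-keyboard session that followed it from the Windows Security log.
# Assumptions: run elevated on the victim host; 7-day window; loopback excluded.

$Start = (Get-Date).AddDays(-7)

# Flatten an event's EventData into a hashtable keyed by field name
# (TargetUserName, IpAddress, LogonType, SubjectUserName, ...).
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Start } `
        -ErrorAction SilentlyContinue
}

# 1. Failed logons (4625). A password-guessing run shows up as hundreds of failures
#    from one source address against one or two usernames. LogonType 10 is an RDP
#    session; with Network Level Authentication on, failures are logged as
#    LogonType 3 instead, because credentials are checked before any session exists.
$failed = foreach ($e in Get-SecurityEvents -Id 4625) {
    $f = Get-EventFields $e
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $f['TargetUserName']
        SourceIp  = $f['IpAddress']
        LogonType = $f['LogonType']
    }
}
"== Failed logons by source and user =="
$failed | Group-Object SourceIp, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The successful remote logon that followed (4624 from a non-local address).
#    The first success from the brute-forcing IP marks the start of the attacker's
#    interactive session.
$logons = foreach ($e in Get-SecurityEvents -Id 4624) {
    $f = Get-EventFields $e
    if ($f['LogonType'] -in @('10', '3') -and $f['IpAddress'] -notin @('-', '127.0.0.1', '::1')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $f['TargetUserName']
            SourceIp  = $f['IpAddress']
            LogonType = $f['LogonType']
        }
    }
}
"== Successful remote logons =="
$logons | Sort-Object Time | Format-Table -AutoSize

# 3. What "net user <name> <newpw>" and "net localgroup administrators <name> /add"
#    leave behind: 4724 (password reset by another account), 4720 (account created),
#    4732 (member added to a local group). A 4724 against your own account, with the
#    attacker's session as Actor, is the event behind the "Password incorrect" lockout.
$changes = foreach ($e in Get-SecurityEvents -Id 4720, 4724, 4732) {
    $f = Get-EventFields $e
    $target = $f['TargetUserName']; $group = ''
    if ($e.Id -eq 4732) { $target = $f['MemberSid']; $group = $f['TargetUserName'] }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Actor  = $f['SubjectUserName']
        Target = $target
        Group  = $group
    }
}
"== Account and group changes =="
$changes | Sort-Object Time | Format-Table -AutoSize
```

Read the three tables together: the source address with the most 4625 failures should reappear in the first 4624 success, and the 4724/4732 entries that follow it within minutes are the net commands the antivirus log attributed to the intruder. If the Security log has already been cleared (event 1102 records that), the antivirus log may be the only record left, which is one more reason to export the event logs before reinstalling.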

Snapshot address (https://kuaizhao.coderschool.cc/)

So I reinstalled the system and rebuilt the website from that material. All of this trouble was caused by the virus.

Here, I advise everyone to change their passwords to strong ones!
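A strong password is the first fix, but the account had no lockout and RDP answered to the whole Internet, so a second set of settings is worth applying on any host that exposes Remote Desktop. The following is an added example, not from the original post: the weak setting beside the corrected one for each control. Run it elevated; the thresholds and the trusted address range are assumptions to replace with your own.

```powershell
# Added example (not from the original post): turn "a guessable password on a
# reachable RDP port" from a full compromise into a handful of failed logons.
# Assumptions: run elevated on the exposed host; thresholds and $trusted are placeholders.

# 1. Weak: no lockout, so an online guesser gets unlimited attempts.
#    Corrected: lock after 10 failures for 30 minutes, and require 14+ character
#    passwords for every local account.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14

# 2. Weak: UserAuthentication = 0, the remote side reaches the Windows logon screen
#    before proving anything. Corrected: require Network Level Authentication, so the
#    credential check happens before a session is built.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. A non-default port is not access control: Internet-wide scanners recognise RDP
#    by its handshake, not by its port number. Restrict the inbound RDP rules to the
#    network you actually administer from (the range below is an assumption).
$trusted = '203.0.113.0/24'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $trusted

# 4. Verify which port RDP is bound to and which interface it listens on.
#    LocalAddress 0.0.0.0 or :: means every interface, including the public one.
$rdpPort = (Get-ItemProperty -Path $rdpKey).PortNumber
Get-NetTCPConnection -LocalPort $rdpPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. If nobody outside $trusted needs RDP, do not publish it at all: disable it and
#    reach the machine over a VPN or an SSH tunnel instead.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
#     -Name 'fDenyTSConnections' -Value 1 -Type DWord
```

The lockout threshold is what actually defeats brute force: with ten attempts per half hour, even a weak password survives far longer than an attacker's scan window, whereas without it the only defence is the password's entropy. The firewall scope matters because, on a host that also serves a website through Cloudflare, the CDN hides the web origin but does nothing for a separate RDP listener on the same machine.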

This article is synchronized to xLog by Mix Space.
Original link: https://www.xiaozhengyang.com/posts/life/WIS

