奇安信攻防社区-【病毒分析】MEDUSA LOCKER勒索windows版本分析

【病毒分析】MEDUSA LOCKER勒索windows版本分析

1.背景 1.1 家族介绍 MEDUSA LOCKER 家族于 2019 年 9 月出现，MEDUSA LOCKER 家族通常通过有漏洞的远程桌面协议（RDP）配置获取受害者设备访问权限，攻击者还经常使用电子邮件钓鱼和垃圾邮件活...

**1.背景**
========

1.1 家族介绍
--------

MEDUSA LOCKER 家族于 2019 年 9 月出现，MEDUSA LOCKER 家族通常通过有漏洞的远程桌面协议（RDP）配置获取受害者设备访问权限，攻击者还经常使用电子邮件钓鱼和垃圾邮件活动——直接将勒索软件附加到电子邮件中——作为初始入侵渠道。

MEDUSA LOCKER 对受害者的数据进行加密，并在包含加密文件的每个文件夹中留下带有勒索信。勒索信指示受害者向特定的比特币钱包地址提供勒索软件付款。MEDUSA LOCKER 似乎根据观察到的赎金支付拆分作为勒索软件即服务 （RaaS） 模型运行。典型的 RaaS 模型涉及勒索软件开发人员和在受害者系统上部署勒索软件的各种附属公司。MEDUSA LOCKER 家族付款似乎始终在附属公司之间分配，附属公司收到 55% 到 60% 的赎金;以及接收剩余部分的开发人员。

1.2 平台介绍
--------

MEDUSA LOCKER家族提供两个暗网地址：一个是博客，另一个是聊天室。博客中留有Tox联系方式，并会公开受害者的信息，点击特定受害者后，可以查看其详细的泄露数据和赎金要求；聊天室则要求输入ID和联系邮箱，且支持上传一个被加密的文件进行测试。提交后，系统将为受害者生成一个聊天室，供其与MEDUSA LOCKER家族进行私密交流，其他人无法查看该对话内容。

### 1.2.1 博客页

![1.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-556406dcab68de9df1fd5477229f92f84b11d084.png)

博客首页

![2.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-a6e806aa2db4cf70da6f2fb236918c7954ef3c2f.png)

数据详情页

### 1.2.2 聊天室页

![3.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-ff7ed9fc97b852c714689d0d61363c40598ac74a.png)

加载进入聊天室

![4.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-39abd5ebfe77932216a03157a2695182f739dd34.png)

成功创建聊天室

![5.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-46c384489ef0d042767d6f8b15beae98452ab760.png)

聊天室页面

2.恶意文件基础信息
==========

2.1 恶意文件基本信息
------------

| 文件名 | bh538.exe |
|---|---|
| 编译器 | Microsoft Visual C/C++(19.36.34810)\[LTCG/C++\] |
| 大小 | 1.72 MB |
| 操作系统 | Windows(Vista)\[AMD64, 64位, Console\] |
| 模式 | 64 位 |
| 类型 | PE64 |
| 字节序 | LE |
| MD5 | 7d64ffeb603fbe96a4b47982e2a1dd3f |
| SHA1 | f983c9e9216ad026edad6accb8962d90f8230019 |
| SHA256 | ca4dfe28e1f18a1b8e0bcd825abe129ab46031ba4faed8777bc95da67371d83d |

2.2 勒索信
-------

![6.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-8af9782d080551fc24d13d0727b45100468860b5.png)

3.加密后文件分析
=========

3.1威胁分析
-------

| **病毒家族** | MEDUSA LOCKER |
|---|---|
| **首次出现时间/捕获分析时间** | 2025/09/9 \| 2025/09/11 |
| **威胁类型** | 勒索软件，加密病毒 |
| **加密文件扩展名** | .blackheart588 |
| **勒索信文件名** | read\_to\_decrypt\_files.html |
| **有无免费解密器？** | 无 |
| **联系邮箱** | [ecovery1@salamati.vip](mailto:recovery1@salamati.vip) <recovery1@amniyat.xyz> |
| **感染症状** | 无法打开存储在计算机上的文件，以前功能的文件现在具有不同的扩展名（例如，solar.docx.blackheart588）。桌面上会显示一条勒索要求消息。网络犯罪分子要求支付赎金（通常以比特币）来解锁您的文件。 |
| **感染方式** | 受感染的电子邮件附件（宏）、恶意广告、漏洞利用、恶意链接 |
| **受灾影响** | 文件都经过加密，如果不支付赎金就无法打开。其他密码窃取木马和恶意软件感染可以与勒索软件感染一起安装。 |

3.2 加密的测试文件
-----------

### 文件名

sierting.txt

### 具体内容：

![7.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-9e53e5a3e7cac1ed36e6089dbd74e1fc8f163e55.png)

![8.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-2db21c74dd31194c053c26bc632f349e59cb0d15.png)

### 加密文件名特征：

加密文件名 = 原始文件名+blackheart588 ，例如：sierting.txt.blackheart588

### 加密文件数据特征：

对于文件的加密根据如下配置，条状加密，其中每一条都为1136023字节，当加密字节累计超过3853566字节后就不再加密。

"bytesCryptAndSkip": 1136023,  
"bytesForEncrypt": 3853566,

![9.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-2e5c3b1874e6389429c192dca286c4131f233395.png)

### 加密算法：

#### chacha密钥生成：

##### KEY：

使用如下函数生成随机的key

![10.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-d00e2f042cbc2df8e5a2593c28a2af0418d55c64.png)

#### RSA密钥生成：

##### 公私钥对：

生成公私钥对

![11.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-073c9f775343a313860d3536900d667220f8d589.png)

### 程序执行流程：

![12.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-7d1bdf9a7da17caa457999461d0290ac64e97435.png)

4逆向分析
=====

4.1加密器逆向分析
----------

### 4.1.1main函数

创建多个线程

![13.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-6d53565400fc33c4d23421ef6317c4b765b92197.png)

![14.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-f3b337c02b6847cddbbb56f39514835e0aa070cc.png)

![15.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-b714c5f6b5205a0dd09d63cec8d035ef16bc67a4.png)

![16.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-8167fe33e26d545a6900fdb483a64e094b97394c.png)

执行如下命令

"rem Kill \\"SQL\\"",  
"taskkill -f -im sqlbrowser.exe",  
"taskkill -f -im sql writer.exe",  
"taskkill -f -im sqlserv.exe",  
"taskkill -f -im msmdsrv.exe",  
"taskkill -f -im MsDtsSrvr.exe",  
"taskkill -f -im sqlceip.exe",  
"taskkill -f -im fdlauncher.exe",  
"taskkill -f -im Ssms.exe",  
"taskkill -f -im SQLAGENT.EXE",  
"taskkill -f -im fdhost.exe",  
"taskkill -f -im ReportingServicesService.exe",  
"taskkill -f -im msftesql.exe",  
"taskkill -f -im pg\_ctl.exe",  
"taskkill -f -impostgres.exe",  
"net stop MSSQLServerADHelper100",  
"net stop MSSQL$ISARS",  
"net stop MSSQL$MSFW",  
"net stop SQLAgent$ISARS",  
"net stop SQLAgent$MSFW",  
"net stop SQLBrowser",  
"net stop REportServer$ISARS",  
"net stop SQLWriter",  
"vssadmin.exe Delete Shadows /All /Quiet",  
"wbadmin delete backup -keepVersion:0 -quiet",  
"wbadmin DELETE SYSTEMSTATEBACKUP",  
"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",  
"wmic.exe SHADOWCOPY /nointeractive",  
"bcdedit.exe /set {default} recoverynabled No",  
"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

![17.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-2ad3bace310b562b3bb11e202c7cf15c6fb8abe7.png)

![18.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-908124b1996ad25340cd54fecaa3076242941a54.png)

![19.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-0ff4283b1a05df80c4886e020640a442b022d5bc.png)

![20.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-b8fd204812bee7cdf4b1fab9303ecf13fc4de87e.png)

检测输入的参数，如果是-h提供帮助信息

![21.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-0532c03c07917a7e549eb37ce42e2aaf7f854884.png)

### 4.1.2ui\_status\_thread函数

显示加密进度窗口

![22.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-54c98222fe2646682ccd64da80c5cfdd941ce30f.png)

![23.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-5215469ebf391dc587f6a066e5cd7f67166efa66.png)

![24.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-9ed0a179805f6b9bd75425051f09e3e96b77ea2c.png)

![25.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-71812a09fc885d9e06d2d5f1e39bc300f2e5a83e.png)

### 4.1.3add\_to\_startup函数

权限维持函数，添加自启动

![26.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-523adf19d01c1326fa68e668a2468d35b9d4abc9.png)

![27.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-2d23bb4f58f1389297dee4be9cb6fcd1b22ef1de.png)

### 4.1.4clear\_recycle\_bin函数

清空回收站

![28.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-3a62eeb75883294e74b83154f7f6f6977b6a7cd2.png)

### 4.1.5set\_background\_image函数

更换壁纸，由于该勒索的配置中启用该功能，因为不会更换壁纸

![29.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-9e70f7318cbb74f965c86fbef321c57c3c310979.png)

### 4.1.6file\_scan\_thread函数

给扫描到的每个驱动器都分配线程执行目录扫描和加密任务

![30.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-36c484991a4ff8b0783f287b5fdf2f8a1b886ecf.png)

### 4.1.7scan\_directory\_and\_encrypt函数

判断路径是否位于排除目录中，排除的目录路径如下：

"C:\\\\perflogs",  
"C:\\\\Intel",  
"C:\\\\HP",  
"C:\\\\AMD",  
"C:\\\\Dell",  
"C:\\\\Drivers",  
"C:\\\\inetpub",  
"B:\\\\Boot",  
"A:\\\\Boot",  
"B:\\\\EFI",  
"A:\\\\EFI",  
"C:\\\\ProgramData\\\\Anydesk",  
":\\\\Boot"

![31.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-a74f2499a5831533616c1443f0eba8f79cb045b0.png)

![32.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-aded0557b5fb81247554ca47bcf2a36c446b932b.png)

![33.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-091cd3d0826c8965d84765fae509db1e56eae068.png)

如果扫描到的是目录就递归扫描

![34.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-4c4208b838c5a279ab1710061bf6ec87bf3668bf.png)

判断后缀是否为黑名单，如果不是则进入加密，黑名单后缀如下：

".dll",  
".sys",  
".readtext\*",  
".readtext95"

如果没有配置信息的话加密后缀为crypt，但是当前程序的配置信息如下，因此加密后缀为.blackheart588

{  
"backgroundImage": false,  
"backgroundImageData": "",  
"bytesCryptAndSkip": 1136023,  
"bytesForEncrypt": 3853566,  
"chiperDrives": true,  
"encryptedFileExtension": ".blackheart588",  
"hideConsole": false,  
"masterPublicKey": "BgIAAACkAABSU0ExAAgAAAEAAQARdxsz/cuLEbEvHU8So1S/Gy+W8lMxU402zgeRJYdmOl27aMCNQuH6OdDOIe7uMU7IJcxoPPadwV3yZyL4Hzn+ywknxMurdAbWwX91z3OGGDwhvA3bO2NcU4Yc7uOCnRRjvGapShKe4JlF+OjFdOrOvc+80Yc6v27HBQdHwpRVW12AKm7x9uwdjBre9PgQ5UgqYIaPbtlqx5fKwja713PELH34IZ1gc8XIvZymkTVIgx8XVSTwPBkCuLtD61Qvmwy/NYxAcsNghdv+YuLMcW85RA/wRlY6h8PeExHfdLwt/ZVFV3hJ20lwMDF1l6DSHVCJIVyxQUozjD2uRl3agu6l\\u0000",  
"openRequirementsOnFinish": false,  
"postRunCommands": \[\],  
"preRunCommands": \[  
"rem Kill \\"SQL\\"",  
"taskkill -f -im sqlbrowser.exe",  
"taskkill -f -im sql writer.exe",  
"taskkill -f -im sqlserv.exe",  
"taskkill -f -im msmdsrv.exe",  
"taskkill -f -im MsDtsSrvr.exe",  
"taskkill -f -im sqlceip.exe",  
"taskkill -f -im fdlauncher.exe",  
"taskkill -f -im Ssms.exe",  
"taskkill -f -im SQLAGENT.EXE",  
"taskkill -f -im fdhost.exe",  
"taskkill -f -im ReportingServicesService.exe",  
"taskkill -f -im msftesql.exe",  
"taskkill -f -im pg\_ctl.exe",  
"taskkill -f -impostgres.exe",  
"net stop MSSQLServerADHelper100",  
"net stop MSSQL$ISARS",  
"net stop MSSQL$MSFW",  
"net stop SQLAgent$ISARS",  
"net stop SQLAgent$MSFW",  
"net stop SQLBrowser",  
"net stop REportServer$ISARS",  
"net stop SQLWriter",  
"vssadmin.exe Delete Shadows /All /Quiet",  
"wbadmin delete backup -keepVersion:0 -quiet",  
"wbadmin DELETE SYSTEMSTATEBACKUP",  
"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",  
"wmic.exe SHADOWCOPY /nointeractive",  
"bcdedit.exe /set {default} recoverynabled No",  
"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"  
\],  
"regenerateKeysAlways": false,  
"removeRecycle": true,  
"requirementsFileDataUTF8": "&lt;!DOCTYPE html&gt;\\n&lt;html lang=\\"en\\"&gt;\\n&lt;head&gt;\\n &lt;meta charset=\\"UTF-8\\"&gt;\\n &lt;meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=utf-8\\"&gt;\\n &lt;meta name=\\"viewport\\" content=\\"width=device-width, initial-scale=1.0\\"&gt;\\n &lt;title&gt;Network Security Notification &amp; Regulatory Report&lt;/title&gt;\\n &lt;link href=\\"<https://fonts.googleapis.com/css?family=Montserrat:100,200,300,regular,500,600,700,800,900,100italic,200italic,300italic,italic,500italic,600italic,700italic,800italic,900italic>\\" rel=\\"stylesheet\\"&gt;\\n &lt;link rel=\\"stylesheet\\" href=\\"[https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css\\"&gt;\\n](https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css%5C) &lt;style&gt;\\n / *Base styles* /\\n  *{\\n margin: 0;\\n padding: 0;\\n box-sizing: border-box;\\n font-family: 'Montserrat', sans-serif;\\n }\\n \\n body {\\n background: linear-gradient(135deg, #0a0c14 0%, #191c25 100%);\\n color: #e0e0e0;\\n min-height: 100vh;\\n line-height: 1.6;\\n overflow-x: hidden;\\n position: relative;\\n }\\n \\n /* Background pattern */\\n .background {\\n position: fixed;\\n inset: 0;\\n background: \\n radial-gradient(circle at 10% 20%, rgba(220, 53, 70, 0.1) 0%, transparent 15%),\\n radial-gradient(circle at 90% 80%, rgba(220, 53, 70, 0.1) 0%, transparent 15%),\\n repeating-linear-gradient(45deg, rgba(25, 28, 37, 0.8) 0px, rgba(25, 28, 37, 0.8) 2px, transparent 2px, transparent 4px);\\n opacity: 0.6;\\n z-index: -1;\\n }\\n \\n /* Container for content */\\n .container {\\n max-width: 1200px;\\n margin: 0 auto;\\n padding: 20px;\\n }\\n \\n /* Notification header */\\n .notification-header {\\n text-align: center;\\n padding: 30px 0;\\n position: relative;\\n margin-bottom: 20px;\\n }\\n \\n .notification-header h1 {\\n font-size: 2.5rem;\\n margin-bottom: 15px;\\n background: linear-gradient(to right, #ff4d61, #dc3546);\\n -webkit-background-clip: text;\\n -webkit-text-fill-color: transparent;\\n text-shadow: 0 2px 10px rgba(220, 53, 70, 0.3);\\n }\\n \\n .identifier {\\n display: inline-block;\\n font-size: 1.2rem;\\n word-break: break-all;\\n background: rgba(220, 53, 70, 0.2);\\n padding: 15px 25px;\\n border-radius: 8px;\\n margin-top: 15px;\\n border: 1px solid #dc3546;\\n font-weight: 600;\\n letter-spacing: 1px;\\n }\\n \\n /* Main notification content */\\n .notification-content {\\n background: rgba(23, 23, 25, 0.9);\\n border-radius: 12px;\\n overflow: hidden;\\n box-shadow: 0 15px 40px rgba(0, 0, 0, 0.6);\\n margin-bottom: 50px;\\n backdrop-filter: blur(5px);\\n border: 1px solid rgba(255, 255, 255, 0.05);\\n }\\n \\n .notification-banner {\\n padding: 40px 20px;\\n text-align: center;\\n background: linear-gradient(90deg, #dc3546, #a71e2d);\\n position: relative;\\n overflow: hidden;\\n }\\n \\n .notification-banner::before {\\n content: \\"\\";\\n position: absolute;\\n top: 0;\\n left: 0;\\n right: 0;\\n height: 5px;\\n background: linear-gradient(90deg, transparent, #fff, transparent);\\n }\\n \\n .notification-banner h2 {\\n font-size: 2rem;\\n line-height: 1.4;\\n margin-bottom: 15px;\\n text-shadow: 0 2px 4px rgba(0, 0, 0, 0.4);\\n }\\n \\n .highlight {\\n background: rgba(0, 0, 0, 0.3);\\n padding: 8px 20px;\\n border-radius: 30px;\\n display: inline-block;\\n margin-top: 15px;\\n font-weight: 700;\\n font-size: 1.8rem;\\n letter-spacing: 1px;\\n border: 2px solid rgba(255, 255, 255, 0.2);\\n }\\n \\n .notification-body {\\n padding: 40px;\\n display: grid;\\n gap: 30px;\\n }\\n \\n .text-center {\\n text-align: center;\\n }\\n \\n .warning-box {\\n background: rgba(36, 37, 41, 0.8);\\n padding: 25px;\\n border-radius: 8px;\\n border-left: 5px solid #dc3546;\\n box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);\\n }\\n \\n .warning-box b {\\n color: #ff4d61;\\n font-size: 1.1rem;\\n }\\n \\n p {\\n margin: 15px 0;\\n font-size: 1.05rem;\\n line-height: 1.7;\\n }\\n \\n a {\\n color: #ff4d61;\\n text-decoration: none;\\n transition: all 0.3s;\\n word-break: break-all;\\n font-weight: 500;\\n }\\n \\n a:hover {\\n color: white;\\n text-decoration: underline;\\n }\\n \\n .contact-container {\\n display: flex;\\n flex-wrap: wrap;\\n gap: 20px;\\n align-items: flex-start;\\n margin: 20px 0;\\n }\\n \\n .contact-container &gt; div {\\n flex: 1;\\n min-width: 250px;\\n }\\n \\n .urgent-alert {\\n color: #ff4d61;\\n font-weight: 700;\\n text-align: center;\\n padding: 20px;\\n background: rgba(220, 53, 70, 0.15);\\n border-radius: 8px;\\n margin: 30px 0;\\n border: 2px solid #dc3546;\\n animation: pulse 2s infinite;\\n font-size: 1.2rem;\\n }\\n \\n .contact-info {\\n margin: 25px 0;\\n padding: 15px;\\n background: rgba(36, 37, 41, 0.5);\\n border-radius: 8px;\\n }\\n \\n .tox-id {\\n font-family: monospace;\\n font-size: 0.95rem;\\n word-break: break-all;\\n background: rgba(255, 255, 255, 0.05);\\n padding: 12px;\\n border-radius: 6px;\\n margin-top: 8px;\\n border: 1px solid rgba(255, 255, 255, 0.1);\\n }\\n \\n @keyframes pulse {\\n 0% { box-shadow: 0 0 0 0 rgba(220, 53, 70, 0.4); }\\n 70% { box-shadow: 0 0 0 15px rgba(220, 53, 70, 0); }\\n 100% { box-shadow: 0 0 0 0 rgba(220, 53, 70, 0); }\\n }\\n \\n /* Report section divider */\\n .report-divider {\\n text-align: center;\\n margin: 60px 0 40px;\\n position: relative;\\n }\\n \\n .report-divider h2 {\\n display: inline-block;\\n background: linear-gradient(90deg, #dc3546, #8b0000);\\n padding: 18px 50px;\\n border-radius: 50px;\\n font-size: 1.8rem;\\n position: relative;\\n z-index: 2;\\n box-shadow: 0 5px 20px rgba(220, 53, 70, 0.4);\\n }\\n \\n .report-divider::before {\\n content: \\"\\";\\n position: absolute;\\n top: 50%;\\n left: 0;\\n right: 0;\\n height: 3px;\\n background: linear-gradient(90deg, transparent, #dc3546, transparent);\\n z-index: 1;\\n }\\n \\n /* Report content styles */\\n .report-content {\\n background: rgba(23, 23, 25, 0.9);\\n color: #e0e0e0;\\n border-radius: 12px;\\n box-shadow: 0 15px 40px rgba(0, 0, 0, 0.6);\\n padding: 40px;\\n margin-bottom: 50px;\\n backdrop-filter: blur(5px);\\n border: 1px solid rgba(255, 255, 255, 0.05);\\n }\\n \\n .report-content h1 {\\n color: #ff4d61;\\n text-align: center;\\n border-bottom: 3px solid #dc3546;\\n padding-bottom: 15px;\\n margin-bottom: 40px;\\n font-size: 2.3rem;\\n text-shadow: 0 2px 4px rgba(0, 0, 0, 0.4);\\n }\\n \\n .report-content h2 {\\n color: #ff4d61;\\n border-left: 5px solid #3498db;\\n padding-left: 20px;\\n margin-top: 40px;\\n font-size: 1.7rem;\\n }\\n \\n .report-content h3 {\\n color: #ff4d61;\\n margin-top: 30px;\\n font-size: 1.4rem;\\n }\\n \\n .region-section {\\n margin-bottom: 40px;\\n padding: 25px;\\n background: rgba(36, 37, 41, 0.5);\\n border-radius: 10px;\\n border-left: 5px solid #3498db;\\n box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);\\n }\\n \\n .eu-section {\\n border-left-color: #3498db;\\n }\\n \\n .usa-section {\\n border-left-color: #e74c3c;\\n }\\n \\n .asia-section {\\n border-left-color: #f39c12;\\n }\\n \\n .report-content table {\\n width: 100%;\\n border-collapse: collapse;\\n margin: 25px 0;\\n background: rgba(36, 37, 41, 0.7);\\n box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);\\n border-radius: 8px;\\n overflow: hidden;\\n }\\n \\n .report-content th, .report-content td {\\n border: 1px solid rgba(68, 68, 68, 0.5);\\n padding: 15px;\\n text-align: left;\\n }\\n \\n .report-content th {\\n background-color: #dc3546;\\n color: white;\\n font-weight: bold;\\n font-size: 1.1rem;\\n }\\n \\n .report-content tr:nth-child(even) {\\n background-color: rgba(255, 255, 255, 0.03);\\n }\\n \\n .report-content tr:hover {\\n background-color: rgba(220, 53, 70, 0.1);\\n }\\n \\n .report-content .highlight {\\n background-color: rgba(255, 193, 7, 0.1);\\n padding: 20px;\\n border-left: 4px solid #ffc107;\\n margin: 25px 0;\\n border-radius: 8px;\\n }\\n \\n .report-content .fine-amount {\\n font-weight: bold;\\n color: #ff4d61;\\n }\\n \\n .report-content .case-study {\\n background: rgba(39, 174, 96, 0.1);\\n padding: 20px;\\n margin: 20px 0;\\n border-radius: 8px;\\n border-left: 4px solid #27ae60;\\n }\\n \\n .report-content .key-stats {\\n display: grid;\\n grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));\\n gap: 25px;\\n margin: 40px 0;\\n }\\n \\n .report-content .stat-card {\\n background: linear-gradient(135deg, #dc3546 0%, #8b0000 100%);\\n color: white;\\n padding: 25px;\\n border-radius: 12px;\\n text-align: center;\\n box-shadow: 0 8px 20px rgba(0, 0, 0, 0.4);\\n transition: transform 0.3s;\\n }\\n \\n .report-content .stat-card:hover {\\n transform: translateY(-5px);\\n }\\n \\n .report-content .stat-number {\\n font-size: 2.5rem;\\n font-weight: bold;\\n display: block;\\n margin-bottom: 10px;\\n text-shadow: 0 2px 4px rgba(0, 0, 0, 0.4);\\n }\\n \\n .report-content .references {\\n background: rgba(255, 255, 255, 0.05);\\n padding: 25px;\\n margin-top: 50px;\\n border-radius: 10px;\\n font-size: 0.95rem;\\n }\\n \\n .report-content .references h3 {\\n color: #ff4d61;\\n margin-bottom: 20px;\\n text-align: center;\\n }\\n \\n .report-content .summary-section {\\n background: rgba(255, 193, 7, 0.1);\\n padding: 30px;\\n margin: 40px 0;\\n border-radius: 12px;\\n border: 2px solid #ffc107;\\n }\\n \\n .report-content ul {\\n padding-left: 30px;\\n margin: 20px 0;\\n }\\n \\n .report-content li {\\n margin-bottom: 12px;\\n line-height: 1.7;\\n }\\n \\n /* Footer */\\n .footer {\\n text-align: center;\\n padding: 30px;\\n color: #aaa;\\n font-size: 0.9rem;\\n border-top: 1px solid rgba(255, 255, 255, 0.1);\\n margin-top: 50px;\\n }\\n \\n /* Scroll to top button */\\n .scroll-top {\\n position: fixed;\\n bottom: 30px;\\n right: 30px;\\n background: #dc3546;\\n color: white;\\n width: 60px;\\n height: 60px;\\n border-radius: 50%;\\n display: flex;\\n align-items: center;\\n justify-content: center;\\n cursor: pointer;\\n opacity: 0.8;\\n transition: all 0.3s;\\n z-index: 1000;\\n box-shadow: 0 5px 15px rgba(220, 53, 70, 0.4);\\n font-size: 1.5rem;\\n }\\n \\n .scroll-top:hover {\\n opacity: 1;\\n transform: translateY(-5px);\\n }\\n \\n /* Responsive design \*/\\n @media (max-width: 768px) {\\n .container {\\n padding: 15px;\\n }\\n \\n .notification-header h1 {\\n font-size: 1.8rem;\\n }\\n \\n .notification-banner h2 {\\n font-size: 1.5rem;\\n }\\n \\n .highlight {\\n font-size: 1.4rem;\\n }\\n \\n .notification-body, .report-content {\\n padding: 25px;\\n }\\n \\n .report-content h1 {\\n font-size: 1.8rem;\\n }\\n \\n .report-content h2 {\\n font-size: 1.4rem;\\n }\\n \\n .report-divider h2 {\\n font-size: 1.4rem;\\n padding: 12px 30px;\\n }\\n \\n .report-content .key-stats {\\n grid-template-columns: 1fr;\\n }\\n \\n .contact-container {\\n flex-direction: column;\\n }\\n \\n .scroll-top {\\n width: 50px;\\n height: 50px;\\n font-size: 1.2rem;\\n }\\n }\\n \\n @media (max-width: 480px) {\\n .notification-header h1 {\\n font-size: 1.6rem;\\n }\\n \\n .notification-banner h2 {\\n font-size: 1.3rem;\\n }\\n \\n .identifier {\\n font-size: 1rem;\\n padding: 12px 20px;\\n }\\n \\n .report-content {\\n padding: 20px;\\n }\\n \\n .report-content table {\\n font-size: 0.85rem;\\n }\\n \\n .report-content th, .report-content td {\\n padding: 10px;\\n }\\n }\\n &lt;/style&gt;\\n&lt;/head&gt;\\n&lt;body&gt;\\n &lt;div class=\\"background\\"&gt;&lt;/div&gt;\\n \\n &lt;div class=\\"container\\"&gt;\\n &lt;!-- Ransomware Notification Section --&gt;\\n &lt;div class=\\"notification-header\\"&gt;\\n &lt;h1&gt;NETWORK SECURITY NOTIFICATION&lt;/h1&gt;\\n &lt;div class=\\"identifier\\"&gt;YOUR PERSONAL ID: \[IDENTIFIER\]&lt;/div&gt;\\n &lt;/div&gt;\\n \\n &lt;div class=\\"notification-content\\"&gt;\\n &lt;div class=\\"notification-banner\\"&gt;\\n &lt;h2&gt;\\n YOUR CORPORATE NETWORK HAS BEEN\\n &lt;/h2&gt;\\n &lt;div class=\\"highlight\\"&gt;COMPROMISED &amp; ENCRYPTED&lt;/div&gt;\\n &lt;/div&gt;\\n \\n &lt;div class=\\"notification-body\\"&gt;\\n &lt;h3 class=\\"text-center\\"&gt;\\n &lt;i class=\\"fas fa-lock\\"&gt;&lt;/i&gt; Your files are secured with military-grade encryption (RSA-4096 + AES-256)\\n &lt;/h3&gt;\\n \\n &lt;div class=\\"warning-box\\"&gt;\\n &lt;b&gt;\\n &lt;i class=\\"fas fa-exclamation-triangle\\"&gt;&lt;/i&gt; WARNING: ANY ATTEMPT TO RESTORE FILES WITH THIRD-PARTY SOFTWARE WILL CAUSE PERMANENT DATA CORRUPTION. DO NOT MODIFY OR RENAME ENCRYPTED FILES.\\n &lt;/b&gt;\\n &lt;/div&gt;\\n \\n &lt;p&gt;\\n We have successfully infiltrated your network and encrypted critical data. All compromised information including confidential documents, financial records, and personal data is securely stored on our private servers. This server will be permanently destroyed upon confirmation of your payment. Failure to comply will result in public release of all data to media outlets and data brokers.\\n &lt;/p&gt;\\n \\n &lt;p&gt;\\n We operate purely for financial gain, not to damage your operations. To verify our capability, we offer free decryption of 2–3 non-critical files as proof of our solution.\\n &lt;/p&gt;\\n \\n &lt;h3 class=\\"text-center\\"&gt;Contact us immediately for pricing and decryption software&lt;/h3&gt;\\n \\n &lt;div class=\\"warning-box\\"&gt;\\n &lt;div class=\\"contact-container\\"&gt;\\n &lt;p&gt;&lt;b&gt;&lt;i class=\\"fas fa-envelope\\"&gt;&lt;/i&gt; EMAIL:&lt;/b&gt;&lt;/p&gt;\\n &lt;div class=\\"contact-info\\"&gt;\\n &lt;p&gt;&lt;a href=\\"mailto:recovery1@salamati.vip\\"&gt;&lt;i class=\\"fas fa-at\\"&gt;&lt;/i&gt; recovery1@salamati.vip&lt;/a&gt;&lt;/p&gt;\\n &lt;p&gt;&lt;a href=\\"mailto:recovery1@amniyat.xyz\\"&gt;&lt;i class=\\"fas fa-at\\"&gt;&lt;/i&gt; recovery1@amniyat.xyz&lt;/a&gt;&lt;/p&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n \\n &lt;p class=\\"text-center\\"&gt;\\n &lt;i class=\\"fas fa-shield-alt\\"&gt;&lt;/i&gt; For secure communication, create a new account at: \\n &lt;a href=\\"<https://protonmail.com>\\" target=\\"\_blank\\"&gt;protonmail.com&lt;/a&gt;\\n &lt;/p&gt;\\n \\n &lt;div class=\\"urgent-alert\\"&gt;\\n &lt;i class=\\"fas fa-clock\\"&gt;&lt;/i&gt; CONTACT US WITHIN 72 HOURS TO PREVENT PRICE INCREASE\\n &lt;/div&gt;\\n \\n &lt;div class=\\"contact-info\\"&gt;\\n &lt;p&gt;&lt;i class=\\"fas fa-user-secret\\"&gt;&lt;/i&gt; TOR CHAT (24/7 SUPPORT):&lt;/p&gt;\\n &lt;a href=\\"<a href="">http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion\\"&gt;\\n</a> <a href="">http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion\\n</a> &lt;/a&gt;\\n &lt;/div&gt;\\n \\n &lt;div class=\\"contact-info\\"&gt;\\n &lt;p&gt;&lt;i class=\\"fas fa-comment-dots\\"&gt;&lt;/i&gt; qTox ID:&lt;/p&gt;\\n &lt;div class=\\"tox-id\\"&gt;7C564920870C0D33535D2012ECDDE389FE25BAF7AF427DD584EE39C04AF8CF024F8BFA93D8DB&lt;/div&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n \\n &lt;!-- Report Section Divider --&gt;\\n &lt;div class=\\"report-divider\\"&gt;\\n &lt;h2&gt;&lt;i class=\\"fas fa-file-contract\\"&gt;&lt;/i&gt; DATA BREACH REGULATORY CONSEQUENCES REPORT&lt;/h2&gt;\\n &lt;/div&gt;\\n \\n &lt;!-- Regulatory Consequences Report --&gt;\\n &lt;div class=\\"report-content\\"&gt;\\n &lt;h1&gt;Global Data Breach Regulatory Liability Analysis&lt;/h1&gt;\\n \\n &lt;div class=\\"key-stats\\"&gt;\\n &lt;div class=\\"stat-card\\"&gt;\\n &lt;span class=\\"stat-number\\"&gt;€20M&lt;/span&gt;\\n &lt;div&gt;Maximum EU GDPR Fine&lt;/div&gt;\\n &lt;/div&gt;\\n &lt;div class=\\"stat-card\\"&gt;\\n &lt;span class=\\"stat-number\\"&gt;$4.88M&lt;/span&gt;\\n &lt;div&gt;Average Breach Cost (2024)&lt;/div&gt;\\n &lt;/div&gt;\\n &lt;div class=\\"stat-card\\"&gt;\\n &lt;span class=\\"stat-number\\"&gt;277&lt;/span&gt;\\n &lt;div&gt;Days Recovery Time&lt;/div&gt;\\n &lt;/div&gt;\\n &lt;div class=\\"stat-card\\"&gt;\\n &lt;span class=\\"stat-number\\"&gt;65%&lt;/span&gt;\\n &lt;div&gt;Customer Attrition Rate&lt;/div&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"region-section eu-section\\"&gt;\\n &lt;h2&gt;European Union Regulations&lt;/h2&gt;\\n \\n &lt;div class=\\"highlight\\"&gt;\\n &lt;strong&gt;Primary Regulation:&lt;/strong&gt; General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679\\n &lt;/div&gt;\\n \\n &lt;h3&gt;Key Requirements&lt;/h3&gt;\\n &lt;ul&gt;\\n &lt;li&gt;&lt;strong&gt;Articles 33–34:&lt;/strong&gt; Mandatory 72-hour breach notification to authorities&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Article 83:&lt;/strong&gt; Fines up to &lt;span class=\\"fine-amount\\"&gt;€20 million or 4% of global annual revenue&lt;/span&gt; (whichever is higher)&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Article 82:&lt;/strong&gt; Right to compensation for damages&lt;/li&gt;\\n &lt;/ul&gt;\\n \\n &lt;h3&gt;Notable Enforcement Actions&lt;/h3&gt;\\n &lt;div class=\\"case-study\\"&gt;\\n &lt;strong&gt;Meta (Facebook):&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;€1.2 billion&lt;/span&gt; (2023) – Data transfers violation&lt;br&gt;\\n &lt;strong&gt;Amazon:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;€746 million&lt;/span&gt; (2021) – Inadequate consent mechanisms&lt;br&gt;\\n &lt;strong&gt;British Airways:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;€229 million&lt;/span&gt; – 500,000 customer records compromised\\n &lt;/div&gt;\\n \\n &lt;p&gt;&lt;strong&gt;Average Cost of Breach:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;€4.67 million&lt;/span&gt; (IBM Security 2024 Report)&lt;/p&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"region-section usa-section\\"&gt;\\n &lt;h2&gt;United States Regulations&lt;/h2&gt;\\n \\n &lt;h3&gt;Federal Compliance Frameworks&lt;/h3&gt;\\n \\n &lt;h4&gt;Health Insurance Portability and Accountability Act (HIPAA)&lt;/h4&gt;\\n &lt;ul&gt;\\n &lt;li&gt;&lt;strong&gt;Civil penalties:&lt;/strong&gt; $141 – &lt;span class=\\"fine-amount\\"&gt;$2,134,831&lt;/span&gt; per violation&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Criminal penalties:&lt;/strong&gt; Up to 10 years imprisonment + $250,000 fines&lt;/li&gt;\\n &lt;/ul&gt;\\n \\n &lt;h4&gt;California Consumer Privacy Act (CCPA/CPRA)&lt;/h4&gt;\\n &lt;ul&gt;\\n &lt;li&gt;&lt;strong&gt;Regulatory fines:&lt;/strong&gt; $2,500–$7,500 per violation&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Private actions:&lt;/strong&gt; $100–$750 per affected California resident&lt;/li&gt;\\n &lt;/ul&gt;\\n \\n &lt;h3&gt;Major Settlements&lt;/h3&gt;\\n &lt;div class=\\"case-study\\"&gt;\\n &lt;strong&gt;Equifax:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;$575 million&lt;/span&gt; – 147 million consumers impacted&lt;br&gt;\\n &lt;strong&gt;Facebook/Meta:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;$5 billion&lt;/span&gt; – FTC privacy violation penalty&lt;br&gt;\\n &lt;strong&gt;Anthem Inc:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;$115 million&lt;/span&gt; – 79 million medical records breached\\n &lt;/div&gt;\\n \\n &lt;h3&gt;Sector-Specific Impacts&lt;/h3&gt;\\n &lt;ul&gt;\\n &lt;li&gt;&lt;strong&gt;Healthcare:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;$10.93 million&lt;/span&gt; average breach cost&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Financial Services:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;$5.9 million&lt;/span&gt; average breach cost&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Critical Infrastructure:&lt;/strong&gt; Mandatory reporting within 72 hours (CIRCIA 2022)&lt;/li&gt;\\n &lt;/ul&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"region-section asia-section\\"&gt;\\n &lt;h2&gt;Asia-Pacific Regulations&lt;/h2&gt;\\n \\n &lt;table&gt;\\n &lt;thead&gt;\\n &lt;tr&gt;\\n &lt;th&gt;Jurisdiction&lt;/th&gt;\\n &lt;th&gt;Governing Law&lt;/th&gt;\\n &lt;th&gt;Maximum Fine&lt;/th&gt;\\n &lt;th&gt;Criminal Liability&lt;/th&gt;\\n &lt;/tr&gt;\\n &lt;/thead&gt;\\n &lt;tbody&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;South Korea&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;Personal Information Protection Act (PIPA)&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;₩30M + 3% revenue&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;6 months imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;Singapore&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;Personal Data Protection Act (PDPA)&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;S$1M or 10% revenue&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;2 years imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;Japan&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;Act on Protection of Personal Information (APPI)&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;¥100 million&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;1 year imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;Thailand&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;Personal Data Protection Act (PDPA)&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;฿7 million&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;Administrative sanctions&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;/tbody&gt;\\n &lt;/table&gt;\\n \\n &lt;h3&gt;Notable Cases&lt;/h3&gt;\\n &lt;div class=\\"case-study\\"&gt;\\n &lt;strong&gt;SK Telecom (South Korea):&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;₩643 billion market cap loss&lt;/span&gt; – 26.96 million records&lt;br&gt;\\n &lt;strong&gt;Singapore IHiS:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;S$750,000 fine&lt;/span&gt; – 1.5 million patient records&lt;br&gt;\\n &lt;strong&gt;Thai Company:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;฿7 million&lt;/span&gt; – First PDPA violation fine\\n &lt;/div&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"summary-section\\"&gt;\\n &lt;h2&gt;Global Regulatory Penalty Comparison&lt;/h2&gt;\\n \\n &lt;table&gt;\\n &lt;thead&gt;\\n &lt;tr&gt;\\n &lt;th&gt;Region/Jurisdiction&lt;/th&gt;\\n &lt;th&gt;Maximum Financial Penalty&lt;/th&gt;\\n &lt;th&gt;Criminal Liability&lt;/th&gt;\\n &lt;/tr&gt;\\n &lt;/thead&gt;\\n &lt;tbody&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;European Union (GDPR)&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;€20M or 4% global revenue&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;Member state determination&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;USA Federal (HIPAA)&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;$2.13M per violation&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;10 years imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;California (CCPA)&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;$7,500 per violation&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;Not applicable&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;South Korea (PIPA)&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;₩30M + 3% revenue&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;6 months imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;tr&gt;\\n &lt;td&gt;&lt;strong&gt;Singapore (PDPA)&lt;/strong&gt;&lt;/td&gt;\\n &lt;td&gt;&lt;span class=\\"fine-amount\\"&gt;S$1M or 10% revenue&lt;/span&gt;&lt;/td&gt;\\n &lt;td&gt;2 years imprisonment&lt;/td&gt;\\n &lt;/tr&gt;\\n &lt;/tbody&gt;\\n &lt;/table&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"region-section\\"&gt;\\n &lt;h2&gt;Business Impact Analysis&lt;/h2&gt;\\n \\n &lt;ul&gt;\\n &lt;li&gt;&lt;strong&gt;Financial:&lt;/strong&gt; Average breach cost increased to &lt;span class=\\"fine-amount\\"&gt;$4.88 million&lt;/span&gt; in 2024 (12% YoY growth)&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Reputational:&lt;/strong&gt; &lt;span class=\\"fine-amount\\"&gt;65% of consumers&lt;/span&gt; discontinue relationships with breached organizations&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Operational:&lt;/strong&gt; Mean business disruption period of &lt;span class=\\"fine-amount\\"&gt;277 days&lt;/span&gt;&lt;/li&gt;\\n &lt;li&gt;&lt;strong&gt;Regulatory:&lt;/strong&gt; 157% increase in global data protection regulations since 2018&lt;/li&gt;\\n &lt;/ul&gt;\\n \\n &lt;h3&gt;Business Continuity Risks&lt;/h3&gt;\\n &lt;div class=\\"case-study\\"&gt;\\n &lt;strong&gt;National Public Data:&lt;/strong&gt; Bankruptcy following breach of 2.7 billion records&lt;br&gt;\\n &lt;strong&gt;23andMe:&lt;/strong&gt; Bankruptcy proceedings after 6.9 million genetic profiles exposed&lt;br&gt;\\n &lt;strong&gt;Retail Chain:&lt;/strong&gt; 42% revenue decline post-breach (Forrester Research)\\n &lt;/div&gt;\\n \\n &lt;div class=\\"highlight\\"&gt;\\n &lt;strong&gt;Conclusion:&lt;/strong&gt; Data breaches represent existential threats to organizational viability through regulatory penalties, litigation exposure, customer attrition, and operational disruption. Proactive resolution minimizes financial and reputational damage.\\n &lt;/div&gt;\\n &lt;/div&gt;\\n\\n &lt;div class=\\"references\\"&gt;\\n &lt;h3&gt;Reference Documentation&lt;/h3&gt;\\n &lt;p&gt;&lt;em&gt;This analysis incorporates statutory requirements, enforcement actions, and cost data from: EU GDPR (2016/679), US HIPAA, CCPA/CPRA, PDPA (Singapore), APPI (Japan), PIPA (South Korea), IBM Security Cost of Data Breach Report (2024), Forrester Research, Gartner, and regulatory enforcement databases.&lt;/em&gt;&lt;/p&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n &lt;/div&gt;\\n \\n &lt;!-- Footer --&gt;\\n &lt;div class=\\"footer\\"&gt;\\n &lt;p&gt;This communication is confidential and intended solely for the recipient. Unauthorized use prohibited.&lt;/p&gt;\\n &lt;p&gt;© 2024 Network Security Operations&lt;/p&gt;\\n &lt;/div&gt;\\n \\n &lt;!-- Scroll to top button --&gt;\\n &lt;div class=\\"scroll-top\\" onclick=\\"window.scrollTo({top: 0, behavior: 'smooth'})\\"&gt;\\n &lt;i class=\\"fas fa-arrow-up\\"&gt;&lt;/i&gt;\\n &lt;/div&gt;\\n \\n &lt;script&gt;\\n // Show/hide scroll to top button\\n window.addEventListener('scroll', function() {\\n const scrollButton = document.querySelector('.scroll-top');\\n if (window.scrollY &gt; 500) {\\n scrollButton.style.display = 'flex';\\n } else {\\n scrollButton.style.display = 'none';\\n }\\n });\\n \\n // Add subtle animation to stats\\n document.addEventListener('DOMContentLoaded', function() {\\n const statCards = document.querySelectorAll('.stat-card');\\n statCards.forEach((card, index) =&gt; {\\n setTimeout(() =&gt; {\\n card.style.opacity = '1';\\n card.style.transform = 'translateY(0)';\\n }, 300  *index);\\n });\\n });\\n &lt;/script&gt;\\n&lt;/body&gt;\\n&lt;/html&gt;",  
"requirementsFileName": "read\_to\_decrypt\_files.html",  
"skipExtensions": \[  
".dll",  
".sys",  
".readtext*",  
".readtext95"  
\],  
"skipPathes": \[  
"C:\\perflogs",  
"C:\\Intel",  
"C:\\HP",  
"C:\\AMD",  
"C:\\Dell",  
"C:\\Drivers",  
"C:\\inetpub",  
"B:\\Boot",  
"A:\\Boot",  
"B:\\EFI",  
"A:\\EFI",  
"C:\\ProgramData\\Anydesk",  
":\\Boot"  
\],  
"startPathes": \[  
"/volume/",  
"/vmfs/",  
"/share/",  
"/volumeusb/",  
"/volume0/",  
"/volume1",  
"/volume2",  
"/volumeUSB1",  
"/volume3",  
"/volume4",  
"/volume5",  
"/volume6",  
"/shares"  
\],  
"threadPool": true,  
"threadPoolMaxThreads": 32,  
"threadPoolPriorityExtensions": \[  
".sql",  
".bak",  
".VHDX"  
\]  
}

![35.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-1cbaa1f9dcb600124c07b2ff79fd527daf497397.png)

**Block模式**是该勒索软件的一种**智能队列管理和动态负载均衡机制**，用于优化多线程加密性能并提供实时监控能力。通过智能队列管理系统将发现的文件先加入待处理队列，然后由动态调整的工作线程池批量处理，同时实时监控CPU使用率——当CPU占用超过90%时自动减少线程数避免系统卡顿，CPU空闲时则增加并发度提升加密速度

![36.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-33ab23d6ac333006f493aba46f61556de152e75f.png)

直接加密模式为直接对文件进行加密

![37.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-a309375e316cbc7a1a3882abf6395815730d165d.png)

### 4.1.8encrypt\_single\_file函数

![38.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-5ed874a6108f8adb23bfa9ec9356383ddbe06f84.png)

![39.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-88c3adbb742dca1eacfd457e4687c8987b554c9b.png)

![40.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-4abfe2e27663e65cfb89e41b7fc098018dde0bc2.png)

![41.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-b01b1e38dcded62bbea13d4f9fad839fd6ff2014.png)

### 4.1.9chacha20\_encrypt\_file\_content

加密文件的核心函数，条状加密。

![42.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-751d1ef3a0f202221aa96110b909a37ca2ca6420.png)

### 4.10 sub\_14003CA40

rsa密钥对初始化

![43.png](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2025/09/attach-96a239175430970d6b5c16af2cec9ba593c81538.png)

5.**病毒分析概览**
============

该样本属于具备典型勒索软件全链路特征的加密型威胁：感染后首先通过内置的 `preRunCommands` 杀死/停止数据库与备份相关进程并删除卷影副本（`vssadmin`/`wbadmin`/`wmic` 等）以阻断恢复路径，清空回收站并尝试修改引导恢复策略以增加破坏性；持久化通过添加启动项实现（`add_to_startup`）；文件加密采用**条状加密**策略（每条 `1136023` 字节，累计加密上限 `3853566` 字节），对非黑名单后缀文件进行加密并在原名后追加扩展名 `.blackheart588`，加密内容使用 ChaCha20（本地随机 KEY 生成流程）配合内置 RSA 公钥进行密钥保护；加密器以多线程/线程池（最多 32 线程，含 Block 模式的智能队列与动态负载均衡）遍历挂载盘并按排除路径跳过系统目录与特定厂商目录，运行时可显示加密进度窗口且支持更换桌面壁纸（可选）；配置中包含固定 `masterPublicKey`、跳过路径/后缀列表、优先加密的扩展名与线程优先级规则，说明样本针对大型企业环境做了优化（优先停止 SQL/备份服务、并发加速、CPU 占用自调节）。总体来看，该勒索样本在传播与破坏链路上以“阻断恢复 → 快速并发加密 → 密钥外包（RSA 保护）”为核心，易于通过监测异常 `preRunCommands` 调用、卷影删除、批量 taskkill/wbadmin 活动及大量 `.blackheart588` 新增文件名进行检测和响应。

发表于 2025-10-31 09:00:00
阅读 ( 538 )
分类：漏洞分析

【病毒分析】MEDUSA LOCKER勒索windows版本分析

0 条评论