Ransomware Incident Response - Windows
Ransomware is one of the most destructive threats in a Windows environment: it directly causes business interruption and data loss.
This chapter covers: ransomware behaviour detection, VSS deletion detection, recovery options, family identification, hardening measures
Cross-reference: 14.6 Ransomware Incident Response
1. Ransomware Attack Chain Overview
1.1 Typical attack flow
```text
Initial access → Privilege escalation → Lateral movement → Data theft (double extortion) → Disable defences → Delete backups → Encrypt files → Drop ransom note
```
Dwell time from intrusion to encryption: from a few hours (automated) to several weeks (human-operated, APT-style intrusions)
Modern ransomware is mostly **human-operated ransomware**: the attacker breaks in by hand and then deploys the encryptor in bulk
Critical time window: there are usually only minutes between backup deletion and file encryption
1.2 Common ransomware families (2024-2026)

| Family | Encrypted extension | Ransom note filename | Characteristics |
|---|---|---|---|
| LockBit 3.0/4.0 | random string | RESTORE-MY-FILES.txt | Fast, multi-threaded |
| BlackCat/ALPHV | random 7 characters | RECOVER-[ID]-FILES.txt | Written in Rust |
| Royal/BlackSuit | .royal/.blacksuit | README.BlackSuit.txt | No RaaS model |
| Akira | .akira | akira_readme.txt | Multi-platform |
| Play | .play | ReadMe.txt | No RaaS |
| Clop | .clop | ClopReadMe.txt | Large-scale data leaks |
| Phobos | .phobos/.eking | info.txt + info.hta | Primarily RDP intrusion |
| Medusa | .MEDUSA | !!!READ_ME_MEDUSA!!!.txt | Data leak site |
2. VSS (Volume Shadow Copy) Deletion Detection ★ Key
2.1 Why attackers delete VSS
VSS (Volume Shadow Copy) is Windows' built-in backup mechanism; it stores historical versions of files
If shadow copies exist, the victim can restore files directly from them without paying the ransom
Therefore almost every ransomware family deletes shadow copies before encrypting
Detecting VSS deletion = detecting the precursor behaviour of ransomware
2.2 VSS deletion methods and detection
vssadmin delete shadows
The most common VSS deletion commands:
```batch
vssadmin delete shadows /all /quiet
:: Shrinking the shadow storage below its current usage forces Windows to purge the existing copies
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
```
Detection:
```powershell
# Requires process creation auditing with command-line logging enabled (Properties[8] = CommandLine)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[8].Value -match 'vssadmin.*delete|vssadmin.*resize' } |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[1].Value}},
        @{N='Process';E={$_.Properties[5].Value}},
        @{N='CommandLine';E={$_.Properties[8].Value}} |
    Format-List
```
wmic shadowcopy delete
```batch
wmic shadowcopy delete
wmic shadowcopy list brief
```
Detection:
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[8].Value -match 'wmic.*shadowcopy.*delete' } |
    Select-Object TimeCreated, @{N='Cmd';E={$_.Properties[8].Value}}
```
PowerShell method
```powershell
Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
```
Detection: search PowerShell 4104 (script block logging) events for the ShadowCopy/Delete keywords
VSS/WMI provider logs
```powershell
# VSS provider entries in the Application log
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 20 |
    Format-List

# Shadow-copy related entries in the System log
Get-WinEvent -FilterHashtable @{LogName='System'} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'shadow cop' -or $_.ProviderName -match 'VSS' } |
    Select-Object TimeCreated, Id, ProviderName, Message -First 20 |
    Format-List
```
diskshadow.exe (rare but effective)
```batch
:: Delete via a diskshadow script
diskshadow /s delete_shadows.txt
:: Script content: delete shadows all
```
Detection is the same: search 4688 for diskshadow execution
2.3 Combined VSS deletion detection script
```powershell
# Patterns covering the anti-recovery commands discussed in sections 2 to 4
$vssPatterns = @(
    'vssadmin.*delete.*shadows',
    'vssadmin.*resize.*shadowstorage',
    'wmic.*shadowcopy.*delete',
    'Win32_ShadowCopy.*Delete',
    'Remove-CimInstance.*ShadowCopy',
    'diskshadow.*delete',
    'bcdedit.*recoveryenabled.*no',
    'bcdedit.*bootstatuspolicy.*ignoreallfailures',
    'wbadmin.*delete.*catalog',
    'wbadmin.*delete.*systemstatebackup'
)
$regex = ($vssPatterns -join '|')

Write-Host "=== Checking Security 4688 ===" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -match $regex } |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[1].Value}},
        @{N='CommandLine';E={$_.Properties[8].Value}} |
    Format-List

Write-Host "=== Checking Sysmon ID 1 ===" -ForegroundColor Cyan
# Sysmon event 1: Properties[4] = Image, Properties[10] = CommandLine
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -match $regex } |
    Select-Object TimeCreated,
        @{N='Image';E={$_.Properties[4].Value}},
        @{N='CommandLine';E={$_.Properties[10].Value}} |
    Format-List

Write-Host "=== Checking PowerShell 4104 ===" -ForegroundColor Cyan
# 4104: Properties[2] = ScriptBlockText; only the first 300 characters are shown
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'ShadowCopy|vssadmin|shadowstorage' } |
    Select-Object TimeCreated,
        @{N='Script';E={$_.Properties[2].Value.Substring(0, [Math]::Min(300, $_.Properties[2].Value.Length))}} |
    Format-List
```
3. BCDEdit Recovery-Disabling Detection
3.1 Attacker actions
```batch
:: Disable Windows recovery mode
bcdedit /set {default} recoveryenabled No
:: Ignore all boot failures
bcdedit /set {default} bootstatuspolicy ignoreallfailures
:: Force Safe Mode with Networking on the next boot (see section 8 on Safe Mode ransomware)
bcdedit /set {current} safeboot network
```
Purpose: prevent the user from repairing the system through recovery mode
3.2 Detection
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[8].Value -match 'bcdedit' } |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[1].Value}},
        @{N='CommandLine';E={$_.Properties[8].Value}} |
    Format-List
```
```powershell
# Current boot configuration: any of these three values being set is suspicious
bcdedit /enum | Select-String "recoveryenabled|bootstatuspolicy|safeboot"
```
3.3 Re-enabling recovery mode
```batch
:: Re-enable recovery mode
bcdedit /set {default} recoveryenabled Yes
bcdedit /deletevalue {default} bootstatuspolicy
bcdedit /deletevalue {current} safeboot
```
4. Other Anti-Recovery Operations
4.1 Windows Backup deletion
```batch
:: Delete the Windows Backup catalog and system state backups
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup -keepVersions:0
```
Detection as above: search 4688 for wbadmin commands
4.2 Disk operations
```batch
:: Empty the Recycle Bin
rd /s /q %SYSTEMDRIVE%\$Recycle.Bin
:: Delete system restore points
powershell -command "Get-ComputerRestorePoint | Disable-ComputerRestore"
```
4.3 Security software disabling
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object {
        $_.Properties[8].Value -match 'Set-MpPreference.*-DisableRealtimeMonitoring.*True' -or
        $_.Properties[8].Value -match 'sc\s+stop\s+WinDefend' -or
        $_.Properties[8].Value -match 'net\s+stop.*WinDefend'
    } |
    Select-Object TimeCreated, @{N='Cmd';E={$_.Properties[8].Value}}
```
```powershell
# Current Defender state
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusEnabled, AntispywareEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled

# Exclusions added by the attacker keep the encryptor out of scanning
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```
```powershell
# Defender operational log: 5001 = real-time protection disabled, 5007 = configuration changed
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5001,5007} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```
4.4 Firewall rule modification
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object {
        $_.Properties[8].Value -match 'netsh.*advfirewall.*set.*state.*off' -or
        $_.Properties[8].Value -match 'Set-NetFirewallProfile.*-Enabled.*False'
    } |
    Select-Object TimeCreated, @{N='Cmd';E={$_.Properties[8].Value}}
```
5. USN Journal Mass-Rename Detection
5.1 USN Journal overview
The USN (Update Sequence Number) Journal records every file change on an NTFS volume
When ransomware encrypts, it produces a large number of file rename/modify operations that leave obvious traces in the USN Journal
Path: $Extend\$UsnJrnl:$J (requires special tools to read)
5.2 Analysing the USN Journal
```powershell
# Confirm the journal exists and note its size and first USN
fsutil usn queryjournal C:
```
```batch
:: Parse the USN Journal with MFTECmd (Eric Zimmerman)
:: First extract $J with RawCopy or FTK Imager
MFTECmd.exe -f "$J" --csv "C:\IR\" --csvf usn_journal.csv
```
In the parsed CSV, look for:
- a large number of RenameNewName operations within a short time (files renamed to the encrypted extension)
- a large number of DataOverwrite + Close operations (file contents overwritten with ciphertext)
- operations concentrated in a single process
```powershell
$usn = Import-Csv "C:\IR\usn_journal.csv"
# Which extensions are files being renamed to? The encrypted suffix normally tops the list
$usn | Where-Object { $_.UpdateReasons -match 'RenameNewName' } |
    Group-Object { [System.IO.Path]::GetExtension($_.Name) } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```
5.3 Identifying the encryption time window
```powershell
# Group encrypted files by LastWriteTime minute: the busiest minutes are the encryption window
$encryptedExt = ".lockbit"
Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq $encryptedExt } |
    Group-Object { $_.LastWriteTime.ToString("yyyy-MM-dd HH:mm") } |
    Sort-Object Name |
    Select-Object Count, Name |
    Format-Table
```
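As an added example (not part of the original chapter), the same window-finding idea applied to the USN CSV parsed in section 5.2 rather than to LastWriteTime: it buckets RenameNewName events per minute, treats the minutes above a threshold as the encryption window, and reports the extensions files were renamed to. The rows below are constructed sample data; the column names Name, UpdateReasons and UpdateTimestamp are assumed to match MFTECmd's USN output, so check the header of your own CSV.

```powershell
function Get-UsnMinute([string]$Timestamp) { ([datetime]$Timestamp).ToString('yyyy-MM-dd HH:mm') }

function Get-UsnEncryptionWindow {
    param(
        [Parameter(Mandatory)][object[]]$Rows,   # objects from Import-Csv of the MFTECmd USN output
        [int]$MinRenamesPerMinute = 50           # minutes below this are treated as normal user activity
    )
    $renames = @($Rows | Where-Object { $_.UpdateReasons -match 'RenameNewName' })
    # Minutes with an abnormal rename rate, oldest first
    $hot = @($renames | Group-Object { Get-UsnMinute $_.UpdateTimestamp } |
        Where-Object Count -ge $MinRenamesPerMinute | Sort-Object Name)
    if ($hot.Count -eq 0) { return $null }
    $start = $hot[0].Name; $end = $hot[-1].Name
    # Fixed-width 'yyyy-MM-dd HH:mm' strings, so string comparison orders them correctly
    $inWindow = @($renames | Where-Object {
        $m = Get-UsnMinute $_.UpdateTimestamp; $m -ge $start -and $m -le $end })
    $extensions = $inWindow |
        Group-Object { [System.IO.Path]::GetExtension($_.Name) } |
        Sort-Object Count -Descending | Select-Object -First 3 |
        ForEach-Object { "$($_.Name)=$($_.Count)" }
    [pscustomobject]@{
        Start         = $start
        End           = $end
        Renames       = $inWindow.Count
        TopExtensions = $extensions -join ', '
    }
}

# Constructed sample: a little normal activity at 01:50, then 120 files renamed to .lockbit across 02:13-02:14
$sample = @(
    [pscustomobject]@{ Name='notes.txt';   UpdateReasons='RenameNewName|Close'; UpdateTimestamp='2025-03-01 01:50:10' }
    [pscustomobject]@{ Name='draft2.docx'; UpdateReasons='RenameNewName|Close'; UpdateTimestamp='2025-03-01 01:52:41' }
)
$sample += 0..119 | ForEach-Object {
    [pscustomobject]@{
        Name            = 'report{0}.docx.lockbit' -f $_
        UpdateReasons   = 'RenameNewName|Close'
        UpdateTimestamp = '2025-03-01 02:{0:d2}:{1:d2}' -f (13 + [int][math]::Floor($_ / 60)), ($_ % 60)
    }
}
Get-UsnEncryptionWindow -Rows $sample | Format-List
# Real journal: Get-UsnEncryptionWindow -Rows (Import-Csv 'C:\IR\usn_journal.csv')
```

On the sample this reports Start 2025-03-01 02:13, End 2025-03-01 02:14, 120 renames and TopExtensions ".lockbit=120"; the two normal renames at 01:50 fall below the threshold and are ignored.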
6. Ransomware Family Identification
6.1 By encrypted extension
```powershell
# Most common extensions under C:\Users: an unfamiliar extension with a high count is the encrypted suffix
Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -and $_.Extension.Length -gt 1 } |
    Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 30
```
Common encrypted-extension-to-family mappings (examples):
- .lockbit / .{random_hex} → LockBit
- .phobos / .eking / .eight → Phobos
- .play → Play
- .akira → Akira
- .royal / .blacksuit → Royal/BlackSuit
- .clop → Clop
6.2 By ransom note
```powershell
$ransomNoteNames = @(
    'README.txt', 'DECRYPT*.txt', 'RECOVER*.txt', 'RESTORE*.txt',
    'HOW_TO_DECRYPT*', 'HOW_TO_RECOVER*', '*_readme.txt', '!!!READ_ME*',
    'info.hta', 'info.txt', 'DECRYPT-FILES.txt', 'YOUR_FILES*', '*.hta'
)
foreach ($pattern in $ransomNoteNames) {
    Get-ChildItem -Path "C:\" -Filter $pattern -Recurse -ErrorAction SilentlyContinue -Depth 3 |
        Select-Object FullName, LastWriteTime -First 5
}
```
```powershell
# Print the first ransom note found; its wording and contact channel identify the family
$ransomNote = Get-ChildItem -Path "C:\Users\" -Filter "README*" -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($ransomNote) {
    Write-Host "=== Ransom Note: $($ransomNote.FullName) ===" -ForegroundColor Red
    Get-Content $ransomNote.FullName
}
```
6.3 Online identification tools
- ID Ransomware (https://id-ransomware.malwarehunterteam.com/): upload the ransom note or an encrypted file sample to identify the family
- No More Ransom (https://www.nomoreransom.org/): free decryptors for known families
- VirusTotal: upload the ransomware sample to get detection results
6.4 Obtaining the ransomware sample
```powershell
# Recently created executables and scripts in the usual drop locations, hashed for lookup
Get-ChildItem -Path "C:\Users\","C:\Windows\Temp\","C:\ProgramData\" -Include "*.exe","*.dll","*.bat","*.ps1" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, CreationTime, Length,
        @{N='SHA256';E={(Get-FileHash $_.FullName -Algorithm SHA256).Hash}} |
    Sort-Object CreationTime -Descending |
    Format-List
```
```powershell
# Prefetch shows which executables ran recently, even if the binary was deleted afterwards
Get-ChildItem "C:\Windows\Prefetch\*.pf" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-3) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime -First 20
```
7. VSS Recovery
7.1 Check whether shadow copies survived
```powershell
vssadmin list shadows
Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName, DeviceObject
```
7.2 Restoring files from VSS
```powershell
# Method 1: expose every shadow copy as a directory junction under C:\IR
# (the trailing backslash on the device path is required)
$shadows = Get-CimInstance Win32_ShadowCopy
foreach ($shadow in $shadows) {
    $deviceObj = $shadow.DeviceObject
    $linkPath = "C:\IR\Shadow_$($shadow.InstallDate.ToString('yyyyMMdd_HHmmss'))"
    cmd /c "mklink /d `"$linkPath`" `"$deviceObj\`""
    Write-Host "Mounted: $linkPath → $deviceObj"
}
```
```batch
:: Method 2: vssadmin + mklink
vssadmin list shadows
:: Note the Shadow Copy Volume path, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
:: Create a symbolic link to it
mklink /d C:\IR\ShadowMount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
```
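An added example building on method 1 above (not code from the original chapter): pull the pre-encryption copy of one file out of the newest shadow copy that was created before the encryption window found in section 5.3. It assumes C:\IR exists and that the shell is elevated; the document path and the window start are constructed sample values.

```powershell
function Restore-FileFromShadow {
    param(
        [Parameter(Mandatory)][string]$OriginalPath,   # full path of the file as it was before encryption
        [Parameter(Mandatory)][datetime]$Before,       # start of the encryption window from section 5.3
        [string]$Destination = 'C:\IR\Restored'
    )
    $root     = [System.IO.Path]::GetPathRoot($OriginalPath)      # C:\
    $relative = $OriginalPath.Substring($root.Length)             # Users\alice\Documents\report.docx
    # Win32_Volume.DeviceID has the same \\?\Volume{guid}\ form as Win32_ShadowCopy.VolumeName,
    # which is how a shadow copy is mapped back to a drive letter
    $volumeIds = @(Get-CimInstance Win32_Volume |
        Where-Object { $_.DriveLetter -eq $root.TrimEnd('\') } | ForEach-Object DeviceID)
    # Newest shadow of that volume that predates the encryption window; later ones may already hold ciphertext
    $shadow = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -in $volumeIds -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $shadow) { Write-Warning "No shadow copy of $root older than $Before"; return $null }
    # Expose the shadow as a directory junction, as in method 1 (trailing backslash required)
    $link = "C:\IR\Shadow_$($shadow.InstallDate.ToString('yyyyMMdd_HHmmss'))"
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c "mklink /d `"$link`" `"$($shadow.DeviceObject)\`"" | Out-Null
    }
    $source = Join-Path $link $relative
    if (-not (Test-Path -LiteralPath $source)) { Write-Warning "Not present in shadow: $source"; return $null }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $target = Join-Path $Destination ([System.IO.Path]::GetFileName($OriginalPath))
    Copy-Item -LiteralPath $source -Destination $target -Force
    # Hash the recovered copy so the restore is documented in the IR record
    [pscustomobject]@{
        Restored   = $target
        FromShadow = $shadow.InstallDate
        SHA256     = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    }
}

# Constructed sample call: restore one user document from the last pre-encryption shadow copy
Restore-FileFromShadow -OriginalPath 'C:\Users\alice\Documents\report.docx' -Before (Get-Date '2025-03-01 02:13')
```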
7.3 Third-party recovery tools
- ShadowExplorer: GUI tool for browsing and exporting files from shadow copies
- Arsenal Image Mounter: can mount a shadow copy as a separate volume
- Recuva / R-Studio: attempt to recover deleted (but not overwritten) original files
- PhotoRec / TestDisk: signature-based data recovery (suited to files that were deleted but not encrypted)
8. Safe Mode Ransomware
8.1 How the Safe Mode attack works
Some ransomware families (e.g. Snatch, AvosLocker, REvil) reboot the machine into Safe Mode before encrypting
- In Safe Mode most security software and EDR agents do not run
- In Safe Mode fewer files are locked, so encryption is more complete
Attack method:
```batch
:: Boot into minimal Safe Mode on the next restart
bcdedit /set {current} safeboot minimal
:: Register the ransomware as a service allowed to run in Safe Mode
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RansomService" /ve /t REG_SZ /d "Service" /f
:: Reboot
shutdown /r /f /t 0
```
8.2 Detection
```powershell
bcdedit /enum | Select-String "safeboot"

# Check the SafeBoot registry keys (which services run in Safe Mode)
# Minimal = Safe Mode, Network = Safe Mode with Networking
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" | Select-Object PSChildName | Sort-Object PSChildName
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" | Select-Object PSChildName | Sort-Object PSChildName
```
```powershell
# System event 12 (Kernel-General) is written at every boot: look for an unexpected reboot in the attack window
Get-WinEvent -FilterHashtable @{LogName='System'; Id=12} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 10

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[8].Value -match 'bcdedit.*safeboot' } |
    Select-Object TimeCreated, @{N='Cmd';E={$_.Properties[8].Value}}
```
9. Emergency Containment
9.1 Network isolation
```powershell
# Disable every network adapter (console access only from this point)
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

# Firewall rules: block all outbound traffic, allow inbound only from the IR workstation (10.0.0.100)
New-NetFirewallRule -DisplayName "IR-BlockAll-Outbound" -Direction Outbound -Action Block -Enabled True
New-NetFirewallRule -DisplayName "IR-AllowAdmin" -Direction Inbound -Action Allow -RemoteAddress "10.0.0.100" -Enabled True
```
9.2 Process termination
```powershell
# Encryptors are CPU-heavy: the top consumers are the first candidates to examine and stop
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Name, Id, CPU, WorkingSet64
```
9.3 Quick forensic preservation
```powershell
$irDir = "C:\IR\Ransomware_$(Get-Date -Format yyyyMMdd_HHmmss)"
New-Item -ItemType Directory -Path $irDir -Force | Out-Null

# Volatile state first
Get-Process | Select-Object Name, Id, Path, StartTime, CPU, WorkingSet64 | Export-Csv "$irDir\processes.csv" -NoTypeInformation
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Export-Csv "$irDir\network_connections.csv" -NoTypeInformation
Get-Service | Select-Object Name, DisplayName, Status, StartType | Export-Csv "$irDir\services.csv" -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, @{N='Action';E={$_.Actions.Execute}} | Export-Csv "$irDir\scheduled_tasks.csv" -NoTypeInformation

# One ransom note and a few recently modified (encrypted) files for family identification
Get-ChildItem -Path "C:\Users\" -Include "README*","DECRYPT*","RESTORE*","HOW_TO*","info.hta" -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 1 | Copy-Item -Destination $irDir
Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Extension -notin @('.exe','.dll','.sys') } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 | Copy-Item -Destination $irDir

Write-Host "[+] Evidence collected: $irDir" -ForegroundColor Green
```
10. Windows Hardening for Ransomware Protection
10.1 Attack Surface Reduction (ASR) rules
ASR is an advanced protection feature of Windows Defender that blocks common attack behaviours
```powershell
# Currently configured ASR rules: Ids and Actions are parallel arrays (same index = same rule)
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
```
Key ASR rules (relevant to ransomware protection):
```powershell
# Block Win32 API calls from Office macros
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
# Use advanced protection against ransomware
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions Enabled
# Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Block persistence through WMI event subscription
Add-MpPreference -AttackSurfaceReductionRules_Ids E6DB77E5-3DF2-4CF1-B95A-636979351E5B -AttackSurfaceReductionRules_Actions Enabled
# Block process creations originating from PSExec and WMI commands
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
```
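An added compliance check (not from the original chapter) for the six rules above: it reads the parallel Ids/Actions arrays from Get-MpPreference and reports each rule as Enabled, AuditMode, Warn, Disabled or NotConfigured, so a rule left in audit mode after a pilot is not mistaken for protection. The rule names are Microsoft's published names for these GUIDs; the function name is mine.

```powershell
function Test-RansomwareAsrBaseline {
    # Rule GUIDs from the block above, with Microsoft's published rule names
    $wanted = [ordered]@{
        '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
        'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
        '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
        'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
        'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    }
    # Action values as stored by Defender: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode, 6 = Warn
    $actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays: index i of one describes index i of the other
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | ForEach-Object { [int]$_ })
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToUpper()] = $actions[$i] }

    foreach ($id in $wanted.Keys) {
        $state = if ($configured.ContainsKey($id)) { $actionName[$configured[$id]] } else { 'NotConfigured' }
        [pscustomobject]@{
            Rule      = $wanted[$id]
            Id        = $id
            State     = $state
            # AuditMode only logs; a ransomware baseline needs the rule in Enabled (block) mode
            Compliant = ($state -eq 'Enabled')
        }
    }
}

Test-RansomwareAsrBaseline | Format-Table -AutoSize
# Any row with Compliant = False is fixed with the matching Add-MpPreference line above
```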
10.2 Controlled Folder Access
Directly protects the specified folders against modification by unauthorised programs
```powershell
# Turn on Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled

# Currently protected folders (user profile folders by default, plus any added below)
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders

# Add business data and backup locations
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\ImportantData"
Add-MpPreference -ControlledFolderAccessProtectedFolders "E:\Backups"

# Allow a trusted application that legitimately writes to protected folders
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\myapp.exe"

# Defender log: 1123 = write blocked by Controlled Folder Access, 1124 = would have been blocked (audit mode)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1123,1124} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 20 |
    Format-List
```
10.3 Other hardening measures
Backup strategy:
- 3-2-1 backup rule: 3 copies, 2 types of storage media, 1 offline/off-site
- Make sure backups are not directly reachable from the production environment (so ransomware cannot encrypt the backups at the same time)
- Test the backup restore procedure regularly
Access control:
- Apply the principle of least privilege
- Disable unnecessary administrative shares (ADMIN$, C$)
- Restrict Remote Desktop access (allow it only behind a VPN)
Patch management:
- Patch known vulnerabilities promptly (especially perimeter services such as RDP, VPN and Exchange)
- Prioritise vulnerabilities listed in the CISA KEV (Known Exploited Vulnerabilities) catalog
Network segmentation:
- Separate IT and OT networks
- Restrict SMB traffic between workstations
- Deploy network detection (NDR) to monitor anomalous internal traffic
11. Recovery Decision Tree
11.1 Assessing recovery feasibility
```text
Is there an unencrypted backup?
├── Yes → Verify backup integrity → Eradicate the infection → Restore from backup
└── No → Do VSS shadow copies still exist?
    ├── Yes → Restore files from VSS
    └── No → Is a known decryptor available?
        ├── Yes → Use the decryptor (No More Ransom, Emsisoft, etc.)
        └── No → Is data loss acceptable?
            ├── Yes → Rebuild the systems
            └── No → Evaluate negotiation (last resort, with legal counsel involved)
```
11.2 Checking for known decryptors
- No More Ransom: https://www.nomoreransom.org/
- Emsisoft decryptor collection: https://www.emsisoft.com/en/ransomware-decryption/
- Kaspersky decryptors: https://noransom.kaspersky.com/
- Avast decryptors: https://www.avast.com/ransomware-decryption-tools
Note: these only cover older families whose encryption has been broken; mainstream active families usually have no free decryptor
11.3 System rebuild checklist
- Confirm every compromised host has been identified (lateral movement sweep)
- Confirm the intrusion entry point has been closed (exposed RDP, phishing e-mail, vulnerability)
- Reset all domain user passwords (especially administrator and service accounts)
- Reset the krbtgt password twice (at least 12 hours apart)
- Reinstall the operating system from trusted media
- Restore data from offline backups
- Deploy an EDR/XDR solution
- Enable all hardening measures described in this chapter
- Run security awareness training for staff
- Produce a post-incident review report