Ransomware Case Analysis (Part 2: TorrentLocker & CTB-Locker Analysis)
For a detailed introduction to ransomware, see the previous article, "Ransomware Introduction and Prevention (Part 1: CryptXXX & Locky Analysis)". This article gives a more detailed explanation and analysis of TorrentLocker and CTB-Locker, including the writing of Snort rules and sandbox analysis with Cuckoo Sandbox.
I. TorrentLocker Analysis
1. Analyzed sample: md5: 15853dc6adc57ff73da904cf63de2907
2. Infection vector
From known cases, TorrentLocker infections mostly come from malicious e-mail. The download takes the form of an MS document that is downloaded and executed through a VBA macro, or of a compressed folder whose malicious executable runs as the folder is decompressed. In other cases the victim is led to click a malicious link that downloads the compressed folder, and that link comes from a CAPTCHA-enabled download page.
3. Encryption process
During encryption, TorrentLocker shows the screens below twice. The other screen asks to open a mail program such as Outlook, because besides encrypting the victim's files TorrentLocker also steals the victim's mail credential information, either to obtain more e-mail address lists or to use the victim directly to keep sending mail that spreads TorrentLocker.
Figure 1: TorrentLocker execution screen
Figure 2: TorrentLocker execution screen
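4. How TorrentLocker operates
The TorrentLocker infection flow, step by step:
(1) When a victim is infected with TorrentLocker, the program first reports to its C&C server.
(2) The C&C server first sends the ransom page to the victim.
(3) TorrentLocker itself generates a random AES 256-bit key to encrypt files.
(4) TorrentLocker sends the encryption key back to the C&C server, where it is stored.
(5) TorrentLocker starts encrypting files and sends the victim's mail information back to the C&C.
(6) TorrentLocker deletes the encryption key from the local machine.
(7) Once the above actions are complete, TorrentLocker displays the ransom page and gives the victim the relevant information.
(8) Finally, TorrentLocker sends the total number of encrypted files back to the C&C server.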
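5. Ransom page
After TorrentLocker runs, the following web page appears, giving the victim further instructions for getting their data back. Although the payment page says Crypt0Locker, it is really just trying to mislead the victim into thinking the infection is not TorrentLocker. (Or the person who wrote this program could not be bothered to give their own program a name.)
Figure 3: TorrentLocker ransom screen
Figure 4: TorrentLocker execution screen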
6. Dropped files
This malware sample is not yet TorrentLocker itself. After the JS file AFP_case_77108.js has been executed, the program GETs two files from the C&C: one is 0100000, and the other is TorrentLocker proper, 1.exe. The real encryption starts only after 1.exe is executed.
Figure 5: Dropped-file diagram
7. Network behavior analysis
(1) Tor analysis
As its name suggests, TorrentLocker uses the anonymizing Tor network, and this packet capture also caught three suspected C&C reverse proxies.
Figure 6: Tor network details
Connecting to one of them shows clearly that 209.249.157.69 is an exit node of this Tor network.
Figure 7: Web page of 209.249.157.69
But because this is the Tor network, the packet contents are fully encrypted and cannot be seen at all.
Figure 8: Packet contents of the connection to the Tor C&C
(2) C&C analysis
Figure 9: C&C packet contents
Analyzing TorrentLocker's packets with network tools is actually rather difficult, because almost all of the ransomware's network behavior is encrypted. This figure shows the only feature in the whole capture that is reasonably easy to analyze: an HTTP packet that GETs 1.exe from the domain linguistlounge.org. Another connection to a suspected C&C server is to the domain ipecho.net.
Figure 10: C&C packet contents
(3) Malicious connection IP analysis
| DOMAIN | IP |
| --- | --- |
| linguistlounge.org | 89.145.89.1 |
| vlylafyso.blasters.biz | 52.4.237.48 |
| aia.startssl.com | 184.25.56.67 |
| www.download.windowsupdate.com | 13.107.4.50 |
| ipecho.net | 146.255.36.1 |
| oqysa.blasters.biz | 52.4.237.48 |
| ohavaceg.blasters.biz | 52.4.237.48 |
Table 1: Malicious IPs and domains contacted by TorrentLocker
Table 1 lists the malicious IPs and domains that this TorrentLocker sample was detected contacting. If TorrentLocker is run at a different time or on a different system, the domains it queries will differ slightly, because source-code analysis shows that TorrentLocker also uses a Domain Generation Algorithm (DGA). TorrentLocker produces specific domains from the victim's hard-coded seeds and the current system time, and the algorithm produces six new domains every two days.
From the above analysis we can draw a small conclusion, the feature of TorrentLocker's communication with the C&C:
HTTP/1.1 GET http://{hardcoded_IP_or_DGA}/1.exe?{parameters}
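Table 1 shows the trace the DGA leaves in DNS: several short-lived blasters.biz hostnames that all resolve to 52.4.237.48. The following added example (not part of the original analysis) flags that pattern in a resolver log; the log format, timestamps, client address and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (time, client, query, answer). Names and IPs are
# the rows of Table 1; timestamps and the client address are made up.
SAMPLE_LOG = """\
2016-07-01T09:00:01 10.0.0.23 linguistlounge.org 89.145.89.1
2016-07-01T09:00:05 10.0.0.23 vlylafyso.blasters.biz 52.4.237.48
2016-07-01T09:00:06 10.0.0.23 aia.startssl.com 184.25.56.67
2016-07-01T09:00:09 10.0.0.23 www.download.windowsupdate.com 13.107.4.50
2016-07-01T09:00:12 10.0.0.23 ipecho.net 146.255.36.1
2016-07-01T09:01:30 10.0.0.23 oqysa.blasters.biz 52.4.237.48
2016-07-01T09:03:02 10.0.0.23 ohavaceg.blasters.biz 52.4.237.48
"""

def parent_zone(name):
    """Last two labels; an approximation that ignores the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, client, name, answer = line.split()
            yield datetime.fromisoformat(ts), client, name.lower(), answer

def rotating_subdomains(log, min_names=3, window=timedelta(days=2)):
    """Return {(client, zone, ip): [names]} where one client resolved at least
    min_names different hostnames of one zone to the same IP inside window."""
    groups = defaultdict(list)
    for ts, client, name, answer in parse(log):
        if name != parent_zone(name):            # subdomains only
            groups[(client, parent_zone(name), answer)].append((ts, name))
    hits = {}
    for key, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            names = {n for _, n in events[start:end + 1]}
            if len(names) >= min_names:
                hits[key] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    for (client, zone, ip), names in rotating_subdomains(SAMPLE_LOG).items():
        print(f"{client} -> {zone} ({ip}): {', '.join(names)}")
```

The two-day default window follows the rotation interval stated above; an allowlist for CDNs and update services would be needed before using this on production logs.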
8. Snort Rules
Figure 11: C&C packet content
(1) This rule is written around the feature mentioned in the earlier analysis, that the sample will GET 1.php, uses byte_test to reduce false positives, and also analyzes the content-length, connection and cache-control headers visible in the packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Torrentlocker variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/1.exe"; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|Host: "; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; content:!"User-Agent: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:1000002; rev:1; )
(2) This rule uses linguistlounge.org, a domain already identified as malicious: any DNS query for it generates an alert.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain linguistlounge.org - Win.Trojan.Torrentlocker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|linguistlounge|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:100003; rev:2; )
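A DNS query carries the name as length-prefixed labels rather than as a dotted string, so the content of a DNS blacklist rule has to be written in that form. The following added example (not from the original article; function names are hypothetical) builds the content for a domain and checks it, together with the byte_test, against a constructed query packet.

```python
import struct

def dns_wire_name(domain):
    """RFC 1035 name encoding: each label prefixed by its length, then 0x00."""
    out = bytearray()
    for label in domain.strip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label in {domain!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"

def snort_content(domain):
    """The same bytes written as a Snort content string, lengths in |hex|."""
    labels = domain.strip(".").lower().split(".")
    return "".join(f"|{len(l):02X}|{l}" for l in labels) + "|00|"

def content_to_bytes(content):
    """Decode a Snort content string: odd-numbered |...| chunks are hex."""
    chunks = content.split("|")
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode("ascii")
                    for i, c in enumerate(chunks))

def build_query(domain, txid=0x1234):
    """Constructed sample packet: a standard recursive A/IN query."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack(">HH", 1, 1)

def would_alert(packet, content):
    """Mimic byte_test:1,!&,0xF8,2 (QR and opcode bits clear) plus content."""
    is_query = len(packet) > 2 and (packet[2] & 0xF8) == 0
    return is_query and content_to_bytes(content) in packet

if __name__ == "__main__":
    domain = "linguistlounge.org"          # domain taken from Table 1
    packet = build_query(domain)
    print(snort_content(domain))
    print(would_alert(packet, snort_content(domain)))
    # A dotted string never appears on the wire, so this prints False:
    print(would_alert(packet, "linguistlounge.org"))
```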
9. Cuckoo analysis
Running TorrentLocker in Cuckoo Sandbox yields the following signatures:
(1) File has been identified by at least one AntiVirus on VirusTotal as malicious
(2) Performs some HTTP requests
(3) A process attempted to delay the analysis task by a long amount of time.
(4) Tries to unhook Windows functions monitored by Cuckoo
(5) Steals private information from local Internet browsers
(6) Executed a process and injected code into it, probably while unpacking
(7) Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
(8) Installs itself for autorun at Windows startup
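II. CTB-Locker Analysis
1. Analyzed sample
MD5: f87208a911d9d1a3793914a649dac97e
2. The infection vector is illustrated below:
Figure 12
3. Encryption process
The sample uses a pdf file extension and the Adobe file icon to trick the user into clicking and executing it.
Figure 13: System Explorer screen
System Explorer also shows clearly that, besides the original main program, two merge-0.exe child programs are running beneath it.
Figure 14: CTB-Locker ransom screen
All encrypted files are renamed: the name starts with the original file name, and the extension becomes ywiizme. In my sandbox environment, however, I found that text files and image files are encrypted, while music files and video files are not targets of this ransomware.
Figure 15: Mailbox contents encrypted
Figure 16: Web cookies encrypted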
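4. Ransom screen
Figure 17: CTB-Locker ransom screen
Figure 18: CTB-Locker ransom screen
Figure 19: CTB-Locker ransom screen
5. Payment page and analysis
Following its instructions, we download Tor Browser. Before payment, it first lets you choose three files to decrypt as a guarantee, which also means the C&C holds the count and paths of all the encrypted files.
Figure 20: Page shown after connecting to the Tor network
Figure 21: File path screen
This table makes it clear that the C&C server holds all the encrypted files and their paths.
Figure 22: The payment page gives the victim a private key
Figure 23: Payment page
During the process, we are asked to enter the victim's unique key in Tor Browser.
Figure 24: The payment page lets the victim test-decrypt files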
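6. Network behavior analysis
(1) C&C analysis
Figure 25: C&C connection
Figure 26: C&C packet content
In the network capture of more than 60,000 packets, this is the only packet that is in plaintext and shows the network behavior in detail. During the analysis, however, encryption had already started before this packet appeared. So although 82.94.251.220 was judged by analysis to be a C&C server, the executable that actually performs the encryption is not downloaded from it, and the file fetched from this C&C can only be treated as a pattern.
In addition, all possible C&C connections were compiled from the more than 60,000 packets.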
| IP | PORT | Location |
| --- | --- | --- |
| 91.121.84.137 | 4051 | France |
| 86.59.21.38 | 443 | Australia |
| 89.16.176.158 | 9001 | United Kingdom |
| 188.138.17.37 | 9001 | Germany |
| 62.210.92.11 | 9101 | France |
| 95.211.216.9 | 9001 | Netherlands |
| 195.154.171.24 | 9001 | France |
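Viewed as ASCII, the contents of these C&C packets have no feature that can serve as a pattern, unlike the obvious HTTP GET traffic above. Viewed carefully in hexadecimal, however, these C&C packets share a common feature: I found the same byte string in each packet's contents, the part I circled in blue in the figure below.
Figure 27: Comparison of the identical portions of the C&C packets
Figure 28: C&C packet feature
7. Snort rules
Detection uses the common hexadecimal string in connections to the C&C server that was identified in the analysis above.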
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt"; flow:established,to_client; file_data; content:"|C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39 00 38 00 88 00 16 00 2f 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF 01 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:1000006; rev:1;)
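The manual step described above, comparing several C&C packets in hex and picking out the bytes they share, can be automated. This added example (not the author's tooling; the payload prefixes and suffixes are constructed and the function names are hypothetical) finds the longest byte run common to all payloads and prints it in Snort's hex content form.

```python
# Byte string taken from the CTB-Locker rule on this page. The rule prints one
# byte as "00 4"; it is read here as 00 04 (assumption).
SIGNATURE = bytes.fromhex(
    "C0 2F C0 0A C0 09 C0 13 C0 14 C0 12 C0 07 C0 11 00 33 00 32 00 45 00 39"
    " 00 38 00 88 00 16 00 2F 00 41 00 35 00 84 00 0A 00 05 00 04 00 FF 01 00")

# Constructed payloads: the signature wrapped in made-up bytes that differ
# from packet to packet, standing in for three captured C&C packets.
PAYLOADS = [
    bytes.fromhex("AA 01 02 03 11") + SIGNATURE + bytes.fromhex("91 00 17"),
    bytes.fromhex("BB 7F 22") + SIGNATURE + bytes.fromhex("92 00 23 00 0D"),
    bytes.fromhex("CC 10 20 30 40 33") + SIGNATURE + bytes.fromhex("93 05"),
]

def longest_common_bytes(payloads):
    """Longest run of bytes that occurs in every payload."""
    base = min(payloads, key=len)          # a common run must fit in the shortest
    best = b""
    for i in range(len(base)):
        j = i + len(best) + 1              # only look for runs longer than best
        while j <= len(base) and all(base[i:j] in p for p in payloads):
            best = base[i:j]
            j += 1
    return best

def snort_hex(data):
    """Format bytes the way a Snort content option expects: |C0 2F ...|."""
    return "|" + " ".join(f"{b:02X}" for b in data) + "|"

def derive_content(payloads, min_len=8):
    """Return a content string, or None when the shared run is too short to
    be a useful pattern (short runs match unrelated traffic)."""
    common = longest_common_bytes(payloads)
    return snort_hex(common) if len(common) >= min_len else None

if __name__ == "__main__":
    print(derive_content(PAYLOADS))
```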
8. Cuckoo Sandbox Analysis
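Analysis with Cuckoo did not detect any C&C connection. CTB-Locker has anti-virtual-environment behavior, so when it is run in the Cuckoo sandbox environment it makes no C&C connections and performs no encryption.
Figure 29: Cuckoo Sandbox screen
Summary
Combining the analysis above with the analysis in the previous article, "Ransomware Introduction and Prevention (Part 1: CryptXXX & Locky Analysis)", it is clear that even with IPS technology at the gateway (writing Snort rules) or enterprise cloud protection products, ransomware can still infect computers very easily if endpoints do not have up-to-date antivirus software or timely updates. Moreover, Snort rules are not produced very promptly: by the time a rule is confirmed to work and is deployed on the IPS, it may already be 10 days after the sample appeared.
Much of today's ransomware attacks through operating-system or application vulnerabilities (for example via malicious advertising or drive-by downloads from compromised web pages). Once a zero-day vulnerability is discovered by attackers, it takes on average four days for it to be turned into a ransomware infection tool (exploit kit), so operating systems and applications must be kept continuously updated. IT staff who maintain company or school equipment are advised to check regularly the zero-day vulnerability reporting platform maintained by the HITCON organization: https://zeroday.hitcon.org/.
On this platform you can report vulnerabilities, or find out which schools and companies have vulnerabilities, so that everyone helps maintain Taiwan's information security environment.
In addition, phishing e-mail cases keep appearing. If the mail gateway of a company or school has no capability to block malware, and individual endpoints have no endpoint protection such as antivirus software, then mistakenly clicking a malicious e-mail really will lead to infection. So where possible, opening mail in a virtual environment is strongly recommended. The previous article mentioned a program called "sandboxie", which is a very convenient virtual environment.
This analysis mentions a great many C&C servers, so IT engineers who manage company or school firewalls can refer to the following websites, which compile many known ransomware C&C servers, distribution sites and payment sites. The IPs and domains they provide, together with ports, can be added directly to the firewall blacklist, which greatly reduces the infection risk for the company or school.
1. Ransomware Tracker: https://ransomwaretracker.abuse.ch/tracker/
2. h3x.eu: http://track.h3x.eu/about/400
Figure 30: Ransomware Tracker screen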