#!/bin/bash ################################################################################ main_paths01="/tmp" main_paths02="/tmp" main_paths03="/tmp" main_paths04="/tmp" main_paths05="/tmp" path_pentests="/srv/containers/pentest/Pentests/Todos_os_Resultados/X_Ransom_Ext" path_to_pentest="$path_pentests/Ransomware_Detectado" path_alternative="/home/administrador" alternative_path="$path_alternative/Ransomware_Detectado" message00="Nenhum ransomware detectado!" # Configuracoes para deteccAo de massa threshold=100 # Arquivos modificados para considerar suspeito time_window=60 # Janela de tempo em minutos extension_threshold=5 # Quantidade de arquivos da mesma extensAo para alerta ################################################################################ extensoes="\\.micro$|\\.zepto$|\\.cerber$|\\.locky$|\\.cerber3$|\\.cryp1$|\\.mole$|\\.onion$|\\.axx$|\\.osiris$|\\.crypz$|\\.crypt$|\\.locked$|\\.odin$|\\.ccc$|\\.cerber2$|\\.sage$|\\.globe$|\\.exx$|\\.good$|\\.wallet$|\\.1txt$|\\.decrypt2017$|\\.encrypt$|\\.ezz$|\\.zzzzz$|\\.MERRY$|\\.enciphered$|\\.r5a$|\\.aesir$|\\.ecc$|\\.enigma$|\\.cryptowall$|\\.encrypted$|\\.loli$|\\.breaking_bad$|\\.coded$|\\.ha3$|\\.damage$|\\.wcry$|\\.lol!$|\\.cryptolocker$|\\.dharma$|\\.MRCR1$|\\.sexy$|\\.crjoker$|\\.fantom$|\\.keybtc@inbox_com$|\\.rrk$|\\.legion$|\\.kratos$|\\.LeChiffre$|\\.kraken$|\\.zcrypt$|\\.maya$|\\.enc$|\\.file0locked$|\\.crinf$|\\.serp$|\\.potato$|\\.ytbl$|\\.surprise$|\\.angelamerkel$|\\.windows10$|\\.lesli$|\\.serpent$|\\.PEGS1$|\\.dale$|\\.pdcr$|\\.zzz$|\\.xyz$|\\.1cbu1$|\\.venusf$|\\.coverton$|\\.thor$|\\.rnsmwr$|\\.evillock$|\\.R16m01d05$|\\.wflx$|\\.nuclear55$|\\.darkness$|\\.encr$|\\.rekt$|\\.kernel_time$|\\.zyklon$|\\.Dexter$|\\.locklock$|\\.cry$|\\.VforVendetta$|\\.btc$|\\.raid10$|\\.dCrypt$|\\.zorro$|\\.AngleWare$|\\.EnCiPhErEd$|\\.purge$|\\.realfs0ciety@sigaint.org.fs0ciety$|\\.shit$|\\.atlas$|\\.exotic$|\\.crypted$|\\.padcrypt$|\\.xxx$|\\.hush$|\\.vbransom$|\\.RMCM1$|\\.cryeye$|\\.unavailable$|\\.braincrypt$|\\.fucked$|\\.crypte$|\\._AiraCropEncrypted$|\\.stn$|\\.paym$|\\.spora$|\\.RARE1$|\\.alcatraz$|\\.pzdc$|\\.aaa$|\\.encrypted$|\\.ttt$|\\.odcodc$|\\.vvv$|\\.ruby$|\\.pays$|\\.comrade$|\\.enc$|\\.abc$|\\.xxx$|\\.antihacker2017$|\\.herbst$|\\.szf$|\\.rekt$|\\.bript$|\\.crptrgr$|\\.kkk$|\\.rdm$|\\.BarRax$|\\.vindows$|\\.helpmeencedfiles$|\\.hnumkhotep$|\\.CCCRRRPPP$|\\.kyra$|\\.fun$|\\.rip$|\\.73i87A$|\\.bitstak$|\\.kernel_complete$|\\.payrms$|\\.a5zfn$|\\.perl$|\\.noproblemwedecfiles$|\\.lcked$|\\.p5tkjw$|\\.paymrss$|\\.dxxd$|\\.pec$|\\.rokku$|\\.lock93$|\\.vxlock$|\\.pubg$|\\.crab$" extensoes2="\\.happyday$|\\.happydayzz$|\\.happydayzzz$|\\.hb15$|\\.helpdecrypt@ukr\.net$|\\.helpmeencedfiles$|\\.herbst$|\\.help$|\\.hnumkhotep$|\\.howcanihelpusir$|\\.hush$|\\.hydracrypt\.$|\\.iaufkakfhsaraf$|\\.ifuckedyou$|\\.iloveworld$|\\.infected$|\\.isis$|\\.ipYgh$|\\.iwanthelpuuu$|\\.jaff$|\\.JUST$|\\.justbtcwillhelpyou$|\\.karma$|\\.kb15$|\\.kencf$|\\.keepcalm$|\\.kernel_complete$|\\.kernel_pid$|\\.kernel_time$|\\.keybtc@inbox_com$|\\.KEYH0LES$|\\.KEYZ$|\\.keemail.me$|\\.killedXXX$|\\.kirked$|\\.kimcilware$|\\.KKK$|\\.kk$|\\.korrektor$|\\.kostya$|\\.kr3$|\\.kraken$|\\.kratos$|\\.kyra$|\\.lechiffre$|\\.L0CKED$|\\.L0cked$|\\.lambda_l0cked$|\\.LeChiffre$|\\.legion$|\\.lesli$|\\.letmetrydecfiles$|\\.lock\.$|\\.lock93$|\\.locked$|\\.Locked-by-Mafia$|\\.locked-mafiaware$|\\.locklock$|\\.locky$|\\.LOL!$|\\.omg\.$|\\.only-we_can_help_you$|\\.oor$|\\.oplata@qq.com$|\\.oshit$|\\.osiris$|\\.otherinformation$|\\.oxr$|\\.p5tkjw$|\\.pablukcrypt$|\\.padcrypt$|\\.paybtcs$|\\.paym$|\\.paymrss$|\\.payms$|\\.paymst$|\\.paymts$|\\.payransom$|\\.pdcr$|\\.PEGS1$|\\.perl$|\\.pizda@qq_com$|\\.PoAr2w$|\\.porno$|\\.potato$|\\.powerfulldecrypt$|\\.powned$|\\.pr0tect$|\\.purge$|\\.pzdc$|\\.R.i.P$|\\.r16m\.$|\\.R16M01D05$|\\.r3store$|\\.R4A$|\\.R5A$|\\.r5a$|\\.RAD$|\\.RADAMANT$|\\.raid10$|\\.RARE1$|\\.razy$|\\.RDM$|\\.rdmk$|\\.realfs0ciety@sigaint.org.fs0ciety$|\\.rekt$|\\.remind$|\\.rip$|\\.RMCM1$|\\.rmd$|\\.rnsmwr$|\\.rokku$|\\.rrk$|\\.RSNSlocked$|\\.RSplited$|\\.sage$|\\.salsa222$|\\.sanction$|\\.scl$|\\.SecureCrypted$|\\.serpent$|\\.sexy$|\\.shino$|\\.shit$|\\.sifreli$|\\.Silent$|\\.sport$|\\.stn$|\\.supercrypt$|\\.surprise$|\\.szf$|\\.t5019$|\\.TheTrumpLockerf$|\\.TheTrumpLockerfp$|\\.theworldisyours$|\\.thor$|\\.toxcrypt$|\\.troyancoder@qq_com$|\\.trun$|\\.trmt$|\\.ttt$|\\.tzu$|\\.uk-dealer@sigaint.org$|\\.unavailable$|\\.unlockvt@india.com$|\\.vault$|\\.vbransom$|\\.vekanhelpu$|\\.velikasrbija$|\\.venusf$|\\.Venusp$|\\.versiegelt$|\\.VforVendetta$|\\.vindows$|\\.viki$|\\.visioncrypt$|\\.vvv$|\\.vxLock$|\\.wallet$|\\.wcry$|\\.weareyourfriends$|\\.weencedufiles$|\\.wflx$|\\.wlu$|\\.Where_my_files.txt$|\\.Whereisyourfiles$|\\.windows10$|\\.wnx$|\\.WNCRY$|\\.wncryt$|\\.wnry$|\\.wowreadfordecryp$|\\.wowwhereismyfiles$|\\.wuciwug$|\\.www$|\\.xcri$|\\.xdata$|\\.xort$|\\.xrnt$|\\.xrtn$|\\.xtbl$|\\.xxx$|\\.xyz$|\\.ya.ru$|\\.yourransom$|\\.Z81928819$|\\.zc3791$|\\.zcrypt$|\\.zendr4$|\\.zepto$|\\.zorro$|\\.zXz$|\\.zyklon$|\\.zzz$|\\.aaa$|\\.abc$|\\.AES256$|\\.chifrator@qq_com$|\\.darkness$|\\.Encrypted$|\\.encryptedped$|\\.gruzin@qq_com$|\\.gws$|\\.ha3$|\\.helpdecrypt@ukr_net$|\\.KEYHOLES$|\\.KEYZ$|\\.kkk$|\\.one-we_can_help_you$|\\.oor$|\\.oplata@qq_com$|\\.R4A$|\\.RRK$|\\.ryp$|\\.vscrypt$|\\.zzz$|\\.wncry$|\\.wncrypt$|\\.___xratteamLucked$|\\.__AiraCropEncrypted!$|\\._AiraCropEncrypted$|\\._read_thi_file\.$|\\.31392E30362E32303136*$" notefiles=("HELPDECRYPT.TXT" "HELP_YOUR_FILES.TXT" "HELP_TO_DECRYPT_YOUR_FILES.txt" "RECOVERY_KEY.txt" "HELP_RESTORE_FILES.txt" "HELP_RECOVER_FILES.txt" "HELP_TO_SAVE_FILES.txt" "DecryptAllFiles.txt" "DECRYPT_INSTRUCTIONS.TXT" "INSTRUCCIONES_DESCIFRADO.TXT" "How_To_Recover_Files.txt" "YOUR_FILES.HTML" "YOUR_FILES.url" "encryptor_raas_readme_liesmich.txt" "Help_Decrypt.txt" "DECRYPT_INSTRUCTION.TXT" "HOW_TO_DECRYPT_FILES.TXT" "ReadDecryptFilesHere.txt" "Coin.Locker.txt" "_secret_code.txt" "About_Files.txt" "Read.txt" "ReadMe.txt" "DECRYPT_ReadMe.TXT" "DecryptAllFiles.txt" "FILESAREGONE.TXT" "IAMREADYTOPAY.TXT" "HELLOTHERE.TXT" "READTHISNOW!!!.TXT" "SECRETIDHERE.KEY" "IHAVEYOURSECRET.KEY" "SECRET.KEY" "HELPDECYPRT_YOUR_FILES.HTML" "help_decrypt_your_files.html" "HELP_TO_SAVE_FILES.txt" "RECOVERY_FILES.txt" "RECOVERY_FILE.TXT" "RECOVERY_FILE.*\.txt" "HowtoRESTORE_FILES.txt" "HowtoRestore_FILES.txt" "howto_recover_file.txt" "restorefiles.txt" "howrecover+.*\.txt" "_how_recover.txt" "recoveryfile.*\.txt" "recoverfile.*\.txt" "recoveryfile.*\.txt" "Howto_Restore_FILES.TXT" "help_recover_instructions+.*\.txt" "_Locky_recover_instructions.txt") [ "$EUID" -ne 0 ] && { echo "Execute esse script como sudo! Saindo..." exit } [ -f "$path_to_pentest" ] && { sudo rm "$path_to_pentest"; } [ -f "$alternative_path" ] && { sudo rm "$alternative_path"; } [ -f "$path_pentests/Nenhum malware detectado na rede." ] && { sudo rm "$path_pentests/$message00"; } [ -f "$path_alternative/Nenhum malware detectado na rede." ] && { sudo rm "$path_alternative/$message00"; } sudo mkdir -p $path_pentests ################################################################################ # NOVAS FUNcoES DE DETECcAO ################################################################################ function detect_mass_encryption() { local output_file="$1" local temp_file="/tmp/extension_analysis_$$" # Procura arquivos com extensoes suspeitas nos caminhos definidos for path in "$main_paths01" "$main_paths02" "$main_paths03" "$main_paths04" "$main_paths05"; do if [ -d "$path" ]; then find "$path" -type f 2>/dev/null | \ grep -E -i "$extensoes|$extensoes2" | \ sed 's/.*\.//' | \ tr '[:upper:]' '[:lower:]' >> "$temp_file" fi done # Analisa quantidade por extensAo if [ -f "$temp_file" ]; then cat "$temp_file" | sort | uniq -c | \ awk -v threshold="$extension_threshold" '$1 > threshold {print "ALERTA MASSA: " $1 " arquivos com extensAo ." $2}' | \ sudo tee -a "$output_file" rm -f "$temp_file" fi } function detect_mass_changes() { local output_file="$1" for path in "$main_paths01" "$main_paths02" "$main_paths03" "$main_paths04" "$main_paths05"; do if [ -d "$path" ]; then local count count=$(find "$path" -type f -mmin -"$time_window" 2>/dev/null | wc -l) if [ "$count" -gt "$threshold" ]; then echo "ALERTA MASSA: $count arquivos modificados em $path nas Ășltimas $time_window min" | \ sudo tee -a "$output_file" # Lista os tipos de arquivo mais modificados find "$path" -type f -mmin -"$time_window" 2>/dev/null | \ sed 's/.*\.//' | sort | uniq -c | sort -nr | head -5 | \ awk '{print " ExtensAo ." $2 ": " $1 " arquivos"}' | \ sudo tee -a "$output_file" fi fi done } ################################################################################ # FUNcAO PRINCIPAL MODIFICADA ################################################################################ function ransom { local log_file="$1" local output_file="$2" # DeteccAo original por extensoes nos logs cat "$log_file" | grep -E -i "$extensoes" | sudo tee -a "$output_file" cat "$log_file" | grep -E -i "$extensoes2" | sudo tee -a "$output_file" # NOVAS DETECcoES echo "=== ANALISE DE DETECcAO DE MASSA ===" | sudo tee -a "$output_file" # DeteccAo por quantidade de extensoes repetidas detect_mass_encryption "$output_file" # DeteccAo por alteracoes recentes em massa detect_mass_changes "$output_file" echo "=== BUSCA POR ARQUIVOS DE RESGATE ===" | sudo tee -a "$output_file" # Busca por notefiles (arquivos de resgate) for i in "${notefiles[@]}"; do find "$main_paths01" "$main_paths02" "$main_paths03" "$main_paths04" "$main_paths05" -type f -name "$i" 2>/dev/null | sudo tee -a "$output_file" done echo "=== FIM DA ANALISE ===" | sudo tee -a "$output_file" } function start { sudo find /srv/containers/*/log -name "syslog" | tee /tmp/listfiles cat /tmp/listfiles | while read -r LINE; do if [ -d /srv/containers/pentest ]; then ransom "$LINE" "$path_to_pentest" [ -s "$path_to_pentest" ] || { sudo mv "$path_to_pentest" "$path_pentests/$message00" ; } else ransom "$LINE" "$alternative_path" [ -s "$alternative_path" ] || { sudo mv "$alternative_path" "$path_alternative/$message00" ; } fi done } start exit 1