it
Ransomware คือ Malware ที่มีหลักการทำงานอย่างไร
Ransomware คืออะไร
Ransomware เป็น Malware ที่เข้ารหัสไฟล์ในเครื่องเหยื่อแล้วเรียกค่าไถ่เพื่อแลกกับ Decryption Key เป็นภัยคุกคามที่ร้ายแรงที่สุดในปัจจุบัน สร้างความเสียหายหลายพันล้านบาทต่อปี
เนื้อหาเกี่ยวข้อง — บทความที่เกี่ยวข้อง: วยรนเจนz — คู่มือฉบับสมบูรณ์ 2026
Ransomware สมัยใหม่ใช้ Double Extortion ทั้งเข้ารหัสไฟล์และขโมยข้อมูลไปขู่เผยแพร่ ต้องป้องกันหลายชั้น Backup, Patch, MFA, EDR, Network Segmentation
เนื้อหาเกี่ยวข้อง — ทำความเข้าใจ เครื่องหมายใน python คือ
| ประเภท | วิธีการ | ตัวอย่าง |
|---|---|---|
| Crypto Ransomware | เข้ารหัสไฟล์ | WannaCry, LockBit, Conti |
| Locker Ransomware | ล็อคหน้าจอ | WinLocker, Police Ransomware |
| Double Extortion | เข้ารหัส + ขโมยข้อมูล | Maze, REvil, BlackCat |
| RaaS | Ransomware as a Service | LockBit, BlackCat, Hive |
วิธีป้องกัน Ransomware
# === Ransomware Prevention Configuration ===
# 1. Backup Strategy — 3-2-1 Rule
# 3 copies, 2 different media, 1 offsite
# Automated Backup Script (Linux)
#!/bin/bash
# backup.sh — Daily Backup Script
BACKUP_DIR="/backup/daily"
OFFSITE="s3://company-backup/daily"
DATE=$(date +%Y%m%d)
RETENTION=30
# Local Backup
echo "Starting backup: $DATE"
tar czf "$BACKUP_DIR/backup-$DATE.tar.gz" \
/home /etc /var/www /var/lib/postgresql \
--exclude='/home/*/cache' \
--exclude='*.tmp'
# Verify Backup
if tar tzf "$BACKUP_DIR/backup-$DATE.tar.gz" > /dev/null 2>&1; then
echo "Backup verified: OK"
else
echo "ERROR: Backup verification failed!"
exit 1
fi
# Offsite Copy (S3 with versioning)
aws s3 cp "$BACKUP_DIR/backup-$DATE.tar.gz" "$OFFSITE/" \
--storage-class STANDARD_IA
# Immutable Backup (Object Lock)
aws s3api put-object-retention \
--bucket company-backup \
--key "daily/backup-$DATE.tar.gz" \
--retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2025-12-31"}'
# Cleanup old backups
find "$BACKUP_DIR" -name "backup-*.tar.gz" -mtime +$RETENTION -delete
echo "Backup complete: $BACKUP_DIR/backup-$DATE.tar.gz"
# 2. Firewall Rules — Block Ransomware Ports
# iptables -A INPUT -p tcp --dport 3389 -j DROP # Block RDP
# iptables -A INPUT -p tcp --dport 445 -j DROP # Block SMB
# iptables -A INPUT -p tcp --dport 135 -j DROP # Block RPC
# iptables -A OUTPUT -p tcp --dport 4444 -j DROP # Block C2 common port
# UFW (simpler)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH only
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
# 3. SSH Hardening
# /etc/ssh/sshd_config
# PermitRootLogin no
# PasswordAuthentication no
# PubkeyAuthentication yes
# MaxAuthTries 3
# LoginGraceTime 60
# AllowUsers admin deploy
# 4. Fail2Ban Configuration
# /etc/fail2ban/jail.local
# [sshd]
# enabled = true
# port = ssh
# filter = sshd
# logpath = /var/log/auth.log
# maxretry = 3
# bantime = 3600
# findtime = 600
echo "Prevention configured:"
echo " Backup: 3-2-1 Rule with S3 Object Lock"
echo " Firewall: Block RDP, SMB, RPC"
echo " SSH: Key-only, no root"
echo " Fail2Ban: 3 retries, 1hr ban"Incident Response
# incident_response.py — Ransomware Incident Response
from dataclasses import dataclass, field
from typing import List, Dict
from datetime import datetime
from enum import Enum
class IncidentPhase(Enum):
DETECTION = "detection"
CONTAINMENT = "containment"
ERADICATION = "eradication"
RECOVERY = "recovery"
LESSONS_LEARNED = "lessons_learned"
class Severity(Enum):
CRITICAL = "critical"
HIGH = "high"
MEDIUM = "medium"
LOW = "low"
@dataclass
class IncidentAction:
description: str
responsible: str
status: str = "pending" # pending, in_progress, done
timestamp: str = ""
@dataclass
class RansomwareIncident:
id: str
severity: Severity
phase: IncidentPhase
affected_systems: List[str]
ransom_note: str = ""
variant: str = ""
actions: List[IncidentAction] = field(default_factory=list)
timeline: List[Dict] = field(default_factory=list)
class IncidentResponsePlan:
"""Ransomware Incident Response Plan"""
def __init__(self):
self.playbook = {
IncidentPhase.DETECTION: [
IncidentAction("ตรวจสอบ Alert จาก EDR/SIEM", "SOC Analyst"),
IncidentAction("ยืนยันว่าเป็น Ransomware จริง", "SOC Analyst"),
IncidentAction("ระบุ Variant จาก Ransom Note", "Malware Analyst"),
IncidentAction("ประเมินขอบเขตความเสียหาย", "IR Lead"),
IncidentAction("แจ้ง Management และ Legal", "IR Lead"),
],
IncidentPhase.CONTAINMENT: [
IncidentAction("Isolate เครื่องที่ติดออกจาก Network", "Network Team"),
IncidentAction("Block C2 IPs/Domains ที่ Firewall", "Network Team"),
IncidentAction("Disable compromised accounts", "Identity Team"),
IncidentAction("Preserve evidence (Memory dump, Logs)", "Forensics"),
IncidentAction("ตรวจสอบ Lateral Movement", "SOC Analyst"),
],
IncidentPhase.ERADICATION: [
IncidentAction("ลบ Malware จากทุกเครื่อง", "Endpoint Team"),
IncidentAction("Patch Vulnerability ที่ใช้เข้า", "Patch Team"),
IncidentAction("Reset passwords ทั้งหมด", "Identity Team"),
IncidentAction("ตรวจ Decryptor จาก nomoreransom.org", "IR Lead"),
IncidentAction("Scan ทุกเครื่องด้วย Updated AV", "Endpoint Team"),
],
IncidentPhase.RECOVERY: [
IncidentAction("Restore จาก Clean Backup", "Backup Team"),
IncidentAction("ตรวจสอบ Integrity ของ Restored Data", "Data Team"),
IncidentAction("ค่อยๆเปิด Services ทีละตัว", "Operations"),
IncidentAction("Monitor เข้มข้น 72 ชั่วโมง", "SOC"),
IncidentAction("ยืนยันว่าระบบกลับมาปกติ", "Operations"),
],
IncidentPhase.LESSONS_LEARNED: [
IncidentAction("จัด Post-incident Review", "IR Lead"),
IncidentAction("อัพเดท IR Plan", "IR Lead"),
IncidentAction("ปรับปรุง Detection Rules", "SOC"),
IncidentAction("จัด Security Awareness Training", "Security Team"),
IncidentAction("สรุป Report ให้ Management", "CISO"),
],
}
def execute_phase(self, phase: IncidentPhase):
"""Execute Incident Response Phase"""
actions = self.playbook.get(phase, [])
print(f"\n Phase: {phase.value.upper()}")
print(f" {'─'*45}")
for i, action in enumerate(actions, 1):
print(f" {i}. [{action.status:>11}] {action.description}")
print(f" Responsible: {action.responsible}")
def full_playbook(self):
"""แสดง Playbook ทั้งหมด"""
print(f"\n{'='*55}")
print(f"Ransomware Incident Response Playbook")
print(f"{'='*55}")
for phase in IncidentPhase:
self.execute_phase(phase)
print(f"\n IMPORTANT:")
print(f" - อย่าปิดเครื่อง (Key อาจอยู่ใน Memory)")
print(f" - อย่าจ่ายค่าไถ่ (ไม่การันตีว่าจะได้ Key)")
print(f" - เก็บ Evidence ก่อน Clean")
print(f" - ตรวจ nomoreransom.org สำหรับ Free Decryptor")
# รัน Playbook
plan = IncidentResponsePlan()
plan.full_playbook()Detection และ Monitoring
# ransomware_detection.py — Ransomware Detection Rules
import os
import hashlib
from dataclasses import dataclass
from typing import List, Set
from datetime import datetime
@dataclass
class DetectionAlert:
rule: str
severity: str
description: str
indicator: str
timestamp: str
class RansomwareDetector:
"""Ransomware Detection Engine"""
# Known Ransomware Extensions
RANSOMWARE_EXTENSIONS = {
".encrypted", ".locked", ".crypt", ".crypto",
".locky", ".cerber", ".zepto", ".odin",
".zzzzz", ".aaa", ".abc", ".xyz",
".lockbit", ".blackcat", ".conti",
".wannacry", ".wncry", ".wcry",
}
# Ransom Note Filenames
RANSOM_NOTES = {
"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html",
"restore_files.txt", "read_me.txt", "help_decrypt.txt",
"recovery_key.txt", "!readme!.txt",
}
# Suspicious Process Names
SUSPICIOUS_PROCESSES = {
"vssadmin.exe", # Delete Shadow Copies
"wmic.exe", # Shadow Copy deletion
"bcdedit.exe", # Disable recovery
"wbadmin.exe", # Delete backup catalog
"cipher.exe", # Encrypt/wipe free space
}
def __init__(self):
self.alerts: List[DetectionAlert] = []
def check_file_extensions(self, directory):
"""ตรวจสอบ File Extensions ที่ผิดปกติ"""
suspicious = 0
for root, dirs, files in os.walk(directory):
for f in files:
ext = os.path.splitext(f)[1].lower()
if ext in self.RANSOMWARE_EXTENSIONS:
suspicious += 1
self.alerts.append(DetectionAlert(
"ransomware_extension",
"critical",
f"Ransomware extension detected: {ext}",
os.path.join(root, f),
datetime.now().isoformat(),
))
return suspicious
def check_ransom_notes(self, directory):
"""ตรวจสอบ Ransom Notes"""
found = 0
for root, dirs, files in os.walk(directory):
for f in files:
if f.lower() in self.RANSOM_NOTES:
found += 1
self.alerts.append(DetectionAlert(
"ransom_note",
"critical",
f"Ransom note found: {f}",
os.path.join(root, f),
datetime.now().isoformat(),
))
return found
def check_entropy(self, filepath, threshold=7.5):
"""ตรวจสอบ File Entropy (ไฟล์เข้ารหัสมี Entropy สูง)"""
try:
with open(filepath, "rb") as f:
data = f.read(1024 * 1024) # Read 1MB
if not data:
return 0
byte_counts = [0] * 256
for byte in data:
byte_counts[byte] += 1
entropy = 0
for count in byte_counts:
if count > 0:
prob = count / len(data)
entropy -= prob * (prob and __import__('math').log2(prob))
if entropy > threshold:
self.alerts.append(DetectionAlert(
"high_entropy",
"high",
f"High entropy file ({entropy:.2f}): possible encryption",
filepath,
datetime.now().isoformat(),
))
return entropy
except Exception:
return 0
def report(self):
"""Detection Report"""
print(f"\n{'='*55}")
print(f"Ransomware Detection Report")
print(f"{'='*55}")
print(f" Total Alerts: {len(self.alerts)}")
critical = [a for a in self.alerts if a.severity == "critical"]
high = [a for a in self.alerts if a.severity == "high"]
if critical:
print(f"\n CRITICAL ({len(critical)}):")
for a in critical[:5]:
print(f" [{a.rule}] {a.description}")
if high:
print(f"\n HIGH ({len(high)}):")
for a in high[:5]:
print(f" [{a.rule}] {a.description}")
if not self.alerts:
print(f"\n No ransomware indicators detected")
# detector = RansomwareDetector()
# detector.check_file_extensions("/home")
# detector.check_ransom_notes("/home")
# detector.report()
print("Ransomware Detection Rules:")
print(f" Extensions: {len(RansomwareDetector.RANSOMWARE_EXTENSIONS)} patterns")
print(f" Ransom Notes: {len(RansomwareDetector.RANSOM_NOTES)} patterns")
print(f" Processes: {len(RansomwareDetector.SUSPICIOUS_PROCESSES)} patterns")
print(f" Entropy Threshold: 7.5")วิธีป้องกัน
- Backup 3-2-1: เก็บ 3 copies, 2 media types, 1 offsite ใช้ Immutable Backup
- Patch Management: อัพเดท OS และ Software สม่ำเสมอ โดยเฉพาะ Critical Patches
- MFA ทุก Account: เปิด Multi-Factor Authentication ทุก Account โดยเฉพาะ Admin
- EDR/XDR: ใช้ Endpoint Detection and Response ตรวจจับ Ransomware แบบ Real-time
- Network Segmentation: แยก Network เป็น Segments ลดการแพร่กระจาย
- Security Awareness: ฝึกพนักงานไม่คลิก Phishing Email ไม่เปิดไฟล์แนบที่ไม่รู้จัก
Ransomware คืออะไร
Malware เข้ารหัสไฟล์เรียกค่าไถ่แลก Decryption Key แพร่ผ่าน Phishing Exploit RDP WannaCry LockBit Conti BlackCat เรียกจ่าย Bitcoin Cryptocurrency
แนะนำเพิ่มเติม — XM Signal
เนื้อหาเกี่ยวข้อง — บทความที่เกี่ยวข้อง: Datadog APM Container Orchestration
