{"id":2691,
"date":"2016-12-06T00:43:12","date_gmt":"2016-12-06T05:43:12",
"guid":{"rendered":"https://www.kaspersky.com.tr/blog/?p=2691"},
"modified":"2019-11-15T14:54:44","modified_gmt":"2019-11-15T11:54:44",
"slug":"mamba-hddcryptor-ransomware","status":"publish","type":"post",
"link":"https://www.kaspersky.com.tr/blog/mamba-hddcryptor-ransomware/2691/",
"title":{"rendered":"Mamba ransomware hits San Francisco municipal transit"},
"content":{"rendered":"<p>On November 26 and 27, something interesting awaited people leaving their homes in San Francisco in the morning: strangely, they could ride the San Francisco Municipal Railway without paying. For two days, not a single passenger paid a fare, because the Municipal Railway had been infected with ransomware and the system could not sell tickets.</p>\n<p>According to some news <a href=\"http://www.csoonline.com/article/3144991/security/ransomware-forces-sfmta-to-give-free-rides-73-000-demanded-by-attackers.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">sources</a>, the problem had started a few days earlier: reportedly, just before Thanksgiving, the ticket machines displayed “You Hacked”, a classic ransomware notice complete with the usual grammatical error. It appears that Mamba, a version of <a href=\"http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">HDDCryptor</a>, put more than 2,000 computers of the San Francisco Municipal Transportation Agency (SFMTA) out of service.</p>\n<p>Mamba (and HDDLocker; treat the two as one throughout this article) is a program that encrypts the hard drive and modifies the Master Boot Record (MBR) so that the computer cannot load its operating system and instead shows the victim a message.</p>\n<p>Mamba's developers used open-source code for this Trojan, which, among other things, gave it a strong encryption algorithm. <strong>In other words, there is one other known way to get rid of the Mamba ransomware besides paying the ransom.</strong></p>\n<p>Mamba's creators asked SFMTA to contact them via the address <em>cryptom27@yandex.com</em>. A journalist from the <a href=\"http://www.sfexaminer.com/alleged-muni-hacker-demands-73000-ransom-computers-stations-restored/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">San Francisco Examiner</a> used this e-mail address to contact the criminals. The criminal or criminals introduced themselves as “Andy Saoli”. According to Andy, this was not a targeted attack: the system was infected because one of the administrators downloaded a malware-laden torrent file.</p>\n<p>According to Andy's demand, SFMTA had to pay 100 bitcoins (roughly 265 thousand TL) to get its computers back. But it appears SFMTA managed to deal with the problem without paying the ransom; by the following Sunday the ticket machines were working again.</p>\n<p>Kaspersky Lab's malware researchers are on the trail of the actors behind this incident. Apparently Mamba was ransomware built to threaten companies and organizations, so SFMTA is not Mamba's first success. Moreover, for such a large organization, 100 bitcoins is actually a very low figure by the criminals' standards; they usually demand far more.</p>\n<p>In short, Mamba is a very unpleasant threat. So what should you do to protect yourself and your company against it and threats like it?</p>\n<p>https://twitter.com/KasperskyTR/status/804000117183365120</p>\n<p>1. SFMTA was able to recover its system quickly because it had up-to-date backups. Fortunately, the backups were not on the network, or they would have been encrypted too.</p>\n<p>The lesson to take from this: be like SFMTA and back up your data regularly. If possible, keep your backups both in cloud storage and on external disks; keeping them on your computer or on the same network is not recommended.</p>\n<p>2. Be smarter than SFMTA: avoid getting infected by Mamba and other malware in the first place. Use a reliable security solution. <a href=\"http://kas.pr/kdkisatr\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Internet Security</a> detects Mamba (and many others like it, including HDDCryptor) as HEUR:Trojan.Win32.Generic and does not let it encrypt anything on your computer.</p>\n","protected":false},
"excerpt":{"rendered":"<p>On November 26 and 27, something interesting awaited people leaving their homes in San Francisco in the morning.</p>\n","protected":false},
"author":696,"featured_media":2692,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard",
"meta":{"_acf_changed":false,"footnotes":""},
"categories":[1287,1351],"tags":[591,1084,1085,447,1086,537],
"class_list":{"0":"post-2691","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-fidye-yazilimi","10":"tag-hddcryptor","11":"tag-mamba","12":"tag-ransomware","13":"tag-san-francisco","14":"tag-tehditler"},
"hreflang":[{"hreflang":"tr","url":"https://www.kaspersky.com.tr/blog/mamba-hddcryptor-ransomware/2691/"},{"hreflang":"en-us","url":"https://usa.kaspersky.com/blog/mamba-hddcryptor-ransomware/10519/"},{"hreflang":"en-gb","url":"https://www.kaspersky.co.uk/blog/mamba-hddcryptor-ransomware/8034/"},{"hreflang":"es-mx","url":"https://latam.kaspersky.com/blog/mamba-hddcryptor-ransomware/8050/"},{"hreflang":"es","url":"https://www.kaspersky.es/blog/mamba-hddcryptor-ransomware/9620/"},{"hreflang":"it","url":"https://www.kaspersky.it/blog/mamba-hddcryptor-ransomware/9424/"},{"hreflang":"ru","url":"https://www.kaspersky.ru/blog/mamba-hddcryptor-ransomware/13663/"},{"hreflang":"x-default","url":"https://www.kaspersky.com/blog/mamba-hddcryptor-ransomware/13539/"},{"hreflang":"fr","url":"https://www.kaspersky.fr/blog/mamba-hddcryptor-ransomware/6375/"},{"hreflang":"pt-br","url":"https://www.kaspersky.com.br/blog/mamba-hddcryptor-ransomware/6770/"},{"hreflang":"pl","url":"https://plblog.kaspersky.com/mamba-hddcryptor-ransomware/5778/"},{"hreflang":"de","url":"https://www.kaspersky.de/blog/mamba-hddcryptor-ransomware/9302/"},{"hreflang":"ja","url":"https://blog.kaspersky.co.jp/mamba-hddcryptor-ransomware/13344/"},{"hreflang":"ru-kz","url":"https://blog.kaspersky.kz/mamba-hddcryptor-ransomware/13663/"},{"hreflang":"en-au","url":"https://www.kaspersky.com.au/blog/mamba-hddcryptor-ransomware/13539/"},{"hreflang":"en-za","url":"https://www.kaspersky.co.za/blog/mamba-hddcryptor-ransomware/13539/"}],
"acf":[],"banners":"",
"maintag":{"url":"https://www.kaspersky.com.tr/blog/tag/fidye-yazilimi/","name":"Fidye Yazılımı"},
"_links":{"self":[{"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/posts/2691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/posts"}],"about":[{"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/types/post"}],"author":[{"embeddable":true,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/users/696"}],"replies":[{"embeddable":true,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/comments?post=2691"}],"version-history":[{"count":2,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/posts/2691/revisions"}],"predecessor-version":[{"id":7107,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/posts/2691/revisions/7107"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/media/2692"}],"wp:attachment":[{"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/media?parent=2691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/categories?post=2691"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.kaspersky.com.tr/blog/wp-json/wp/v2/tags?post=2691"}],"curies":[{"name":"wp","href":"https://api.w.org/{rel}","templated":true}]}}