科普勒索軟件:中毒后要不要支付贖金?
上個月,一個叫WannaCry的勒索軟件搞得全世界很多公司欲哭無淚,而現在這種勒索病毒又出新變種了。 本周二,又一波肆虐的勒索軟件攻擊令很多毫無準備的公司陷入停滯。這波攻擊的傳播方式也WannaCry大同小異,都使用了一種叫做“永恒之藍”的黑客工具,而據說這種工具還與美國國家安全局有關。 這兩次攻擊的主要區別之一是最近的這次攻擊取消了“自殺開關”,這意味著這一波攻擊或許更難抵御。 網絡安全專家早就警告過那些沒有安裝微軟Windows系統補丁的企業,下一次攻擊對他們來說只是時間問題,他們的預言也果然應驗了。 下面我們就這次勒索軟件攻擊做一個小小的科普。 究竟發生了什么? 本周二,一波勒索軟件攻擊像野火一般在全球蔓延開來。許多微軟Windows操作系統的電腦都中招了,特別是那些沒有針對SMB-1協議漏洞進行保護的計算機。很多企業的系統都被鎖死了,無法進入桌面,只會顯示勒索信息。 中了病毒的用戶無法訪問文件夾和文件,在勒索信息中,黑客要求中病毒者支付價值300美元的比特幣作為贖金。比特幣也是“網絡敲詐犯”的最愛,因為它不僅支付起來很容易,而且也很難追蹤其去向。 受影響的都有誰? 俄羅斯網絡安全公司卡巴斯基的全球研究主任科斯廷·拉尤近日在他的推特賬號上發布了一張圖表,顯示了該公司追蹤到的此次勒索病毒受害者的地理分布。從圖表上看,這一波襲擊的重災區主要是美國、意大利、德國、波蘭、烏克蘭和俄羅斯。但卡巴斯基的客戶群在很大程度上向俄語國家傾斜,因此它給出這樣的分布也是可以理解的。) 受到此輪攻擊影響的企業有:丹麥航運巨頭馬士基、俄羅斯石油公司、英國廣告公司WPP以及美國制藥巨頭默克公司等。另有報道表明,這次攻擊也對銀行、學校、政府機構、機場和其他一些組織造成了影響。 Petya病毒是什么? 初步分析表明,最近的這波網絡攻擊使用了一種基于Petya病毒的惡意軟件。Petya是去年才首次出現的一種勒索軟件程序。不過進一步的調查卻對這種說法提出了質疑。為了將它與Petya病毒區分開,包括卡巴斯基在內的一些網絡安全公司給這種最新的勒索軟件起了個新名字,叫做“NotPetya”。 網絡安全公司SentinelOne的首席安全戰略師耶利米·格羅斯曼對《財富》表示,目前尚無足夠證據揭露該惡意軟件的源頭?!按舜尾《颈l與Petya病毒有些相似特點,比如它們都感染了MBR(MBR又叫主引導記錄,是Windows系統硬盤驅動器的一個重要部分),最且對整個硬盤進行了加密。不過我們現在尚不清楚它是否是Petya病毒的變種?!?/p> 這一切是怎樣發生的? 有些公司沒有針對Windows的系統漏洞升級補丁,這是導致他們易感病毒的主要原因。我們現在還不知道該病毒的初始攻擊途徑。但它一旦進入了網絡,就可以通過Windows系統的SBM-1協議漏洞,在計算機網絡上迅速傳播。 很多受勒索軟件影響的企業運行的都是工業級系統。這些機器是很難打補丁的,因為它們上面運行著很多重要程序,企業很難允許這些重要內容下線。應用安全公司Veracode的聯合創始人、首席技術官克里斯·威斯波爾表示:“像他們這樣的企業,要想給所有機器都打上補丁是很難的,因為很多系統根本就不可能有停機檢修的時間?!?Veracode公司今年早些時候已經被CA Technologies公司收購了。 企業如何自保? 網絡安全公司Palo Alto Networks在其“威脅簡報”博客上指出,面對勒索病毒的威脅,企業是可以采取一些簡單的措施進行自保的。首先要安裝微軟的MS17-010補丁。其次,要關閉微軟Windows系統與相關漏洞有關的445端口。最后,要經常做好數據備份,必要時可以用它們來恢復系統。 中招了怎么辦,該付贖金嗎? 這也是信息安全界持續爭論的一個問題。主流的看法是,用戶不應向黑客支付贖金。首先,誰也不能保證黑客會不會解封你的文件。其次,一旦我們給網絡罪犯提供了資助,只會刺激他們以后繼續開展類似的攻擊。 盡管如此,有時中招的企業也想賭一把,希望犯罪分子能夠大發慈悲,還原他們電腦上的重要文件和信息。不過事實證明,即便受害人支付了贖金,他們的數據也無法還原。黑客們所使用的電子郵件系統的提供商Posteo近日表示,他們已經封鎖了黑客創建的賬號,這意味著黑客已經失去了與受害人聯系溝通的渠道,因此也就無法向受害人發送解碼密鑰了。另外,截止到本周二美國東部時間的下午3點,黑客的比特幣錢包已經收到了28筆轉賬,合計收入約3個比特幣,價值超過了7000美元。(財富中文網) 譯者:樸成奎 |
Meet the sequel to WannaCry, the wide-ranging ransomware attack that crippled businesses around the globe last month. On Tuesday, another widespread ransomware attack began halting unprepared businesses in their tracks. The new attack uses the same method of propagation as WannaCry: A leaked hacking tool called Eternal Blue, which has been linked to the U.S. National Security Agency. One of the major differences between the two attacks is that the most recent event does not yet appear to be susceptible to a hardcoded "kill switch." That means it may prove harder to overcome. Security experts have been warning organizations that failed to apply security patches to their Microsoft Windows-based computer systems that it was only a matter of time before another digital siege surfaced. It seems their predictions have borne true. Here's a quick FAQ to get you up to speed. What has happened? A wave of ransomware attacks spread like wildfire on Tuesday. Many Microsoft Windows-based computers—specifically, ones not protected against a vulnerability in a Microsoft messaging protocol called SMB-1—began seizing up worldwide, locking employees out of their desktops, and displaying ransom notes. Unable to access their files and folders, workers and managers were greeted by on-screen demands for payment of $300 in Bitcoin, a digital currency often used by cyber extortionists because it's easy to send and hard to track. Who has been affected? The attack struck organizations in the U.S., Italy, Germany, Poland, Ukraine and Russia. Costin Raiu, director of global research at Russian security firm Kaspersky Labs, posted a bar graph on Twitter showing the geographic distribution of victims, according to what his firm could measure. (Kaspersky's customer base skews towards Russian-speaking countries, which might explain the spread.) Some of the affected companies include Maersk (amkby, +0.41%), the Danish shipping giant, Rosneft, the Russian oil company, WPP, the British advertising agency, and Merck (mrk, -0.58%), the U.S. pharmaceutical giant. There are reports that the attack has also affected banks, hospitals, governments, airports, and other organizations. What is Petya? Initial analyses suggested that the latest wave of attacks involved malware based on Petya, a type of ransomware that first surfaced last year. Further investigations have disputed this analysis. In lieu of a better name, some cybersecurity firms, such as Kaspersky, have begun referring to the latest malware as "NotPetya." Jeremiah Grossman, chief security strategist at the cybersecurity firm SentinelOne, told Fortune there isn't enough evidence yet to uncover the malware's provenance. "This outbreak has similar characteristics as Petya, such as infecting the MBR [Master Boot Record, an important component of Microsoft computer hard drives] and encrypting the entire drive, however, it is not clear yet that this is a Petya variant," he said. How did this happen? Companies that failed to patch their systems against the Microsoft vulnerability were open to this attack. It's still not clear what the initial attack vector was. But once inside, the worm could spread across computer networks via the hole in Microsoft SMB-1. It seems that many of the organizations affected by the malware operated industrial systems. These machines can be hard to patch because they run critical processes are difficult to take offline. "Organizations like these typically have a hard time patching all of their machines because so many systems simply cannot have down time," said Chris Wysopal, cofounder and chief tech officer of Veracode, an application security firm purchased by CA Technologies earlier this year. What can businesses do to protect themselves? There are a few simple steps businesses can take, as the cybersecurity firm Palo Alto Networks (panw, -1.55%) explains on its "threat brief" blog. First, apply Microsoft patch MS17-010. Second, block connections to Microsoft Windows' port 445, the part of the operating system associated with the vulnerable protocol. And finally, maintain regular data backups, and use them to restore systems. Should you pay the ransom? This is a continual source of debate in the information security community. The general belief is, no, you should not pay the ransom. For one, there's no guarantee extortionists will return your files. Second, funding cybercriminals will encourage them to develop similar attacks in the future. Still, sometimes companies take a gamble and pay up in the hopes that the criminals will restore access to their files and information. In this case, it appears as though customers will not be able to reclaim their data even if they do pay up. Posteo, the email service chosen by the attackers, said it blocked the account they created, meaning the extortionists have lost their channel to communicate with victims and hand over decryption keys. Despite this, the attackers' Bitcoin wallet had already received 28 transactions equaling 3 Bitcoins, or more than $7,000, as of 3 P.M. ET on Tuesday. |