
Original title: How to Protect Yourself from 'Ransomware'; he saved the world and became a global hero

Published: 2019-12-12


Note: this article is mainly for my own records. My English is limited, so if there are any problems with the translation I would be grateful if readers pointed them out.
Translated from "How to Protect Yourself from 'Ransomware'"

Young Briton accidentally "saves the world": days without sleep to stop the ransomware's spread

Source: Wikipedia, WannaCry

Summary: In May this year, 22-year-old British computer expert Marcus Hutchins became famous overnight and was hailed as a hero after he successfully halted the "WannaCry" ransomware that was rampaging around the world. Recently, however, it was revealed that he had been arrested in the United States on suspicion of creating malware designed to steal bank account information.

In May 2017, 22-year-old British computer expert Marcus Hutchins shot to fame and was regarded as a hero for halting the WannaCry ransomware that was spreading worldwide. Recently, however, he was arrested in the United States on suspicion of creating malware intended to steal bank account information. According to The Guardian and other media, a statement from the US Department of Justice said that the 22-year-old British security expert was arrested by the FBI in Las Vegas on his way home after attending an annual gathering of hackers and information-security experts. Court documents allege that between 2014 and 2015 Hutchins and an accomplice created and distributed the banking malware "Kronos", which steals the usernames and passwords customers enter when logging in to bank websites; the malware was also configured to attack banking systems in the UK, Canada, Germany, Poland, France and other countries. Hutchins made no statement at the hearing; he faces six charges over the malware. Responding to the US charges, Hutchins' mother said her son had spent enormous amounts of time fighting malware and so could "hardly" have written any; she was outraged by the accusation. A friend of Hutchins was likewise shocked by the arrest.

As Haiwainet reported earlier, the WannaCry ransomware broke out in mid-May and within a few days networks in more than 150 countries fell one after another; in China many universities, petrol stations, railway stations, self-service terminals, hospitals and government work terminals were also infected. Hutchins, who lives in a small seaside town in the UK, had earlier registered an unknown domain name almost by accident, and unexpectedly prevented more than 100,000 computers worldwide from being infected by the ransomware, halting its spread. The domain turned out to be a "kill switch" left by the malware's author: before starting, every infected machine first contacts that domain; if the domain still does not exist, the malware keeps spreading, and if someone has registered it, the malware stops spreading. In this "accidental" way he stopped a global cyber attack.

This is the 22-year-old computer wizard who put a stop to the ransomware virus that caused chaos around the world.

  • Translation follows

The WannaCry ransomware that has been rampaging since last Friday was temporarily halted by a British computer prodigy using the alias MalwareTech. The hero's identity has now been revealed: he is 22-year-old Marcus Hutchins, who helped discover a flaw in the hackers' code, stopped the disaster from growing further and saved 100,000 computer users.

 




WannaCry ransomware attack


 

From Wikipedia, the free encyclopedia

The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry[[a]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-alias-5) ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

The attack began on Friday, 12 May 2017,[[5]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-naked-6) and within a day was reported to have infected more than 230,000 computers in over 150 countries.[[6]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:3-7)[[7]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-cnbc1-8) Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack;[[8]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-9) Spain's Telefónica, FedEx and Deutsche Bahn were also hit, along with many other companies in many other countries worldwide.[[9]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-cnn99countries-10)[[10]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-verge1-11)[[11]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-12) Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech,[[12]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-13) discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch.[[13]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-spiegel1-14)[[14]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-15)[[15]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-16)[[16]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-17) Researchers have also found ways to recover data from infected machines under some circumstances.[[17]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:2-18)



WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft.[[18]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-independent-19)[[19]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-telegraph-20) Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, in addition to Windows Vista (which had recently ended support).[[20]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-Ars_Technica-21) However, many Windows users had not installed the patches when, two months later on May 12, 2017, WannaCry used the EternalBlue vulnerability to spread itself. The next day, Microsoft released emergency security patches for Windows 7 and Windows 8. Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.[[21]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-22)

Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well.[[22]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-unsupported-23) Almost all victims of the cyberattack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were "insignificant" in comparison.[[23]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-microsoftreleases-24)[[17]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:2-18)

Within four days of the initial outbreak, new infections had slowed to a trickle.[[24]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-Volz-25)

Several organizations released detailed technical writeups of the malware, including Microsoft,[[25]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-26) Cisco,[[26]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-talos-27) Malwarebytes,[[27]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-mbytes-28) Symantec and McAfee.[[28]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-mcafee-29)

The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin.[[29]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-syma-30) It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.[[26]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-talos-27)



The British surfer, named as Marcus Hutchins, became an 'accidental hero' after halting the global spread of the unprecedented attack.

  • Original follows

The way Hutchins stopped the ransomware was, in fact, something of a happy accident.



How to Protect Yourself from 'Ransomware'

After the ransomware broke out last Friday (the 12th), Hutchins, under the handle "MalwareTech", battled WannaCry for 72 hours. To trace the source of the virus he spent £8 registering a domain name, unexpectedly found the kill switch for the attack, and succeeded in stopping WannaCry from spreading.

Description


The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry[[b]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-alias2-34) ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.[[33]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-35)



 

He stopped the virus in just a few hours - by which point, it had brought chaos to the NHS and thousands of other victims.

Last Friday, the largest cyberattack ever affected more than 200,000 computers in more than 150 countries. The attack used a virus that locked the computers' data. The attackers demanded payment to unlock the computers.
The virus, called WannaCry, infected computers in organizations including the British healthcare system, the American company FedEx and Russia's Interior Ministry.
Our story, 'Ransomware' Affects Computers Worldwide explains more about the virus.
Although Friday's cyberattack was stopped, the virus may soon return in a different form. It is important to learn about the virus and the steps you should take now to protect your data from future versions of WannaCry.
How the virus locked computers
WannaCry attacked computers that were connected to the Internet and used Windows operating systems. The systems affected had not yet been updated with a security patch that Microsoft released in March.
How WannaCry was blocked
A developer accidentally discovered a way to prevent WannaCry from spreading. He looked at the computer code and noticed that the virus was directing computers to a domain name. He checked on the domain name and discovered that it was available, so he bought it for less than $11. That simple move enabled a "kill switch" that prevented WannaCry from spreading further.
Unfortunately, the kill switch does not unlock computers that were already infected by the virus.
The developer has chosen to remain nameless but uses the Twitter account @malwaretechblog. He wrote a blog post that explains in detail how he happened to discover the kill switch for WannaCry. The post is called How to Accidentally Stop a Global Cyber Attacks.
But we are not safe yet
This cyberattack used a security hole that still exists for computers running older versions of Windows. Computers running Windows 10 that have not yet installed the update are also at risk.
The virus may attack again. All the hackers have to do to launch a new cyberattack is to change the domain name in WannaCry, then release the updated virus.
How to protect your data against future cyberattacks
You can protect yourself against future cyberattacks. Make sure to download the latest Windows security patch to your computer. Microsoft, the maker of Windows, has now released security patches for older versions of Windows that give protection against WannaCry.
For help, visit Microsoft's page called "How to Keep Your Windows Computer Up-to-date."
Permit automatic Windows updates if you do not want to worry about keeping your computer updated.
Also, make sure that you save, or back up, your data. Do regular backups of your data, both locally with an external drive and in the Cloud. That way you can protect your data when another cyberattack occurs.
Be sure not to click on links or download attachments in emails unless you are sure that they are not "phishing" emails from hackers. Although the WannaCry virus attack did not happen this way, others have happened this way in the past.

Hutchins revealed that over the past three days he had been busy monitoring the ransomware outbreak and had slept only five hours; since his identity was exposed, his Twitter account has gained 20,000 followers and his inbox has received thousands of emails.

"Kill switch"


The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines used by anti-virus researchers; he observed that some sandbox environments will respond to all queries with traffic in order to trick the software into thinking that it is still connected to the internet, so the software attempts to contact an address which did not exist, to detect whether it was running in a sandbox, and do nothing if so.[[34]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-MalwareTech-36) He also noted that it was not an unprecedented technique, having been observed in the Necurs trojan.[[34]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-MalwareTech-36)

On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed attack on WannaCry's kill-switch domain with the intention of knocking it offline.[[35]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-37) On 22 May, @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[[36]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-38)



 


Hutchins: I was just doing the right thing

EternalBlue


Main article: EternalBlue

The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.[[37]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-39)[[38]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-40)

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol.[[39]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-scademy-41) This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017.[[40]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-microsoft.com-42) The patch was to the Server Message Block (SMB) protocol used by Windows,[[41]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-exploit-43)[[42]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-hei-44) and fixed several versions of the Microsoft Windows operating system, including Windows Vista, Windows 7, Windows 8.1, and Windows 10, as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP, Windows Server 2003, and Windows 8 (unsupported because Windows 8.1 is classified as a mandatory service pack upgrade).[[40]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-microsoft.com-42) The day after the WannaCry outbreak Microsoft released updates for these too.[[23]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-microsoftreleases-24)[[22]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-unsupported-23)



 

It is thought he did this from a small bedroom at his parents' home, packed with video games and takeaway pizza boxes.

Hutchins currently works at the UK branch of the US cyber-security company Kryptos Logic. In his first interview with the Associated Press on Monday, he said that many computer experts had worked hard over the weekend to fight the ransomware: "I'm definitely not a hero. I'm just doing the right thing, doing my bit to stop botnets."

DoublePulsar


Main article: DoublePulsar

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands.[[43]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-45) By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day.[[44]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-46)[[45]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-47) The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.[[26]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-talos-27)[[46]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-48)[[47]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-49)



 


After Hutchins saved more than 100,000 computers worldwide from ransomware infection, job offers came flooding in, but he said he wants to stay at Kryptos Logic and has no plans to change jobs for now.

Attribution


Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[[48]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-register-language-50)[[49]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-51)

Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[[50]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-attrib-1-52) (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[[50]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-attrib-1-52) This could also be either simple re-use of code by another group[[51]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-53) or an attempt to shift blame—as in a cyber false flag operation;[[50]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-attrib-1-52) but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[[52]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-washpo-nsa-dprk-54) The President of Microsoft said he believed North Korea was the originator of the WannaCry attack,[[53]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-55) and the UK's National Cyber Security Centre reached the same conclusion.[[54]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-56)

North Korea itself denies being responsible for the cyberattack.[[55]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-57)[[56]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-58)



 

One of Marcus's friends said that the surfer - who had been tweeting anonymously by the name MalwareTech - was just "doing his job" when he put a halt to the spread of the virus.

Identity exposed, fears of hacker retaliation

Cyberattack


On 12 May 2017, WannaCry began affecting computers worldwide,[[58]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-60) with evidence pointing to an initial infection in Asia at 7:44am UTC.[[5]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-naked-6)[[59]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-61) The initial infection was likely through an exposed vulnerable SMB port,[[60]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-62) rather than email phishing as initially assumed.[[5]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-naked-6)

When executed, the malware first checks the "kill switch" domain name;[[c]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-63) if it is not found, then the ransomware encrypts the computer's data,[[61]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:1-64)[[29]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-syma-30)[[62]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-65) then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[[27]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-mbytes-28) and "laterally" to computers on the same network.[[28]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-mcafee-29) As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.[[29]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-syma-30)[[63]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-66) Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.[[64]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-67) As of 14 June 2017, at 00:18 ET, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.[[65]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-68)

Organizations that had not installed Microsoft's security update were affected by the attack.[[41]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-exploit-43) Those still running the older Windows XP[[66]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-vicexp-69) were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014).[[23]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-microsoftreleases-24) However, on the day after the outbreak, an emergency, out-of-band security update was released for XP and Windows Server 2003.[[22]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-unsupported-23) A Kaspersky Labs study reported that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.[[17]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:2-18) In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[[67]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-verge-xpimpact-70)[[68]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-kl-twoweekslater-71)



 


To reward Hutchins for averting a major disaster, his boss offered him a free trip to Milan, but Hutchins, fearing retaliation from hackers, has kept a very low profile: "They will probably find out who I am before long, and if they know where I live, they could do anything."

Ransomware analysis


The execution of the virus can be divided into three steps: the main program file uses the vulnerability to spread itself and runs the "WannaCry" ransom program; the "WannaCry" ransom program encrypts the files; and the ransom interface (@WanaDecryptor@.exe) displays the ransom information and decrypts the sample files.[[69]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-72)

Main program (mssecsvc.exe) analysis: the sample's main program is the main spreading component of this event. It is responsible for spreading itself and dropping the "WannaCry" ransom program, after which "WannaCry" encrypts user files and carries out the malicious behaviour.

"WannaCry" ransom program (tasksche.exe) analysis: the sample itself embeds an original RSA public key, and the attacker retains the matching RSA private key. Before encrypting files, it calls the Windows CryptoAPI to generate a new RSA key pair, known as the sub-public key and sub-private key. The sample then encrypts the sub-private key with the original RSA public key and saves it as "00000000.eky"; the sub-public key is saved as "00000000.pky".

The sample generates an AES key for encrypting each file. The encrypted file contents are M2, and the AES key encrypted with the sub-public key "00000000.pky" is M1. M1 and M2 are then concatenated, prefixed with the file header "WANACRY!", and saved as the encrypted file.

For decryption, the attacker decrypts the sub-private key "00000000.eky" (once the victim has sent it) and returns it as "00000000.dky", which is then used to decrypt the files. The sample also carries a second primary RSA key pair, which is used to decrypt the demonstration files.

Each encrypted file uses a different AES key. To decrypt a file you need the RSA sub-private key, which decrypts the AES key stored in the file header; the AES key then decrypts the file. Without the RSA sub-private key the AES key cannot be recovered, and neither can the file.

Ransom interface and decryption program (@WanaDecryptor@.exe) analysis: "@WanaDecryptor@.exe" is the ransom interface program displayed after the sample has encrypted user data. It shows the Bitcoin wallet address and decrypts a handful of files as a demonstration; to decrypt all files the victim must pay the "ransom". Because the Tor-based backend showed the same three default Bitcoin wallet addresses to the majority of infected users, many people concluded that the attacker could not tell who had paid and could not decrypt the files of a specific victim.



 

Marcus realised that by registering a website domain name the virus code could be stopped.

Hutchins also warned that WannaCry may contain a "backdoor": even if an infected computer has been repaired, hackers could still easily inject a variant of the virus.

Defensive response


Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, a researcher known by the name MalwareTech[[70]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-73)[[34]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-MalwareTech-36) accidentally discovered what amounted to a "kill switch" hardcoded in the malware.[[71]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-74)[[72]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-75)[[73]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-76) Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[[74]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-77)[[75]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-78)[[76]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-79)[[77]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-80)
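The kill-switch logic from the "Kill switch" section and the sinkhole effect described in the paragraph above, as an added example (not code from the page, Wikipedia, or the WannaCry sample). It simulates the malware's decision in three environments and then reads a constructed web-server log for the registered domain, which is what turned the domain into an infection census. The domain name, the log lines and the assumption that the sample only requests "/" are all constructed for this example, not taken from the real sample.

```python
"""Added example: WannaCry-style kill-switch check plus sinkhole log triage.
Everything named here is constructed for illustration."""
import re
from collections import Counter
from typing import Callable, Iterable

KILL_SWITCH_DOMAIN = "killswitch.example.invalid"   # placeholder, not the real domain


class Unreachable(Exception):
    """Raised by a fetch function when the name does not resolve or connect."""


def would_detonate(fetch: Callable[[str], bytes]) -> bool:
    """The check the page describes: request the hard-coded domain. A reply
    means "sandbox faking connectivity" (or, after registration, a sinkhole),
    so the sample exits. Only a failed request lets it go on to encrypt and
    spread over SMB."""
    try:
        fetch("http://" + KILL_SWITCH_DOMAIN + "/")
    except Unreachable:
        return True
    return False


# Three constructed environments the same binary could land in.
def real_internet_unregistered(url: str) -> bytes:
    raise Unreachable(url)            # NXDOMAIN: nobody owned the name yet


def sandbox_faking_connectivity(url: str) -> bytes:
    return b"<html></html>"           # analysis VM answers every request


def sinkhole_after_registration(url: str) -> bytes:
    return b"sinkhole"                # the registered domain answers too


# Defender side: the registered domain's access log, constructed here.
# Assumption: the sample requests only "/" (other paths are scanners/humans).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2017:15:08:44 +0000] "GET / HTTP/1.1" 200 8
198.51.100.23 - - [12/May/2017:15:08:45 +0000] "GET / HTTP/1.1" 200 8
203.0.113.7 - - [12/May/2017:15:09:02 +0000] "GET / HTTP/1.1" 200 8
192.0.2.200 - - [12/May/2017:15:09:10 +0000] "GET /robots.txt HTTP/1.1" 404 0
198.51.100.23 - - [12/May/2017:15:10:31 +0000] "GET / HTTP/1.1" 200 8
"""

LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .* "GET (?P<path>\S+) ')


def spared_hosts(log_lines: Iterable[str]) -> Counter:
    """Count check-ins per source IP. Every hit is a machine that ran the
    sample, saw the domain answer and therefore did not encrypt. It is still
    infected (the kill switch is not a cure) and must be patched and cleaned."""
    hits: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == "/":
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for name, env in [("unregistered", real_internet_unregistered),
                      ("sandbox", sandbox_faking_connectivity),
                      ("sinkhole", sinkhole_after_registration)]:
        print(f"{name:12s} detonate={would_detonate(env)}")
    print("infected-but-spared hosts:", dict(spared_hosts(SAMPLE_LOG.splitlines())))
```

The same trick cuts both ways: a sandbox that answers every DNS query makes this sample look benign, so an analysis environment should either let unknown names fail as they would on the real internet or at least record every name the sample asked for.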

On 16 May 2017, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware.[[78]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-81)[[79]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-82)

Within four days of the initial outbreak, new infections had slowed to a trickle.[[24]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-Volz-25)

It was discovered that Windows encryption APIs used by WannaCry may not completely clear the prime numbers used to generate the payload's private keys from the memory, making it possible to potentially retrieve the required key if they had not yet been overwritten or cleared from resident memory. This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[[80]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-zdnet-xpwannakey-83)[[81]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-ars-wannakey-84)[[82]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-85) This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[[83]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-ars-wanakiwi-86)
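Added example, not from the page and not code from WannaKey or Wanakiwi, showing the two points above in one piece: the per-file key is wrapped with an RSA public key whose private half the victim never holds (the .eky/.dky hierarchy described earlier), and a single prime factor left behind in memory is enough to rebuild that private key. Textbook RSA with constructed toy-sized primes and a plain integer standing in for the AES file key; real keys are far larger and go through the Windows CryptoAPI.

```python
"""Why a leftover RSA prime lets a recovery tool rebuild the private key."""
from math import gcd


def rsa_keypair(p, q, e=65537):
    """Return (n, e, d) for primes p and q; raises if e is not invertible."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return n, e, d


def wrap_key(file_key, n, e):
    """What the ransomware holds in a file header: the file key under the sub
    public key.  Only the matching private key d can undo this."""
    return pow(file_key, e, n)


def unwrap_key(wrapped, n, d):
    return pow(wrapped, d, n)


def recover_private_key(n, e, leaked_prime):
    """Rebuild d from the public (n, e) and one prime factor of n.

    This is the property the tools above rely on: if p or q survives in
    process memory, phi(n) and hence d follow immediately."""
    if leaked_prime in (0, 1) or n % leaked_prime != 0:
        raise ValueError("leaked value is not a factor of n")
    p = leaked_prime
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo():
    """Wrap a toy file key, then recover it using only a leaked prime."""
    p, q = 1000000007, 998244353        # constructed toy primes
    n, e, d = rsa_keypair(p, q)
    file_key = 123456789                # stand-in for a per-file AES key
    header = wrap_key(file_key, n, e)   # what a victim actually has on disk
    d_recovered = recover_private_key(n, e, p)
    return d_recovered == d, unwrap_key(header, n, d_recovered) == file_key


if __name__ == "__main__":
    print(demo())  # (True, True)
```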

The scale of the attack and subsequent exposure of vulnerabilities prompted Microsoft to release new security updates for older versions of Windows that are no longer supported, including for Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded.[[84]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-87) In a statement regarding the matter, the head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]".[[85]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-88)


Several hours after the ransomware was first released on 12 May 2017, while trying to establish the size of the attack, a researcher known as MalwareTech accidentally discovered a "kill switch" hard-coded in the malware. Registering a domain name for a DNS sinkhole stopped the attack from spreading as a worm, because the ransomware only encrypted a computer's files if it could not connect to that domain, which every computer infected before the domain was registered had been unable to do. This did not help systems that were already infected, but it greatly slowed the initial spread and bought time to deploy defensive measures worldwide, especially in North America and Asia, which had not been hit as hard as other regions.
On 16 May 2017, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware.
Within four days of the initial outbreak, new infections had slowed to a trickle.
It was found that the Windows encryption APIs used by WannaCry may not completely clear from memory the prime numbers used to generate the payload's private key, so the required key can potentially be recovered if those values have not yet been overwritten or cleared from resident memory. A French researcher used this behaviour to build a tool called WannaKey, which automates the process on Windows XP. A second tool, Wanakiwi, iterated on this approach and was also tested to work on Windows 7 and Server 2008 R2.
The scale of the attack and the vulnerabilities subsequently exposed prompted Microsoft to release new security updates for older, no-longer-supported versions of Windows, including Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded. In a statement on the matter, Adrienne Hall, head of Microsoft's Cyber Defense Operations Center, said: "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [an alternative name for WannaCry]".


Marcus discovered that simply registering the domain name of a specific website would stop the virus program from running.

Hutchins is currently working with the UK's National Cyber Security Centre to head off a possible second wave of attacks.

Advice on ransom


 Experts advised against paying the ransom due to no reports of people getting their data back after payment and as high revenues would encourage more of such campaigns.[[86]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-NS-89)[[87]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-BBC-90)[[88]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-91)


Experts advised against paying the ransom, since there were no reports of anyone getting their data back after paying, and high revenues would encourage more campaigns of this kind.


Computer experts have warned the block on the virus may only be temporary and the hackers could easily start up a new one capable of infecting millions more computers within days.

Punished by his school at 18, which changed his life

Impact


 The ransomware campaign was unprecedented in scale according to Europol,[[6]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-:3-7) which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[[89]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-Jones-92)

The attack affected many National Health Service hospitals in England and Scotland,[[90]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-93) and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[[91]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-14MaySunTim-94) On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[[92]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-BBC_news-95)[[93]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-96) In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[[66]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-vicexp-69) NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[[94]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-guardian-nhs-97)[[92]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-BBC_news-95)

Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[[95]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-98)[[96]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-99)

The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had a security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators[[97]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-chica1-100)[[98]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-guard1-101) or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[[99]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-102)[[100]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-103)

According to Cyber risk modeling firm Cyence, economic losses from the cyber attack could reach up to $4 billion, with other groups estimating the losses to be in the hundreds of millions.[[101]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-104)


According to Europol, the ransomware campaign was unprecedented in scale; it estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.
The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment, may have been affected. On 12 May some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers across 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were unaffected by the attack.
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of its systems. Renault also stopped production at several sites in an attempt to stop the ransomware from spreading.
The attack's impact is said to be relatively low compared with other potential attacks of the same type; it could have been much worse had a security expert who was independently researching the malware not discovered the kill switch its creators had built in, or had it been aimed specifically at highly critical infrastructure such as nuclear power plants, dams or railway systems.
According to the cyber-risk modelling firm Cyence, economic losses from the attack could reach up to $4 billion, while other groups estimate the losses in the hundreds of millions.


Computer experts warned that the block on the virus may only be temporary: hackers could easily create a new domain and very quickly go on to infect millions of computers.

According to an earlier report in the UK's Daily Mail, Hutchins is a surfing enthusiast. He told reporters that he does not much like reading and was a bad student in his teachers' eyes; at the age of 11 he was suspected by his school of attacking the school's network system, and the punishment the school handed down changed his life.

EternalRocks


Via a honeypot mechanism, security researcher Miroslav Stampar detected a new malware named "EternalRocks" that uses seven leaked NSA hacking tools and leaves Windows machines vulnerable for future attacks that may occur at any time. When installed, the worm names itself WannaCry in an attempt to evade security experts.[[102]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-105)[[103]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-cnet1-106)[[104]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-107)[[105]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-108)


Using a honeypot, security researcher Miroslav Stampar detected a new piece of malware named "EternalRocks" that uses seven leaked NSA hacking tools and leaves Windows machines vulnerable to future attacks that may occur at any time. When installed, the worm names itself WannaCry in an attempt to evade security experts.


Hutchins recalled: "That time the school system was hacked, the system suddenly stopped running. I was online at the time and I saw the school system shut down. A school document said I had been chatting with friends on the school system at the time, so I was suspected of carrying out the attack, but I never did it."

Reactions


A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".[[106]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-109) British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[[107]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-110) Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[[98]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-guard1-101) Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[[108]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-111)[[109]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-112)[[110]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-113) Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.[[111]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-vidal-114)

On 17 May, United States bipartisan lawmakers introduced the PATCH Act[[112]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-115) that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".[[113]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-116)

The United States Congress will also hold a hearing on the attack on June 15.[[114]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-thehill.com-117) Two subpanels of the House Science Committee will hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.[[114]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-thehill.com-117)

A cybersecurity researcher, working in loose collaboration with UK's National Cyber Security Centre,[[115]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-118)[[116]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-sky1-119) researched the malware and discovered a "kill switch".[[34]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-MalwareTech-36) Later globally dispersed security researchers collaborated online to develop open source tools[[117]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-wanakiwi-120)[[118]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-121) that allow for decryption without payment under some circumstances.[[119]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-reuters1-122) Snowden states that when "[NSA]-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.[[120]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-123)[[121]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-124)[[116]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-sky1-119)

Other experts also used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.[[122]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-125) Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".[[98]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-guard1-101) In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[[98]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-guard1-101) Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".[[42]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-hei-44)

The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by Government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.[[123]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-126) Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months previously.[[124]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-127) Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that, due to their technical design and market incentives, eventually won't be able to properly receive and apply patches.[[125]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-128) The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[[126]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-nhs-noxp-129)[[67]](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#cite_note-verge-xpimpact-70)


A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability and its loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened". British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services"; according to him and others, "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that, despite the obvious uses of such tools for spying on people of interest, the agencies have a duty to protect their countries' citizens. Others commented that the attack shows that the intelligence agencies' practice of stockpiling exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic. Microsoft president and chief legal officer Brad Smith wrote: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen." Russian President Vladimir Putin placed responsibility for the attack on the U.S. intelligence services for having created EternalBlue. On 17 May, bipartisan U.S. lawmakers introduced the PATCH Act, which aims to have exploits reviewed by an independent board in order to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".
The United States Congress will also hold a hearing on the attack on 15 June. Two subpanels of the House Science Committee will hear testimony from people working in government and in the non-governmental sector on how the US can improve the protection of its systems against similar attacks in the future.
A cybersecurity researcher working in loose collaboration with the UK's National Cyber Security Centre researched the malware and discovered a "kill switch". Later, security researchers dispersed around the world collaborated online to develop open-source tools that allow decryption without payment under some circumstances. Snowden states that when "[NSA]-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.
Other experts also used the publicity around the attack as an opportunity to reiterate the value and importance of good, regular and secure backups and of good cybersecurity, including isolating critical systems, using appropriate software and installing the latest security patches. Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, said that "the patching and updating systems are broken, basically, in the private sector and in government agencies". Segal also said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security". Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI), said that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".
The attack also had political implications. In the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were made worse by government underfunding of the NHS; in particular, the NHS had ended its paid Custom Support arrangement, under which it continued to receive support for unsupported Microsoft software used within the organisation, including Windows XP. Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months earlier. Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that, because of their technical design and market incentives, eventually cannot properly receive and apply patches. The NHS denied that it was still using XP, claiming that only 4.7% of devices within the organisation ran Windows XP.


The school insisted it was Hutchins's doing. To punish him, the school barred Hutchins from using a computer during his GCSE computing exam and arranged for him to answer the paper with pen and paper; in the end he failed computer science. After finishing secondary school he did not go to university because of his poor grades. He taught himself to become an information security expert and began writing a blog; his articles caught the attention of the US network security company Kryptos Logic, where he has worked ever since.

Affected organizations


 The following is an alphabetical list of organisations confirmed to have been affected:


The following is an alphabetical list of organisations confirmed to have been affected:


Vocabulary notes:

The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware.

1. encyclopedia: encyclopedia
2. cryptoworm: crypto worm. The combining form crypto- (or crypt-) comes from the Greek kryptos (hidden, encrypted), plus worm, as in worm virus. English has also recently produced several words with related meanings (the next three entries); in terms of actual usage frequency, however, those words are far less common.
3. cryptotrojan: crypto Trojan, formed from crypto- and Trojan horse
4. cryptovirus: crypto virus
5. cryptocurrency: formed from crypto- and currency
6. propagate: to multiply; to spread
7. occasion: occasion, opportunity; to cause
8. bulletin: bulletin, announcement
9. plug: a plug, a stopper; to plug up
10. comparison: comparison
11. trickle: a drip, a trickle
12. fashion: manner; fashion
13. a range of: a series of, a set of
14. mechanism: mechanism
15. speculate: to conjecture
16. quarantine: to isolate; quarantine period
17. queries with traffic: traffic queries
18. trick: to deceive
19. unprecedented: unprecedented, never seen before
20. botnet variant: botnet variant
21. knocking it offline: taking it offline
22. live site: live network? (meaning uncertain)
23. infection: infection, contagion
24. vector: vector; carrier
25. apparently: seemingly, apparently; evidently, depending on the situation
26. implementation: accomplishment, implementation
27. advisory: advisory (adj.); an advisory notice
28. embedded: implanted; to embed something in
29. onwards: onward
30. respectively: respectively
31. classified: classified, categorised
32. mandatory: mandatory
33. tens of thousands: tens of thousands, countless. several hundred thousands: several hundred thousand
34. exponentially: in an exponential manner
35. take advantage of: to make use of; to take advantage of (someone)
36. fluent in: fluent in. proficient: proficient, skilled
37. carried out: carried out, implemented
38. heist: robbery
39. shift blame: to shift responsibility
40. false flag: false-flag attack
41. alleged: claimed, asserted
42. lateral: lateral, sideways
43. hardcoded: hard-coded, written directly into the code
44. transactions: transactions; processing
45. balances: balances (amounts); balance
46. out-of-band: out-of-band data; transport-layer protocols use out-of-band data to send certain important data
47. darknet: darknet
48. amounted to: amounted to, equalled; not translated literally here
49. deploy: to deploy
50. extent: extent; detention
51. elsewhere: elsewhere
52. defeat: v. to defeat, to beat; n. defeat
53. prime number: prime number. prime: best, first, chief; the best part
54. potentially: potentially
55. retrieve: to get back, to recover
56. iterated upon by: iterated? (meaning uncertain)
57. subsequent: subsequent
58. Embedded: embedded
59. In a statement regarding the matter: in a statement on this matter
60. revenue: income, tax revenue
61. refrigerator: refrigerator
62. ambulance: ambulance
63. divert: to divert; to entertain
64. separate: to separate
65. halt: to halt
66. relatively: relatively
67. critical: critical (crucial); critical (finding fault); important
68. infrastructure: infrastructure
69. honeypot: honeypot
70. culpability: guilt, blame
71. ages ago: long ago
72. stockpile: to stockpile
73. problematic: problematic, questionable
74. Repeatedly: repeatedly, again and again
75. scenario: scenario; plot outline
76. conventional weapons: conventional weapons
77. Tomahawk missiles: Tomahawk missiles
78. bipartisan lawmakers: lawmakers from both parties
79. independent board: independent board
80. balance A with B
81. transparency and accountability: transparency and accountability
82. disperse: to disperse, to spread
83. reiterate: to reiterate, repeatedly
84. regular: regular; regular army; periodic
85. secure: to protect; secure. security: security, guarantee; safe
86. wake-up call for: a wake-up call, a warning bell
87. account for: to explain; to cause
88. market incentives: market incentives
