WannaCry: Autopsy of Ransomware
In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US National Security Agency (NSA).
Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours. According to the antivirus company Avast, it took less than 24 hours to infect more than 100,000 Windows systems, 57% of them in Russia. Besides the NHS, its other high-profile victims included Telefonica, Santander, FedEx, Vodafone and Renault.
Many organisations were forced to shut down systems and even production sites to prevent the spread of the virus, and the NHS was virtually paralysed by the attack, postponing operations and cancelling thousands of appointments at over 48 hospitals, medical centres and GP surgeries. Six hospitals were still experiencing difficulties the following day and were diverting emergencies as a result.
Exploiting Windows SMB Vulnerabilities
WannaCry infects systems that run a vulnerable version of Windows Server and SMB (Server Message Block). It is spread using software the NSA had developed for spying, which was stolen by a hacking group called the Shadow Brokers, who then leaked it on the internet.
It uses the same basic method as most other ransomware: getting users to open an attachment in an email, e.g. a Word document, PDF or image. Once opened, the malware installs itself and a ransom request is shown on the screen asking for around £230 in Bitcoin to restore access.
Because of the success of WannaCry, it is believed that other ransomware families, such as the infamous Locky, will use the same leaked technology to improve their ability to infect and spread on a larger scale.
The Mechanics of the Infection
The programs developed by the NSA to exploit the vulnerabilities in SMB are known as EternalBlue, EternalChampion, EternalSynergy and EternalRomance. Together, they are known as the FuzzBunch kit. These programs load a backdoor implant tool, called DoublePulsar, onto a compromised system, enabling attackers to load other malware.
WannaCry’s authors have obviously used this mechanism to accelerate the spread of their strain. The infection uses EternalBlue and DoublePulsar to execute remote commands through Samba (SMB) in order to distribute ransomware to other machines on the same network.
WannaCry Preying on Windows XP
It is no surprise that cybercriminals are finding a use for these government-developed, ultra-advanced hacking tools. According to Recorded Future, a US company specialising in threat intelligence, Chinese and Russian hackers had begun studying the malware leaked by the Shadow Brokers, with a particular interest in exploits that targeted SMB vulnerabilities.
“We’re talking about very sophisticated techniques and tools that are generally beyond the reach of the underground community”, said Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future.
Microsoft had already patched the vulnerabilities exploited by these tools in March 2017. However, according to Recorded Future, Chinese hackers were not totally convinced of the solidity of these patches. Attack still remains a possibility against unpatched systems and against OS versions that are no longer supported by Microsoft. This is a problem for the NHS, where 5% of their machines still use Windows XP. They are not the only ones at risk, however: many media industry organisations and a multitude of others all rely on applications which need this legacy OS to run. The problem is that XP is so old that it is no longer supported by Microsoft and so doesn’t get patches or updates.
WannaCry stopped … by a stroke of luck
In response to the WannaCry emergency, Microsoft took the unusual step of releasing patches for the SMB flaws on Windows XP (including the embedded version of SP3), Windows Server 2003 and Windows 8. In this attack Windows 10 has remained unscathed; however, Microsoft expects that the threat will evolve and eventually bypass Windows 10’s first line of defence. It therefore recommends disabling SMB on the network, if possible.
Thanks to a stroke of luck, WannaCry is in temporary decline. A security researcher, known only as MalwareTech, accidentally stopped the malware spreading by registering a domain that appeared in its code. This blocked the execution of WannaCry and stopped its propagation. According to MalwareTech, the domain he registered was a security feature devised by WannaCry’s developers to prevent it being analysed by security systems.
Unfortunately, malware developers can easily modify WannaCry to get around this pitfall. In fact, within 24 hours of the first attack ending, Costin Raiu, Director of the research and analysis team at Kaspersky Lab, identified the release of new versions no longer hampered by MalwareTech’s operation. The WannaCry threat is, therefore, back out in cyberspace and looking for its next set of victims.
All Clear at eUKhost
At eUKhost, we found no evidence of infection on any of our Windows servers. However, we remain fully vigilant and have taken the preemptive step of patching all managed servers that are potentially vulnerable, in order to protect them from this exploit.
If you manage your own servers and use Windows OS, we strongly recommend that you check and make sure you have the latest Windows patches installed.
We urge all of you to check your desktop / laptop operating system to make sure that it is also patched and fully up to date.
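The two recommendations above (disable SMB where possible, and make sure the March 2017 patches are installed) can be turned into a host audit. The following PowerShell script is an added example, not code from eUKhost; it targets the legacy SMBv1 protocol, which is the SMB dialect the leaked exploits abuse, and assumes an elevated session on Windows 8.1 / Server 2012 R2 or later. The KB number is a placeholder to be replaced with the identifier for your build from Microsoft's bulletin.

```powershell
# Added example (not from the eUKhost post): audit a Windows host for SMBv1
# exposure and, with -Remediate, apply the mitigation of disabling SMBv1.
# Assumptions: run as Administrator; SmbShare and NetTCPIP modules present.
param(
    [switch]$Remediate,
    [string]$PatchKB = 'KB0000000'   # placeholder: real KB comes from the vendor bulletin
)

$findings = @()

# 1. Is the SMBv1 server-side protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED (attack surface for the leaked SMB exploits).'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += 'SMBv1 server protocol disabled.'
    }
}

# 2. Is the SMBv1 optional feature installed at all (client and server binaries)?
#    On Server SKUs this feature name may be absent, hence SilentlyContinue.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed.'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $findings += 'SMB1Protocol feature removed (reboot required).'
    }
}

# 3. Is the SMB security update present?
if (-not (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) {
    $findings += "Patch $PatchKB not found; install the latest Windows updates."
}

# 4. Is the host listening on TCP/445? If so, the perimeter firewall must
#    block inbound 445 so that infected peers cannot reach it from outside.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings += 'Host is listening on TCP/445; confirm inbound 445 is blocked at the firewall.'
}

if ($findings.Count -eq 0) { 'No SMBv1 exposure found.' } else { $findings }
```

Run it without `-Remediate` first to see the findings; disabling the SMB1Protocol feature breaks file sharing with any remaining XP or Server 2003 hosts, so confirm nothing still depends on SMBv1 before applying it.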
For further information please read the following status update:
http://euk-status.com/2017/05/13/microsoft-vulnerability-urgent-attention-needed/
If you have any questions, please don’t hesitate to contact our 24x7 support team.
Translated from: https://www.eukhost.com/blog/webhosting/wannacry-autopsy-of-ransomware/