勒索病毒横扫全球，你需要了解什么？

自上周五以来，来势汹汹的计算机攻击已经席卷全球，成千上万的计算机受到影响，政府和企业的主要业务面临严重损坏。这种恶意软件名为WannaCry。本文在此向读者介绍一些需要了解的知识。

计算机攻击还没有结束吗？

绝对没有。上周六，大量报道指出，一位网络安全研究人员发现了“kill switch”机制，阻止勒索病毒的继续蔓延，但是这种说法只是部分属实。当然，kill switch减缓了WannaCry的蔓延速度，但是它只是阻止了这种恶意软件的部分蔓延方式。此外，卡巴斯基实验室（Kaspersky Lab）网络安全研究人员在数小时内确认，已检测到勒索病毒的新版本，而kill switch机制无法阻止病毒的变种。专家预计，最快将于本周一出现新一轮的计算机感染。

何为WannaCry？

WannaCry是一种不断变化且极为可恶的恶意勒索病毒。一旦在计算机上激活，该病毒会加密该计算机上的文件，使文件无法读取。之后，该病毒指示计算机用户支付比特币赎金，从而换取文件的解密。

WannaCry的攻击目标是谁？

一般而言，WannaCry利用Windows XP等旧版Windows操作系统中的漏洞。上周五，微软公司（Microsoft）针对旧版操作系统发布了补丁，但是未能阻止该病毒攻击150个国家的20万台计算机。受损用户包括数十家大型机构和公司，如英国的国家卫生署（National Health Service）、中国石油天然气集团公司（China's National Petroleum Corporation）以及雷诺公司（Renault）位于法国的工厂。

如何防御病毒攻击?

如果您的个人或企业计算机使用旧版Windows操作系统（特别是XP、8或Server 2003），您或您的管理员应该立即安装微软公司新版安全更新。此外，象往常一样，在打开已知或未知来源的电子邮件中的附件时，您应该非常谨慎。但是，据报道，无需用户交互，WannaCry病毒便可在本地网络中蔓延，这才是WannaCry病毒真正令人可怕之处。一些政府部门，包括印度尼西亚政府，建议中断不受保护的计算机的互联网连接。

如果我的计算机感染病毒，有修复办法吗？

简短回答：没有。网络安全公司能更好地解码受勒索病毒攻击的文件，但是迄今尚没有针对WannaCry的卓越解密器（清除勒索病毒的工具），但是这种情况可以随时发生改变。此外，请勿两次中招。黑客甚至会用WannaCrypt修复的承诺作为诱饵，从而造成计算机进一步的感染，所以用户需要保持高度怀疑。此外，迈克菲公司（McAfee）的研究人员表示，WannaCry删除有时被用于存储文件的所谓的卷影备份。

即便如此，还有一个让人厌恶的解决方案：支付赎金。WannaCry要求支付300美元比特币，用于解锁计算机上的文件，而历史经验表明，在兑现讨价还价中许下的承诺方面，运行勒索病毒的黑客非常“值得信赖”。（至于支付赎金是否道德，则是一场规模庞大和棘手的辩论。）

病毒来源于何处？

据称，WannyCry是在美国国家安全局（U.S. National Security Agency）（非故意）协助下开发的病毒。美国国家安全局开发的漏洞利用程序永恒之蓝（EternalBlue），是黑客组织影子经纪人（Shadow Brokers）四月版本的一部分，是病毒的核心所在。

黑客为何开发病毒？

为了赚钱，尽管效果似乎并没有预想的那么棒。一方面，计算机攻击造成的全球经济损失轻松达到数以亿计的金额；另一方面，（可公开查看的）为黑客索要赎金的比特币地址少得可笑：截至发稿时止，索要金额刚刚超过3.4万美元比特币。（财富中文网）

A massive cyberattack has been spreading across the globe since Friday, hitting hundred of thousands of computers and crippling major government and corporate operations. The malware is known as WannaCry, and here's what you need to know.

Isn’t the Attack Over?

Absolutely not. There were widespread reports on Saturday that a security researcher had discovered a “kill switch” that stopped the ransomware from spreading, but that’s only partly true. The kill switch certainly slowed WannaCry down, but it only stopped some of the ways the malware could spread. And Kaspersky Lab security researchers confirmed within hours that new versions of the malware had been detected which were not stopped by the kill switch. Experts expect a new wave of infections as soon as Monday.

What Does WannaCry Do?

WannaCry is ransomware, a growing category of extremely heinous malware. Once it has activated on a machine, it encrypts the files on that machine so they are inaccessible. Then it instructs the owner to pay a ransom in Bitcoin in exchange for unlocking the files.

Who Is it Targeting?

Broadly speaking, WannaCry exploits vulnerabilities in older Windows operating systems, including Windows XP. Microsoft issued a patch for those systems on Friday, but that didn’t stop it from hitting more than 200,000 machines in 150 countries. That has included dozens of large institutions and companies, including the U.K.'s National Health Service, China’s National Petroleum Corporation, and Renault factories in France.

How Can I Protect Myself?

If any of your personal or corporate systems run an older version of Windows (XP, 8, or Server 2003 specifically), you or your admins should immediately install Microsoft’s new security update. You should also, as always, remain extremely careful about opening any email attachments, from known or strange sources. But the truly scary thing about WannaCry is that it can reportedly spread over local networks without user interaction. Some authorities—including the government of Indonesia—are suggesting disconnecting unprotected machines from the Internet.

Is There a Fix If My Computer Is Infected?

Short answer: No. Security firms are getting better at decrypting files from ransomware attacks, but there are as yet no reputable decryptors (tools for removing ransomware) for WannaCry—though that could change at any time. And don't get tricked twice. Hackers could even use the promise of a WannaCrypt fix as bait for further infections, so be extremely skeptical. Also, according to McAfee researchers, WannaCry deletes so-called ‘Volume Shadow’ backups that can sometimes be used to restore files.

That said, there is one unsavory option here: pay the ransom. WannaCry demands $300 in Bitcoin to unlock files on a machine, and hackers running ransomware have historically proven remarkably trustworthy in fulfilling their end of that bargain. (Whether paying is the ethical move is a big, thorny debate.)

Where Did It Come From?

WannaCry is believed to have been created with the (unintentional) assistance of the U.S. National Security Agency. An NSA exploit known as EternalBlue, part of an April release by a hacking group called the Shadow Brokers, is at its core.

Why Would Someone Do This?

To make money, though that doesn’t seem to be working out so well. While global financial damages from the attack could easily climb into the hundreds of millions, the (publicly viewable) Bitcoin addresses collecting ransom for the attackers are almost comically light: at this writing, they contain barely over $34,000 worth of Bitcoin.