Ransomware explainer: should you pay the ransom once you are infected?

Robert Hackett, June 30, 2017

The latest ransomware attack has done away with the "kill switch", which means this wave may be harder to fend off.


Chinese translation by 朴成奎 (Fortune China, 财富中文网); the original English text follows.

Meet the sequel to WannaCry, the wide-ranging ransomware attack that crippled businesses around the globe last month.

On Tuesday, another widespread ransomware attack began halting unprepared businesses in their tracks. The new attack uses the same method of propagation as WannaCry: a leaked hacking tool called EternalBlue, an exploit for a flaw in Microsoft's SMBv1 file-sharing protocol that has been linked to the U.S. National Security Agency.

One of the major differences between the two attacks is that the most recent event does not yet appear to be susceptible to a hardcoded "kill switch." That means it may prove harder to overcome.

Security experts have been warning organizations that failed to apply security patches to their Microsoft Windows-based computer systems that it was only a matter of time before another digital siege surfaced. It seems their predictions have been borne out.

Here's a quick FAQ to get you up to speed.

What has happened?

A wave of ransomware attacks spread like wildfire on Tuesday. Many Microsoft Windows-based computers, specifically ones not patched against a vulnerability in SMBv1 (the first version of Microsoft's Server Message Block file- and printer-sharing protocol), began seizing up worldwide, locking employees out of their desktops and displaying ransom notes.

Unable to access their files and folders, workers and managers were greeted by on-screen demands for payment of $300 in Bitcoin, a digital currency often used by cyber extortionists because it's easy to send and hard to track.

Who has been affected?

The attack struck organizations in the U.S., Italy, Germany, Poland, Ukraine and Russia. Costin Raiu, director of global research at the Russian security firm Kaspersky Lab, posted a bar graph on Twitter showing the geographic distribution of victims, according to what his firm could measure. (Kaspersky's customer base skews towards Russian-speaking countries, which might explain the spread.)

Some of the affected companies include Maersk, the Danish shipping giant, Rosneft, the Russian oil company, WPP, the British advertising agency, and Merck, the U.S. pharmaceutical giant. There are reports that the attack has also affected banks, hospitals, governments, airports, and other organizations.

What is Petya?

Initial analyses suggested that the latest wave of attacks involved malware based on Petya, a type of ransomware that first surfaced last year. Further investigations have disputed this analysis. In lieu of a better name, some cybersecurity firms, such as Kaspersky, have begun referring to the latest malware as "NotPetya."

Jeremiah Grossman, chief security strategist at the cybersecurity firm SentinelOne, told Fortune there isn't enough evidence yet to uncover the malware's provenance. "This outbreak has similar characteristics as Petya, such as infecting the MBR [Master Boot Record, an important component of Microsoft computer hard drives] and encrypting the entire drive, however, it is not clear yet that this is a Petya variant," he said.

How did this happen?

Companies that failed to patch their systems against the SMBv1 vulnerability were open to this attack. It is still not clear what the initial attack vector was. But once inside a network, the worm could spread from machine to machine through the SMBv1 hole without any user interaction, which is what lets a single infected host take down a whole site.
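The worm-like spread described above has a recognisable traffic shape: one host opening SMB connections to many distinct peers in a short time. The following PowerShell script is an added example, not code from the article or any vendor, that flags that pattern in connection logs. The log lines are constructed here in the first eight fields of the Windows Firewall pfirewall.log format (date, time, action, protocol, source IP, destination IP, source port, destination port); the regex, the 60-second window and the five-peer threshold are assumptions to adapt to your own sensor and baseline.

```powershell
# Added example, not from the article: flag hosts that fan out to many distinct peers on
# TCP 445 within a short window, the traffic shape of SMB worm propagation.
# The log lines are constructed (pfirewall.log field order: date time action protocol
# src-ip dst-ip src-port dst-port ...); $Pattern, the window and the threshold are assumptions.

$SampleLog = @(
    '2017-06-27 10:00:01 ALLOW TCP 10.0.1.15 10.0.1.20 49152 445 - - - - - - - SEND',
    '2017-06-27 10:00:03 ALLOW TCP 10.0.1.15 10.0.1.21 49153 445 - - - - - - - SEND',
    '2017-06-27 10:00:04 ALLOW TCP 10.0.1.15 10.0.1.22 49154 445 - - - - - - - SEND',
    '2017-06-27 10:00:06 ALLOW TCP 10.0.1.15 10.0.1.23 49155 445 - - - - - - - SEND',
    '2017-06-27 10:00:09 ALLOW TCP 10.0.1.15 10.0.1.24 49156 445 - - - - - - - SEND',
    '2017-06-27 10:00:12 ALLOW TCP 10.0.1.15 10.0.1.25 49157 445 - - - - - - - SEND',
    '2017-06-27 10:00:02 ALLOW TCP 10.0.1.30 10.0.1.5 50001 445 - - - - - - - SEND',   # benign: same file server, repeatedly
    '2017-06-27 10:05:02 ALLOW TCP 10.0.1.30 10.0.1.5 50002 445 - - - - - - - SEND',
    '2017-06-27 10:00:07 ALLOW TCP 10.0.1.31 10.0.1.5 50010 443 - - - - - - - SEND'    # not SMB, ignored
)

function Find-Smb445FanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds    = 60,   # assumption: tune to your baseline
        [int]$MinDistinctPeers = 5     # assumption: normal workstations rarely reach 5 SMB peers a minute
    )
    $Pattern = '^(?<date>\S+)\s+(?<time>\S+)\s+\S+\s+(?<proto>\S+)\s+(?<src>\S+)\s+(?<dst>\S+)\s+\d+\s+(?<dport>\d+)'

    # Keep only TCP/445 connection records, parsed into timestamped (src, dst) pairs
    $events = foreach ($line in $Lines) {
        if ($line -match $Pattern -and $Matches.proto -eq 'TCP' -and $Matches.dport -eq '445') {
            [pscustomobject]@{
                Time = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Src  = $Matches.src
                Dst  = $Matches.dst
            }
        }
    }

    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $worst  = 0
        # Sliding window anchored on each event: how many distinct destinations within WindowSeconds?
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst | Sort-Object -Unique)
            if ($peers.Count -gt $worst) { $worst = $peers.Count }
        }
        if ($worst -ge $MinDistinctPeers) {
            [pscustomobject]@{ Source = $group.Name; DistinctPeersInWindow = $worst; FirstSeen = $sorted[0].Time }
        }
    }
}

# Usage on the constructed lines: 10.0.1.15 is reported (6 peers in 11 seconds); 10.0.1.30 is not.
Find-Smb445FanOut -Lines $SampleLog | Format-Table -AutoSize
```

Point the function at `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log` (logging of allowed connections has to be switched on first) or at a firewall export with the same field order. A host that trips the threshold is a candidate for immediate network isolation; the count of distinct peers, not the raw connection count, is what separates a worm from a workstation talking to one busy file server.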

It seems that many of the organizations affected by the malware operated industrial systems. These machines can be hard to patch because they run critical processes and are difficult to take offline. "Organizations like these typically have a hard time patching all of their machines because so many systems simply cannot have down time," said Chris Wysopal, cofounder and chief tech officer of Veracode, an application security firm purchased by CA Technologies earlier this year.

What can businesses do to protect themselves?

There are a few simple steps businesses can take, as the cybersecurity firm Palo Alto Networks explains on its "threat brief" blog. First, apply Microsoft patch MS17-010. Second, block connections to TCP port 445, the port on which the Windows SMB service, and therefore the vulnerable protocol, listens; file servers need it open for legitimate clients, so scope the block to the networks that should never reach SMB rather than applying it blindly. And finally, maintain regular data backups that the malware cannot reach from an infected machine, and use them to restore systems.
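The patch and port-block steps above are easy to state and easy to get half-right. The PowerShell below is an added example, not code from the article or from Palo Alto Networks, that audits a host for the MS17-010 hotfix, reports and disables SMBv1 (the protocol version the flaw lives in, a step Microsoft recommends alongside patching), and adds a scoped block for inbound 445. The KB numbers are the March 2017 MS17-010 security updates per OS build and are an assumption to confirm against Microsoft's bulletin; later cumulative updates supersede them, so an empty hotfix match does not prove a host is unpatched. Run it from an elevated PowerShell 5.1 session.

```powershell
# Added example, not from the article: audit and harden a Windows host against the SMBv1
# spread path. Requires elevation. KB list is an assumption to verify against MS17-010;
# superseding cumulative updates will not show these IDs, so rely on the SMBv1 checks too.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Hotfix {
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $hits = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ HotfixMatched = ($hits.Count -gt 0); MatchingKBs = $hits }
}

function Get-Smb1Status {
    # Server-side switch exists on all supported SKUs; the optional feature also covers the SMBv1 client
    $srv     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state   = 'not exposed'
    if ($feature) { $state = $feature.State.ToString() }
    [pscustomobject]@{ Smb1ServerEnabled = $srv.EnableSMB1Protocol; Smb1FeatureState = $state }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        # Also removes the SMBv1 client; fully effective after the next reboot
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # $FromAddress scopes the block (e.g. 'Any', 'LocalSubnet', or '10.0.0.0/8'); assumed value, adjust.
    # Windows Firewall evaluates Block rules before Allow rules, so you cannot carve exceptions with
    # a second Allow rule: narrow this rule's RemoteAddress instead on hosts that must serve SMB.
    param([string[]]$FromAddress = @('Any'))
    $name = 'Block inbound TCP 445 (SMB) - MS17-010 mitigation'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $FromAddress -Action Block -Profile Any | Out-Null
}

# Audit first; apply the changes only on hosts that do not need to serve SMBv1 shares
Test-Ms17010Hotfix
Get-Smb1Status
# Disable-Smb1
# Block-InboundSmb -FromAddress 'Any'
```

Both checks are host-local, so roll them out through your management tooling rather than by hand; `Get-SmbServerConfiguration` reporting `EnableSMB1Protocol = False` is a stronger signal than any KB match, because it holds regardless of which cumulative update delivered the fix.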

Should you pay the ransom?

This is a continual source of debate in the information security community. The general belief is, no, you should not pay the ransom. For one, there's no guarantee extortionists will return your files. Second, funding cybercriminals will encourage them to develop similar attacks in the future.

Still, sometimes companies take a gamble and pay up in the hopes that the criminals will restore access to their files and information. In this case, it appears as though victims will not be able to reclaim their data even if they do pay up. Posteo, the email service chosen by the attackers, said it blocked the account they created, meaning the extortionists have lost their channel to communicate with victims and hand over decryption keys. Despite this, the attackers' Bitcoin wallet had already received 28 transactions equaling 3 Bitcoins, or more than $7,000, as of 3 P.M. ET on Tuesday.
