[Translation] WannaCry ransomware attack

Source: [Wikipedia - WannaCry]

 

WannaCry ransomware attack


 

From Wikipedia, the free encyclopedia

The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry[a] ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

The attack began on Friday, 12 May 2017,[5] and within a day was reported to have infected more than 230,000 computers in over 150 countries.[6][7] Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack,[8] Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.[9][10][11] Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech,[12] discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch.[13][14][15][16] Researchers have also found ways to recover data from infected machines under some circumstances.[17]

Wikipedia, the free encyclopedia
The WannaCry ransomware attack was a worldwide cyberattack launched in May 2017 by the WannaCry ransomware cryptoworm, targeting computers running the Windows operating system by encrypting data and demanding ransom payments in the cryptocurrency Bitcoin.
The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Some computers of the United Kingdom's National Health Service (NHS) were infected, forcing it to run some services on an emergency-only basis during the attack; Spain's Telefónica, FedEx and Deutsche Bahn, along with many other countries and companies around the world, were hit.
Shortly after the attack began, Marcus Hutchins, a 22-year-old cybersecurity researcher from North Devon in England, then known as MalwareTech, found a domain name in the ransomware and, by registering it, discovered an effective "kill switch" (Hutchins found that the ransomware used an unregistered domain name while spreading, and he promptly registered that domain). This greatly reduced the spread of the infection and effectively halted the initial outbreak on 15 May 2017, but new versions detected since then lack the "kill switch". Under some circumstances, researchers have also found ways to recover data from infected computers.

WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft.[18][19] Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, in addition to Windows Vista (which had recently ended support).[20] However, many Windows users had not installed the patches when, two months later on May 12, 2017, WannaCry used the EternalBlue vulnerability to spread itself. The next day, Microsoft released emergency security patches for Windows 7 and Windows 8. Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.[21]

Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well.[22] Almost all victims of the cyberattack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were "insignificant" in comparison.[23][17]

Within four days of the initial outbreak, new infections had slowed to a trickle.[24]

Several organizations released detailed technical writeups of the malware, including Microsoft,[25] Cisco,[26] Malwarebytes,[27] Symantec and McAfee.[28]

The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin.[29] It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.[26]

WannaCry spreads using "EternalBlue", an exploit of a vulnerability in Windows' Server Message Block (SMB) protocol. What drew attention and comment during the event was the fact that the U.S. National Security Agency (NSA) had discovered the vulnerability and used it to create an exploit for its own offensive work, rather than reporting it to Microsoft. Microsoft eventually discovered the vulnerability and on Tuesday, 14 March 2017 issued security bulletin MS17-010, which described the flaw in detail and announced that patches had been released for all Windows versions still under support, namely Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016, as well as Windows Vista (which had only just left support). However, many Windows users had not installed the patches when, two months later on 12 May 2017, WannaCry used the "EternalBlue" vulnerability to spread itself. The next day, Microsoft released emergency security patches for Windows 7 and Windows 8. To protect themselves from the cyberattack, organizations were advised to patch Windows 7 and plug the vulnerability.
Those still running older Microsoft Windows systems that are no longer supported, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft also released an emergency security patch for those platforms. Almost all victims of the cyberattack were running Windows 7, prompting one security researcher to argue that, by comparison, its impact on Windows XP users was "insignificant".
Within four days of the initial outbreak, new infections had slowed to a trickle.
Several organizations released detailed technical reports on the malware, including Microsoft, Cisco, Symantec and McAfee.
The "payload" works the same way as most modern ransomware: it finds and encrypts a series of files, then displays a "ransom note" informing the user and demanding payment in bitcoin. It is considered a network worm because it also includes a "transport" mechanism to spread itself automatically. This transport code scans for vulnerable systems, then uses the "EternalBlue" exploit to gain access and the "DoublePulsar" tool to install and execute a copy of itself.

Description


The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry[b] ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.[33]

The WannaCry ransomware attack was a global cyberattack launched in May 2017 by the WannaCry ransomware cryptoworm, targeting computers running Microsoft Windows by encrypting data and demanding ransom payments in the cryptocurrency Bitcoin.

 

"Kill switch"


 The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines used by anti-virus researchers; he observed that some sandbox environments will respond to all queries with traffic in order to trick the software into thinking that it is still connected to the internet, so the software attempts to contact an address which did not exist, to detect whether it was running in a sandbox, and do nothing if so.[34] He also noted that it was not an unprecedented technique, having been observed in the Necurs trojan.[34]

On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed attack on WannaCry's kill-switch domain with the intention of knocking it offline.[35] On 22 May, @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[36]

A security researcher, Marcus Hutchins, discovered that the software contained a URL; registering the corresponding domain to track activity from infected machines revealed that it acted as a "kill switch" that shut the software down before it executed its payload, stopping the spread of the ransomware. The researcher speculated that this switch had been included in the software as a mechanism to prevent it running on anti-virus researchers' quarantined machines: he observed that, in order to trick software into believing it is still online, some sandbox environments answer all queries with traffic, so the software tries to contact an address that does not exist to detect whether it is running in a sandbox, and does nothing if it is. He also noted that this technique was not unprecedented, having been observed in the Necurs trojan.
On 19 May it was reported that hackers intended to use a Mirai botnet variant to launch a distributed attack on WannaCry's kill-switch domain with the aim of taking it offline. On 22 May, @MalwareTechBlog protected the domain by switching the site to a cached version capable of handling much higher traffic loads than the live site.

 

EternalBlue

The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.[37][38]

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol.[39] This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017.[40] The patch was to the Server Message Block (SMB) protocol used by Windows,[41][42] and fixed several versions of the Microsoft Windows operating system, including Windows Vista, Windows 7, Windows 8.1, and Windows 10, as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP, Windows Server 2003, and Windows 8 (unsupported because Windows 8.1 is classified as a mandatory service pack upgrade).[40] The day after the WannaCry outbreak Microsoft released updates for these too.[23][22]

The network infection vector EternalBlue was released on 14 April 2017 by a hacker group called The Shadow Brokers, together with other tools apparently leaked from the Equation Group, which is widely believed to be part of the United States National Security Agency.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This Windows vulnerability was not a 0day flaw: Microsoft had already issued a "critical" advisory, together with a security patch, two months earlier, on 14 March 2017. The patch was for the Server Message Block (SMB) protocol used by Windows and fixed several versions of the Microsoft Windows operating system, including Windows Vista, Windows 7, Windows 8.1 and Windows 10, as well as server and embedded versions, namely Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older, unsupported Windows XP, Windows Server 2003 and Windows 8 (unsupported because Windows 8.1 is classified as a mandatory service pack upgrade). The day after the WannaCry outbreak, Microsoft also released updates for these.

 

DoublePulsar

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands.[43] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day.[44][45] The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.[26][46][47]

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that tens of thousands of computers had the DoublePulsar backdoor installed. By 25 April, reports estimated the number of infected computers at up to several hundred thousand, growing exponentially every day. The WannaCry code can exploit any computer with an existing DoublePulsar infection, or install it itself.

 

Attribution


Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[48][49]

Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[50] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[50] This could also be either simple re-use of code by another group[51] or an attempt to shift blame—as in a cyber false flag operation;[50] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[52] The President of Microsoft said he believed North Korea was the originator of the WannaCry attack,[53] and the UK's National Cyber Security Centre reached the same conclusion.[54]

North Korea itself denies being responsible for the cyberattack.[55][56]

Linguistic analysis of the ransom notes indicated that the authors were probably fluent in Chinese and proficient in English, because the versions of the notes in those languages were most likely written by a human while the rest appeared to be machine-translated.
Cybersecurity companies Kaspersky Lab and Symantec both said that the code has similarities to code previously used by the Lazarus Group (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016, and linked to North Korea). This could also be simple re-use of the code by another group, or an attempt to shift blame, as in a cyber false-flag operation. However, a leaked internal NSA memo is also alleged to have linked the creation of the worm to North Korea. Microsoft's president said he believed North Korea was the source of the WannaCry attack, and the UK's National Cyber Security Centre reached the same conclusion.
North Korea itself denies responsibility for the cyberattack.

 

Cyberattack


 On 12 May 2017, WannaCry began affecting computers worldwide,[58] with evidence pointing to an initial infection in Asia at 7:44am UTC.[5][59] The initial infection was likely through an exposed vulnerable SMB port,[60] rather than email phishing as initially assumed.[5]

When executed, the malware first checks the "kill switch" domain name;[c] if it is not found, then the ransomware encrypts the computer's data,[61][29][62] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[27] and "laterally" to computers on the same network.[28] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.[29][63] Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.[64] As of 14 June 2017, at 00:18 ET, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.[65]

Organizations that had not installed Microsoft's security update were affected by the attack.[41] Those still running the older Windows XP[66] were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014).[23] However, on the day after the outbreak, an emergency, out-of-band security update was released for XP and Windows Server 2003.[22] A Kaspersky Labs study reported that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.[17] In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[67][68]

On 12 May 2017, WannaCry began affecting computers worldwide, with evidence pointing to an initial infection in Asia at 7:44 am UTC. The initial infection appears to have been through an exposed, vulnerable SMB port, rather than the email phishing initially assumed.
When executed, the malware first checks the "kill switch" domain name (see the "Kill switch" section for how this works); if it is not found, the ransomware encrypts the computer's data, then tries to exploit the SMB vulnerability to spread to arbitrary computers on the Internet and laterally to computers on the same network. As with other modern ransomware, the payload displays a message telling the user that their files have been encrypted and demanding about $300 in bitcoin within three days, or $600 in bitcoin within a week. Three hardcoded bitcoin addresses, or wallets, receive the victims' payments. Like all such wallets, their transactions and balances are publicly accessible even though the owners of the cryptocurrency wallets remain unknown. As of 00:18 on 14 June 2017, a total of 327 payments totalling $130,634.77 (51.62396539 XBT) had been transferred.
Organizations that had not installed Microsoft's security patch were affected by the attack. Those still running the old Windows XP system were at particularly high risk, because no security patches had been released for it since April 2014 (apart from one emergency patch released in May 2014). However, on the day after the outbreak an emergency out-of-band security update was released for XP and Windows Server 2003. A Kaspersky Lab study reported that less than 0.1% of the affected computers were running Windows XP and 98% were running Windows 7. In a controlled test environment, the cybersecurity firm Kryptos Logic found that WannaCry could not infect a Windows XP system using the exploits alone, because the payload failed to load or crashed the operating system instead of executing and encrypting files. When executed manually, however (presumably by loading the payload by hand?), WannaCry could still operate on Windows XP.

 

Ransomware analysis


The process of virus execution can be divided into three steps: the main program file uses the vulnerability to spread itself and runs the "WannaCry" ransom program; the "WannaCry" ransom program encrypts the files; the ransom interface (@WanaDecryptor@.exe) displays the ransom information and decrypts the sample files.[69]

Main program (mssecsvc.exe) file analysis: the sample's main program is the main spreading component of this event. It is responsible for spreading itself and dropping the "WannaCry" ransom program, after which "WannaCry" encrypts user files and carries out the malicious behaviour.

"WannaCry" ransom program (tasksche.exe) analysis: the sample itself carries an embedded original RSA public key, and the attacker retains the corresponding RSA private key. Before encrypting files, it calls the Windows CryptoAPI to generate a new RSA key pair, known as the sub-public key and sub-private key. The sample then encrypts the sub-private key with the original RSA public key and saves it as "00000000.eky", and saves the sub-public key as "00000000.pky".

For each file the sample generates an AES key. The file contents encrypted with that AES key form M2, and the AES key encrypted with the sub-public key "00000000.pky" forms M1. M1 and M2 are then merged, the file header "WANACRY!" is prepended, and the result is saved as the encrypted file.

When decrypting, the attacker decrypts the sub-private key in "00000000.eky" and the decrypted result is saved as "00000000.dky", which is used to decrypt the files once it has been received. The sample itself also carries another primary RSA key pair (public and private), which is used to decrypt the demonstration files.

Each encrypted file uses a different AES key. To decrypt a file, one needs the RSA sub-private key to decrypt the AES key stored in the file header, and then uses that AES key to decrypt the file. Without the RSA sub-private key the AES key cannot be decrypted, and neither can the file.

Ransomware interface and decryption program (@WanaDecryptor@.exe) analysis: "@WanaDecryptor@.exe" is the ransomware interface program displayed after the sample has encrypted user data. It shows the Bitcoin wallet address and demonstrates decryption of a few files; to decrypt all files, the user must pay the "ransom". On the darknet (Tor) side, most infected users are shown the same three default Bitcoin wallet addresses, which led many to conclude that the attacker cannot tell who has paid and cannot decrypt files for a specific user.

Virus execution can be divided into three steps: the main program file uses the vulnerability to spread itself and runs the "WannaCry" ransom program; the "WannaCry" ransom program encrypts the files; the ransom interface (@WanaDecryptor@.exe) displays the ransom information and decrypts the sample files.
Main program file (mssecsvc.exe) analysis: the sample's main program is the main spreading program of this event, responsible for spreading itself and dropping the "WannaCry" ransom program, after which "WannaCry" encrypts user files and carries out malicious behaviour.
"WannaCry" ransom program (tasksche.exe) analysis: the sample itself carries an encrypted original RSA public key, and the attacker retains the decrypting RSA private key. Before encrypting files, the CryptoAPI call to Windows generates a new pair of RSA keys, called the sub-public key and sub-private key. The sample then encrypts the sub-private key with the original RSA public key and saves it as "00000000.eky", and saves the sub-public key as "00000000.pky".
The sample generates an AES key to encrypt the file; the encrypted file contents are M2, and the AES key is encrypted with the sub-public key "00000000.pky"; that encrypted content is M1. M1 and M2 are then merged, the file header "WANACRY!" is added, and the result is saved as the encrypted file.
When decrypting a file, the attacker decrypts the sub-private key "00000000.eky" and saves the file as "00000000.dky", which is used to decrypt the files once the decrypted file has been received. The sample itself also has another primary RSA public/private key pair, used to decrypt the display files.
Each encrypted file uses a different AES key. To decrypt the files you need to request the RSA sub-private key, decrypt the AES key in the file header, and then use the AES key to decrypt the file. Without the RSA sub-private key, the AES key cannot be decrypted and neither can the file.
Ransomware interface and decryption program (@WanaDecryptor@.exe) analysis: "@WanaDecryptor@.exe" is the ransomware interface program displayed after the sample has encrypted user data; it shows the Bitcoin wallet address and presents some decrypted files. To decrypt all the files, you must pay the ransom.
For the darknet (Tor), most infected users are shown three Bitcoin wallet addresses, which leads many to believe that the attacker cannot tell who paid and cannot decrypt the files of a specific user.

 

Defensive response


Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, a researcher known by the name MalwareTech[70][34] accidentally discovered what amounted to a "kill switch" hardcoded in the malware.[71][72][73] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[74][75][76][77]

On 16 May 2017, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware.[78][79]

Within four days of the initial outbreak, new infections had slowed to a trickle.[24]

It was discovered that Windows encryption APIs used by WannaCry may not completely clear the prime numbers used to generate the payload's private keys from the memory, making it possible to potentially retrieve the required key if they had not yet been overwritten or cleared from resident memory. This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[80][81][82] This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[83]
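The key hierarchy described in the ransomware analysis above (a fresh AES key per file, wrapped with the RSA sub-public key and stored behind a "WANACRY!" header) and the WannaKey/Wanakiwi recovery described in this paragraph, as an added Go example that is neither WannaCry's code nor either tool's code: Seal and Open model the envelope, and RecoverSubPrivate rebuilds the sub-private key from one leftover prime factor of the modulus. RSA-OAEP, AES-CTR, the 4-byte length prefix and IV placement, and the 2048-bit key generated in main in place of the malware's sub key pair are all assumptions; the page gives none of these details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// Magic is the file header the analysis describes.
const Magic = "WANACRY!"

// Seal builds the envelope the text describes: "WANACRY!" header, the per-file AES key
// wrapped with the sub-public key (M1), then the encrypted file (M2). Assumed details.
func Seal(subPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 16+aes.BlockSize) // fresh AES-128 key and IV for this file
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, iv := buf[:16], buf[16:]
	m1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, subPub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	m2 := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(m2, plaintext)
	var out bytes.Buffer
	out.WriteString(Magic)
	binary.Write(&out, binary.BigEndian, uint32(len(m1)))
	out.Write(m1)
	out.Write(iv)
	out.Write(m2)
	return out.Bytes(), nil
}

// Open reverses Seal. Only the sub-private key can unwrap M1; without it the file stays locked.
func Open(subPriv *rsa.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < len(Magic)+4 || string(env[:len(Magic)]) != Magic {
		return nil, errors.New("not a WANACRY! envelope")
	}
	m1Len := int(binary.BigEndian.Uint32(env[len(Magic):]))
	if env = env[len(Magic)+4:]; len(env) < m1Len+aes.BlockSize {
		return nil, errors.New("truncated envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, subPriv, env[:m1Len], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping AES key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, m2 := env[m1Len:m1Len+aes.BlockSize], env[m1Len+aes.BlockSize:]
	plain := make([]byte, len(m2))
	cipher.NewCTR(block, iv).XORKeyStream(plain, m2)
	return plain, nil
}

// RecoverSubPrivate rebuilds the sub-private key from its public half and one prime p
// of N (q = N/p, d = e^-1 mod (p-1)(q-1)): the arithmetic behind WannaKey/Wanakiwi.
func RecoverSubPrivate(pub *rsa.PublicKey, p *big.Int) (*rsa.PrivateKey, error) {
	q, r := new(big.Int).DivMod(pub.N, p, new(big.Int))
	if r.Sign() != 0 {
		return nil, errors.New("p does not divide N")
	}
	phi := new(big.Int).Mul(new(big.Int).Sub(p, big.NewInt(1)), new(big.Int).Sub(q, big.NewInt(1)))
	d := new(big.Int).ModInverse(big.NewInt(int64(pub.E)), phi)
	if d == nil {
		return nil, errors.New("e has no inverse modulo phi(N)")
	}
	priv := &rsa.PrivateKey{PublicKey: *pub, D: d, Primes: []*big.Int{p, q}}
	priv.Precompute()
	if err := priv.Validate(); err != nil {
		return nil, err
	}
	return priv, nil
}

func main() {
	sub, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the malware's sub key pair
	env, _ := Seal(&sub.PublicKey, []byte("constructed sample document"))
	rec, err := RecoverSubPrivate(&sub.PublicKey, sub.Primes[0])
	if err != nil {
		panic(err)
	}
	plain, err := Open(rec, env)
	fmt.Printf("%q %v\n", plain, err)
}
```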

The scale of the attack and subsequent exposure of vulnerabilities prompted Microsoft to release new security updates for older versions of Windows that are no longer supported, including for Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded.[84] In a statement regarding the matter, the head of Microsoft’s Cyber Defense Operations Center, Adrienne Hall, said that “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]”.[85]

A few hours after the ransomware's initial release on 12 May 2017, while trying to establish the size of the attack, a researcher called MalwareTech accidentally discovered a "kill switch" hardcoded in the malware. Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the files on computers that could not connect to that domain; on all computers infected with WannaCry before the site was registered, the encryption could not be prevented. This did not help systems that were already infected, but it greatly slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.
On 16 May 2017, researchers from the University of London and Boston University reported that their PayBreak system could defeat WannaCry and several other similar ransomware families.
In the early stage of the outbreak, infections had already slowed to a trickle.
It was found that the Windows encryption API used by WannaCry may not fully clear from memory the prime numbers used to generate the payload's private key, making recovery potentially possible if the required key had not yet been overwritten or cleared from resident memory. A French researcher used this behaviour to develop a tool called WannaKey, which automates the process on Windows XP systems. A second tool iterating on this approach, Wanakiwi, was tested to work on Windows 7 and Server 2008 R2 as well.
The scale of the attack and the vulnerabilities subsequently exposed prompted Microsoft to release new security patches for older, unsupported versions of Windows, including Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded. In a statement on the matter, Adrienne Hall, head of Microsoft's Cyber Defense Operations Center, said: "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [an alternative name for WannaCry]".

 

Advice on ransom


 Experts advised against paying the ransom due to no reports of people getting their data back after payment and as high revenues would encourage more of such campaigns.[86][87][88]

Experts advised against paying the ransom, because there were no reports of people getting their data back after paying, and because high revenues would encourage more such campaigns.

 

Impact


The ransomware campaign was unprecedented in scale according to Europol,[6] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[89]

The attack affected many National Health Service hospitals in England and Scotland,[90] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[91] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[92][93] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[66] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[94][92]

Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[95][96]

The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had a security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators[97][98] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[99][100]

According to Cyber risk modeling firm Cyence, economic losses from the cyber attack could reach up to $4 billion, with other groups estimating the losses to be in the hundreds of millions.[101]

The ransomware campaign was unprecedented in scale according to Europol, which estimated that around 200,000 computers in 150 countries were infected. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.
The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices may have been affected, including computers, MRI scanners, blood-storage refrigerators and theatre equipment. On 12 May, some NHS services had to turn away non-critical emergencies and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were not affected by the attack.
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of its systems. Renault also stopped production at several sites in an attempt to stop the ransomware spreading.
The attack's impact is said to be relatively low compared with other potential attacks of the same type, and could have been much worse had a security expert independently researching the malware not discovered the kill switch its creators had built in, or had it been aimed specifically at highly critical infrastructure such as nuclear power plants, dams or railway systems.
According to cyber risk modelling firm Cyence, economic losses from the cyberattack could exceed $4 billion, while other groups estimate the losses in the hundreds of millions.

 

EternalRocks


Via a honeypot mechanism, security researcher Miroslav Stampar detected a new malware named "EternalRocks" that uses seven leaked NSA hacking tools and leaves Windows machines vulnerable for future attacks that may occur at any time. When installed, the worm names itself WannaCry in an attempt to evade security experts.[102][103][104][105]

Through a honeypot mechanism, security researcher Miroslav Stampar discovered a new piece of malware, "EternalRocks", which uses seven leaked NSA hacking tools and leaves Windows machines vulnerable to attacks that may occur at any time in the future. When installed, the worm names itself WannaCry in an attempt to evade security experts.

 

Reactions


A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".[106] British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[107] Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[98] Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[108][109][110] Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.[111]
On 17 May, United States bipartisan lawmakers introduced the PATCH Act[112] that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".[113]

The United States Congress will also hold a hearing on the attack on June 15.[114] Two subpanels of the House Science Committee will hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.[114]

A cybersecurity researcher, working in loose collaboration with UK's National Cyber Security Centre,[115][116] researched the malware and discovered a "kill switch".[34] Later globally dispersed security researchers collaborated online to develop open source tools[117][118] that allow for decryption without payment under some circumstances.[119] Snowden states that when "[NSA]-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.[120][121][116]

Other experts also used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.[122] Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".[98] In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[98] Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".[42]

The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by Government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.[123] Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months previously.[124] Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that − due to their technical design and market incentives − eventually won't be able to properly receive and apply patches.[125] The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[126][67]

Some experts highlighted the NSA's non-disclosure of the underlying vulnerability and its loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened". British cybersecurity expert Graham Cluley also said that "as far as the U.S. intelligence services are concerned, they bear some culpability". According to him and others, "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that although such tools are clearly used to spy on people of interest, the agencies have a duty to protect their countries' citizens. Others commented that the attack shows that intelligence agencies' practice of stockpiling exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic. Microsoft president and chief legal officer Brad Smith wrote: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. In conventional weapons terms, this is equivalent to the U.S. military having its Tomahawk missiles stolen." Russian President Vladimir Putin put the blame on the U.S. intelligence services that created EternalBlue. On 17 May, bipartisan U.S. lawmakers introduced the "PATCH Act", which aims to have vulnerabilities reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".
The United States Congress will also hold a hearing on 15 June. Two subpanels of the House Science Committee will hear testimony from various people working in government and the private sector on how the US can improve the protection mechanisms for its systems against similar attacks in the future.
A cybersecurity researcher, working in loose collaboration with the UK's National Cyber Security Centre, researched the malware and discovered a "kill switch". Later, security researchers dispersed around the globe collaborated online to develop open-source security tools that can decrypt files without payment under some circumstances. Snowden said that "when NSA-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asked why this is the case.
Other experts also used the publicity around the attack as an opportunity to reiterate the value and importance of good, regular and secure backups, and of good cybersecurity, including isolating critical systems, using appropriate software and installing the latest security patches. Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, said that "in the private sector and in government agencies, the patching and updating systems are basically broken". Segal also said that the government's apparent inability to secure vulnerabilities "raises a lot of questions about backdoors and access to encryption, which the government argues should be guaranteed by the private sector". Arne Schönbohm, President of Germany's Federal Office for Information Security, said that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security seriously".
The attack also had political implications. In the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were worsened by government underfunding of the NHS; in particular, the NHS had ended its paid Custom Support arrangement for continued support of unsupported Microsoft software used within the organization, including Windows XP. Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical notice from Microsoft, the National Cyber Security Centre and the National Crime Agency that had been received two months earlier. Others argued that hardware and software vendors fail to account for future security flaws, selling systems that, because of their technical design and market incentives, eventually cannot properly receive and apply patches. The NHS denied that it was still using XP, claiming that only 4.7% of the devices in the organization ran Windows XP.

 

Affected organizations


 The following is an alphabetical list of organisations confirmed to have been affected:

The following is an alphabetical list of organizations confirmed to have been affected:

 


 

Notes:

The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware?

1. encyclopedia, encyclopedia

2. cryptoworm, crypto-worm. The combining form crypto- (or crypt-) comes from the Greek kryptos (hidden, encrypted), joined to worm in the sense of "worm virus". In recent years English has also acquired a word close to it in meaning, namely , which can be translated literally as "". In terms of actual frequency of use, however, these two words fall far short of )

3. cryptotrojan, crypto-trojan. Formed from crypto- and Trojan horse, the term for a trojan virus.

4. cryptovirus, crypto-virus

5. cryptocurrency, cryptocurrency. Formed from crypto- and currency

6. propagate, to multiply; to spread

7. occasion, occasion, opportunity; to give rise to

8. bulletin, announcement

9. plug, a stopper; to plug up

10. comparison, comparison

11. trickle, a drip, a thin stream

12. fashion, manner; fashion

13. a range of, a series of, a set of

14. mechanism, mechanism

15. speculate, to conjecture

16. quarantine, to isolate; quarantine period

17. queries with traffic, traffic queries

18. trick, to deceive

19. unprecedented, unprecedented, never seen before

20. botnet variant, botnet variant

21. knocking it offline, taking it offline

22. live site ?? live network?

23. infection, contamination, infection

24. vector, vector (mathematics); carrier (of disease)

25. apparently, seemingly, apparently; evidently, depending on context

26. implementation, accomplishment; carrying out

27. advisory, advising; an advisory notice

28. embedded, implanted; to embed ... into

29. onwards, forward

30. respectively, each separately

31. classified, categorized

32. mandatory, compulsory

33. tens of thousands, tens of thousands, a great many. several hundred thousands, several hundred thousand

34. exponentially, in an exponential manner

35. take advantage of, to exploit, to make use of; to deceive

36. fluent in, fluent. proficient, proficient, skilled

37. carried out, carried out

38. heist, robbery

39. shift blame, shift responsibility

40. false flag, false-flag attack

41. alleged, claimed, asserted

42. lateral, sideways, horizontal

43. hardcoded, hard-coded, written directly into the code and not easily changed

44. transactions, transactions, dealings, processing

45. balances, balances (of an account); balance, equilibrium

46. out-of-band, out-of-band data; transport-layer protocols use out-of-band data to send certain important data

47. darknet, darknet

48. amounted to, totalled, amounted to; not sure how to translate it here

49. deploy, to deploy

50. extent, degree; detention

60. elsewhere, elsewhere

61. defeat, v. to defeat, to overcome; n. victory, defeat

62. prime number, prime number. prime, best, first, principal, essence

63. potentially, potentially

64. retrieve, to get back, to recover

65. iterated upon by, iterated?

66. subsequent, following

67. Embedded, implanted

68. In a statement regarding the matter, in a statement about this matter

69. revenue, income, tax revenue

70. refrigerator, refrigerator

71. ambulance, ambulance

72. divert, to redirect; to entertain

73. separate, to separate

74. halt, to pause

75. relatively, relatively

76. critical, crucial; critical (disapproving); important

77. infrastructure, infrastructure

78. honeypot, honeypot

79. culpability, guilt, blameworthiness

80. ages ago, long ago, formerly

81. stockpile, to store up

82. problematic, problematic, questionable

83. Repeatedly, again and again, repeatedly

84. scenario, scheme, plot outline

85. conventional weapons, conventional weapons

86. Tomahawk missiles, Tomahawk missiles

87. bipartisan lawmakers, lawmakers from both parties

88. independent board, independent board

89. balance A with B

90. transparency and accountability, transparency and accountability, being accountable

91. disperse, to scatter, to spread

92. reiterate, to restate, repeatedly

92. regular, regular, according to a pattern; regular troops, main force; periodic

93. secure, to protect; safe. security, safety, guarantee; safe

94. wake-up call for, to awaken, to sound the alarm

95. account for, to explain, to cause

96. market incentives, market incentive mechanism

Posted @ 2017-10-30 20:44 by 镜花-水月 (950 reads, 0 comments)