When Hit by a Ransomware Attack

You can’t say you haven’t been warned. The alarms about increasing ransomware attacks, especially during the past year, have come from multiple sources — cybersecurity experts, federal agencies like the FBI and regular headlines.

Even from me. I predicted a “ransomware tsunami” more than a year ago after a couple of Florida cities chose to pay the attackers rather than try to rebuild their networks and restore their files manually.

And here it is. Ransomware attacks for the first half of the year are at an all-time high. According to some estimates, there is an attack every 11 seconds globally, and the cumulative damages could reach $20 billion by next year.

Not only are there more attacks, but the criminals perpetuating them are diversifying, building extortion into their business plans. No longer is it just about encrypting files and demanding a ransom to unlock them. Now it’s also about threats to sell stolen data to competitors, use it to attack victims’ business partners, and/or make victims’ sensitive information public.

Indeed, Bleeping Computer reported last week on a new ransomware gang calling itself DarkSide that claimed it had already collected millions from its victims. The group issued a press release stating that it wouldn’t attack medical, educational, government or nonprofit organizations, but warned that if a target it breached didn’t pay the ransom, they will post the stolen data publicly on a “data leak site” for six months, notify “the media and your partners and customers … (and) NEVER provide you decryptors.”

CRN reported in June that victims of the 11 biggest ransomware attacks in 2020 had (so far) spent $144.2 million on costs “ranging from investigating the attack, rebuilding networks and restoring backups, to paying the hackers’ ransom and putting preventative measures in place to avoid future incidents.”

The most recent headline is about the University of Utah, which paid $457,000 to attackers who had taken down some of its servers on July 19. A statement from the university last week said only .02% of the data on those servers were affected, but that they included “employee and student information.”

More and more

The university is not alone, however. Add to that attack a collection of others that either occurred or were reported over just the past couple of weeks. They include cruise operator Carnival Corp., Jack Daniel’s and Finlandia alcoholic beverages maker Brown-Forman, Konica Minolta, Canon, and Garmin.

Earlier ransomware lowlights of 2020 include:

  • Travelex: It wasn’t a Happy New Year for the world’s largest chain of money-exchange shops. An attack on New Year’s Eve forced Travelex to take down its internal networks, consumer-facing websites, and app for several weeks. The Wall Street Journal reported that the Sodinokibi group of hackers claimed credit for the attack and that Travelex paid $2.3 million in bitcoin to recover its files.

  • Tillamook County, Ore.: The local Tillamook Headlight Herald reported in March that an attack in January had taken down the county’s server, internal computer systems, website, phone systems, and email networks, forcing officials to disable the computer network connection to try to limit the damage. The perpetrators were a group called REvil, also known as Sodinokibi or Sodin. The county paid the $300,000 ransom demand, and officials declared that it could have taken 12 to 24 months and $1 million to unlock the county’s computer system independently.

  • University of California San Francisco (UCSF) School of Medicine: In a campus notice dated June 26, the university said an attack on June 1 encrypted some servers, making them temporarily inaccessible. It said it agreed to pay “a portion of the ransom, approximately $1.14 million …”
  • ISS World: Computer Weekly reported in February that a ransomware attack forced the Danish facilities management firm to take its networks down, leaving hundreds of thousands of employees without access to their systems or email.

The company said its losses could exceed $112 million, starting with $45 million to $75 million on remediation, creating workarounds to enable continuous delivery of services, service underperformance because of system down-time, and cost duplication associated with contract operations. It said rebuilding its IT infrastructure would cost another $22.5 million to $45 million.

About the only positive news on the ransomware front was word last week that a Tesla employee had resisted the lure of a $1 million bribe from a Russian group to plant malware in the company’s network. The U.S. Department of Justice said in a press release that the intent was not only to encrypt the files, but also to exfiltrate the data to the attackers’ servers to be used for extortion.

No surprise

None of this should be surprising. The frequency of ransomware attacks has been building for years because of its proven success rate. It’s tough to blame the victims of attacks for paying the ransom, especially if the need for the files is desperate and the ransom is less, by orders of magnitude, than the cost of trying to rebuild a network and systems and restore files manually.

Still, the perverse incentives are obvious. A band of thieves can rake in a payday from one digital holdup that ranges from hundreds of thousands to millions of dollars without breaking a sweat. It doesn’t even require that much coding skill — exploit kits are available online just like other COTS [commercial off-the-shelf] software.

All with no guns and bullets, lock picking, skullduggery, or high-speed police chases. What’s not to like, for them?

But plenty not to like for everybody else. The damage from ransomware can be catastrophic, not just to the organization that is attacked but also for those it serves if it is part of healthcare, government, education or critical infrastructure.

So while nothing will make an organization bulletproof, it is worth some focused effort to keep it from becoming low-hanging fruit.

The good news is that there are effective ways to do that. They have been said before, but obviously they bear repeating. It takes a combination of technology and training. On the technology front:

  • Back up! Everything!: The first, most obvious measure is to create regular backups that are not connected to the network. A backup that is accessible through a network that gets breached is, obviously, worthless — it will be encrypted as well. But if it’s isolated and protected, an organization can rebuild its system quickly at minimal expense, without paying the ransom.
  • Improve detection and protection: Ransomware has observable patterns that ransomware protection software can detect. In some cases, attackers will fall for “bait” — files that are fake. But keep in mind that in the cat-and-mouse game between attackers and defenders, it’s crucial to keep any anti-ransomware software up to date.
  • Think like attackers: Besides email phishing (more on that below), the top two most popular intrusion methods include unsecured remote desktop protocol (RDP) endpoints and the exploitation of corporate virtual private network (VPN) appliances. That shouldn’t be a surprise, given that millions more people are working from home and are therefore not inside a better protected office environment. So organizations should especially focus on hardening the security of that part of the attack surface.

Boris Cipot, senior security engineer at Synopsys, says while RDP is a good technology with many benefits, “it has to be used the right way.”

That means maintaining it with upgrades and patches. It means requiring strong passwords and two-factor authentication (2FA) for users. It means limiting access only to those who need it, “and the ones who do need it do not all need to have the same privileges,” he said, adding that “the best way to restrict access to your RDP servers and clients is to use an RDP gateway.”

Finally, “protect your RDP with firewalls and do not use the default port for the RDP. And deploy network monitoring to detect weird or uncommon connection attempts,” Cipot said.
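
As an added example (not from the article or from Synopsys), the following Python script applies two of Cipot's monitoring points to a constructed RDP connection log: every session should arrive through the RDP gateway, and a burst of failed logons from one source, especially one followed by a success, deserves an alert. The gateway address, failure threshold, window and log format are assumptions chosen for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical values chosen for this example; not from the article.
RDP_GATEWAY = "10.0.0.5"         # the only host allowed to open RDP sessions
FAIL_THRESHOLD = 5               # failures per source inside WINDOW => guessing
WINDOW = timedelta(minutes=10)

# Constructed sample log. Format: "<ISO time> <src> -> <dst> rdp <success|failure>"
SAMPLE_LOG = """\
2020-08-24T08:01:10 10.0.0.5 -> fileserver01 rdp success
2020-08-24T08:05:42 10.0.0.5 -> hr-db01 rdp success
2020-08-24T02:14:01 203.0.113.77 -> fileserver01 rdp failure
2020-08-24T02:14:03 203.0.113.77 -> fileserver01 rdp failure
2020-08-24T02:14:06 203.0.113.77 -> fileserver01 rdp failure
2020-08-24T02:14:09 203.0.113.77 -> fileserver01 rdp failure
2020-08-24T02:14:12 203.0.113.77 -> fileserver01 rdp failure
2020-08-24T02:14:15 203.0.113.77 -> fileserver01 rdp success
2020-08-24T09:30:00 10.0.2.19 -> hr-db01 rdp success
"""

def parse(line):
    """Split one log line into (time, src, dst, result)."""
    ts, src, _, dst, _, result = line.split()
    return datetime.fromisoformat(ts), src, dst, result

def analyse(log_text):
    """Return (rule, source) findings in time order, one per triggered rule."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)      # src -> recent failed-logon timestamps
    flagged_bypass, flagged_burst, findings = set(), set(), []
    for ts, src, dst, result in events:
        # Rule 1: RDP sessions must come through the gateway (Cipot's advice).
        if src != RDP_GATEWAY and src not in flagged_bypass:
            flagged_bypass.add(src)
            findings.append(("rdp_not_via_gateway", src))
        # Drop failures that fell out of the sliding window.
        fails[src] = [t for t in fails[src] if ts - t <= WINDOW]
        if result == "failure":
            fails[src].append(ts)
            # Rule 2: a burst of failures from one source = password guessing.
            if len(fails[src]) >= FAIL_THRESHOLD and src not in flagged_burst:
                flagged_burst.add(src)
                findings.append(("rdp_password_guessing", src))
        elif len(fails[src]) >= FAIL_THRESHOLD:
            # Rule 3: a success right after a burst: the guess probably worked.
            findings.append(("rdp_success_after_guessing", src))
            fails[src].clear()
    return findings

if __name__ == "__main__":
    for rule, src in analyse(SAMPLE_LOG):
        print(f"{rule}: {src}")
```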

  • Limit plug-ins: They can be an entry point. Either disable them or make sure they are updated regularly.
  • Verify, then trust: All documents should have viewable file extensions from trusted sources. Don’t let your system download irrelevant documents that may be coming from malicious sources.
  • Know what you have and keep it up to date: Keep strict track of the software components running applications, systems, and networks, and keep them up to date. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.

Then there is the human element. Most employees, except for a rogue here and there, want to protect the organization’s assets. But if they fall for a phishing email, reuse passwords or don’t create complex ones, the best technology in the world can’t protect against those failures.

Indeed, multiple estimates are that more than 90% of all attacks on organizations are phishing. That’s because, as criminals know, social engineering has a better chance of working.

So, to make employees an asset rather than a liability:

  • Train them: Employees need to be taught how to spot suspicious communications — to develop a healthy paranoia. Organizations should train them in social engineering and help them spot, and avoid, clicking on any unknown link or attachment, even if it appears to come from a trusted source.
  • Limit access: Yes, you should value all of your employees. But the reality is that the more of them who have access to sensitive data, no matter how dedicated they are, the greater your risk. So organizations should employ network segregation to limit access.

Tim Mackey, senior security strategist within the Synopsys Cybersecurity Research Center (CyRC), has said more than once that a basic personnel measure should be to apply the “principle of least privilege.” That means “limiting the level of trust a given employee has at any point in time to only the level of access required to perform specific tasks,” he said.

But the much less good news is that many organizations hear all that advice and complain that they have neither the time nor the money to implement those protections.

It is true that they cost money and time. But the harsh reality is that the cost of paying cyber criminals and recovering from a ransomware attack is likely to be greater, by orders of magnitude, than any “savings” from failing to implement good security.

Consider it an investment. You may never know the ROI, but that’s the point — you don’t want to know.

Translated from: https://medium.com/the-innovation/the-ransomware-tsunami-is-here-dont-be-a-victim-3bb4d7c2414c

http://www.taodudu.cc/news/show-5315388.html