WannaCry ransomware

In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US’ National Security Agency (NSA).

Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours. According to the antivirus company Avast, it took less than 24 hours to infect more than 100,000 Windows systems, 57% of them in Russia. Besides the NHS, its other high-profile victims included Telefonica, Santander, FedEx, Vodafone and Renault.

Many organisations were forced to shut down systems and even production sites to prevent the spread of the virus, and the NHS was virtually paralysed by the attack, postponing operations and cancelling thousands of appointments at over 48 hospitals, medical centres and GP surgeries. Six hospitals were still experiencing difficulties the following day and diverting emergencies as a result.

Exploiting Windows SMB Vulnerabilities

WannaCry infects Windows systems that run a vulnerable implementation of SMB (Server Message Block). It spreads using software the NSA had developed for espionage, which was stolen by a hacking group called the Shadow Brokers, who then leaked it on the internet.

It uses the same basic method as most other ransomware: getting users to open an attachment in an email, e.g. a Word document, PDF or image. Once the attachment is opened, the malware installs itself and a ransom demand is shown on the screen asking for around £230 in Bitcoin to restore access.

Because of the success of WannaCry, it is believed that other ransomware, such as the infamous Locky, will use the same leaked technology to improve their ability to infect and spread on a larger scale.

The Mechanics of the Infection

The programs developed by the NSA to exploit the vulnerabilities in SMB are known as EternalBlue, EternalChampion, EternalSynergy and EternalRomance. Together, they are known as the FuzzBunch kit. These programs load a backdoor implant tool, called DoublePulsar, on to a compromised system, enabling attackers to load other malware.

WannaCry’s authors have obviously used this mechanism to accelerate the spread of their strain. The infection uses EternalBlue and DoublePulsar to execute remote commands through Samba (SMB) in order to distribute ransomware to other machines on the same network.

WannaCry Preying on Windows XP

It is no surprise that cybercriminals are finding a use for these government-developed, ultra-advanced hacking tools. According to Recorded Future, a US company specialising in threat intelligence, Chinese and Russian hackers had begun studying the malware leaked by the Shadow Brokers, with a particular interest in exploits that targeted SMB vulnerabilities.

“We’re talking about very sophisticated techniques and tools that are generally beyond the reach of the underground community,” said Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future.

Microsoft had already patched the vulnerabilities exploited by these tools in March 2017. However, according to Recorded Future, Chinese hackers were not totally convinced of the solidity of these patches. Attacks remain possible against unpatched systems and against OS versions that Microsoft no longer supports. This is a problem for the NHS, where 5% of its machines still use Windows XP. The NHS is not the only one at risk, however: many media industry organisations and a multitude of others rely on applications that need this legacy OS to run. The problem is that XP is so old that it is no longer supported by Microsoft and so no longer receives patches or updates.

WannaCry stopped … by a stroke of luck

In response to the WannaCry emergency, Microsoft took the unusual step of releasing patches for the SMB flaws on Windows XP (including the embedded version of SP3), Windows Server 2003 and Windows 8. Windows 10 remained unscathed in this attack; however, Microsoft expects that the threat will evolve and eventually bypass Windows 10’s first line of defence. It therefore recommends disabling SMB on the network where possible.

Thanks to a stroke of luck, WannaCry is in temporary decline. A security researcher, known only as MalwareTech, accidentally stopped the malware spreading by registering a domain that appeared in its code. This blocked the execution of WannaCry and stopped its spread. According to MalwareTech, the domain he registered was a security feature devised by WannaCry’s developers to prevent it being analysed by security systems.

Unfortunately, malware developers can easily modify WannaCry to get around this pitfall. In fact, within 24 hours of the first attack ending, Costin Raiu, Director of the research and analysis team at Kaspersky Lab, identified new versions that were no longer hampered by MalwareTech’s domain registration. The WannaCry threat is therefore back out in cyberspace and looking for its next set of victims.

All Clear at eUKhost

At eUKhost, we found no evidence of infection on any of our Windows servers. However, we remain fully vigilant and have taken the preemptive step of patching all managed servers that are potentially vulnerable, in order to protect them from this exploit.

If you manage your own servers and use Windows OS, we strongly recommend that you check and make sure you have the latest Windows patches installed.

We urge all of you to check your desktop and laptop operating systems to make sure that they are also patched and fully up to date.
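As an added example (not part of the eUKhost post), the following PowerShell script carries out the two checks recommended above on a Windows host: it reports whether SMBv1 is enabled and whether a given update is installed, then disables SMBv1 where it is still on. The `$PatchKb` value is a placeholder, not the identifier of Microsoft’s actual SMB fix; substitute the update ID that applies to your OS version.

```powershell
# Added example: audit and harden SMBv1 on a Windows host. Run from an elevated session.
# $PatchKb is a PLACEHOLDER; replace it with the update ID that applies to your OS version.
$PatchKb = 'KB0000000'

function Get-Smb1State {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); fall back to the
    # LanmanServer registry value that older versions honour.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    # A missing value means the default, which is SMB1 enabled on legacy systems.
    if ($null -eq $val) { return $true }
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where SMB1 ships as an optional Windows feature, remove the component as well.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates; absence means the update is not present.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$smb1On  = Get-Smb1State
$patched = Test-PatchInstalled -Kb $PatchKb
Write-Host ("SMBv1 enabled: {0}  {1} installed: {2}" -f $smb1On, $PatchKb, $patched)

if ($smb1On) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot for the change to take full effect.'
}
if (-not $patched) {
    Write-Host 'Update not found: install it via Windows Update or WSUS before exposing SMB.'
}
```

Disabling SMBv1 breaks clients that only speak that dialect (for example very old NAS devices or Windows XP hosts), so inventory those dependencies before rolling the change out fleet-wide.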

For further information please read the following status update:

http://euk-status.com/2017/05/13/microsoft-vulnerability-urgent-attention-needed/

If you have any questions, please don’t hesitate to contact our 24x7 support team.

Translated from: https://www.eukhost.com/blog/webhosting/wannacry-autopsy-of-ransomware/
