There are very few things that genuinely worry me in cybersecurity. Recovering from ransomware is one of them.

真正让我担心网络安全的事情很少。 从勒索软件中恢复就是其中之一。

Ransomware is the digital equivalent of someone breaking into your house, while you’re in it, and deliberately destroying everything. There are no other, prevalent, cyber weapons that do that. Ransomware is the only one. It is the cruellest, most violent, and most invasive type of malware on the internet. If someone did it in the physical world they would be imprisoned for a long time.

勒索软件在数字上等同于某人在您进入房屋时闯入您的房屋，并故意破坏一切 。 没有其他流行的网络武器可以做到这一点。 勒索软件是唯一的一种。 它是互联网上最残酷，最暴力，最具入侵性的恶意软件。 如果有人在现实世界中这样做，他们将被长期监禁。

The catch with ransomware is that it offers you a lifeline. An undo button. A chance to reverse all damage. ‘Pay us and we’ll put it all back the way it was.’ Like it never happened. But it did.

勒索软件的好处是它为您提供了生命线。 撤消按钮。 有机会扭转所有伤害。 “付钱给我们，我们会把一切都恢复原状。” 就像从未发生过。 但是确实如此。

勒索软件通常是不分青红皂白的 (Ransomware is Generally Indiscriminate)

Ransomware doesn’t care who you are. The threat of ransomware affects both my personal and professional life. The photographs and videos of my daughter’s entire existence are just as vulnerable as the data and systems of FTSE listed companies.

勒索软件不在乎您是谁。 勒索软件的威胁影响到我的个人和职业生活。 我女儿整个生命的照片和视频与FTSE上市公司的数据和系统一样脆弱。

Wannacry, one of the most famous ransomware variants, originally spread from machine to machine through an unpatched file-sharing service. Once a host becomes infected it encrypts all local files and begins looking for other vulnerable hosts to attack. Whoever owns the host is irrelevant. If you’re on a network connected to a compromised host then you’re going to see infection attempts coming your way. Internet, home network, corporate office, or public Wi-Fi, it makes no difference.

Wannacry是最著名的勒索软件变体之一，最初是通过未修补的文件共享服务在计算机之间传播的。 一旦主机被感染，它将加密所有本地文件，并开始寻找其他容易受到攻击的主机。 拥有主机的人无关紧要。 如果您的网络连接的是受感染的主机，那么您会发现感染尝试正以自己的方式进行。 互联网，家庭网络，公司办公室或公共Wi-Fi，没有任何区别。

The vulnerable hosts that allowed Wannacry to spread initially have been patched or are already compromised. Now ransomware tends to spread through user interaction. A phishing email or drive-by download is the most likely cause of infection. Some malware variants even request permission to run to as an administrator to ensure no chances to access everything a missed. The recipient doesn’t matter, the outcome is the same.

最初允许Wannacry传播的易受攻击的主机已被修补或已经受到威胁。 现在，勒索软件倾向于通过用户交互传播。 网络钓鱼电子邮件或偷渡式下载是最可能的感染原因。 某些恶意软件变体甚至要求以管理员身份运行，以确保没有机会访问所有丢失的内容。 接收者无所谓，结果是一样的。

但是勒索软件罪犯会歧视 (But Ransomware Criminals Will Discriminate)

The only thing that differs between victims is the size of the ransom demand. If an attacker is able to identify the system as belonging to a registered company then the price of the decryption key will be proportionate to the company’s annual returns. The victim’s goal is to recover from the ransomware attack. The attacker’s goal is to receive payment. Therefore, ransomware criminals walk a fine line between ‘I can’t afford to do that’ and ‘I can’t afford to not do that’.

受害人之间唯一不同的是赎金要求的规模。 如果攻击者能够将系统标识为属于注册公司，那么解密密钥的价格将与公司的年收益成正比。 受害者的目标是从勒索软件攻击中恢复。 攻击者的目标是获得付款。 因此，勒索软件犯罪分子在“我负担不起”和“我负担不起不这样做”之间走了一条细线。

While individuals may struggle to pay more than a few hundred dollars, a big corporation can usually afford to pay a lot more. Many cyber insurance providers will willingly negotiate the value of the ransom demand on behalf of their customer. Paying for the decryption key can be cheaper than recovering everything from backups. It’s not always a certainty though as it’s hard to rely on criminals to honour the terms of an agreement. That said, ransomware criminals rely on the general public consensus of their own compliance in order to make money. Unless the majority of people who pay for a decryption key actually get what they pay for, people will stop paying.

尽管个人可能难以支付几百美元，但是大公司通常可以负担得起更多。 许多网络保险提供商愿意代表他们的客户商讨赎金要求的价值。 支付解密密钥要比从备份中恢复一切便宜。 不过，这并非总是可以确定的，因为很难依靠犯罪分子来遵守协议的条款。 就是说，勒索软件犯罪分子依靠公众对自己的合规性的共识来赚钱。 除非大多数为解密密钥付费的人实际得到了所支付的东西，否则人们将停止支付。

犯罪分子变得越来越聪明 (Criminals are Getting Smarter)

In the early days of ransomware, criminals would compromise a system then almost immediately trigger the encryption process. This generated a lot of short term profits but reduced the size of overall payouts possible from corporations. For many companies, restoring from backups was a painful but acceptable solution to the problem. For a criminal, this isn’t the outcome that makes money.

在勒索软件的早期，犯罪分子会破坏系统，然后几乎立即触发加密过程。 这产生了大量的短期利润，但减少了公司可能支付的总支出。 对于许多公司而言，从备份还原是一个痛苦但可以接受的解决方案。 对于罪犯来说，这不是赚钱的结果。

Now, ransomware attacks against corporations have evolved. Instead of immediately starting the encryption process, criminals are hanging around, observing, exploring, and waiting for the right moment to strike for maximum effect. If you were watching them you’d find them slowly poisoning backups, corrupting stale data, and monitoring backup software until retention periods have expired. In the style of Mr Robot, criminals are going after production systems and their online and offline backups through corruption and expiration.

现在，针对公司的勒索软件攻击已经发展。 犯罪分子没有立即启动加密过程，而是四处闲逛，观察，探索并等待适当的时机以发挥最大作用。 如果您正在观看它们，您会发现它们会慢慢使备份中毒，破坏陈旧数据并监视备份软件，直到保留期到期。 仿照Robot先生的风格，犯罪分子会通过腐败和过期来监视生产系统及其在线和离线备份。

This evolution makes it much, much harder to recover from ransomware. If you can’t recover from offline backups your only option is to buy the decryption key. At least that’s the reasoning of the new approach. Another other attack vector is to exfiltrate data before encrypting it locally and using the threat of GDPR fines to coerce payment. By leaking sensitive information to the press bit by bit until payment is made, a stronger case for paying the ransom demand can be built. Especially if someone is trying to keep the breach a secret. (By the way, don’t ever do that. Transparency and honesty are key.)

这种演变使得从勒索软件中恢复变得非常困难。 如果您无法从脱机备份中恢复，则唯一的选择就是购买解密密钥。 至少这就是新方法的原因。 另一个攻击媒介是在对数据进行本地加密之前先窃取数据，并利用GDPR罚款的威胁来强制付款。 通过将敏感信息一点一点地泄露给媒体直到付款，就可以建立支付赎金需求的更强的理由。 尤其是当有人试图将违规行为保密时。 (顺便说一句，永远不要那样做。透明和诚实是关键。)

那么我如何从勒索软件中恢复呢？ (So How Will I Recover from Ransomware?)

Thankfully I haven’t been hit by ransomware, yet. Unfortunately, it’s only a matter of time. No matter how hard you try you will always get hacked in the end. That’s why we apply our focus on response and recovery as much as on the protection against and detection of threats. Just like everyone else, the best way to recover from ransomware is to ensure you have offline backups of everything. Not just the data but full images of servers, installation files, license keys, processes and documentation, your active directory database in a tested, recoverable form… literally everything you could need to rebuild everything from scratch.

值得庆幸的是，我还没有受到勒索软件的攻击。 不幸的是，这只是时间问题。 无论您多么努力，最终都将被黑。 这就是为什么我们将重点放在响应和恢复以及防御和检测威胁上的原因。 就像其他所有人一样，从勒索软件中恢复的最佳方法是确保您拥有所有内容的脱机备份。 不仅是服务器的完整数据，还包括服务器，安装文件，许可证密钥，进程和文档的完整映像，以及经过测试且可恢复的形式的活动目录数据库……从字面上看，您需要从头开始重建所有内容。

As evolved ransomware attacks are targeting offline backups, the solution here is longer retention periods. If you only keep backups for 30 days it is really easy to lose everything. If you keep a combination of daily, weekly, monthly, and yearly backups, you’ll at least have something to work with. It’ll be less than ideal but something is better than nothing. Long retention and early detection are your best defences.

随着勒索软件攻击的发展针对脱机备份，这里的解决方案是更长的保留期。 如果您仅将备份保留30天，那么丢失所有内容确实很容易。 如果您结合使用每日，每周，每月和每年的备份，则至少可以使用一些功能。 它不会理想，但是总有总比没有好。 长期保留和及早发现是您的最佳防御方法。

In my personal life, I take the same approach. I use a combination of different online backup solutions with different retention policies. I combine that with offline snapshots of everything important to me on multiple disks. Simply replicating everything to a cloud-based mirror of isn’t enough as ransomware changes to your local files will be replicated offsite just like your regular updates. Even if you use a backup provider that guarantees immutability of your data for a given period of time, all an attacker has to do is observe your password and delete your account before encrypting everything. Offline backups are the only safe option. Just don’t plug them back in again unless you’re sure your machine is safe.

在我的个人生活中，我采用相同的方法。 我将不同的在线备份解决方案与不同的保留策略结合使用。 我将其与对多个磁盘上对我而言重要的所有内容的脱机快照结合在一起。 仅将所有内容复制到基于云的镜像是不够的，因为勒索软件对本地文件的更改将像常规更新一样在异地复制。 即使您使用保证在给定时间内数据不变的备份提供程序，攻击者所要做的就是在加密所有内容之前先观察您的密码并删除您的帐户。 脱机备份是唯一安全的选择。 除非您确定机器安全，否则就不要再将它们插回去。

您无法备份您的声誉 (You Can’t Backup Your Reputation)

The only thing you can’t backup is your reputation. No matter how well you respond, if you were the one responsible for protecting against a ransomware threat and you ‘failed’, you will be blamed. Even if only by yourself. Just remember, there’s only so much you can do with the time, money, and people available to you. Make sure you have offline backups that can’t be corrupted and at least you’ll be able to recover something in the end. You might not be able to backup your reputation, but with perseverance, you’ll be able to restore it.

您唯一无法备份的是您的声誉。 无论您的React如何好，如果您是负责防范勒索软件威胁的人员，而您却“失败”，您将受到指责。 即使只有你自己。 请记住，您可以利用的时间，金钱和人只有那么多。 确保您拥有不会损坏的脱机备份，并且至少最终可以恢复某些内容。 您可能无法备份您的声誉，但是只要有毅力，就可以恢复它。

Join the others in my private email list to stay up-to-date with my latest articles, videos, thoughts, and more.

将其他人加入我的私人电子邮件列表中，以了解我的最新文章，视频，想法等最新信息。

Originally published at https://craighays.com on February 23, 2020.

最初于 2020年2月23日 在 https://craighays.com 上 发布 。