Ransomware Guide

Learn the motivations behind ransomware and how attacks are carried out.

Ransomware Playbook

What is ransomware?

Ransomware is malicious code or behavior that attackers use to disrupt an organization's operations, typically by holding its data hostage. The end goal is to force the business to pay a ransom in order to restore normal operations.

It is nearly impossible to harden defenses to the point where an organization is completely immune to ransomware attacks. It is, however, possible to greatly improve the ability to mitigate the worst effects of an attack, or to reduce the chance of being attacked in the first place.

Types of ransomware

Attempting to list types of ransomware can turn into a game of chase. Indeed, the US Cybersecurity and Infrastructure Security Agency (CISA) calls ransomware an "ever-evolving form of malware." A few of the more common ransomware variations include the following:

  • Double extortion: attackers collect a first ransom, then threaten to sell the stolen data unless a second ransom is paid.
  • Ransomware-as-a-Service (RaaS): established ransomware groups sell easy-to-deploy ransomware "kits", so even non-experts can launch sophisticated attacks.
  • Distributed denial of service: instead of one system targeting another system, this type of attack involves many systems, hundreds or thousands of them, launching a coordinated attack against a single system.
  • Spear phishing: attackers craft targeted emails sent to specific recipients or groups, hoping to trick the target into clicking or downloading a malicious payload, or into taking an unwanted action such as a wire transfer.
  • Stolen credentials: attackers use a set of credentials stolen from a compromised endpoint to access subsequent target systems on the same network, potentially locking out all other access to those systems.
  • Application exploitation: attackers exploit vulnerabilities in applications to gain access, steal data, and/or deny service.

How does ransomware work?

Ransomware works by attempting to force a victim to pay the ransom. Specifically, the malware deployed by an attacker in a ransomware attack follows a pattern of breaking in, maliciously encrypting targeted data, and then extorting the ransom from the company or individual.

As mentioned above, double extortion has become more common. It's not enough for modern attackers to block access to a company's data; they also see the value in stealing it and demanding an extra payment to get it back.

The effects of ransomware on network systems can vary, depending on the type of defenses in place and response time. Once access is gained, attackers can use post-exploitation frameworks to search the environment and obtain higher privileges. If a threat actor gains full access, they could encrypt the entire network, leading to complete disruption of business services.

An infected endpoint in a large network ecosystem may contain the threat for a period of time, but it's a race against the clock before the malware spreads. Rapidly removing these infected devices is critical to limiting the blast radius of the attack.

Stages of a ransomware attack

Let's now take a look at some specifics of the different stages of a ransomware attack:

  • Initial access: attackers scan servers for any vulnerabilities that are exploitable.
  • Deployment: the ransomware is either injected into a running process or executed as a dynamic-link library (DLL).
  • Post-exploitation: after successful injection or execution, the ransomware builds its imports and kills processes that could stop it.
  • Lateral movement: attackers gain privileges and are able to hop from one system to another by stealing credentials. This lets them easily scour the network and find desirable data to encrypt.
  • Data collection: attacker-targeted data is typically mission-critical. If the attacker can get in, anything the organization needs for day-to-day operations can be compromised, blocked, held for ransom, and stolen.
  • Exfiltration: attackers will have tailored the ransomware to automate the data-exfiltration process. Once they find what they are looking for, it is sent to a location they consider safe.
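As an added example that is not part of the original guide, the following Python detection logic runs over constructed endpoint telemetry and flags two of the stages above: mass renaming of files to a single new extension (the encryption step) and termination of backup or security processes (the post-exploitation step). The log line format, the host and user names, and the PROTECTIVE_PROCESSES list are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): "<ISO timestamp> <host> <user> <event> <detail>"
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 ws01 alice FILE_RENAME report.docx -> report.docx.locked
2024-05-01T10:00:01 ws01 alice FILE_RENAME budget.xlsx -> budget.xlsx.locked
2024-05-01T10:00:01 ws01 alice FILE_RENAME plan.pptx -> plan.pptx.locked
2024-05-01T10:00:02 ws01 alice FILE_RENAME notes.txt -> notes.txt.locked
2024-05-01T10:00:03 ws01 alice PROC_KILL vssvc.exe
2024-05-01T10:00:03 ws01 alice PROC_KILL MsMpEng.exe
2024-05-01T10:03:00 ws02 bob FILE_RENAME draft.docx -> final.docx
2024-05-01T10:04:00 ws02 bob PROC_KILL notepad.exe
"""

# Assumed list of backup, shadow-copy, AV and database processes that ransomware tends to kill first
PROTECTIVE_PROCESSES = {"vssvc.exe", "msmpeng.exe", "sqlservr.exe", "veeam.backup.service.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$", re.M)

def parse_events(text):
    """Parse matching lines into dicts with a real timestamp; non-matching lines are ignored."""
    return [{"ts": datetime.fromisoformat(t), "host": h, "user": u, "kind": k, "detail": d}
            for t, h, u, k, d in (m.groups() for m in LINE_RE.finditer(text))]

def detect_mass_rename(events, threshold=4, window_s=60):
    """Flag (host, user) pairs renaming >= threshold files to one new extension within window_s."""
    by_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "FILE_RENAME" and " -> " in e["detail"]:
            new_name = e["detail"].split(" -> ", 1)[1]
            by_actor[(e["host"], e["user"], new_name.rsplit(".", 1)[-1].lower())].append(e["ts"])
    findings = set()
    for (host, user, ext), stamps in by_actor.items():
        stamps.sort()
        # sliding window: any `threshold` consecutive renames that fall inside window_s seconds
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - threshold + 1)):
            findings.add((host, user, "mass_rename:." + ext))
    return sorted(findings)

def detect_protective_kills(events, threshold=2):
    """Flag (host, user) pairs that terminate >= threshold distinct protective processes."""
    kills = defaultdict(set)
    for e in events:
        if e["kind"] == "PROC_KILL" and e["detail"].lower() in PROTECTIVE_PROCESSES:
            kills[(e["host"], e["user"])].add(e["detail"].lower())
    return sorted((h, u, "protective_process_kill") for (h, u), p in kills.items() if len(p) >= threshold)
```

The thresholds are deliberately low to fit the sample; in production they would be tuned against a baseline of normal rename and service-restart activity so that routine maintenance does not trigger the rules.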

Ransomware examples

Ransomware is ubiquitous in today's world. Let's take a look at some recent notable examples. 

WannaCry Ransomware

The 2017 WannaCry ransomware attack is one of the most notable and infamous recent examples of ransomware. It differed from traditional ransomware in that it included a component able to find vulnerable systems and spread rapidly. Because of this behavior, this type of ransomware is known as a worm, tunneling its way through a network and doing the maximum amount of damage.

Because of the combination of traditional phishing tactics and the worm-like nature of the malware, it was particularly nasty and caused fallout around the globe. The attackers demanded Bitcoin ransoms from users and organizations that often did not have up-to-date software, or that may have had poor hygiene around permissions, passwords, and credentials.

Petya Ransomware

Similar to WannaCry, Petya ransomware deployments generally had the ability to spread easily and quickly locate vulnerabilities. Users encountered it as a reboot request, after which their systems became unavailable. Petya was initially distributed as a malicious email attachment, infecting the system once the user clicked the attachment and downloaded it locally.

The initial Petya attack did large-scale damage across Ukraine, severely affecting its banking infrastructure as well as other critical sectors of the country. From there, it was able to spread across Europe like wildfire. A subsequent variant, known as NotPetya, had more malicious capabilities than the original and also caused billions of dollars in damage.

CryptoLocker Ransomware

Perhaps the most persistent of these examples, CryptoLocker primarily lures victims through phishing emails containing malicious attachments. This might be a good time to pause and extol the virtues of security awareness training. Not all, but many of these attacks require the user to take an action in order to gain access to their systems, so it's important that workforces are aware of which actions to take and which not to take.

Notably, CryptoLocker was particularly effective because the bad actors mimicked prompts to act from well-known companies such as FedEx and UPS. Asymmetric encryption is used to lock users out of their files, meaning two keys are employed: one for encryption and one for decryption.

How to prevent ransomware

Ransomware can be prevented by following key best-practice behaviors across the entire security program. Zooming in, there are two key stages of a ransomware attack during which taking action is critical to reduce risk and prevent the worst effects of an attack.

  • Before an attack: minimize the attack surface by identifying the specific techniques attackers use to deploy ransomware. From there, security teams can apply multiple layers of prevention (including employee training) to reduce risk. Purposeful network segmentation can ensure that critical machines are isolated to prevent the spread of malware.
  • During an attack: for in-progress attacks, access to mission-critical data should be extremely limited. Constant system backups should be a high priority so that, if mission-critical data is compromised, data recovery can be deployed using recent, uncompromised backups.

Avoid becoming a repeat victim by identifying and remediating the initial access and execution vectors from the first attack, ensuring the attacker is completely eradicated.

How to remove ransomware?

Ransomware can be removed by scanning networks with an effective anti-malware solution. Teams should be able to automatically investigate and contain ransomware/malware before it does real damage.

Once a scan has found it, it is a good idea to quickly remove the targeted user's domain account from the local administrators group. User accounts with administrator privileges allow automated and targeted attacks to interact with system-level permissions and deploy ransomware easily.

Additionally, system administrators can create decision points for security analysts to block infected user accounts and malware communications, or to fully isolate a computer from the network. By leveraging automation to slow the infection, security responders will have more time to fully eradicate the ransomware threat.

Read more about ransomware

Learn about Rapid7's Ransomware Protection Solution

Ransomware-as-a-Service (RaaS) Cheat Sheet

Ransomware: Latest Rapid7 Blog Posts

Report: Pain Points: Ransomware Data Disclosure Trends