2018-07-09
https://www.welivesecurity.com/2018/03/07/ransomware-revolution/
DAVID HARLEY
7 MAR 2018
This is actually where I came in, nearly 30 years ago. The first malware outbreak for which I provided consultancy was Dr. Popp’s extraordinary AIDS Trojan, which rendered a victim’s data inaccessible until a ‘software lease renewal’ payment was made. And for a long time afterwards, there was not much else that could be called ransomware, unless you count threats made against organizations of persistent DDoS (Distributed Denial of Service) attacks.
While Denial of Service attacks amplified by the use of networks of bot-compromised PCs were becoming a notable problem by the turn of the century, DDoS extortion threats have accelerated in parallel (if less dramatically) with the rise in ransomware in the past few years. However, statistics may be obscured by a reluctance on the part of some victim organizations to speak out, and a concurrent rise in DDoS attacks with a political dimension rather than a simple profit motive. There are other complex interactions between malware types, though: there have been instances of ransomware variants that incorporated a DDoS bot, while more recently the charmers behind the Mirai botnet chose to DDoS the WannaCryptor (a.k.a. WannaCry) “kill switch” in order to allow dormant copies of the malware to reactivate.
Of course, there’s a great deal more to the malware ESET calls Win32/Filecoder.WannaCryptor than the Mirai factor. The combination of ransomware and worm accelerated the spread of the malware, though not as dramatically in terms of sheer volume as some of the worm attacks we saw in the first decade of the millennium, partly because its spread was reliant on a vulnerability that was already widely patched. However, its financial impact on major organizations caught the attention of the media worldwide.
One of the quirks of WannaCryptor was that it was never very likely that someone who paid the ransom would get all their data decrypted. That’s not unique, of course: there are all too many examples of ransomware where the criminals were unable to recover some or any data because of incompetent coding, or never intended to enable recovery. Ranscam and Hitler, for example, simply deleted files: no encryption, and no likely way the criminal can help recover them. Fortunately, these don’t seem to have been particularly widespread. Perhaps the most notorious example, though, is the Petya semi-clone ESET detects as DiskCoder.C, which does encrypt data. Given how competently the malware is executed, the absence of a recovery mechanism doesn’t seem accidental. Rather, a case of ‘take the money and run’.
While the DiskCoder.C malware sometimes referred to as NotPetya clearly doesn’t eschew making some profit by passing itself off as ransomware, other ‘wipers’ clearly have a different agenda, such as the (fairly) recently revived Shamoon malware. Malware with wiper functionality aimed at Ukraine includes KillDisk (associated with BlackEnergy) and, more recently, one of the payloads deployed by Industroyer.
Holding your data to ransom is an easy way for an attacker to make a dishonest profit, and destroying data for other reasons such as a political agenda seems to be on the rise. Rather than speculate about all the possible variations on the theme of data mangling, let’s look at some measures that reduce the risk across the board.
1. We understand that people choose to pay in the hope of getting their data back even though they know that this encourages the criminals. Before paying up, though, check with your security software vendor (a) in case recovery may be possible without paying the ransom (b) in case it’s known that paying the ransom won’t or can’t result in recovery for that particular ransomware variant.
2. Protecting your data proactively is safer than relying on the competence and good faith of the criminal. Back up everything that matters to you, often, by keeping at least some backups offline – to media that aren’t routinely exposed to corruption by ransomware and other malware – in a physically secure location (preferably more than one location). And, obviously, backups defend against risks to data apart from ransomware and other malware, so should already be part of a disaster recovery plan.
3. Many people and organizations nowadays don’t think of backup in terms of physical media like optical disks and flash storage, so much as in terms of some form of cloud storage. Which are very likely to be offsite, of course. Remember, however, where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local and other network-connected storage is. It’s important that offsite storage:
   a. Is not routinely and permanently online
   b. Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
   c. Protects earlier generations of backed-up data from compromise so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data.
   d. Protects the customer by spelling out the provider’s legal/contractual responsibilities, what happens if the provider goes out of business, and so on.
4. Don’t underestimate the usefulness of backup media that aren’t rewriteable/reusable. If you can’t modify what’s been written there, then neither can ransomware. Check every so often that your backup/recovery operation is (still) working properly and that your media (read-only, write-disabled, or write-enabled) are still readable (and that write-enabled media aren’t routinely writeable). And back up your backups.
5. I’m certainly not going to say that you should rely on backups instead of using security software, but bear in mind that removing active ransomware with security software that detects ransomware is by no means the same as recovering data: removing the ransomware and then deciding to pay up means that the data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is part of the malware. On the other hand, you certainly don’t want to restore your data to a system on which the ransomware is still active. Fortunately, safe backups can save your data if/when something malicious slips past your security software.
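As an added example (not code from the original post or from ESET), here is a small Python sketch of points 2 to 5 above: every backup run lands in a fresh, never-reused generation directory with a SHA-256 manifest and read-only files, and a verification pass re-hashes the files so that an in-place overwrite of the newest generation is detected while the earlier generation stays restorable. The directory layout, file names and sample contents are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest used to pin the content of each backed-up file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_generation(source: Path, dest_root: Path, gen_id: str) -> Path:
    """Copy `source` into a fresh, never-reused generation directory and
    write a hash manifest beside it. Files are made read-only, so a later
    overwrite cannot happen silently: the mode has to be changed first."""
    gen_dir = dest_root / gen_id
    shutil.copytree(source, gen_dir / "data")
    files = sorted(p for p in (gen_dir / "data").rglob("*") if p.is_file())
    manifest = {p.relative_to(gen_dir).as_posix(): sha256_of(p) for p in files}
    (gen_dir / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    for p in files + [gen_dir / "manifest.json"]:
        p.chmod(0o444)
    return gen_dir


def verify_generation(gen_dir: Path) -> dict:
    """Re-hash every file in the manifest; a mismatch means the backup was
    changed after it was taken (for example encrypted in place)."""
    manifest = json.loads((gen_dir / "manifest.json").read_text())
    modified = [r for r, d in manifest.items()
                if (gen_dir / r).is_file() and sha256_of(gen_dir / r) != d]
    missing = [r for r in manifest if not (gen_dir / r).is_file()]
    return {"ok": not (modified or missing), "modified": modified, "missing": missing}


def demo() -> dict:
    """Constructed scenario: two generations are taken, then the newest one
    is overwritten in place. The earlier generation still verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "src", Path(tmp) / "backups"
        src.mkdir()
        (src / "ledger.csv").write_text("2018-03-07,invoice,100\n")
        gen1 = make_generation(src, dest, "gen-001")
        (src / "ledger.csv").write_text("2018-03-07,invoice,100\n2018-03-08,refund,-20\n")
        gen2 = make_generation(src, dest, "gen-002")
        victim = gen2 / "data" / "ledger.csv"
        victim.chmod(0o644)                         # simulated in-place encryption
        victim.write_bytes(b"\x00opaque ciphertext\x00")
        return {"gen-001": verify_generation(gen1), "gen-002": verify_generation(gen2)}
```

Running `demo()` reports gen-002 as modified and gen-001 as intact, which is exactly the situation points 3c and 4 are meant to leave you in.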
“Don’t make predictions about computing that can be checked in your lifetime” – wise words from Daniel Delbert McCracken. Still, we can risk some extrapolation from the recent evolution of ransomware in order to offer some cautious thoughts about its future evolution.
The AIDS Trojan was pretty specific in its targeting. Even then, not many people were interested in the minutiae of AIDS research, distribution of the Trojan by floppy disk was relatively expensive, and the mechanism for paying the ransom didn’t really work to the attacker’s advantage. (Of course, in 1989 Dr. Popp didn’t have the advantage of access to cryptocurrency or the Dark Web, or easy ways to use Western Union (the 419 scammer’s favorite) or to monetize nude photographs.)
The attack itself was ‘classic’ ransomware, in that it deprived the victim of his or her data. Later, DoS and DDoS attacks deprived companies of the ability to benefit from the services they provided: while customers were deprived of those services, it was the provider who was expected to pay. However, as the non-corporate, individual use of the Internet has exploded, the attack surface and the range of potential targets have also widened. Which probably has an influence on the promiscuous distribution of most modern ransomware.
While the media and security product marketers tend to get excited when a highly visible or high-value victim is disclosed – healthcare sites, academic institutions, telephony service providers, ISPs – it’s inappropriate to assume that these institutions are always being specifically targeted. Since we don’t always know what vector of compromise was used by a specific campaign, we can’t say ‘It never happens!’. But it looks as if ransomware gangs are doing quite nicely out of payments made by large institutions compromised via lateral attacks from employees who have been successfully attacked when using their work accounts. The UK’s NHS Digital, for example, denies that healthcare is being specifically targeted – a view I happen to share, in general – while acknowledging that healthcare sites have ‘often fallen victim’.
At the moment, there still seem to be organizations that are prepared to spend relatively large sums in ransom payment. In some cases, this is a reasonable ‘backup strategy’, acknowledging that it’s sensible to keep a (ransom)war(e) chest topped up in case technical defences fail. In other cases, companies may be hoping that paying up will be more cost-effective than building up complex additional defences that cannot always be fully effective. That in itself may attract targeting of companies perceived to be a soft touch or especially able to pay (financial organizations, casinos). The increased volume of wiper attacks and ransomware attacks where payment does not result in recovery may mitigate this unhealthy trend, but companies that are still perceived as unlikely to harden their defences to the best of their abilities might then be more specifically targeted. It is, after all, likely that a successful attack on a large organization will pay better and more promptly than widespread attacks on random computer users and email addresses.
Looking at attacks on smartphones and other mobile devices, these tend to be less focused on data and more on denying the use of the device and the services it facilitates. That’s bad enough where the alternative to paying the ransom may be to lose settings and other data, especially as more people use mobile devices in preference to personal computers and even laptops, so that a wider range of data might be threatened. As the Internet of Unnecessarily Networked Things becomes less avoidable, the attack surface increases, with networked devices and sensors embedded into unexpected items and contexts: from routers to fridges to smart meters, from TVs to toys, from power stations to petrol stations and pacemakers. As everything gets ‘smarter’, the number of services that might be disrupted by malware (whether or not a ransom is demanded) becomes greater. In previous years we’ve discussed the possibilities of what my colleague Stephen Cobb calls the Ransomware of Things. There are fewer in-the-wild examples to date of such threats than you might expect, given the attention they attract. That could easily change, though, especially if more conventional ransomware becomes less effective as a means of making a quick buck. Though I’m not sure that’s going to happen for a while…
On the other hand, there’s not much indication that Internet of Things security is keeping pace with IoT growth. We are already seeing plenty of hacker interest in the monetization of IoT insecurity. It’s not as simple as the media sometimes assume to write and distribute malware that will affect a wide range of IoT devices and beyond, so there’s no cause for panic, but we shouldn’t underestimate the digital underworld’s tenacity and ability to come up with surprising twists.
Attachments:
Trends 2018 - The ransomware revolution (original English text).pdf
Trends 2018 - The ransomware revolution (Chinese translation).pdf