This post was last edited by pal家族 on 2017-5-14 15:04
Reposted today (5.14). The Securelist article referred to at the end of the post was published on 5.12.
https://forum.kaspersky.com/index.php?showtopic=370234
On May 12th, a massive ransomware attack was unleashed, hitting organizations across the world.
Kaspersky Lab’s researchers have analysed the data and can confirm that the company’s protection subsystems detected at least 45,000 infection attempts in 74 countries, most of them in Russia.
The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in Microsoft Security Bulletin MS17-010. The exploit used, “Eternal Blue”, was revealed in the Shadowbrokers dump on April 14.
Once inside the system, the attackers install a rootkit, which enables them to download the software to encrypt the data. The malware encrypts the files. A request for $600 in Bitcoin is displayed along with the wallet – and the ransom demand increases over time.
Kaspersky Lab experts are currently trying to determine whether it is possible to decrypt data locked in the attack – with the aim of developing a decryption tool as soon as possible.
Kaspersky Lab security solutions detect the malware used in this attack by the following detection names:
• Trojan-Ransom.Win32.Scatter.uf
• Trojan-Ransom.Win32.Scatter.tr
• Trojan-Ransom.Win32.Fury.fr
• Trojan-Ransom.Win32.Gen.djd
• Trojan-Ransom.Win32.Wanna.b
• Trojan-Ransom.Win32.Wanna.c
• Trojan-Ransom.Win32.Wanna.d
• Trojan-Ransom.Win32.Wanna.f
• Trojan-Ransom.Win32.Zapchast.i
• Trojan.Win64.EquationDrug.gen
• Trojan.Win32.Generic (the System Watcher component must be enabled)
We recommend taking the following measures to reduce the risk of infection:
• Install the official patch from Microsoft that closes the vulnerability used in the attack
• Ensure that security solutions are switched on on all nodes of the network
• If Kaspersky Lab’s solution is used, ensure that it includes the System Watcher, a behavioral proactive detection component, and that it is switched on
• Run the Critical Area Scan task in Kaspersky Lab’s solution to detect possible infection as soon as possible (otherwise it will be detected automatically, if not switched off, within 24 hours).
• Reboot the system after detecting MEM: Trojan.Win64.EquationDrug.gen
• Use Customer-Specific Threat Intelligence Reporting services
A detailed description of the WannaCry attack method, and Indicators of Compromise can be found in the blogpost on Securelist.
https://securelist.com/blog/inci ... all-over-the-world/ (By GReAT on May 12, 2017, 5:30 pm)
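A host-side check for the measures recommended above (patch state for MS17-010 and whether the SMBv1 server the exploit targets is still enabled), as an added example that is not part of the Kaspersky statement or of this post. The KB identifiers, the LanmanServer registry value and the SMBv1-disable step are my assumptions from the MS17-010 bulletin and Microsoft documentation, not from the page; verify the KB list against the bulletin for your exact OS build, since a later cumulative update supersedes these KBs and will not appear under these names.

```powershell
# Added example (not Kaspersky's or the poster's code): audit one Windows host for
# the two conditions this attack relies on, unpatched MS17-010 and a reachable
# SMBv1 server. Run in an elevated PowerShell session.
# ASSUMPTION: the KB list below is taken from the MS17-010 bulletin as recalled;
# verify it for your OS build before acting on the result.
param(
    [string[]]$RequiredKB = @(
        'KB4012598',                            # XP / Server 2003 / Vista / Server 2008 (out-of-band)
        'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    ),
    [switch]$DisableSmb1   # also apply the SMBv1 mitigation, not just report
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Patch state. A missing KB is "verify manually", not "vulnerable": later
#    cumulative updates include the fix under a different KB number.
$installed = Get-HotFix | Where-Object { $RequiredKB -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: patched via $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "MS17-010: none of the listed KBs found; check Windows Update history for a later cumulative update"
}

# 2. SMBv1 server state. EternalBlue targets the SMBv1 server, so a patched host
#    with SMBv1 off has two independent layers against it.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting directly
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: absent SMB1 value means enabled (assumption from Microsoft docs)
    $reg = Get-ItemProperty $lanman -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
}
if ($smb1Enabled) { Write-Warning "SMBv1 server: ENABLED" } else { Write-Host "SMBv1 server: disabled" }

# 3. Is the Server service actually up and listening on 445? (netstat works on every version)
$listening = netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING'
if ($listening) { Write-Host "TCP 445: listening ($($listening.Count) socket(s))" } else { Write-Host "TCP 445: not listening" }

# 4. Optional mitigation: turn the SMBv1 server off. This breaks clients that
#    only speak SMBv1 (old NAS boxes, XP/2003), so report first and apply deliberately.
if ($DisableSmb1 -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server disabled"
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Host "SMB1=0 written; restart the Server service or reboot for it to take effect"
    }
}
```

Run it as `.\check-ms17010.ps1` to report only, or `.\check-ms17010.ps1 -DisableSmb1` to also switch the SMBv1 server off; the patch itself still has to come from Windows Update or the bulletin's standalone installers, and the script deliberately refuses to declare a host "patched" on a negative KB lookup alone.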