Ransomware

Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by demanding payment, usually in the form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted.

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks.

How ransomware works

Most ransomware infections start with:

  • Email messages with attachments that try to install ransomware.

  • Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install ransomware.

Once ransomware infects a device, it starts encrypting files, folders, and entire hard drive partitions using encryption algorithms like RSA or RC4.

Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, the ransomware operators, and any other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses.

Examples

Sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also known as NotPetya) spread to other computers via network shares or exploits.

  • Spora drops ransomware copies in network shares.

  • WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.

  • A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.

Older ransomware like Reveton (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. It displays a full-screen image and then disables Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement, stating that the computer has been used in illegal cybercriminal activities and that a fine needs to be paid.

Ransomware like Cerber and Locky searches for and encrypts specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note as a text, image, or HTML file with instructions to pay a ransom to recover the files.

Bad Rabbit ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.

How to protect against ransomware

Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high-value targets, and attackers can demand bigger ransoms from them.

We recommend:

  • Back up important files regularly. Use the 3-2-1 rule: keep three copies of your data, on two different storage types, with at least one copy offsite.

  • Apply the latest updates to your operating systems and apps.

  • Educate your employees so they can identify social engineering and spear-phishing attacks.

  • Use controlled folder access. It can stop ransomware from encrypting files and holding them for ransom.
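The following is an added example, not part of the original page, showing how controlled folder access can be rolled out with the Microsoft Defender Antivirus PowerShell cmdlets: start in audit mode so legitimate applications that write to protected folders are logged rather than blocked, then switch to block mode once the audit log is clean. The folder and application paths are hypothetical placeholders.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# prompt on a Windows device running Microsoft Defender Antivirus.
# The paths below are hypothetical placeholders; replace them with your own.

# 1. Start in audit mode: writes to protected folders are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add business data locations beyond the default protected user folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Reports'

# 3. Review the Defender operational log for controlled folder access events
#    (event 1124 = audited would-be block, event 1123 = blocked).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize

# 4. Allow trusted applications that the audit log shows writing to
#    protected folders (hypothetical application path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\ReportWriter.exe'

# 5. Once audit events only show untrusted or unexpected writers, enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Running in audit mode first matters because block mode denies writes from any application not in the allowed list, which can break line-of-business software that legitimately saves into the protected folders.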

For more general tips, see Prevent malware infection.