4. Security vendor reveals the second-stage attack of the Petya ransomware
Title: Ransomware And The Boot Process
Author info: Feb 01, 2017 By Raul Alvarez
//BEGIN
Since its discovery in early 2016, we have tracked a number of variations of Petya, a ransomware variant famous for multi-stage encryption that not only locks your computer, but also overwrites the Master Boot Record. Petya continues to persist, and in this blog we will take a deeper look at its more complex second stage of attack.
Researchers at the security firm Fortinet recently discovered a second wave of attacks by the Petya ransomware. The ransomware has in fact been circulating since early 2016, and several variants have appeared so far. This latest variant exhibits multi-stage encryption: it not only locks your machine but also rewrites the machine's Master Boot Record (MBR), which obviously leaves the infected machine unable to boot normally. In this respect it differs greatly from the other ransomware we commonly see.
//END
Wrap Up
Most ransomware still allows you to use the infected machine to pay the ransom. But Petya doesn’t give you that opportunity. You have to use a different computer to go online, pay the ransom, and get the decryption key. But be aware that if you pay the ransom, there is no guarantee that you will recover your infected system.
The userland version of ransomware is easier to analyze than an MBR version like Petya. It is interesting to note how different strategies and deployments of ransomware pose a different threat to different victims. The modification of MBR or other sectors in the hard drive requires elevated privilege. This means that one way to effectively avoid infection with similar malware or ransomware is to lower your privilege level in your computer system. Our advice is to always log in to your computer with a non-admin account.
Always follow best safety practices to avoid being infected, including regularly installing patches and updates, scheduled drive scanning with updated AV files, filtering your web and email traffic, and scanning links and attachments before clicking on them. And for ransomware, a consistent backup strategy will save you a lot of headaches. Stay safe.
Generally speaking, ransomware at least lets the user's computer boot normally, so that it can show the user how to pay the ransom. But the Petya ransomware discussed here goes its own way: once infected, the machine cannot boot, forcing the victim to find another machine, pay the extortionist, obtain the decryption key, and only then decrypt the machine, boot it normally and access the files on the locked machine.
It should be noted that even if you pay the ransom, there is no guarantee that the machine can be restored to normal use.
Clearly, modifying the MBR sector requires elevated privileges; ordinary programs cannot even access this area, let alone rewrite its contents.
We therefore recommend that users do not log in to their computers with a high-privilege account such as a system administrator. Ordinary daily work only needs ordinary privileges.
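Because Petya's second stage lives in the MBR rather than in user-mode files, a defender's check is to read sector 0 and compare its boot code with a known-good baseline. The following parser and integrity check is an added example for this digest, not code from the Fortinet post; the sector bytes it uses are constructed in the script, and the hypothetical baseline hash is taken from the clean sample.

```python
import hashlib
import struct

# MBR layout: 446 bytes of boot code, four 16-byte partition entries, 2-byte signature 0x55AA.
MBR_SIZE, BOOT_CODE_LEN, TABLE_OFF, SIG_OFF = 512, 446, 446, 510
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code: bytes, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Construct a 512-byte sector with one active NTFS-type partition (constructed sample, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status=0x80 (active), CHS start, type 0x07, CHS end, LBA start, sector count
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into a boot-code hash, the used partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": raw[0] == 0x80, "type": raw[4], "lba": lba, "count": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIG_OFF:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings that indicate tampering, compared with a known-good boot-code hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition in table")
    return findings


if __name__ == "__main__":
    # On a live Windows host sector 0 is read with open(r"\\.\PhysicalDrive0", "rb").read(512), which
    # itself needs administrator rights, the same privilege the ransomware must obtain to overwrite it.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed stand-in for normal boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 16)  # constructed stand-in for replaced boot code
    print(check_mbr(clean, baseline))     # []
    print(check_mbr(tampered, baseline))  # ['boot code differs from baseline']
```

Record the baseline hash while the machine is known to be clean and re-run the check from a scheduled task; a changed boot code with the partition table intact is exactly the profile of an MBR-overwriting infection.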
Comment: Against ransomware, we recommend the "3B" principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).