Imagine waking up to an urgent 5 a.m. call: Something has taken over your corporate network and encrypted all of your data, and supposedly the only way to get it all back is to pay a significant sum to an anonymous third party using Bitcoin. While that scene might sound like something out of Hollywood, it is actually very real – and it’s exactly what several variants of ransomware are doing to organizations around the globe.
Two recent appearances of ransomware in the news demonstrate that it is a problem that is growing in both volume and significance, as larger and larger organizations, some critical to public and social services, are impacted by an outbreak:
- The BBC reports that the Chino Valley Medical Center and Desert Valley hospital, in the state of California, were infected with ransomware. A spokesman for the owner of the medical center, Prime Healthcare Services, confirmed that there were some “significant disruptions of [the medical center’s] hospital systems.”
- In a recent, highly publicized case, Hollywood Presbyterian Medical Center declared an internal emergency after suffering a ransomware outbreak. In the end, the hospital decided to pay the ransom in the Bitcoin the attackers demanded, handing over $17,000 to regain access to its computers. The original ransom demand was $3.7 million in Bitcoin, so, if nothing else, that was some decent negotiating on the hospital’s part.
- A Kentucky medical center, Methodist Hospital, was recently infected by a ransomware attack. This time, the strain of the ransomware was confirmed: Locky, a newer variant of Cryptolocker, infiltrated the defenses of the medical center’s network and spread to the entire internal network as well as several other systems, according to a CNBC report. At the time of writing, the ransom for this particular hospital was $1,600, and it was not yet clear whether the hospital intended to pay it. Another report, in Ars Technica, quotes the hospital’s attorney: “I think it’s our position that we’re not going to pay it unless we absolutely have to.”
This stuff is insidious. Ransomware typically arrives as an email attachment claiming to be an invoice, a shipment-tracking document or something else that looks harmless. Once opened, it usually begins silently encrypting every file it can reach, without any user interaction or notification. Only once its dirty work is done does it prompt the user with a message stating how much the ransom is and how to pay it.
It used to be that the first versions of Cryptolocker were not smart enough to go after data on network drives and only inflicted unwanted encryption on files stored locally to a machine. This could still be paralyzing in some instances, but for medium to large businesses who stored the majority of their data on network shared drives and SANs or NASes, this provided a level of relief.
Sadly, that is no longer the case. As the malware has become more successful and more profitable for its authors, most ransomware variants can now traverse network drives and UNC paths, encrypting anything they can physically reach and access with the permissions of the user account under which the malware is running. The result, as you can tell from the recent news reports about ransomware, can be devastating.
Strategies for dealing with ransomware
There are two basic solutions to the ransomware problem, one simple and one that will probably tear your team apart during the implementation. (Technically, there are three, but I don’t count actually paying the ransom as a solution because there are no blanket immunities offered in paying the ransom and surely the price will continue to increase as attacks and infestations become more successful.)
Regular and consistent backups along with tested and verified restores. The only way not to feel held hostage because of a ransomware attack is to have the next best viable alternative – to not pay it, because you have full and recent backups of all of your data that have also been tested through consistent, regular restore procedures to make sure that the backups actually worked.
Then, combined with vigilant monitoring (many technicians report success in detecting an outbreak by using file monitoring to screen for a large number of files being changed in sequence, especially when those files had not otherwise been touched in a while) and making sure you have appropriate file and folder permissions set, you can quickly detect an outbreak and then restore any encrypted data from backup. That way you never have to pay the ransom, and the only data at risk of potentially irreversible encryption is the data from the initial infection to
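As an added illustration of the file-monitoring heuristic described above (this is example code written for this edit, not code from the article or from any product it mentions), the following Python script applies a per-user sliding window to a stream of file-write events and raises an alert when one account rewrites many distinct files within a short window, counting separately the files whose previous modification time was old. The event record layout, the thresholds, the user names and the UNC paths are all assumptions; in a real deployment the events would come from a file-server audit log or a file-integrity monitor.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

DAY = 86400.0


@dataclass(frozen=True)
class FileEvent:
    ts: float          # epoch seconds at which the write was observed
    user: str          # account that performed the write
    path: str          # file that was modified
    prev_mtime: float  # the file's modification time before this write


@dataclass(frozen=True)
class Alert:
    user: str
    first_ts: float
    last_ts: float
    files_changed: int        # distinct files rewritten inside the window
    stale_files_changed: int  # of those, files untouched for longer than stale_days


def find_mass_modification(events, window=60.0, threshold=50, stale_days=30):
    """Per-user sliding window over write events.

    Emits one Alert per user the first time that user modifies at least
    `threshold` distinct files within `window` seconds. Files whose previous
    mtime is older than `stale_days` are counted separately, because a burst
    of writes to long-untouched files is the pattern the text describes.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, path, was_stale), oldest first
    alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        q.append((ev.ts, ev.path, ev.ts - ev.prev_mtime > stale_days * DAY))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        paths = {p for _, p, _ in q}
        if len(paths) >= threshold and ev.user not in alerted:
            alerted.add(ev.user)
            stale = len({p for _, p, s in q if s})
            alerts.append(Alert(ev.user, q[0][0], ev.ts, len(paths), stale))
    return alerts


def constructed_events():
    """Constructed sample feed: one account overwriting 120 old files in 30 s,
    another editing a handful of recent documents at a human pace."""
    now = 1_460_000_000.0  # fixed epoch so the example is deterministic
    events = [
        FileEvent(now + i * 0.25, "jdoe",
                  rf"\\fs01\finance\2014\report_{i:03}.xlsx", now - 90 * DAY)
        for i in range(120)
    ]
    events += [
        FileEvent(now + i * 10.0, "asmith",
                  rf"\\fs01\marketing\draft_{i}.docx", now - 2 * DAY)
        for i in range(5)
    ]
    return events


if __name__ == "__main__":
    for a in find_mass_modification(constructed_events()):
        print(f"ALERT user={a.user} files={a.files_changed} "
              f"stale={a.stale_files_changed} span={a.last_ts - a.first_ts:.1f}s")
```

Run as written, the script alerts on the account that rewrote 50 distinct, long-untouched files in about 12 seconds and stays quiet for the account editing five recent documents. The threshold and window need tuning per environment, since legitimate bulk operations (a migration, a build, an archive job) produce the same shape; the stale-file count is what separates those from an encryptor walking a share, and an alert is a trigger to isolate the account and start restoring, not a replacement for backups.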
Application whitelisting. Essentially the only way to definitively protect against a ransomware attack and invasion – or any other malware infestation for that matter – from even taking hold is to implement application whitelisting. Whitelisting involves computing checksums and other “digital fingerprints” for applications that you deem permitted to run on your systems, and then basically cutting everything else out and disallowing the code from executing at all.
Sounds good, right? No exploit can run if it has not already been whitelisted, so this not only protects you from current threats, it also works as prevention against future malware – and even though you would still do well to keep perimeter and endpoint security in place, having an application whitelist and then black-holing everything not on the known-good list would be a significant step forward in security.
Aye, but therein lies the rub: If you took the superset of all of the regularly used applications you have across all of your users, along with their varying versions and patch levels, you might very well have thousands of programs – and to use the built-in software whitelisting functions within Windows, you would need to create a signature for all of them. Every single one of them. There are various automated solutions available, but they all have a cost, both for licensing and for administration time.
Finally, with whitelisting there is the user-acceptance factor: your users will not be able to download anything, including browser plugins, that you have not permitted ahead of time. That includes even the lightest of programs, such as PuTTY, the secure-shell tunneling program that uses SSH and is popular with your IT staff, or Notepad++, a great text editor that many knowledge workers download to improve quick note-taking. (Neither of these programs requires installing an executable and both are portable between systems, which means they often find their way onto thumb drives or USB storage devices and get shared freely among colleagues.)
Would you and your IT team not only make the enormous effort to build the initial whitelist definitions, but also maintain them continually, even as new patches change digital signatures, new employees request new programs, and other services come online? This would truly be a daunting task, but I call it the nuclear option simply because it is the simplest (not easy, but plainly the simplest) way to all but eliminate the threat of ransomware on your systems.
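The following Python example is added here to show the mechanics the whitelisting section above describes; it is not code from the article and not Windows' built-in whitelisting feature. It builds an allow list of SHA-256 fingerprints from an approved-software directory, refuses a file whose fingerprint is not on the list, and then demonstrates the maintenance point above: a patch that changes the bytes of an approved program also changes its fingerprint, so the entry must be regenerated. The directory names, the file contents, and the extension filter are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as "code that may execute"; an assumption for the demo.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".ps1", ".bat")


def fingerprint(path, chunk_size=1 << 16):
    """SHA-256 of a file's bytes, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(approved_roots):
    """Walk each approved directory and record a fingerprint for every executable found.
    Every program and every version of it needs its own entry, which is the
    enumeration burden the text describes."""
    allow = {}
    for root in approved_roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
                allow[fingerprint(p)] = str(p)
    return allow


def may_execute(path, allow):
    """Default-deny decision: a file may run only if its exact fingerprint is listed."""
    return fingerprint(path) in allow


def demo():
    """Constructed scenario in a temporary directory: one approved program, one unknown
    download, then a 'patch' to the approved program. Returns every decision taken."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "approved").mkdir()
        (base / "downloads").mkdir()
        approved = base / "approved" / "notes.exe"
        approved.write_bytes(b"MZ" + b"\x00" * 64 + b"constructed approved program v1.0")
        unknown = base / "downloads" / "invoice.exe"
        unknown.write_bytes(b"MZ" + b"\x00" * 64 + b"constructed unapproved download")

        allow = build_allowlist([base / "approved"])
        approved_runs = may_execute(approved, allow)
        unknown_runs = may_execute(unknown, allow)

        # Simulate a vendor patch: the bytes change, so the old fingerprint no longer matches
        approved.write_bytes(approved.read_bytes().replace(b"v1.0", b"v1.1"))
        approved_after_patch = may_execute(approved, allow)

        # The list has to be rebuilt (or the new version added) before the patched build runs
        rebuilt = build_allowlist([base / "approved"])
        approved_after_rebuild = may_execute(approved, rebuilt)

        return {
            "allowlist_entries": len(allow),
            "approved_runs": approved_runs,
            "unknown_runs": unknown_runs,
            "approved_after_patch": approved_after_patch,
            "approved_after_rebuild": approved_after_rebuild,
        }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The decisions show both sides of the trade-off in the text: the unapproved download cannot run no matter what it claims to be, and the patched program cannot run either until someone regenerates its entry. Hash-based entries are the simplest form of the "digital fingerprint" the section describes; publisher-certificate or path-based rules reduce the churn from patches at the cost of a coarser control.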
This story, "You’ve been hit with ransomware. Now what?" was originally published by CIO.