Source: Wikipedia, "WannaCry ransomware attack"
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry[a] ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
The attack began on Friday, 12 May 2017,[5] and within a day was reported to have infected more than 230,000 computers in over 150 countries.[6][7] Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack;[8] Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other companies in many other countries.[9][10][11] Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech,[12] discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch.[13][14][15][16] Researchers have also found ways to recover data from infected machines under some circumstances.[17]
WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work rather than report it to Microsoft.[18][19] Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, it issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions then in support, namely Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016, as well as Windows Vista (whose support ended the following month).[20] However, many Windows users had not installed the patches when, two months later on May 12, 2017, WannaCry used the EternalBlue vulnerability to spread itself. The next day, Microsoft released emergency security patches for the unsupported Windows XP, Windows Server 2003 and Windows 8. Organizations were advised to patch Windows and close the vulnerability in order to protect themselves from the attack.[21]
Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well.[22] Almost all victims of the cyberattack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were "insignificant" in comparison.[23][17]
Within four days of the initial outbreak, new infections had slowed to a trickle.[24]
Several organizations released detailed technical writeups of the malware, including Microsoft,[25] Cisco,[26] Malwarebytes,[27] Symantec and McAfee.[28]
The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin.[29] It is considered a network worm because it also includes a "transport" mechanism to spread itself automatically. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access and the DoublePulsar tool to install and execute a copy of itself.[26]
The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware. The researcher speculated that this had been included as a mechanism to prevent the software from running on quarantined machines used by anti-virus researchers: some sandbox environments respond to all queries with traffic in order to trick the software into thinking that it is still connected to the internet, so the software attempted to contact an address that did not exist in order to detect whether it was running in a sandbox, and did nothing if so.[34] He also noted that this was not an unprecedented technique, having been observed in the Necurs trojan.[34]
On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed attack on WannaCry's kill-switch domain with the intention of knocking it offline.[35] On 22 May, @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[36]
The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.[37][38]
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol.[39] This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability, two months before, on 14 March 2017.[40] The patch addressed the SMB implementation used by Windows[41][42] and fixed several versions of the Microsoft Windows operating system, including Windows Vista, Windows 7, Windows 8.1 and Windows 10, as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older, unsupported Windows XP, Windows Server 2003 and Windows 8 (unsupported because Windows 8.1 is classified as a mandatory service-pack upgrade).[40] The day after the WannaCry outbreak Microsoft released updates for these too.[23][22]
DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed numbered in the tens of thousands.[43] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day.[44][45] The WannaCry code can take advantage of any existing DoublePulsar infection, or install it itself.[26][46][47]
Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[48][49]
Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[50] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[50] This could also be either simple re-use of code by another group[51] or an attempt to shift blame—as in a cyber false flag operation;[50] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[52] The President of Microsoft said he believed North Korea was the originator of the WannaCry attack,[53] and the UK's National Cyber Security Centre reached the same conclusion.[54]
North Korea itself denies being responsible for the cyberattack.[55][56]
On 12 May 2017, WannaCry began affecting computers worldwide,[58] with evidence pointing to an initial infection in Asia at 7:44am UTC.[5][59] The initial infection was likely through an exposed vulnerable SMB port,[60] rather than email phishing as initially assumed.[5]
When executed, the malware first checks the "kill switch" domain name;[c] if it is not found, then the ransomware encrypts the computer's data,[61][29][62] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[27] and "laterally" to computers on the same network.[28] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.[29][63] Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.[64] As of 14 June 2017, at 00:18 ET, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.[65]
Organizations that had not installed Microsoft's security update were affected by the attack.[41] Those still running the older Windows XP[66] were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014).[23] However, on the day after the outbreak, an emergency, out-of-band security update was released for XP and Windows Server 2003.[22] A Kaspersky Lab study reported that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.[17] In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[67][68]
Execution of the malware can be divided into three stages: the main program uses the vulnerability to spread itself and launches the "WannaCry" ransom program; the ransom program encrypts the files; and the ransom interface (@WanaDecryptor@.exe) displays the ransom demand and decrypts a few sample files.[69]
Main program (mssecsvc.exe): the main program is the component responsible for propagation in this event. It spreads itself and drops the "WannaCry" ransom program, which then encrypts the user's files and carries out the remaining malicious behaviour.
"WannaCry" ransom program (tasksche.exe): the sample carries an embedded original RSA public key; only the attacker holds the corresponding RSA private key. Before encrypting any files, the sample calls the Windows CryptoAPI to generate a fresh RSA key pair, referred to here as the sub-public key and the sub-private key. It then encrypts the sub-private key with the original RSA public key and saves the result as "00000000.eky"; the sub-public key is saved as "00000000.pky".
For each file the sample generates an AES key. The AES key encrypted with the sub-public key from "00000000.pky" is M1; the file contents encrypted with that AES key are M2. M1 and M2 are concatenated, the file header "WANACRY!" is prepended, and the result is written out as the encrypted file.
For decryption, the attacker decrypts the sub-private key in "00000000.eky" with the original RSA private key and returns it as "00000000.dky", which the decryptor then uses on the files once the victim has received it. The sample also carries a second, separate RSA key pair, both halves embedded, which is used only for the demonstration files it decrypts for free.
Every encrypted file uses a different AES key. To decrypt a file one needs the RSA sub-private key to recover the AES key from the file header, and then the AES key to decrypt the contents. Without the RSA sub-private key the AES key cannot be recovered, and so neither can the file.
Ransom interface and decryption program (@WanaDecryptor@.exe): "@WanaDecryptor@.exe" is the ransom interface displayed after the sample has encrypted the user's data. It shows the Bitcoin wallet address and decrypts a small number of files as a demonstration; decrypting everything requires paying the "ransom". As for the darknet (Tor) side, the majority of infected users were shown the three default Bitcoin wallet addresses, which led many to conclude that the attacker could not tell who had paid and therefore could not decrypt files for a specific victim.
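The key hierarchy described above, as an added Go example written for this page; it is not code from the Wikipedia article or from the malware analysis it cites. What it takes from the page: an attacker key pair of which only the public half is embedded, a per-victim sub key pair, the sub-private key wrapped into 00000000.eky and the sub-public key saved as 00000000.pky, a fresh AES key per file wrapped into M1, the AES ciphertext as M2, and the "WANACRY!" header. Everything else is the example's own assumption: RSA-OAEP with SHA-256 and AES-128-CBC with PKCS#7 padding (the sample's exact modes are not stated on the page), wrapping the sub-private key one OAEP block at a time, and the layout Magic | M1 | IV | M2, which is not the sample's real header. The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Magic is the marker at the start of every encrypted file.
const Magic = "WANACRY!"

// chunked applies an RSA operation block by block, so that a blob longer than one RSA
// block (the sub-private key) can be wrapped. Assumption of this demo: the sample itself
// drives CryptoAPI's CryptEncrypt; the chunking here is the demo's own simplification.
func chunked(data []byte, step int, op func([]byte) ([]byte, error)) ([]byte, error) {
	var out []byte
	for len(data) > 0 {
		n := len(data)
		if n > step {
			n = step
		}
		part, err := op(data[:n])
		if err != nil {
			return nil, err
		}
		out, data = append(out, part...), data[n:]
	}
	return out, nil
}

// Infect is the per-victim setup: generate the sub key pair, then produce 00000000.pky
// (sub-public key) and 00000000.eky (sub-private key wrapped under the attacker's key).
func Infect(attackerPub *rsa.PublicKey) (pky, eky []byte, err error) {
	sub, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	step := attackerPub.Size() - 2*sha256.Size - 2 // OAEP payload limit per block
	eky, err = chunked(x509.MarshalPKCS1PrivateKey(sub), step, func(c []byte) ([]byte, error) {
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, c, nil)
	})
	return x509.MarshalPKCS1PublicKey(&sub.PublicKey), eky, err
}

// ReleaseDky is the attacker's step after payment: only their private key turns
// 00000000.eky back into 00000000.dky, the sub-private key in clear.
func ReleaseDky(attackerPriv *rsa.PrivateKey, eky []byte) ([]byte, error) {
	return chunked(eky, attackerPriv.Size(), func(c []byte) ([]byte, error) {
		return rsa.DecryptOAEP(sha256.New(), nil, attackerPriv, c, nil)
	})
}

// EncryptFile draws a fresh AES-128 key per file: M1 is that key wrapped under the
// sub-public key from 00000000.pky, M2 the PKCS#7-padded AES-CBC ciphertext. The layout
// Magic | M1 | IV | M2 is this demo's assumption, not the sample's exact header.
func EncryptFile(pky, plain []byte) ([]byte, error) {
	subPub, err := x509.ParsePKCS1PublicKey(pky)
	if err != nil {
		return nil, err
	}
	key, iv := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	m1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, subPub, key, nil)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	m2 := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(m2, m2)
	return append(append(append([]byte(Magic), m1...), iv...), m2...), nil
}

// DecryptFile needs the sub-private key (00000000.dky). Without it M1, and so the
// per-file AES key, cannot be recovered, which is why a victim cannot decrypt alone.
func DecryptFile(dky, blob []byte) ([]byte, error) {
	subPriv, err := x509.ParsePKCS1PrivateKey(dky)
	if err != nil {
		return nil, err
	}
	k := subPriv.Size()
	if len(blob) < len(Magic)+k+aes.BlockSize || string(blob[:len(Magic)]) != Magic {
		return nil, errors.New("not a WannaCry-style file")
	}
	p := blob[len(Magic):]
	m1, iv, m2 := p[:k], p[k:k+aes.BlockSize], p[k+aes.BlockSize:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, subPriv, m1, nil)
	if err != nil {
		return nil, errors.New("this sub-private key does not unwrap M1")
	}
	if len(m2) == 0 || len(m2)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(m2))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, m2)
	if pad := int(out[len(out)-1]); pad > 0 && pad <= aes.BlockSize {
		return out[:len(out)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // only the public half is embedded in the sample
	pky, eky, _ := Infect(&attacker.PublicKey)
	blob, _ := EncryptFile(pky, []byte("constructed sample document"))
	dky, _ := ReleaseDky(attacker, eky)
	plain, err := DecryptFile(dky, blob)
	fmt.Printf("%q %v\n", plain, err)
}
```

The point the code makes concrete is the one the page draws: 00000000.pky on disk lets the malware keep encrypting, but it never lets anyone decrypt, and 00000000.eky is useless without the attacker's private key. Each file also carries its own wrapped key, so recovering one AES key helps with exactly one file.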
Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, a researcher known by the name MalwareTech[70][34] accidentally discovered what amounted to a "kill switch" hardcoded in the malware.[71][72][73] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[74][75][76][77]
On 16 May 2017, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware.[78][79]
It was discovered that the Windows encryption APIs used by WannaCry may not completely clear from memory the prime numbers used to generate the payload's private keys, making it possible to retrieve the required key if they had not yet been overwritten or cleared from resident memory. This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[80][81][82] This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[83]
The scale of the attack and subsequent exposure of vulnerabilities prompted Microsoft to release new security updates for older versions of Windows that are no longer supported, including Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded.[84] In a statement regarding the matter, the head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [an alternative name for WannaCry]".[85]
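The recovery trick behind WannaKey and Wanakiwi, as an added Go example written for this page; it is not code from either tool or from the article. The idea is the one the paragraph states: if one prime of the per-victim RSA key is still sitting in process memory, the modulus from 00000000.pky can be factored by trial division against every candidate window of memory, and the full private key rebuilt from the factor. The process-memory image is constructed here, random filler with one prime of a freshly generated key copied in; the example assumes the prime lies in memory little-endian, as CryptoAPI stores key material, and does not reproduce the tools' own heap-scanning heuristics.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// reversed returns a byte-reversed copy, converting between big-endian (math/big)
// and the little-endian layout this demo assumes for key material in memory.
func reversed(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// BuildMemoryDump fabricates a process-memory image: random filler with one prime of
// the key left behind at offset `at`, as happens when the crypto library does not scrub it.
func BuildMemoryDump(key *rsa.PrivateKey, size, at int) []byte {
	mem := make([]byte, size)
	rand.Read(mem)
	copy(mem[at:], reversed(key.Primes[0].FillBytes(make([]byte, key.Size()/2))))
	return mem
}

// RecoverPrivateKey slides a window of half the modulus width over mem, tests each
// little-endian candidate as a divisor of N, and rebuilds the private key from the
// factor: q = N/p, d = e^-1 mod (p-1)(q-1).
func RecoverPrivateKey(pub *rsa.PublicKey, mem []byte) (*rsa.PrivateKey, bool) {
	width := pub.Size() / 2
	one := big.NewInt(1)
	for off := 0; off+width <= len(mem); off++ {
		if mem[off]&1 == 0 { // a little-endian odd prime starts with an odd byte
			continue
		}
		p := new(big.Int).SetBytes(reversed(mem[off : off+width]))
		if p.BitLen() < width*8-8 || new(big.Int).Mod(pub.N, p).Sign() != 0 {
			continue
		}
		q := new(big.Int).Div(pub.N, p)
		phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
		d := new(big.Int).ModInverse(big.NewInt(int64(pub.E)), phi)
		if d == nil {
			continue
		}
		priv := &rsa.PrivateKey{PublicKey: *pub, D: d, Primes: []*big.Int{p, q}}
		priv.Precompute()
		if priv.Validate() != nil {
			continue
		}
		return priv, true
	}
	return nil, false
}

// CanDecrypt confirms the rebuilt key is the real one with an OAEP round trip.
func CanDecrypt(pub *rsa.PublicKey, priv *rsa.PrivateKey) bool {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte("probe"), nil)
	if err != nil {
		return false
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return err == nil && string(pt) == "probe"
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	mem := BuildMemoryDump(key, 4096, 1337)
	rec, ok := RecoverPrivateKey(&key.PublicKey, mem)
	fmt.Println("prime found:", ok, "key works:", ok && CanDecrypt(&key.PublicKey, rec))
}
```

This is also why the tools only worked on machines that had not been rebooted: the primes live in the process heap of the ransomware, and once that memory is reused or the machine restarts there is nothing left to scan for. The same scan works for either prime, since N divided by one factor gives the other.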
Experts advised against paying the ransom, both because there were no reports of anyone getting their data back after paying and because high revenues would encourage more such campaigns.[86][87][88]
The ransomware campaign was unprecedented in scale according to Europol,[6] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[89]
The attack affected many National Health Service hospitals in England and Scotland,[90] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[91] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[92][93] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[66] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[94][92]
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[95][96]
The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had a security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators[97][98] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[99][100]
According to Cyber risk modeling firm Cyence, economic losses from the cyber attack could reach up to $4 billion, with other groups estimating the losses to be in the hundreds of millions.[101]
Via a honeypot mechanism, security researcher Miroslav Stampar detected a new malware named "EternalRocks" that uses seven leaked NSA hacking tools and leaves Windows machines vulnerable to future attacks that may occur at any time. When installed, the worm names itself WannaCry in an attempt to evade security experts.[102][103][104][105]
A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".[106] British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[107] Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[98] Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[108][109][110] Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.[111]
On 17 May, United States bipartisan lawmakers introduced the PATCH Act[112] that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".[113]
The United States Congress will also hold a hearing on the attack on June 15.[114] Two subpanels of the House Science Committee will hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.[114]
A cybersecurity researcher, working in loose collaboration with the UK's National Cyber Security Centre,[115][116] researched the malware and discovered a "kill switch".[34] Later, globally dispersed security researchers collaborated online to develop open-source tools[117][118] that allow for decryption without payment under some circumstances.[119] Snowden states that when "[NSA]-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.[120][121][116]
Other experts also used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.[122] Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".[98] In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[98] Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".[42]
The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by Government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.[123] Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months previously.[124] Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that, due to their technical design and market incentives, eventually won't be able to properly receive and apply patches.[125] The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[126][67]
The following is an alphabetical list of organisations confirmed to have been affected:
Notes:
Sentence flagged for re-reading: The software contained a URL that, when discovered by a security researcher, Marcus Hutchins, and the corresponding domain registered to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware.
1. encyclopedia, a comprehensive reference work
2. cryptoworm, "encrypting worm". The combining form crypto- (or crypt-) comes from the Greek kryptos ("hidden", here "encrypted"), joined to worm in the sense of a self-propagating virus. A near-synonym has also appeared in English in recent years (the word and its literal rendering are missing from the note); in actual frequency of use, though, the two words are far less common.
3. cryptotrojan, "encrypting Trojan", from crypto- and Trojan horse
4. cryptovirus, "encrypting virus"
5. cryptocurrency, from crypto- and currency
6. propagate, to breed; to spread
7. occasion, (n.) occasion, opportunity; (v.) to bring about, to cause
8. bulletin, an announcement, a notice
9. plug, (n.) a stopper; (v.) to stop up, to seal
10. comparison
11. trickle, a drip; a thin flow
12. fashion, manner, way; also style
13. a range of, a series of, a set of
14. mechanism
15. speculate, to conjecture
16. quarantine, isolation; an isolation period
17. queries with traffic, answering (network) queries with traffic
18. trick, to deceive
19. unprecedented, never seen before
20. botnet variant
21. knocking it offline, taking it off the network
22. live site, the real, currently served site (the author was unsure of this one)
23. infection
24. vector, (mathematics) a vector; (biology) a disease carrier; here, a means of transmission
25. apparently, seemingly; evidently, depending on context
26. implementation, a realisation; carrying out
27. advisory, (adj.) advisory; (n.) a bulletin or warning notice
28. embedded, implanted, built in
29. onwards, forward; from that point on
30. respectively, each in turn
31. classified, categorised
32. mandatory, compulsory
33. tens of thousands; several hundred thousand
34. exponentially
35. take advantage of, to exploit, to make use of
36. fluent in; proficient, skilled, expert
37. carried out, executed
38. heist, a robbery
39. shift blame, to pass the blame
40. false flag, a false-flag operation
41. alleged, claimed, asserted
42. lateral, sideways, horizontal
43. hardcoded, fixed in the code and not easily changed
44. transactions, deals, trades; (computing) transactions
45. balances, (account) balances; balance
46. out-of-band, here: outside the normal release schedule (an unscheduled update); in transport protocols the term also denotes out-of-band data sent separately from the normal stream
47. darknet
48. amounted to, added up to; was in effect ("discovered what amounted to a kill switch" means discovered what was in effect a kill switch)
49. deploy, to put in place
50. extent, degree; (in law) also a writ of seizure
51. elsewhere
52. defeat, v. to beat; n. a defeat, a failure
53. prime number; prime, best, first, principal, the pick of
54. potentially
55. retrieve, to get back, to recover
56. iterated upon by, built upon in a further iteration
57. subsequent, following
58. Embedded, capitalised in product names such as Windows XP Embedded
59. In a statement regarding the matter, in a statement about this matter
60. revenue, income; tax revenue
61. refrigerator
62. ambulance
63. divert, to redirect; to amuse
64. separate, to divide; distinct
65. halt, to stop, to pause
66. relatively
67. critical, crucial; critical in the sense of criticism; important
68. infrastructure
69. honeypot
70. culpability, blameworthiness, guilt
71. ages ago, a long time ago
72. stockpile, to hoard, to store up
73. problematic, questionable, doubtful
74. repeatedly, again and again
75. scenario, a scheme; a plot outline
76. conventional weapons
77. Tomahawk missiles
78. bipartisan lawmakers, legislators from both parties
79. independent board, an independent review board
80. balance A with B
81. transparency and accountability
82. disperse, to scatter, to spread
83. reiterate, to restate, to repeat
84. regular, periodic, orderly; (n.) regular troops, a regular
85. secure, to protect; safe. security, safety, a guarantee
86. wake-up call for, a warning, an alarm bell
87. account for, to explain; to cause
88. market incentives