Where did it come from?
The Petya ransomware worm began spreading on Tuesday morning (June 27, 2017) through a poisoned software update pushed out to businesses and other organizations in Ukraine. The software concerned, MEDoc, is an accounting and tax-reporting application that the great majority of businesses in Ukraine use. The attackers had compromised the vendor's update mechanism, so the malicious update arrived through the same channel, and with the same trust and privileges, as a legitimate one; no user had to open an attachment or click a link for the first infections to happen.
How did Petya spread?
From its initial infection point in Ukraine, the Petya worm quickly spread to companies in other European countries over their own enterprise networks: a Ukrainian branch office sits on the same internal network as the rest of the company, and the worm treats the whole network as local.
There's some evidence that Petya also spread via infected email attachments, but that theory is not quite as well established.
What does Petya do?
Petya is really four things in one. It's a worm that spreads through local networks using both standard Windows administration tools and two SMB exploits that leaked from the NSA (ETERNALBLUE and ETERNALROMANCE).
It's a piece of ransomware that attacks the Master Boot Record, the first sector of the boot disk that Windows needs in order to start: it overwrites the MBR with its own boot code, and on the next reboot that code encrypts the NTFS Master File Table, so the machine can neither boot normally nor locate its files.
There's also a second ransomware component that encrypts individual files on the machine, so data is lost even where the boot-record attack fails.
And there's a fourth component, a Mimikatz-style credential stealer, that harvests usernames and passwords from memory on infected machines, apparently only so that the worm can log in to more machines.
Who is at risk?
The silver lining is that properly patched Windows systems that are not connected to enterprise networks, such as home computers, are at little risk of being infected by the Petya worm — at least for now. If you use a home computer to connect to a corporate VPN, however, you greatly increase the chances of your home network becoming infected.
Does the Petya worm infect Macs, iPhones, Android devices or Linux boxes?
Only Windows machines appear to be at risk.
Does fully patching a Windows computer stop Petya?
Even fully updated Windows computers on an enterprise network can be infected by the Petya worm. Patching closes the SMB exploits, but once Petya is established on even one machine inside the network, it harvests Windows administrative credentials from that machine and uses standard Windows administration tools (a bundled copy of PsExec, and WMIC) to install itself on every Windows machine those credentials can reach. That is ordinary remote administration rather than an exploit, so no patch stops it; only limiting where administrative credentials are used, and which machines they are allowed to log on to, does.
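The credential-reuse spreading described above is not an exploit, so it leaves ordinary administrative traces in Windows event logs rather than crash or exploit artifacts: a PsExec-style run installs a service on the target (System log event 7045, service name PSEXESVC for the stock tool), WMIC run against a remote host shows up as a process creation with /node: on the source (Security event 4688, with command-line auditing enabled), and every remote logon is a type-3 network logon on the target (Security event 4624). The PowerShell below is an added example written for this page, not code from the article or from any vendor analysis; it runs three such rules over a constructed set of normalized event records of the kind you would build from Get-WinEvent. The field names (Computer, Id, LogonType, Account, ServiceName, ImagePath, CommandLine) and the three-host threshold are assumptions of this example.

```powershell
# Added example: triage normalized Windows event records for the
# credential-reuse lateral movement NotPetya used. The record shape and
# the sample set below are constructed for this example.

function Find-LateralMovement {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $HostThreshold = 3   # distinct targets before one account is flagged
    )
    $findings = @()

    # Rule 1: System log event 7045 (new service installed). Stock PsExec
    # registers a service named PSEXESVC and copies PSEXESVC.exe into ADMIN$.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 })) {
        if ($e.ServiceName -match 'PSEXESVC' -or $e.ImagePath -match 'PSEXESVC') {
            $findings += [pscustomobject]@{
                Rule   = 'PsExec-style service install'
                Where  = $e.Computer
                Detail = "$($e.ServiceName) -> $($e.ImagePath)"
            }
        }
    }

    # Rule 2: Security log event 4688 (process creation): WMIC aimed at a
    # remote host with explicit credentials, launching a process there.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4688 })) {
        if ($e.CommandLine -match 'wmic(\.exe)?\s.*/node:' -and
            $e.CommandLine -match 'process\s+call\s+create') {
            $findings += [pscustomobject]@{
                Rule   = 'Remote WMIC process creation'
                Where  = $e.Computer
                Detail = $e.CommandLine
            }
        }
    }

    # Rule 3: Security log event 4624, logon type 3 (network). One account
    # reaching many hosts is the worm's fan-out; a human admin rarely does that.
    $netLogons = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 }
    foreach ($group in ($netLogons | Group-Object -Property Account)) {
        $targets = @($group.Group | Select-Object -ExpandProperty Computer -Unique)
        if ($targets.Count -ge $HostThreshold) {
            $findings += [pscustomobject]@{
                Rule   = 'Fan-out network logons'
                Where  = ($targets -join ', ')
                Detail = "$($group.Name) logged on to $($targets.Count) hosts"
            }
        }
    }
    return $findings
}

# Constructed sample: one harvested admin account reaching three workstations,
# a PsExec service install on one of them, a WMIC launch from the source host,
# and an unrelated interactive (type 2) logon that must not be flagged.
$sample = @(
    [pscustomobject]@{ Computer='WS01'; Id=4624; LogonType=3; Account='CORP\adm_backup'; SourceIp='10.1.1.20' }
    [pscustomobject]@{ Computer='WS02'; Id=4624; LogonType=3; Account='CORP\adm_backup'; SourceIp='10.1.1.20' }
    [pscustomobject]@{ Computer='WS03'; Id=4624; LogonType=3; Account='CORP\adm_backup'; SourceIp='10.1.1.20' }
    [pscustomobject]@{ Computer='WS01'; Id=4624; LogonType=2; Account='CORP\jdoe';       SourceIp='-' }
    [pscustomobject]@{ Computer='WS02'; Id=7045; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Computer='WS00'; Id=4688; CommandLine='wmic.exe /node:"WS03" /user:"CORP\adm_backup" /password:"PLACEHOLDER" process call create "rundll32.exe C:\Windows\perfc.dat,#1"' }
)

Find-LateralMovement -Events $sample | Format-Table -AutoSize -Wrap
```

Run against real data, replace the sample with records built from Get-WinEvent across collected hosts; rule 3 only works on logs aggregated from many machines, since a single host sees only the logons onto itself. A renamed PsExec changes the service name (PsExec's -r option does this too), so in production pair rule 1 with a second 7045 rule that flags any unexpected executable dropped directly under %SystemRoot%.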
Will antivirus software stop the Petya worm?
It should. All good antivirus software products should block the Petya worm from installing. That may change if the worm's code or behavior drastically changes.
Is Petya related to WannaCry?
Petya uses the ETERNALBLUE exploit, the same one the otherwise unrelated WannaCry ransomware worm used in mid-May, to spread among Windows machines on an enterprise network. Unlike WannaCry, it does not scan the public internet for targets; it combines the exploit with the stolen-credential spreading described above and stays inside the local network.
Who's behind Petya?
It's not clear who created and released Petya, but a lot of circumstantial evidence points to "patriotic" Russian hackers.
Why is it called Petya?
The ransomware component of this new worm bears at least a superficial resemblance to the latest iterations of Petya, a ransomware strain first spotted in early 2016 that likewise overwrote the boot record and encrypted the Master File Table. (Petya is the Russian diminutive of Pyotr, roughly "Pete.")
Should I pay the Petya ransom?
If your computer is encrypted by Petya, there's no point in paying the ransom. The email address that you have to contact to collect the decryption key, wowsmith123456@posteo.net, has been shut down by the email host. Later analysis also found that the "personal installation key" shown in the ransom note is random data, not an encrypted copy of the disk key, so the attackers could not have produced a working decryption key even if the mailbox were still open. Unless new strains of the ransomware provide a different contact address and a working key exchange, there's no way to recover your files other than from backups.
Is there a Petya "kill switch"?
No. However, there are a couple of ways that you might be able to prevent or stop the encryption process.
First, if your computer begins to shut down or reboot on its own, abort the shutdown and keep it running. After installing itself the worm schedules a reboot, because its boot-record attack only runs at startup; as long as the machine stays up, the Master File Table is intact and the disk can still be imaged or its files copied off.
Second, you can try to "immunize" your machine by creating a read-only file named "perfc" (no extension) in the Windows directory, normally C:\Windows. The worm's DLL checks for a file with its own name there and, if it finds one, skips the encryption step on that machine; it will still spread to other machines on the same network, so this is damage control, not containment. Reports at the time said the trick did not work on Windows 7, and newer versions of the Petya code may drop the check altogether.
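The two stopgaps above, as one PowerShell procedure to run from an elevated prompt on a machine you suspect is infected. This is an added example written for this page, not a tool from the article or from any vendor. It aborts a shutdown that is still in its countdown, lists scheduled tasks whose action is a forced reboot (the mechanism the worm used to time its restart, so any such task you did not create should be deleted), and creates the read-only vaccine file. The article names only "perfc"; the additional names "perfc.dat" and "perfc.dll" come from the guidance circulated at the time, when the dropper was seen under those names, and are an assumption of this example rather than something the page states.

```powershell
# Added example (not from the article). Run as Administrator.

# 1. Abort a shutdown that is pending but has not yet executed.
#    shutdown.exe exits non-zero when nothing was pending.
& "$env:SystemRoot\System32\shutdown.exe" /a 2>$null
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Pending shutdown aborted.'
} else {
    Write-Host 'No shutdown was pending.'
}

# 2. Show scheduled tasks whose action is a forced reboot. Review and remove
#    any you did not create: Unregister-ScheduledTask -TaskName <name> -Confirm:$false
function Get-RebootTasks {
    Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object {
            $_.Execute -match 'shutdown' -and $_.Arguments -match '/r'
        }).Count -gt 0
    } | Select-Object TaskName, TaskPath, State
}
Get-RebootTasks | Format-Table -AutoSize

# 3. Create the vaccine files in the Windows directory and mark them read-only.
#    'perfc' is the name the article gives; the other two are an assumption
#    carried over from contemporary guidance.
function Install-PerfcVaccine {
    param([string[]] $Names = @('perfc', 'perfc.dat', 'perfc.dll'))
    $created = @()
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        $created += $path
    }
    return $created
}
Install-PerfcVaccine | ForEach-Object { Write-Host "Vaccine file present: $_" }
```

The abort in step 1 only helps while shutdown.exe is still counting down; a forced reboot fired by a scheduled task gives a short window at best, which is why step 2, finding and deleting the task before it fires, matters more. None of this removes the worm or stops it spreading; isolate the machine from the network first.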