
Alert: Beware of ransomware

WannaCry
Kaspersky Lab successfully detects and blocks WannaCry

On May 12, a widespread ransomware attack targeting many organizations around the world took place. Kaspersky Lab analyzed the data and confirmed that our protection systems detected at least 45,000 attacks in 74 countries, most of them in Russia.

The ransomware infects victims' computers by exploiting a Microsoft Windows vulnerability that is described and patched in Microsoft Security Bulletin MS17-010. The exploit used, Eternal Blue, was published in the Shadowbrokers dump on April 14.

Before the shocking news about this malware was covered by the press, Kaspersky Lab products had already detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted and the extension ".WCRY" is added to the file names.

Kaspersky Lab security solutions detect the ransomware related to WannaCry, keeping home users and businesses safe from this dangerous outbreak.

The System Watcher component, included in Kaspersky Internet Security for home users and in Kaspersky Security for Business, is the key shield protecting users' data against WannaCry or any other ransomware. System Watcher can roll back the changes made by ransomware to their original state in the event that a malicious sample gets past the other layers of defense.

In addition, the Intrusion Detection technology in Kaspersky Lab solutions can stop the WannaCry infection at the network level.

Kaspersky Lab detection names related to WannaCry:


Trojan-Ransom.Win32.Scatter.uf
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Fury.fr
Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
Trojan.Win64.EquationDrug.gen
Trojan.Win32.Generic

The file extensions that the malware targets for encryption fall into the following format groups:

1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
6. Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
8. Files used by graphic designers, artists and photographers (.vsd, .odg, .raw, .nf, .svg, .psd).
9. Virtual machine files (.vmx, .vmdk, .vdi).
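A detection sketch built on two facts stated above, the ".WCRY" extension appended to encrypted files and the targeted extension groups. It is an added example, not Kaspersky Lab code; the event format, host names, paths, time window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
# Extension groups as listed on this page (the page's examples, one group per list item).
TARGET_GROUPS = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi"},
    "regional office": {".sxw", ".odt", ".hwp"},
    "archives/media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "databases": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source code": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys/certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nf", ".svg", ".psd"},
    "virtual machines": {".vmx", ".vmdk", ".vdi"},
}
EXT_TO_GROUP = {e: g for g, exts in TARGET_GROUPS.items() for e in exts}
MARKER = ".wcry"  # extension appended to encrypted files, per the page

def classify(path):
    """Group of the original extension if the name ends in .WCRY, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if not suffixes or suffixes[-1] != MARKER:
        return None
    original = suffixes[-2] if len(suffixes) > 1 else ""
    return EXT_TO_GROUP.get(original, "unlisted")

def triage(events, window=60, threshold=3):
    """Report hosts with >= threshold marker files created within `window` seconds."""
    hits = defaultdict(list)
    for ts, host, path in sorted(events):  # events: (epoch_seconds, host, new_path)
        group = classify(path)
        if group:
            hits[host].append((ts, group))
    report = {}
    for host, items in hits.items():
        times = [t for t, _ in items]
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            report[host] = sorted({g for _, g in items})
    return report

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE = [
    (100, "ws-01", r"C:\Users\a\Documents\budget.xlsx.WCRY"),
    (104, "ws-01", r"C:\Users\a\Documents\mail.pst.WCRY"),
    (110, "ws-01", r"D:\vm\lab.vmdk.WCRY"),
    (120, "ws-02", r"C:\notes\old.doc.WCRY"),  # single file: below threshold
    (130, "ws-03", r"C:\src\main.cpp"),        # no marker
]
print(triage(SAMPLE))
```

The burst threshold separates a host where encryption is actively running from a single stray file; a lone ".WCRY" file still deserves a manual look.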

Kaspersky Lab experts are continuing to work on the possibility of creating a decryption tool to help victims. We will provide an update when this tool is available. The community can also follow www.nomoreransom.org* to look for a suitable decryption tool.

Recommendations for protecting against the WannaCry malware:

Make sure that all computers have security software installed and that its anti-ransomware components are turned on.
Install the official patch (MS17-010) from Microsoft, which fixes the SMB Server vulnerability exploited in this attack.
Make sure that the System Watcher component is turned on in Kaspersky Lab products (Enable state).
Run the Critical Area Scan included in Kaspersky Lab solutions to detect infections as quickly as possible (otherwise infections will be detected automatically, but only after 24 hours).
If an attack from malware named MEM:Trojan.Win64.EquationDrug.gen is detected, reboot the system.
Once again, make sure the MS17-010 patch is installed.
Back up data regularly to storage that is not connected to the Internet.

Attack method and scale

Our analysis shows that the attack, called "WannaCry", is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed "EternalBlue") was made available on the internet through the Shadowbrokers dump on April 14, 2017, and was patched by Microsoft on March 14. Unfortunately, it appears that many organizations and users have not yet installed this patch.

What is worrying is that not only can unpatched Windows computers exposing their SMB services be attacked remotely with the "EternalBlue" exploit and infected by WannaCry, but even computers without the vulnerability can still be taken down easily. Nevertheless, this vulnerability is considered the main factor behind the WannaCry outbreak.

The top 20 most affected countries include: Russia, Ukraine, India, Taiwan, Tajikistan, Kazakhstan, Luxembourg, China, Romania, Vietnam, etc. These records may be limited and may not show the full picture; the actual numbers may be higher.

Note that "the payment amount will be raised" after a specific countdown, along with another display that raises the urgency to pay, threatening that the user will completely lose their files after the announced period. Not all ransomware provides a countdown timer like WannaCry does.

To make sure the user does not miss the warning, the tool changes the user's wallpaper to instructions on how to find the decryptor.

For payment in bitcoin, the malware directs to a page with a btcfrog QR code, which links to a main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. The image metadata does not provide any additional information.

The designers of WannaCry prepared a "Q&A" section in different languages, including Vietnamese, Chinese, Danish, Dutch, English, Filipino, French, Japanese, etc. These questions are along the lines of: Can I recover my files? How do I pay? How do I make contact? etc.

See more details in the WannaCry malware analysis report here.

*Nomoreransom.org is a non-profit project jointly developed by Kaspersky Lab and cyber-security organizations such as Europol and Politie to provide, free of charge, all necessary information about ransomware as well as the corresponding decryption tools.

- End -