Journal of Information Security Research ›› 2019, Vol. 5 ›› Issue (4): 346-351.


Identification, Disposal and Defense of Extortion Virus


  • Received: 2019-04-08; Online: 2019-04-15; Published: 2019-04-08

Ransomware Identification, Disposal and Defense (original title: 勒索病毒识别、处置与防御)

Li Huasheng (李华生) 1, Huang Jin (黄进) 2

  1. Endpoint Security Business Unit, Hangzhou DBAppSecurity Technology Co., Ltd. (杭州安恒信息技术股份有限公司)
  2. Hangzhou DBAppSecurity Technology Co., Ltd.
  • Corresponding author: Li Huasheng
  • About the authors: Li Huasheng holds a master's degree and is General Manager of the Endpoint Security Business Unit at Hangzhou DBAppSecurity Technology Co., Ltd. His main research interests are malicious file defense, unknown threat detection and related information security topics. Email: wonston.li@dbappsecurity.com.cn. Huang Jin is Senior Vice President of Hangzhou DBAppSecurity Technology Co., Ltd. For nearly ten years he has worked in the research, development and management of cybersecurity products, focusing on the classified protection framework for information system security, application security, cloud security, and big-data situational awareness, and has repeatedly taken part in the drafting of national cybersecurity standards and in technical research and development conferences. Email: kadin.huang@dbappsecurity.com.cn

Abstract: Ransomware ("extortion virus") spreads mainly through email, trojanized programs, and drive-by downloads planted on compromised web pages. It encrypts files using various asymmetric encryption algorithms, so the victim generally cannot decrypt them; recovery is possible only if the decryption private key is obtained. Ransomware is vicious and extremely harmful: once a system is infected, it causes immeasurable loss to users. Identifying, handling and defending against ransomware is therefore particularly important. For identification, conventional anti-virus software is usually combined with behavior-based recognition; for disposal, manual and automated methods are used together so that the infection can be cleaned up completely; for defense, traffic-level analysis and early warning, together with endpoint-level protection and the blocking of encryption, are all essential links.
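The abstract names a "bait engine" among the endpoint-level defenses: decoy files that no legitimate user touches, so that any modification, encryption or renaming of them is a behavioral signal of ransomware activity. The script below is an added illustration of that idea and is not code from the paper or from DBAppSecurity's products; the decoy file names, the entropy threshold and the directory layout are assumptions chosen for the example. It plants low-entropy decoy files, records their hashes, and on each check reports decoys that have disappeared (typically renamed with a ransom extension) or been rewritten, flagging high-entropy rewrites as likely encryption.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed decoy names chosen to sort first/last in a directory listing,
# since file-encrypting malware usually walks directories in listing order.
# Names are assumptions for this example.
DECOY_NAMES = ["!!important-readme.docx", "~$quarterly-budget.xlsx", "zz_archive_old.pdf"]

# Entropy threshold (bits per byte) above which a rewritten decoy is treated as
# ciphertext; plain office/text content sits well below this. Assumed value.
ENCRYPTED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random/encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(directory: str, names=DECOY_NAMES) -> dict:
    """Write predictable, low-entropy decoy files and return {path: sha256}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        # Repetitive content: low entropy, so any encryption is obvious.
        content = f"DECOY FILE {name} - do not edit\n".encode() * 64
        with open(path, "wb") as fh:
            fh.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare decoys against the recorded baseline.

    Returns a list of (path, reason) alerts where reason is one of
    'missing_or_renamed', 'modified_high_entropy' or 'modified'.
    An empty list means no decoy was touched.
    """
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing_or_renamed"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            if shannon_entropy(data) > ENCRYPTED_ENTROPY_THRESHOLD:
                alerts.append((path, "modified_high_entropy"))
            else:
                alerts.append((path, "modified"))
    return alerts


def simulate_ransomware_touch(baseline: dict) -> None:
    """Constructed test stimulus: overwrite one decoy with random bytes
    (stands in for ciphertext) and rename another (stands in for a
    ransom-extension rename). Used only to exercise check_decoys()."""
    paths = sorted(baseline)
    with open(paths[0], "wb") as fh:
        fh.write(os.urandom(4096))
    os.rename(paths[1], paths[1] + ".locked")


def demo() -> tuple:
    """Plant decoys in a temp dir, verify a clean check, then verify detection."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(baseline)
        simulate_ransomware_touch(baseline)
        alerts = check_decoys(baseline)
        return clean, sorted(reason for _, reason in alerts)


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after simulated tampering:", after)
```

In a real deployment the check would run from a file-system watcher rather than on demand, and an alert would trigger the "protection engine" response the abstract refers to (suspending the writing process and isolating the host) rather than just printing; the decoy content should also mimic real document formats so that malware which inspects file headers still takes the bait.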

Key words: ransomware (extortion virus), endpoint EDR, APT early warning, bait (decoy) engine, protection engine

Abstract (translated from the Chinese): Ransomware spreads mainly through email, trojanized programs and drive-by downloads planted on web pages. It encrypts files using various asymmetric encryption algorithms; the victim generally cannot decrypt them and can only hope to recover them by obtaining the decryption private key. Ransomware is vicious and extremely harmful, and once a system is infected it causes incalculable loss to users. Identifying, handling and defending against ransomware is therefore particularly important. Identification generally combines conventional anti-virus software with behavior-based recognition; disposal generally requires manual and automated methods together before the infection can be cleaned up completely; for defense, traffic-level analysis and early warning, together with endpoint-level protection and the blocking of encryption, are all important links.

Key words (translated from the Chinese): ransomware, endpoint EDR, APT early warning, bait engine, protection engine