On Friday, May 12, hundreds of thousands of computers around the world were infected by the WannaCry virus (also known as WCry and WanaCrypt0r 2.0). It attacked computers running the Windows operating system and spread around the world within a few hours. The new virus affected both the computers of private individuals and the PCs of government institutions and large companies. Russia suffered the most, with the computers of many government agencies affected.

Interesting fact: After WannaCry spread in Russia, reports appeared that the issuance of driver's licenses had been suspended because computers of the Ministry of Internal Affairs were damaged. In addition, the PCs of the Investigative Committee and of many large companies, including Megafon, were infected.

What is the WannaCry virus?

The WannaCry virus is a typical "data encryptor". Viruses of this type are among the most dangerous and the hardest to counter. They are most often aimed at extorting money from the users whose computers they infect, and WannaCry is no exception.

Interesting fact: At the moment it is not known exactly who created the WannaCry virus. Assumptions are being made not only online but also at the state level: in particular, the President of the Russian Federation, Vladimir Putin, accused US intelligence agencies of spreading the threat.

When it reaches a user's computer, the WannaCry virus encrypts the data on it. Encrypted files receive the extension ".WNCRY", and the name of each encrypted file begins with "WANACRY!". Decrypting these files with the standard antiviruses and decryptors used against other similar malware is almost impossible.

After encrypting the user's data, the WannaCry virus displays a window on the screen with the message "Ooops, your files have been encrypted!". This is followed by information about what the virus is, whether the files can be recovered, and so on.

Interesting fact: The creators of the WannaCry virus took care of users in different regions by localizing the ransom message for them. In Russia, the virus explains in Russian how to unlock files infected with WannaCry.

How to unlock files infected with WannaCry

The creators of the WannaCry virus have provided the ability to unlock user files, but only for money and for a limited time:

  • Within 3 days of infection, you can send the equivalent of $300 to the BitCoin wallet specified by the virus creators to unlock the files;
  • If the extortionists do not receive the money within 3 days, the unlocking price rises to the equivalent of $600 in bitcoins;
  • If by the seventh day of infection the user has still not transferred money to the extortionists, the files are destroyed.

It is worth noting that the WannaCry information window contains countdown timers showing the time left until the unlocking price rises and until the data is destroyed.

Interesting fact: Although the WannaCry virus infected hundreds of thousands of computers on the first day, according to The Guardian only about a hundred people agreed to pay the $300 ransom to unlock their data.

Which computers are affected by the WannaCry virus?

The WannaCry virus affects only computers running the Windows operating system, and above all computers running old versions of Windows: XP, Server 2003 and 8.

Fun fact: Back in March, Microsoft released an update that protects computers from damage by the WannaCry virus. But that patch was released only for the operating systems the company still supports, namely Windows 7 and Windows 10 in their various editions; users of other versions of Windows remained at risk and were affected. Literally the day after the mass infection with WannaCry became known, Microsoft released an update for Windows XP and other older systems whose support had officially been discontinued.

The WannaCry virus infects computers through scripts sent by mail and through various websites.

Important: If you see an email (especially from an unknown sender) with file attachments that have the .exe or .js extension, do not download them to your computer, even if the antivirus built into your browser sees no problem with the files!

How to protect your computer from the WannaCry virus

Besides not visiting unverified sites and not downloading dubious files from email, there are several more recommendations that will help you avoid infecting your computer with the WannaCry virus:

Worth noting: There are several forms of the WannaCry virus. Some of them can be dealt with by booting the computer into Safe Mode with Networking, scanning it with SpyHunter Anti-Malware Tool, Malwarebytes Anti-Malware or STOPZilla, and then choosing a decryptor to decrypt the data. But this method only works if your computer was infected with one of the earlier versions of WannaCry.

Every few years a virus appears on the network that can infect a great many computers in a short time. This time that virus was Wanna Cry (or, as users from Russia sometimes call it, "over there" or "I want to cry"). This malware infected about 57,000 computers in almost every country of the world in just a few days. Over time the rate of infection has decreased, but newly infected devices are still appearing. At the moment more than 200,000 computers have been affected, belonging to both private users and organizations.

Wanna Cry is the most serious computer threat of 2017 and you can still fall victim to it. In this article we will tell you what Wanna Cry is, how it spreads and how to protect yourself from the virus.

WannaCry encrypts most or even all of the files on your computer. The software then displays a message on the screen demanding a ransom of $300 to decrypt your files. The payment must be made to a Bitcoin wallet. If the user does not pay the ransom within 3 days, the amount doubles to $600. After 7 days the virus deletes all encrypted files and all your data is lost.

Symantec has published a list of all the file types that Wanna Cry can encrypt. It includes ALL popular file formats, including .xlsx, .xls, .docx, .doc, .mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .3gp, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar. The full list follows.

  • .accdb
  • .backup
  • .class
  • .djvu
  • .docb
  • .docm
  • .docx
  • .dotm
  • .dotx
  • .java
  • .jpeg
  • .lay6
  • .mpeg
  • .onetoc2
  • .potm
  • .potx
  • .ppam
  • .ppsm
  • .ppsx
  • .pptm
  • .pptx
  • .sldm
  • .sldx
  • .sqlite3
  • .sqlitedb
  • .tiff
  • .vmdk
  • .vsdx
  • .xlsb
  • .xlsm
  • .xlsx
  • .xltm
  • .xltx

As you can see, a virus can encrypt almost any file on your computer’s hard drive. After encryption is completed, Wanna Cry posts instructions for decrypting files, which involves paying a certain ransom.

The US National Security Agency (NSA) discovered an exploit called “EternalBlue”, but chose to hide this fact in order to use it to their advantage. In April 2017, the hacker group Shadow Brokers published information about the exploit.

The Wanna Cry virus most often spreads as follows: you receive an email with an attachment. The attachment appears to contain a photo, a video or a piece of music, but if you look closely at the file you can see that its extension is .exe (an executable file). Once the file is launched, the system is infected and, thanks to the previously found exploit, a virus is downloaded that encrypts the user's data.

However, this is not the only way Wanna Cry (the "over there" virus) can spread. You can just as easily download an infected file from a torrent tracker or receive it in a private message on a social network.

How to protect yourself from the Wanna Cry virus?

  • First of all, install all available updates for your operating system. In particular, users of Windows XP, Windows 8 or Windows Server 2003 should immediately install the security update that Microsoft released for these systems.
  • In addition, be extremely attentive to every message arriving in your mailbox. Do not lower your guard even if the sender is known to you. Never open files with the extensions .exe, .vbs and .scr. Keep in mind that the extension can be disguised to look like an ordinary video or document, such as avi.exe or doc.scr.
  • It is advisable to enable the "Show file extensions" option in Windows settings. This lets you see the true extension of a file even if criminals have tried to disguise it.
  • Installing an antivirus alone is unlikely to save you from infection. The Wanna Cry virus exploits an OS vulnerability, so first install all updates for your Windows, and only then install an antivirus.
  • Be sure to save all important data to an external HDD or to the "cloud". Then, even if your computer is infected, you will only need to reinstall the OS to get rid of the virus.
  • Be sure to use the latest databases for your antivirus. Avast, Dr.Web, Kaspersky, Nod32: all modern antiviruses constantly update their databases. The main thing is to make sure that your antivirus license is active and that it is being updated.
  • Download and install the free Kaspersky Anti-Ransomware utility from Kaspersky Lab. This software protects you from ransomware in real time and can be used alongside a conventional antivirus.

As I already wrote, Microsoft has released a patch that closes the vulnerabilities in the OS and prevents the Wanna Cry virus from encrypting your data. This patch urgently needs to be installed on the following operating systems:

Windows XP, Windows 8 or Windows Server 2003, Windows Embedded

If you have a different version of Windows, simply install all available updates.

Removing the Wanna Cry virus from your computer is easy: just scan it with one of the anti-malware utilities (for example, Hitman Pro). However, your documents will still remain encrypted. So if you plan to pay the ransom, do not rush to remove the ransomware's own program; it is better to wait. If you do not need the encrypted data, the simplest option is to format the hard drive and reinstall the OS. This will certainly destroy all traces of the virus.

Programs of the "ransomware" type (which includes Wanna Cry) usually encrypt your data with 128- or 256-bit keys. The key is unique for each computer, so decrypting it at home could take tens or hundreds of years. In practice, this makes it impossible for the average user to decrypt the data.

Of course, we would all like to have a Wanna Cry decryptor in our arsenal, but no such solution exists yet. For example, a similar virus appeared several months ago, and there is still no decryptor for it either.

So if you have not yet been infected, take care of yourself and apply the protective measures described in this article. If you have already become a victim, you have several options:

  • Pay the ransom. Disadvantages of this decision: the relatively high price of the data, and no guarantee that all of it will be decrypted.
  • Put the hard drive on a shelf and hope that a decryptor appears. Decryptors are developed by Kaspersky Lab and posted on the No Ransom website. There is no decryptor for Wanna Cry yet, but one may appear after some time. We will definitely update the article when such a solution becomes available.
  • If you are a licensed user of Kaspersky Lab products, you can submit a request to decrypt the files that were encrypted by the Wanna Cry virus.
  • Reinstall the OS. Disadvantage: all data will be lost.
  • Use one of the methods of data recovery after a Wanna Cry infection (I will publish it on our website as a separate article within a couple of days). Keep in mind, however, that the chances of recovering data are extremely low.

How to cure the Wanna Cry virus?

As you have already understood from the article, removing the Wanna Cry virus is extremely simple: you install one of the anti-malware utilities, it scans your hard drive and removes all viruses. The problem is that all your data remains encrypted. In addition to the recommendations for removing and decrypting Wanna Cry given above, the following can be suggested:

  1. You can turn to the Kaspersky Lab forum. In the thread available at the link, several topics about Wanna Cry have been created. Representatives of the developer answer on the forum, so they may be able to tell you something useful too.
  2. You can wait: the virus appeared not long ago, and a decryptor may yet appear. For example, no more than six months ago Kaspersky managed to defeat the CryptXXX encryptor. It is possible that after some time they will release a decryptor for Wanna Cry.
  3. The radical solution is to format the hard drive, reinstall the OS and lose all the data. Are the photos from your last corporate party really that important to you?)

As you can see from the infographic presented, most of the computers infected with Wanna Cry are located in Russia. This is not surprising: in our country the share of users of "pirated" OS copies is extremely high, and such users most often have automatic updates disabled, which is what made the infection possible.

As it became known, in Russia not only ordinary users were affected, but also state-owned enterprises and private companies. It is reported that among the victims were the Ministry of Internal Affairs, the Ministry of Emergency Situations and the Central Bank, as well as Megafon, Sberbank and Russian Railways.

In the UK, the hospital network was affected, making it impossible to carry out some operations.

Protecting yourself from infection was easy: back in March, Microsoft released a security update for Windows that closed the "holes" in the OS through which the virus operates. If you have not done so yet, be sure to install all updates for your OS, as well as the special patch for old Windows versions that I mentioned above.

Some users of Linux operating systems are wondering whether their computers can be infected with the Wanna Cry virus. I can reassure them: this virus is no threat to computers running Linux. At the moment, no variant of the virus has been detected for that OS.

Conclusion

So, today we talked about the Wanna Cry virus. We learned what this virus is, how to protect yourself from infection, how to remove the virus and restore files, where to get the Wanna Cry decryptor. In addition, we found out where to download a patch for Windows that will protect you from infection. I hope you found this article helpful.

Today, perhaps only people very far from the Internet are unaware of the mass infection of computers with the WannaCry ("I want to cry") encryption Trojan that began on May 12, 2017. I would divide the reaction of those who do know about it into two opposite categories: indifference and panic. What does this mean?

It means that fragmentary information does not give a complete picture of the situation, which gives rise to speculation and leaves more questions than answers. Today's article is devoted to understanding what is really happening, who and what is under threat, how to protect yourself from infection, and how to decrypt files damaged by WannaCry.

Is the "devil" really that scary?

I don't understand what all the fuss about WannaCry is. There are many viruses, and new ones appear constantly. What's special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is no ordinary piece of malware. The reason for its notoriety is the gigantic amount of damage it has caused. According to Europol, it disrupted the work of more than 200,000 Windows computers in 150 countries, and the losses suffered by their owners exceeded $1,000,000,000. And that is only in the first 4 days of its spread. Most of the victims are in Russia and Ukraine.

I know that viruses enter PCs through adult websites. I don’t visit such resources, so I’m not in danger.

Viruses? I have had that problem too. When viruses appear on my computer, I run the *** utility and half an hour later everything is fine. And if that doesn't help, I reinstall Windows.

Not all viruses are alike. WannaCry is a ransomware Trojan and a network worm that can spread through local networks and the Internet from one computer to another without any human involvement.

Most malware, ransomware included, starts working only after the user "takes the bait", that is, clicks a link, opens a file, and so on. To get infected with WannaCry, you don't need to do anything at all!

Once on a Windows computer, the malware encrypts the bulk of the user's files in a short time and then displays a message demanding a ransom of $300-600, to be transferred to the specified wallet within 3 days. If the victim is late, it threatens to make decryption of the files impossible after 7 days.


At the same time, the malware looks for loopholes to penetrate other computers, and if it finds one it infects the entire local network. This means that backup files stored on neighboring machines also become unusable.

Removing the virus from the computer does not decrypt the files! Neither does reinstalling the operating system. On the contrary, in the case of a ransomware infection both of these actions may deprive you of the ability to recover the files even if you have a valid key.

So yes, the "devil" is quite scary.

How WannaCry spreads

You're lying. A virus can only get onto my computer if I download it myself. And I'm vigilant.

Much malware can infect computers (and mobile devices too, by the way) through vulnerabilities: errors in the code of operating system components and programs that give cyber-attackers the opportunity to use a remote machine for their own purposes. WannaCry in particular spreads through a 0-day vulnerability in the SMB protocol (zero-day vulnerabilities are errors that had not been fixed at the time malware/spyware began exploiting them).

That is, to infect a computer with a ransomware worm, two conditions are sufficient:

  • A connection to a network that contains other infected machines (the Internet).
  • The presence of the loophole described above in the system.

Where did this infection even come from? Is this the work of Russian hackers?

According to some reports (I cannot vouch for their authenticity), the gap in the SMB network protocol, which serves for legitimate remote access to files and printers in Windows, was first discovered by the US National Security Agency. Instead of reporting it to Microsoft so that the error could be fixed, the NSA decided to use it itself and developed an exploit for it (a program that takes advantage of the vulnerability).


Visualization of the dynamics of WannaCry distribution on the website intel.malwaretech.com

Subsequently, this exploit (codenamed EternalBlue), which for some time served the NSA to penetrate computers without the knowledge of the owners, was stolen by hackers and formed the basis for the creation of the WannaCry ransomware. That is, thanks to the not entirely legal and ethical actions of the US government agency, virus writers learned about the vulnerability.

I disabled the installation of Windows updates. What are they needed for, when everything works without them?

The reason for such a rapid and large-scale spread of the epidemic was the lack, at that time, of a "patch", that is, a Windows update capable of closing the Wanna Cry loophole. After all, it took time to develop one.

Today such a patch exists. Users who update their system automatically received it within the first hours of its release. Those who believe that updates are not needed are still at risk of infection.

Who is at risk from the WannaCry attack and how to protect against it

As far as I know, more than 90% of the computers infected with WannaCry ran Windows 7. I have the "ten", which means I'm not in danger.

All operating systems that use the SMB v1 network protocol are susceptible to WannaCry infection. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v 1511
  • Windows 10 v1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Today, the users at risk are those whose systems lack the critical security update MS17-010 (available for free download from technet.microsoft.com, to which the link is provided). Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported operating systems can be downloaded from this page on support.microsoft.com. It also describes ways to check whether the life-saving update is present.

If you don't know the OS version on your computer, press the Win+R key combination and run the winver command.


To enhance protection, and in case the system cannot be updated right now, Microsoft provides instructions for temporarily disabling SMB protocol version 1. Additionally, although not necessarily, you can close TCP port 445, which serves SMB, in the firewall.

I have the best antivirus in the world ***, with it I can do anything and I’m not afraid of anything.

WannaCry can spread not only by the self-propelled method described above but also in the usual ways: through social networks, email, infected and phishing web resources, and so on. There have been such cases. If you download and run a malicious program manually, neither an antivirus nor the patches that close vulnerabilities will save you from infection.

How the virus works, what it encrypts

Fine, let it encrypt whatever it wants. I have a friend who is a programmer; he will decipher everything for me. As a last resort we will find the key by brute force.

So it encrypts a couple of files, so what? That won't stop me working on the computer.

Unfortunately, he will not decipher anything, since there is no way to break the RSA-2048 encryption algorithm that Wanna Cry uses, and none will appear in the foreseeable future. And it will encrypt not just a couple of files but almost everything.

I won't give a detailed description of how the malware works; anyone interested can read an analysis of it, for example on the blog of Microsoft expert Matt Suiche. I will note only the most significant points.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, there are documents, photos, video and audio, archives, mail, and files created in various programs... The malware tries to reach every directory in the system.

Encrypted objects receive a double extension with the suffix WNCRY, for example "Document1.doc.WNCRY".


After encryption, the virus copies into every folder an executable file, supposedly for decryption after the ransom is paid, as well as a text document with a message for the user.

Next, it tries to destroy shadow copies and Windows restore points. If UAC is enabled on the system, the user must confirm this operation. If you reject the request, there is still a chance to restore data from the copies.

WannaCry transmits the encryption keys of the affected system to command centers located on the Tor network and then deletes them from the computer. To find other vulnerable machines, it scans the local network and arbitrary IP ranges on the Internet, and once it finds one it penetrates everything it can reach.

Today, analysts know of several modifications of WannaCry with different distribution mechanisms, and we should expect new ones to appear in the near future.

What to do if WannaCry has already infected your computer

I see files changing extensions. What's happening? How to stop this?

Encryption is not an instantaneous process, although it does not take very long. If you notice it before the ransomware message appears on the screen, you can save some of your files by immediately cutting the computer's power. Not by shutting down the system, but by pulling the plug from the socket!

When Windows boots in normal mode the encryption will continue, so it is important to prevent that. The next start of the computer must be either in Safe Mode, in which the virus is not active, or from other bootable media.

My files are encrypted! The virus demands a ransom for them! What to do, how to decrypt?

Decrypting files after WannaCry is only possible if you have a secret key, which the attackers promise to provide as soon as the victim transfers the ransom amount to them. However, such promises are almost never fulfilled: why should malware distributors bother if they already got what they wanted?

In some cases the problem can be solved without a ransom. To date, two WannaCry decryptors have been developed: WannaKey (by Adrien Guinet) and WanaKiwi (by Benjamin Delpy). The first works only on Windows XP; the second, built on the first, works on Windows XP, Vista and 7 x86, as well as on the server systems 2003, 2008 and 2008 R2 x86.

Both decryptors work by searching the memory of the encryptor process for the secret keys. This means that only those who have not yet restarted the computer have a chance of decryption, and only if not too much time has passed since encryption (so that the memory has not been overwritten by another process).

So if you are a user of Windows XP through 7 x86, the first thing to do after the ransom message appears is to disconnect the computer from the local network and the Internet and run the WanaKiwi decryptor, downloaded on another device. Until the key has been extracted, perform no other actions on the computer!

You can read a description of how the WanaKiwi decryptor works in another post on Matt Suiche's blog.

After decrypting the files, run an antivirus to remove the malware and install a patch that closes its distribution paths.

Today, WannaCry is recognized by almost all antivirus programs, with the exception of those that are not updated, so almost any will do.
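Putting this section's advice into one routine: the PowerShell below is an added example, not code from the article or from the WannaKey/WanaKiwi authors. It records volatile state first (the process list, live connections and whatever shadow copies the Trojan failed to delete), then disconnects the host by disabling its network adapters, deliberately without rebooting, logging off or killing anything, so that a WanaKiwi-style key search in the encryptor's memory remains possible. The function name Invoke-HostIsolation and the evidence folder layout are this example's own choices; it uses only WMI, netstat and Get-Process so that it runs on the older systems WanaKiwi supports (the adapter Disable() method needs Vista or later).

```powershell
# Added example (not the article's own): freeze volatile evidence and isolate the
# host WITHOUT rebooting, so that a key search in the encryptor process memory
# (the WanaKiwi approach described above) stays possible. Run from an elevated prompt.

function Invoke-HostIsolation {
    param(
        # Evidence folder; an attached USB stick is a better choice than the system drive.
        [string]$EvidenceDir = "$env:SystemDrive\IR-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    # 1. Volatile state first: the process list. The encryptor process is what the
    #    key-recovery tools read, so it is recorded, never terminated.
    Get-Process -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime, WorkingSet -ErrorAction SilentlyContinue |
        Export-Csv -Path (Join-Path $EvidenceDir 'processes.csv') -NoTypeInformation

    # 2. Live TCP connections, including any outbound port-445 scanning by the worm.
    netstat -ano | Out-File -FilePath (Join-Path $EvidenceDir 'netstat.txt')

    # 3. Shadow copies: the article notes the Trojan tries to delete them and that a
    #    rejected UAC prompt may leave them intact, so record what is still present.
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $shadows | Select-Object ID, InstallDate, VolumeName |
        Export-Csv -Path (Join-Path $EvidenceDir 'shadowcopies.csv') -NoTypeInformation

    # 4. Isolate: disable every enabled adapter. This stops further spreading over SMB
    #    and the key upload to the command centers without touching process memory.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapter -Filter 'NetEnabled = TRUE'
    $disabled = @()
    foreach ($a in $adapters) {
        $rc = $a.Disable()                      # Win32_NetworkAdapter.Disable(), Vista or later
        if ($rc.ReturnValue -eq 0) { $disabled += $a.Name }
    }

    # Summary for the responder. After this: do NOT reboot, log off or kill processes;
    # run the decryptor from removable media, then clean the machine and patch it.
    New-Object PSObject -Property @{
        EvidenceDir      = $EvidenceDir
        ShadowCopiesLeft = $shadows.Count
        AdaptersDisabled = $disabled
    }
}

Invoke-HostIsolation | Format-List
```

The order matters: evidence is collected before the adapters go down because the worm's outbound 445 connections disappear the moment the host is isolated, and the adapters are disabled rather than the machine powered off because a power cut (the article's advice for an encryption still in progress) also erases the in-memory key that WanaKiwi needs once the ransom note is already on screen.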


How to go on living

This self-propelled epidemic took the world by surprise. For security services of all kinds it proved as unexpected as the arrival of winter on December 1 is for utility workers. The reason is carelessness and sloppiness; the consequences are irreparable data loss and damages. And for the malware's creators it is an incentive to carry on in the same spirit.

According to analysts, WanaCry brought its distributors very good dividends, which means that attacks of this kind will be repeated. And those who escaped this time will not necessarily escape next time. Unless, of course, you take care of it in advance.

So, to make sure you never have to cry over encrypted files:

  • Do not refuse to install operating system and application updates. This will protect you from 99% of the threats that spread through unpatched vulnerabilities.
  • Keep it on.
  • Make backup copies of important files and store them on another physical medium, or better still on several. In corporate networks it is best to use distributed data storage; home users can use free cloud services such as Yandex Disk, Google Drive, OneDrive, MEGAsync, etc. Don't keep these apps running when you are not using them.
  • Choose reliable operating systems. Windows XP is not one of them.
  • Install a comprehensive Internet Security class antivirus and additional protection against ransomware, such as Kaspersky Endpoint Security, or equivalents from other developers.
  • Raise your level of literacy in countering ransomware Trojans. For example, the antivirus vendor Dr.Web has prepared training courses for users and administrators of various systems. A lot of useful and, importantly, reliable information can be found in the blogs of other A/V developers.

And most importantly: even if you have suffered, do not transfer money to the attackers for decryption. The probability that you will be deceived is 99%. Moreover, if no one pays, the extortion business will become meaningless. Otherwise, the spread of such an infection will only grow.

WannaCry (WannaCrypt, WCry, WanaCrypt0r 2.0, Wanna Decryptor) is malware: a network worm and ransomware. The program encrypts almost all files stored on the computer and demands a ransom to decrypt them. A huge number of malware samples of this type have been registered in recent years, but WannaCry stands out among them for the scale of its spread and the techniques it uses.

This ransomware virus began spreading at approximately 10 am, and by the evening of May 12 the media were already reporting numerous infections. Various publications wrote that a hacker attack had been carried out on the largest holdings, including Sberbank.

User question. “My current personal laptop, running Windows 7 Home Premium, installs various patches automatically when I turn it off...

And the W10 tablet I have automatically installs new patches when it is turned on... Don’t corporate desktop PCs automatically update their OS when turned on or off?” Really - Why?

After some time the full set of exploits was made publicly available along with training videos, so anyone could use it, which is exactly what happened. The exploit kit includes the DoublePulsar tool. With port 445 open and the MS17-010 update not installed, a Remote Code Execution class vulnerability (the ability to infect a computer remotely; the NSA's EternalBlue exploit) makes it possible to intercept system calls and inject malicious code into memory. No email needs to be received: if you have a computer with Internet access, the SMBv1 service running and the MS17-010 patch not installed, the attacker will find you himself (for example, by brute-forcing addresses).

WannaCry Analysis

The WannaCry Trojan (aka WannaCrypt) encrypts files with certain extensions on your computer and demands a ransom of $300 in bitcoins. Three days are given for payment, then the amount doubles.

The American AES algorithm with a 128-bit key is used for encryption.

For the test files, encryption is performed with a second RSA key hard-coded in the Trojan, which is why those test files can be decrypted.

During the encryption process, several files are randomly selected. The Trojan offers to decrypt them for free, so that the victim can be convinced that they can decrypt the rest after paying the ransom.

But these selective files and the rest are encrypted with different keys. Therefore, there is no guarantee of decryption!

Signs of a WannaCry infection

Once on the computer, the Trojan runs as a Windows system service named mssecsvc2.0 (display name: Microsoft Security Center (2.0) Service).

The worm is capable of accepting command-line arguments. If at least one argument is specified, it attempts to open the mssecsvc2.0 service and configure it to restart in case of an error.

After launch, it tries to rename the file C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, extracts the encryptor Trojan from its resources to the file C:\WINDOWS\tasksche.exe and launches it with the /i parameter. When launched, the Trojan obtains the IP address of the infected machine and tries to connect to TCP port 445 of every IP address within the subnet: it searches for machines on the internal network and tries to infect them.

The worm automatically shuts down 24 hours after it starts as a system service.

To spread itself, the malware initializes Windows Sockets and CryptoAPI and launches several threads. One of them enumerates all network interfaces on the infected PC and polls available hosts on the local network; the rest generate random IP addresses. The worm tries to connect to these remote hosts on port 445. If the port is available, it infects the host in a separate thread using a vulnerability in the SMB protocol.

Immediately after launching, the worm tries to send a request to a remote server whose domain is stored in the Trojan. If a response to this request is received, it exits.

Strings found in the Trojan's body (offset, length, value):

  • 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
  • 0x1000f024, 22, sqjolphimrr7jqw6.onion
  • 0x1000f1b4, 12, 00000000.eky
  • 0x1000f270, 12, 00000000.pky
  • 0x1000f2a4, 12, 00000000.res

Protection against WannaCrypt and other ransomware

To protect against the WannaCry ransomware and its future modifications, it is necessary to:

  1. Disable unused services, including SMB v1.
  • SMBv1 can be disabled using PowerShell:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • Via the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, SMB1 parameter of type DWORD = 0
  • You can also disable the driver that is responsible for the SMBv1 client itself (yes, a service separate from SMBv2 is responsible for it). Note that sc.exe requires a space after the "=" of each option:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
  2. Use a firewall to close unused network ports, including ports 135, 137, 138, 139 and 445 (SMB ports).

Figure 2. Example of blocking port 445 using Windows Firewall

Figure 3. Example of blocking port 445 using Windows Firewall

  3. Use an antivirus or firewall to restrict application access to the Internet.

Figure 4. Example of restricting Internet access to an application using Windows Firewall

WannaCry is a special program that locks all data on the system and leaves the user with only two files: instructions on what to do next, and the Wanna Decryptor program itself, a tool for unlocking the data.

Most computer-security companies have decryption tools that can bypass the ransomware. For ordinary mortals, a method of "treatment" is still unknown.

WannaCry Decryptor (or WinCry, WannaCry, .wcry, WCrypt, WNCRY, WanaCrypt0r 2.0) is already being called the “virus of 2017”, and not without reason. In just the first 24 hours from the moment it began spreading, this ransomware infected more than 45,000 computers. Some researchers believe that at the moment (May 15) more than a million computers and servers have already been infected. Let us remind you that the virus began to spread on May 12. The first to be affected were users in Russia, Ukraine, India and Taiwan. At the moment, the virus is spreading at high speed in Europe, the USA and China.

Information was encrypted on computers and servers of government agencies (in particular the Russian Ministry of Internal Affairs), hospitals, transnational corporations, universities and schools.

Wana Decryptor (Wanna Cry or Wana Decrypt0r) paralyzed the work of hundreds of companies and government agencies around the world

Essentially, WinCry (WannaCry) is an exploit of the EternalBlue family, which uses a rather old vulnerability in the Windows operating system (Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10) and silently loads itself into the system. Then, using encryption algorithms that resist decryption, it encrypts user data (documents, photos, videos, spreadsheets, databases) and demands a ransom for decrypting it. The scheme is not new; we constantly write about new types of file encryptors, but the distribution method is new, and that is what led to the epidemic.

How the virus works

The malware scans the Internet for hosts with open TCP port 445, the port that serves the SMBv1 protocol. Having found such a computer, the program makes several attempts to exploit the EternalBlue vulnerability on it and, if successful, installs the DoublePulsar backdoor, through which the WannaCry executable is downloaded and launched. With each exploitation attempt, the malware checks whether DoublePulsar is already present on the target computer and, if it is, downloads directly through this backdoor.

By the way, these paths are not monitored by modern antivirus programs, which is what made the infection so widespread. This is a serious dig at the developers of antivirus software. How could this be allowed to happen? What are you taking money for?
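The scanning behaviour described here and in the "Signs of a WannaCry infection" section (a sweep of the local subnet plus connections to random Internet addresses, all on TCP/445) is what a network-side detection can key on. The following is an added example, not code from the original article: it counts distinct TCP/445 destinations per source host within a sliding time window over constructed connection-log lines. The log format, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
"""Flag hosts whose TCP/445 connections look like the WannaCry worm: a local
subnet sweep plus random Internet addresses. Added example; log is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample connection log: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
1494583200 10.0.5.17 10.0.5.1 445
1494583200 10.0.5.17 10.0.5.2 445
1494583201 10.0.5.17 10.0.5.3 445
1494583201 10.0.5.17 10.0.5.4 445
1494583202 10.0.5.17 203.0.113.77 445
1494583202 10.0.5.17 198.51.100.9 445
1494583203 10.0.5.17 192.0.2.140 445
1494583203 10.0.5.17 203.0.113.5 445
1494583204 10.0.5.17 198.51.100.200 445
1494583210 10.0.5.30 10.0.5.9 445
1494583230 10.0.5.30 203.0.113.1 443
"""
LOCAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range
WINDOW = 60       # seconds of history considered per source
MIN_TARGETS = 5   # distinct TCP/445 destinations within WINDOW before alerting

def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events

def find_smb_scanners(events, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {src: {"targets": n, "external": m}} for each source that contacted
    at least min_targets distinct hosts on TCP/445 within window seconds.
    "external" counts targets outside LOCAL_NET: a subnet sweep alone might be
    an admin tool, but random Internet targets on 445 match the worm's threads."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # window starting at each connection
            targets = {d for t, d in conns[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                ext = sum(1 for d in targets if ip_address(d) not in LOCAL_NET)
                alerts[src] = {"targets": len(targets), "external": ext}
                break
    return alerts

if __name__ == "__main__":
    for src, info in find_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} TCP/445 targets, {info['external']} external")
```

In the constructed sample only 10.0.5.17 trips the rule (9 targets, 5 of them outside the internal range); 10.0.5.30 touches a single SMB host and is ignored.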

Once launched, the malware acts like classic ransomware: it generates a unique RSA-2048 asymmetric key pair for each infected computer. WannaCry then scans the system for user files of certain types, leaving those critical for its further functioning untouched. Each selected file is encrypted using the AES-128-CBC algorithm with a key that is unique (random) for each file; this key is in turn encrypted with the public RSA key of the infected system and stored in the header of the encrypted file. The extension .wncry is added to each encrypted file. The RSA key pair of the infected system is encrypted with the attackers' public key and sent to their control servers located in the Tor network, after which all keys are deleted from the memory of the infected machine. After completing the encryption process, the program displays a window asking you to transfer a certain amount of Bitcoin (equivalent to $300) to the specified wallet within three days. If the ransom is not received on time, the amount is automatically doubled. On the seventh day, if WannaCry has not been removed from the infected system, the encrypted files are destroyed. The message is displayed in the language set on the computer; in total, the program supports 28 languages. In parallel with encryption, the program scans arbitrary Internet and local network addresses in order to infect new computers.
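Because the per-file AES key is stored in the header of each encrypted file, a responder can identify WannaCry-encrypted files by their header rather than by the .wncry extension, which survives neither renaming nor a partial cleanup. The triage scanner below is an added example, not code from the article; the exact header layout (magic, wrapped-key length, wrapped key, type, original size) is assumed from public analyses of the samples and is not stated on this page.

```python
"""Triage scanner that recognises WannaCry-encrypted files by their header.
Added example, not code from the article. Header layout assumed from public
sample analyses (not stated on this page):
  8 bytes   magic "WANACRY!"
  4 bytes   length of the RSA-wrapped per-file AES key (0x100 for RSA-2048)
  N bytes   that AES key, encrypted with the victim machine's RSA public key
  4 bytes   type field
  8 bytes   original plaintext size
  rest      AES-128-CBC ciphertext
Only the header is parsed; nothing here decrypts or modifies files."""
import os
import struct

MAGIC = b"WANACRY!"
HEAD_FMT = "<8sI"   # magic, wrapped-key length
TAIL_FMT = "<IQ"    # type, original size
MAX_HEAD = struct.calcsize(HEAD_FMT) + 0x100 + struct.calcsize(TAIL_FMT)

def parse_wncry_header(blob):
    """Return (wrapped_key_len, file_type, original_size), or None if the
    bytes do not start with a well-formed WannaCry header."""
    if len(blob) < struct.calcsize(HEAD_FMT):
        return None
    magic, key_len = struct.unpack_from(HEAD_FMT, blob, 0)
    if magic != MAGIC or key_len == 0 or key_len > 0x100:
        return None
    off = struct.calcsize(HEAD_FMT) + key_len
    if len(blob) < off + struct.calcsize(TAIL_FMT):
        return None
    ftype, orig_size = struct.unpack_from(TAIL_FMT, blob, off)
    return key_len, ftype, orig_size

def scan_tree(root):
    """Walk root and list encrypted files with their recorded original size.
    Matching on the header rather than the .wncry suffix means renamed files
    are still found, and the size total shows how much data is affected."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = parse_wncry_header(fh.read(MAX_HEAD))
            if info:
                hits.append((path, info[2]))
    return hits

def make_sample(orig_size=1234, key_len=0x100):
    """Constructed stand-in for an encrypted file: dummy wrapped key and data."""
    return (struct.pack(HEAD_FMT, MAGIC, key_len) + b"\x11" * key_len
            + struct.pack(TAIL_FMT, 4, orig_size) + b"\x22" * 16)

if __name__ == "__main__":
    print(parse_wncry_header(make_sample()))   # (256, 4, 1234)
    print(parse_wncry_header(b"plain text, not ransomware output"))  # None
```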

According to research by Symantec, the attackers' algorithm for tracking individual payments from each victim and sending them the decryption key is implemented with a race condition bug. This makes paying the ransom pointless, since individual keys will not be sent in any case and the files will remain encrypted. However, there is a reliable method to decrypt user files smaller than 200 MB, as well as some chance of recovering larger files. In addition, on outdated Windows XP and Windows Server 2003 systems, due to peculiarities of the system's pseudo-random number generator implementation, it is even possible to recover the private RSA keys and decrypt all affected files, provided the computer has not been rebooted since the infection. Later, a group of French cybersecurity experts from Comae Technologies extended this technique to Windows 7 and put it into practice, publishing the freely available utility WanaKiwi, which allows files to be decrypted without paying a ransom.

The code of early versions of the program included a self-destruct mechanism, the so-called kill switch: the program checked the availability of two specific Internet domains and, if they were present, was completely removed from the computer. This was first discovered on May 12, 2017 by Marcus Hutchins, a 22-year-old virus analyst at the British company Kryptos Logic who writes on Twitter under the nickname @MalwareTechBlog; he registered one of the domains in his own name. In this way he managed to temporarily and partially block the distribution of this modification of the malware. On May 14, the second domain was registered. In subsequent versions of the virus this self-shutdown mechanism was removed, but this was done not in the source code but by editing the executable file, which suggests that the fix came not from the authors of the original WannaCry but from third-party attackers. As a result, the encryption mechanism was damaged, and this version of the worm can only spread itself by finding vulnerable computers, but is not capable of causing direct harm to them.

The high rate of spread of WannaCry, unique for ransomware, is ensured by the use of a vulnerability in the SMB network protocol of Microsoft Windows, published in February 2017 and described in bulletin MS17-010. Whereas in the classic scheme the ransomware got onto the computer through the actions of the user himself, via email or a web link, in the case of WannaCry the user's participation is completely excluded. The time between detection of a vulnerable computer and its complete infection is about 3 minutes.

The vendor has confirmed the presence of the vulnerability in absolutely all client and server products that have an implementation of the SMBv1 protocol, from Windows XP/Windows Server 2003 to Windows 10/Windows Server 2016. On March 14, 2017, Microsoft released a series of updates designed to neutralize the vulnerability in all supported OS versions. Following the spread of WannaCry, the company took the unprecedented step of also releasing updates for end-of-support products (Windows XP, Windows Server 2003 and Windows 8) on May 13.

Spread of the WannaCry virus

The virus can spread in various ways:

  • Through a single computer network;
  • Via mail;
  • Via browser.

Personally, I don’t quite understand why the network connection is not scanned by the antivirus. The same method of infection as through visiting a website or browser proves the helplessness of the developers and that the money requested for licensed PC protection software is not justified in any way.

Symptoms of infection and treatment of the virus

After successful installation on the user's PC, WannaCry tries to spread across the local network to other PCs like a worm. Encrypted files receive the extension .WCRY and become completely unreadable; it is not possible to decrypt them yourself. After full encryption, Wcry changes the desktop wallpaper and leaves “instructions” for decrypting files in the folders with encrypted data.

At first, the hackers extorted $300 for decryption keys, but then raised this figure to $600.

How to prevent your PC from being infected by the WannaCry Decryptor ransomware?

Download the operating system update from the Microsoft website.

What to do if your PC is infected?

Use the instructions below to try to recover at least some of the information on the infected PC. Update your antivirus and install the operating system patch. A decryptor for this virus does not yet exist. We strongly do not recommend paying the ransom to the attackers: there is no guarantee, not even the slightest, that they will decrypt your data after receiving it.

Remove WannaCry ransomware using an automatic cleaner

This is an exceptionally effective method of dealing with malware in general and ransomware in particular. Using a proven protection suite guarantees thorough detection of all viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring the files on your PC. However, the threat certainly needs to be removed, since there are reports of other computer Trojans being introduced through it.

  1. Download the WannaCry removal program. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the no_more_ransom ransomware locks files using a strong encryption algorithm, so encrypted data cannot be restored with a wave of a magic wand, unless you count paying an unheard-of ransom. But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery program (decryptor)

One very unusual circumstance is known. This infection erases the original files in unencrypted form; the encryption carried out for extortion thus targets copies of them. This makes it possible for software such as Data Recovery Pro to restore the erased objects, even where their deletion is supposedly reliable. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup procedure that is repeated at each restore point. An important condition for this method to work: System Restore must have been activated before the infection occurred. However, any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If data was backed up to an external server before the ransomware attack on your computer, then to restore the encrypted files you simply need to open the appropriate interface, select the necessary files and start the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware has been completely removed.

Check for possible residual components of the WannaCry ransomware

Manual cleaning risks missing individual pieces of the ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk of individual malicious elements being partially retained, scan your computer using a reliable security software package that specializes in malicious software.

Decryption

But there is no information from those who paid for decryption, just as there is no information about any intention of the hackers to calm people's souls and decrypt the information after payment ((((

But on Habr there was information about the operating principle of the Decrypt button, as well as the fact that the attackers have no way to identify users who sent bitcoins, which means that no one will restore anything for the victims:

“The cryptor creates two types of files: first, some part is encrypted using 128-bit AES, and the generated decryption key is appended directly to the encrypted file. Files encrypted in this way are given the extension .wncyr, and it is these that are then decrypted when you click Decrypt. The bulk of the encrypted material gets the extension .wncry, and the key is no longer there.
In this case, the encryption does not take place in the file itself: first a file is created on the disk where the encrypted content is placed, and then the original file is deleted. Accordingly, for some time there is a chance to recover part of the data using various undelete utilities.
To combat such utilities, the cryptor constantly writes all kinds of garbage to the disk, so that disk space is consumed quite quickly.
But why there is still no information about payment and the mechanisms for verifying it is truly surprising. Perhaps the rather decent amount ($300) required for such a check has an influence.”

The creators of the WannaCry virus bypassed temporary protection in the form of a meaningless domain

The creators of the WannaCry ransomware, which affected computers in more than 70 countries, have released a new version of it. It lacks the code for accessing a meaningless domain, which was used to stop the spread of the original virus, Motherboard writes. The publication received confirmation of the appearance of the new version of the virus from two specialists who studied new cases of computer infection. One of them is Costin Raiu, head of the international research team at Kaspersky Lab.

Experts did not specify whether any other changes appeared in WannaCry.