May 19, 2017

I talked about the new WannaCry virus, which infects Microsoft Windows (XP, 7, 8, 10), and how to protect yourself from it. In short, that means installing the update patch that closes a gap in the Windows operating system (XP, 7, 8, 10) and updating your anti-virus databases.

For a home user that information is enough, since he only needs to download and install the update patch once. But if you are an IT specialist serving an organization with any number of workstations, the installation of the update needs to be automated.

Of course, you can configure the operating system to update automatically and wait until it installs all the updates. But that process is quite long and requires many reboots of the workstation, which is not convenient for the user. Automatic updates are worth setting up in any case, but first you need to download and install the patch that closes this particular security hole.

Moreover, some users write that this update may not be installed automatically. And it will not be installed on Windows XP at all, since that OS is no longer supported by Microsoft.

Therefore, we will force-install the MS17-010 update, and in order to do this as quickly as possible and on all computers at once, we will use group policies.

The network in which we will perform all further actions was created during the completion of the video course "" and the course on "

On May 12 at about 13:00 the Wana Decryptor virus began to spread. Within a couple of hours, tens of thousands of computers around the world were infected. At present more than 45,000 infected computers have been confirmed.

With more than 40 thousand hacks in 74 countries, Internet users around the world witnessed the largest cyber attack in history. The list of victims includes not only ordinary people but also the servers of banks, telecommunications companies and even law enforcement agencies.

The Wanna Cry ransomware infection affected the computers of both ordinary users and work computers in various organizations, including the Russian Ministry of Internal Affairs. Unfortunately, at the moment there is no way to decrypt WNCRY files, but you can try to recover encrypted files using programs such as ShadowExplorer and PhotoRec.

Official patches from Microsoft to protect against the Wanna Cry virus:

  • Windows 7 32bit/x64
  • Windows 10 32bit/x64
  • Windows XP 32 bit/x64 - no patch against WCry.

How to protect yourself from the Wanna Cry virus

You can protect yourself from the Wanna Cry virus by downloading a patch for your Windows versions.

How Wanna Cry spreads

Wanna Cry is distributed:

  • via files,
  • via mail messages.

As reported by Russian media, the work of departments of the Ministry of Internal Affairs in several regions of Russia has been disrupted by ransomware that has infected many computers and threatens to destroy all data. In addition, the communications operator Megafon was attacked.

We are talking about the WCry ransomware Trojan (WannaCry or WannaCryptor). It encrypts the information on the computer and demands a ransom of $300 or $600 in Bitcoin for decryption.
Ordinary users also report infections on forums and in social networks.

WannaCry encryption epidemic: what to do to avoid infection. Step by step guide

On the evening of May 12, a large-scale WannaCryptor (WannaCry) ransomware attack was discovered, which encrypts all data on PCs and laptops running Windows. The program demands $300 in bitcoins (about 17,000 rubles) as a ransom for decryption.

The main blow fell on Russian users and companies. So far WannaCry has hit about 57,000 computers, including the corporate networks of the Ministry of Internal Affairs, Russian Railways and Megafon. Sberbank and the Ministry of Health also reported attacks on their systems.

We tell you what you need to do right now to avoid infection.

1. The encryptor exploits a Microsoft vulnerability disclosed in March 2017. To minimize the threat, you must urgently update your version of Windows:

Start - All Programs - Windows Update - Search for Updates - Download and Install

2. Even if the system was not updated and WannaCry got onto the computer, both the corporate and the home ESET NOD32 solutions successfully detect and block all its modifications.

5. To detect as-yet-unknown threats, our products use behavioral and heuristic technologies: if a program behaves like a virus, it is most likely a virus. Thus the ESET LiveGrid cloud system has successfully repelled the attack since May 12, even before the signature databases were updated.

What is the correct name for the Wana Decryptor virus, WanaCrypt0r, Wanna Cry or Wana Decrypt0r?

Since the virus was first discovered, many different reports about this ransomware have appeared online, and it is often called by different names. This happened for several reasons. Before the Wana Decrypt0r virus itself appeared, there was a first version, Wanna Decrypt0r, the main difference being the method of distribution. That first variant was not as widely known as its younger brother, but because of it some news reports call the new ransomware by the name of its older brother, namely Wanna Cry or Wanna Decryptor.

Still, the main name is Wana Decrypt0r, although most users type the letter "o" instead of the digit "0", which gives the name Wana Decryptor or WanaDecryptor.

The last name by which users often call this ransomware is the WNCRY virus, after the extension that is appended to the names of the encrypted files.

To minimize the risk of the Wanna Cry virus getting onto your computer, Kaspersky Lab specialists advise installing all available updates for your current version of Windows. The point is that the malware infects only computers running this software.

Wanna Cry virus: How it spreads

We mentioned this method of spreading viruses earlier in an article about safe behavior on the Internet, so there is nothing new here.

Wanna Cry is distributed as follows: the user receives an email with a "harmless" attachment, which can be a picture, video or song, but instead of the standard extension for these formats the attachment has an executable file extension, .exe. When such a file is opened and launched, the system is "infected": through a vulnerability the virus is loaded directly into Windows and encrypts the user's data, therussiantimes.com reports.

Wanna Cry virus: description of the virus

Wanna Cry (popularly nicknamed "Wona region") belongs to the category of ransomware viruses (cryptors), which, once on a PC, encrypt user files with a cryptographically strong algorithm, after which reading those files becomes impossible.
At the moment, the following popular file extensions are known to be encrypted by Wanna Cry:

Microsoft Office files (.xlsx, .xls, .docx, .doc), reports therussiantimes.com.
Archive and media files (.mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .3gp, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar).

WannaCry is a program called WanaCrypt0r 2.0 that exclusively attacks PCs running Windows. The program exploits a "hole" in the system described in Microsoft Security Bulletin MS17-010, the existence of which was previously unknown. The program demands a ransom of $300 to $600 for decryption. Incidentally, according to The Guardian, more than 42 thousand dollars have already been transferred to the hackers' accounts.

This ransomware has been spreading worldwide since May 12th. It penetrates computers when a file is downloaded from the Internet. Once a computer receives the virus, WannaCry encrypts various files: photos, music, movies, text documents, presentations, archives, etc. The attackers extort $300 for decryption. How do you fight this ransomware?

Kaspersky Lab says that the computers most vulnerable to the attack were those without software updates installed and those running pirated software.

1 How does the Wanna Cry virus work?

WannaCry is a program called WanaCrypt0r 2.0 that exclusively attacks PCs running Windows. The program exploits a "hole" in the system described in Microsoft Security Bulletin MS17-010, the existence of which was previously unknown.

2 How does the WannaCry virus spread?

The WannaCry virus spreads through email. After an attachment in a spam email is opened, the encryptor launches, and the encrypted files are then almost impossible to recover.

3 What should you pay attention to to avoid infecting your computer with the WannaCry virus?

Pay close attention to what you receive by email. Do not open files with the extensions .exe, .vbs and .scr. Fraudsters can use several extensions to disguise a malicious file as a video, photo or document (for example, avi.exe or doc.scr), writes ru24.top.

Ilya Sachkov, CEO of Group-IB, a company for the prevention and investigation of cybercrime, advises: "In the case of WannaCry, the solution to the problem may be to block port 445 on the firewall, through which the infection occurs." To spot potentially malicious files, enable the "Show file extensions" option in Windows settings.
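As an added example (not code from the article or from anyone it quotes), the following PowerShell applies the three pieces of advice above on a workstation: it classifies attachment names by the extensions named here, including the doc.scr / avi.exe disguise, turns on the "Show file extensions" Explorer setting, and adds an inbound block for TCP port 445. The decoy-extension list, the firewall rule name and the sample file names are assumptions; the registry and firewall steps need an elevated session.

```powershell
# Added example, not the article's code. Assumes Windows PowerShell 5.1 on a workstation
# (the NetSecurity cmdlets exist from Windows 8 / Server 2012 onward).

$RiskyExtensions = @('.exe', '.vbs', '.scr')   # extensions the article says not to open
# Assumed list of "innocent" extensions that fraudsters put in front of the real one
$DecoyExtensions = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.jpg', '.png', '.avi', '.mp4', '.mp3')

function Get-AttachmentRisk {
    # Returns Ok, Executable, DisguisedExecutable or NoExtension for an attachment name.
    param([Parameter(Mandatory)][string]$FileName)
    $parts = $FileName.Trim().ToLower().Split('.')
    if ($parts.Count -lt 2 -or $parts[-1] -eq '') { return 'NoExtension' }
    $last = '.' + $parts[-1]
    if ($RiskyExtensions -notcontains $last) { return 'Ok' }
    # A decoy extension right before the executable one (doc.scr, avi.exe) is the disguise
    if ($parts.Count -ge 3 -and $DecoyExtensions -contains ('.' + $parts[-2])) {
        return 'DisguisedExecutable'
    }
    return 'Executable'
}

function Enable-FileExtensionDisplay {
    # Explorer hides known extensions by default, which is what makes "picture.jpg.exe"
    # look like a picture; HideFileExt = 0 shows the full name for the current user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer picks the value up after explorer.exe is restarted or at the next logon
}

function Block-InboundSmbPort {
    # Blocks the port the quoted advice names (TCP 445). Assumption: this runs on
    # workstations that do not share folders; do not apply it to file servers.
    $name = 'Block inbound SMB (TCP 445)'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# Constructed sample names for the classifier
foreach ($n in 'report.docx', 'holiday.avi.exe', 'invoice.doc.scr', 'setup.exe', 'README') {
    '{0,-18} {1}' -f $n, (Get-AttachmentRisk $n)
}
# Enable-FileExtensionDisplay; Block-InboundSmbPort   # run in an elevated session
```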

4 What has Microsoft done to protect Windows from the WannaCry virus?

Microsoft has already released a "patch": just run Windows Update and update to the latest version. Note that only users who have purchased a licensed version of Windows will be able to protect their computer and data: if they try to update a pirated version, the system will simply not pass the check. Remember also that Windows XP is no longer updated, nor, of course, are earlier versions, reports Rorki.ru.

5 The simplest ways to protect yourself from the WannaCry virus

To avoid catching the WannaCry virus on your computer, you need to follow a few simple safety rules:

  • update the system on time - all infected PCs were not updated,
  • use a licensed OS,
  • do not open dubious emails,
  • do not click on dubious links left by untrustworthy users.

6 What should you do if you caught the WannaCry virus on your computer?

If you suspect that your computer is infected with the WannaCry virus, disconnect the device from the Internet or Wi-Fi; this will prevent the virus from spreading, advises Group-IB. Expert recommendation: never pay a ransom to scammers, since there is no guarantee that the attackers will send the decryption key.

It continues its oppressive march across the Internet, infecting computers and encrypting important data. How do you protect yourself and Windows from ransomware, and have patches been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. Damage from the virus attack totals $1 billion. In 2 weeks the ransomware infected at least 300 thousand computers, despite warnings and security measures.

Ransomware virus 2017, what is it? As a rule, you can "pick it up" on seemingly the most harmless sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 system folder. From there the program immediately disables the antivirus and adds itself to autorun. After every reboot the ransomware is started from the registry and begins its dirty work. The ransomware then downloads similar copies of programs such as Ransom and Trojan. Self-replication of the ransomware is also common. This process can be instantaneous, or it can take weeks until the victim notices something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, sometimes a .dll library. Most often the file has a completely innocuous name, for example "document.doc" or "picture.jpg", where the visible extension is typed by hand and the true file type is hidden.

After encryption is complete, instead of familiar files the user sees a set of "random" characters in the name and contents, and the extension changes to a previously unknown one: .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017: how to protect yourself. Note first that Wanna Cry has become something of a collective term for all encrypting viruses and ransomware, since it has infected computers most often lately. So we will talk about protecting yourself from ransomware in general, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware: EternalBlue via the SMB protocol port.

Protecting Windows from ransomware 2017 – basic rules:

  • Windows update, timely transition to a licensed OS (note: the XP version is not updated)
  • updating anti-virus databases and firewalls on demand
  • extreme care when downloading any files (cute “seals” can result in the loss of all data)
  • backup important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

If you rely on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have not yet found a solution for treating infected files. At the moment the virus can be removed with an antivirus, but there are no algorithms to return everything "to normal" yet.

Some try decryptors such as the RectorDecryptor utility, but this will not help: no algorithm for decrypting the new viruses has been compiled yet. It is also completely unknown how the virus will behave if it is not removed after such programs are used. Often this can result in the erasure of all files, as a warning from the virus authors to those who do not want to pay.

At the moment the most effective way to get lost data back is to contact the technical support of the vendor of the antivirus program you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach an encrypted file and, if available, a copy of the original. This will help the programmers build the algorithm. Unfortunately, for many a virus attack comes as a complete surprise, and no copies are found, which greatly complicates the situation.

Drastic methods of treating Windows for ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which entails a complete reinstallation of the OS. Many will think of System Restore, but this is not an option: a "rollback" will get rid of the virus, but the files will still remain encrypted.

The global hacker attack has currently affected many computers in Russia and abroad, including the networks of large telecommunications companies, law enforcement agencies and medical institutions.

Our technology partners from Kaspersky Lab recorded 45 thousand hacking attempts in 74 countries yesterday, May 12.

About the virus

The ransomware program spreading online is called WannaCry (aka Wana Decryptor, WanaCrypt0r and Wana Decrypt0r). Unlike other programs of this type, this ransomware combines the functions of a virus, a Trojan and a network worm. As penetration mechanisms it uses both email (which lets it get past protective firewalls) and a network vulnerability in the SMB protocol published on March 14 this year: Microsoft Security Bulletin MS17-010. This vulnerability allows the virus to spread within an infected network and infect the maximum number of vulnerable devices.

Microsoft does not automatically distribute security updates for Windows XP and Windows 2003, so users using outdated software are most vulnerable.

When infecting a device, the virus encrypts all user data on the hard drive and demands a ransom for decrypting it.

Ideco ICS is based on the Linux kernel; all ports on external interfaces are closed by default, so it is protected from attacks that exploit network vulnerabilities like the one exploited by this virus. NAT also reliably protects all network devices from external connections. The virus's spreading vectors include email, possibly infected websites and flash drives; the virus can also be brought in by employees along with laptops used on other networks. Not all mechanisms of the virus's spread have been studied yet, and attackers may add new ones to strengthen the attack in the near future.

Setting up Ideco ICS

Endpoint protection

  • Install a patch to close the vulnerability exploited by the virus: MS17-010.
  • Block the use of the SMBv1 protocol by running the following command on Windows computers and servers:
    dism /online /norestart /disable-feature /featurename:SMB1Protocol
  • Make sure that anti-virus software on all computers is installed, running and using the latest signature databases.
  • On computers with outdated Windows XP and Windows 2003 operating systems, you must install security patches manually by downloading them from direct links:
    kb4012598 for Windows XP SP3
    kb4012598 for Windows Server 2003 x86
    kb4012598 for Windows Server 2003 x64
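As an added example (not Ideco's code), the following PowerShell audits this checklist across a list of Windows hosts over PowerShell Remoting: whether an MS17-010 package is installed, whether the SMBv1 server is still on, and whether Windows Defender is healthy, with an optional switch that runs the dism command given above on every host where SMBv1 is enabled. Assumptions: WinRM is enabled and the caller is an administrator on the targets; the KB list holds kb4012598 from the checklist plus the Windows 7 SP1 / Server 2008 R2 ids of the March 2017 update and must be extended for other builds; the host names are constructed.

```powershell
# Added example, not Ideco's or the article's code. Needs PowerShell Remoting (WinRM) to the
# targets and local administrator rights there. Windows XP / 2003 are not WinRM targets
# here and still have to be checked by hand, as the checklist says.

# MS17-010 package ids: kb4012598 (XP / 2003, from the checklist) plus the March 2017
# security-only and rollup packages for Windows 7 SP1 / Server 2008 R2. Extend per build.
# On Windows 10 later cumulative updates supersede these ids, so a miss there means "verify".
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215')

$AuditBlock = {
    param([string[]]$Kbs)
    $installed = @(Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID })

    # SMBv1 server setting: the Smb cmdlet exists from Windows 8 / 2012; older systems expose
    # the same setting as the SMB1 registry value (absent or 1 = enabled, 0 = disabled).
    # Whether the SMB1Protocol feature itself was removed with dism is a separate question.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
             -ErrorAction SilentlyContinue
        $smb1 = -not ($p -and $p.PSObject.Properties['SMB1'] -and $p.SMB1 -eq 0)
    }

    # Antivirus: Windows Defender only; third-party products need their own query ($null = unknown).
    $avOk = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $s = Get-MpComputerStatus
        $avOk = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and
                ((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalDays -lt 2
    }

    New-Object PSObject -Property @{
        OS          = (Get-WmiObject Win32_OperatingSystem).Caption
        Ms17010     = ($installed.Count -gt 0)
        Ms17010Kb   = ($installed | ForEach-Object { $_.HotFixID }) -join ','
        Smb1Enabled = $smb1
        AvHealthy   = $avOk
    }
}

function Invoke-Ms17010Audit {
    param([Parameter(Mandatory)][string[]]$ComputerName, [switch]$DisableSmb1)
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $AuditBlock `
                              -ArgumentList (,$Ms17010Kbs)
    if ($DisableSmb1) {
        $targets = @($results | Where-Object { $_.Smb1Enabled } |
                     ForEach-Object { $_.PSComputerName })
        if ($targets.Count -gt 0) {
            # The exact command from the checklist above, run on each host that still has SMBv1
            Invoke-Command -ComputerName $targets -ScriptBlock {
                dism /online /norestart /disable-feature /featurename:SMB1Protocol
            }
        }
    }
    $results | Select-Object PSComputerName, OS, Ms17010, Ms17010Kb, Smb1Enabled, AvHealthy
}

# Constructed host names; in practice feed the list from Active Directory
Invoke-Ms17010Audit -ComputerName 'WS-01', 'WS-02' | Format-Table -AutoSize
```

Hosts that report Ms17010 as false but run a build not covered by the KB list need a manual check against the MS17-010 bulletin rather than being treated as unpatched.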

If you are using Windows as an Internet gateway

We do not recommend using any version of Windows on servers connected directly to the Internet. Recently, information has been published about a large number of vulnerabilities, not all of which are closed by the existing OS security updates. Infection of the Internet gateway itself with a virus like WannaCry can lead to infection of all network hosts, loss of commercial information, and the network's participation, as part of a botnet, in attacks on other resources, including government ones.

Software that uses Windows as a platform also cannot provide the required level of security, because the system kernel will still be vulnerable. If you use software such as Kerio Winroute, we recommend migrating to more secure and modern solutions as soon as possible.

The Ideco ICS security gateway is convenient in that it can be used not only as a hardware and software appliance, but can also be installed directly on an existing server or deployed as a virtual machine on a hypervisor.