Kaspersky Lab about the WannaCry ransomware

Kaspersky Lab specialists analyzed information about infections with a ransomware program called “WannaCry” that companies around the world encountered on May 12. As the analysis showed, the attack exploited the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, which the attackers used to launch the encryption program.

All Kaspersky Lab solutions detect the malware used in this attack with the following verdicts:

  • Trojan-Ransom.Win32.Scatter.uf
  • Trojan-Ransom.Win32.Scatter.tr
  • Trojan-Ransom.Win32.Fury.fr
  • Trojan-Ransom.Win32.Gen.djd
  • Trojan-Ransom.Win32.Wanna.b
  • Trojan-Ransom.Win32.Wanna.c
  • Trojan-Ransom.Win32.Wanna.d
  • Trojan-Ransom.Win32.Wanna.f
  • Trojan-Ransom.Win32.Zapchast.i
  • Trojan.Win64.EquationDrug.gen
  • Trojan.Win32.Generic (to detect this malware, the System Monitoring component must be enabled)

To decrypt the data, the attackers demand a ransom of $600 in Bitcoin cryptocurrency. At the moment Kaspersky Lab has recorded about 45,000 attack attempts in 74 countries around the world. The largest number of infection attempts is observed in Russia.

If your files are encrypted, you should absolutely not use decryption tools offered on the Internet or received in emails. The files are encrypted with a strong encryption algorithm and cannot be decrypted, and the utilities you download can cause even more harm to both your computer and computers throughout the organization, since they are potentially malicious and intended to start a new wave of the epidemic.

If you discover that your computer has been infected, you should turn it off and contact your information security department for further instructions. Recommended measures:

  • Install the official patch from Microsoft that closes the vulnerability used in the attack (in particular, updates are already available for Windows XP and Windows 2003);
  • Make sure that security solutions are enabled on all network nodes;
  • If you are using a Kaspersky Lab security solution, make sure that its version includes the “System Monitoring” component and it is enabled;
  • Run a critical areas scan task in your Kaspersky Lab security solution to detect a possible infection as early as possible (otherwise detection will occur automatically within 24 hours);
  • After detecting Trojan.Win64.EquationDrug.gen, reboot the system;
  • In the future, to prevent such incidents, use threat intelligence reporting services to promptly receive data on the most dangerous targeted attacks and possible infections.

More detailed information about the “WannaCry” attacks can be found in the Kaspersky Lab report.

Modern technologies allow hackers to constantly improve their methods of defrauding ordinary users. As a rule, malicious software that penetrates the computer is used for this purpose. Encryption viruses are considered especially dangerous. The threat is that the virus spreads very quickly, encrypting files so that the user simply cannot open a single document. And while getting infected is quite simple, decrypting the data is much more difficult.

What to do if a virus has encrypted files on your computer

Anyone can be attacked by ransomware; even users who have powerful anti-virus software are not immune. File-encrypting Trojans come in many code variants that may be beyond an antivirus's capabilities. Hackers even manage to attack large companies in this way when those companies have not taken care to protect their information properly. So, if you have picked up a ransomware program online, you need to take a number of measures.

The main signs of infection are slow computer operation and changes in document names (visible, for example, on the desktop).

  1. Restart your computer to stop the encryption. When it starts up, do not confirm the launch of any unknown programs.
  2. Run your antivirus if the ransomware has not disabled it.
  3. In some cases, shadow copies will help to restore information. To find them, open the “Properties” of the encrypted document. This method works with data encrypted by the Vault ransomware (files with the Vault extension), about which there is information on the portal.
  4. Download the latest version of a utility for combating ransomware viruses. The most effective ones are offered by Kaspersky Lab.

Ransomware viruses in 2016: examples

When fighting any virus attack, it is important to understand that the code changes very often and is supplemented with new ways of evading antivirus protection. Security programs therefore need some time until the developer updates the databases. We have selected the most dangerous encryption viruses of recent times.

Ishtar Ransomware

Ishtar is a ransomware that extorts money from the user. The virus was noticed in the fall of 2016, infecting a huge number of computers of users from Russia and a number of other countries. It is distributed via emails containing attachments (installers, documents, etc.). Files encrypted by Ishtar are given the prefix “ISHTAR” in their names. The process creates a text document that indicates where to go to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus software companies need time to analyze all of the code. For now, you can only move important information onto a separate medium and wait for the release of a utility capable of decrypting the documents. Reinstalling the operating system is recommended.

Neitrino

The Neitrino encryptor appeared on the Internet in 2015. Its attack principle is similar to other viruses of the same category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decrypt; not all antivirus companies undertake this, citing very complex code. Some users may benefit from restoring a shadow copy. To do this, right-click the encrypted document, go to “Properties”, open the “Previous Versions” tab, and click “Restore”. It would also be a good idea to use a free utility from Kaspersky Lab.

Wallet or .wallet.

The Wallet encryption virus appeared at the end of 2016. During the infection process, it changes the name of the data to “Name..wallet” or something similar. Like most ransomware viruses, it enters the system through attachments in emails sent by attackers. Since the threat appeared very recently, antivirus programs do not notice it. After encryption, it creates a document in which the fraudster indicates the email address for communication. Currently, antivirus software developers are working to decipher the code of the ransomware virus [email protected]. Users who have been attacked can only wait. If the data is important, it is recommended to save it to an external drive and wipe the system.

Enigma

The Enigma ransomware virus began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model, which is found in most ransomware viruses today. The virus penetrates the computer using a script that the user runs by opening files from a suspicious email. There is still no universal means of combating the Enigma ransomware. Users with an antivirus license can ask for help on the developer's official website. A small “loophole” was also found - Windows UAC. If the user clicks “No” in the UAC prompt that appears during infection, they will subsequently be able to restore information from shadow copies.

Granit

A new ransomware virus, Granit, appeared on the Internet in the fall of 2016. Infection follows this scenario: the user launches an installer, which infects the PC and encrypts all data on it, as well as on connected drives. Fighting the virus is difficult. Special utilities from Kaspersky can be used to remove it, but the code has not yet been decrypted. Restoring previous versions of the data may help. In addition, a specialist with extensive experience can decrypt the files, but the service is expensive.

Tyson

Tyson was spotted recently. It is a development of the already known no_more_ransom ransomware, about which you can read on our website. It reaches personal computers via email. Many corporate PCs were attacked. The virus creates a text document with unlocking instructions, offering to pay a “ransom.” The Tyson ransomware appeared recently, so there is no unlocking key yet. The only way to restore information is to return to previous versions, if the virus did not delete them. You can, of course, take the risk of transferring money to the account specified by the attackers, but there is no guarantee that you will receive the password.

Spora

At the beginning of 2017, a number of users became victims of the new Spora ransomware. In its operating principle it is not very different from its counterparts, but it boasts a more professional design: the instructions for obtaining a password are better written, and the website looks more polished. The Spora ransomware virus was written in the C language and uses a combination of RSA and AES to encrypt the victim’s data. As a rule, computers on which the 1C accounting program was actively used were attacked. The virus, disguised as a simple invoice in .pdf format, tricks company employees into launching it. No cure has been found yet.

1C.Drop.1

This 1C encryption virus appeared in the summer of 2016, disrupting the work of many accounting departments. It was designed specifically for computers that use 1C software. Once on the PC via a file from an email, it prompts the owner to update the program. Whichever button the user presses, the virus will begin encrypting files. Dr.Web specialists are working on decryption tools, but no solution has been found yet. This is due to the complex code, which may have several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

da_vinci_code

A new ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors in its improved code and strong encryption mode. da_vinci_code infects the computer through an executable application (usually attached to an email), which the user launches themselves. da_vinci_code copies its body to the system directory and writes to the registry, ensuring automatic launch when Windows starts. Each victim's computer is assigned a unique ID (used to obtain a password). It is almost impossible to decrypt the data. You can pay the attackers, but no one guarantees that you will receive the password.

[email protected] / [email protected]

Two email addresses that often accompanied ransomware viruses in 2016. They serve to connect the victim with the attacker. The addresses were attached to a variety of viruses: da_vinci_code, no_more_ransom, and so on. It is highly recommended not to contact or transfer money to the scammers. In most cases users are left without passwords, and paying only shows the attackers that their ransomware works and generates income.

Breaking Bad

It appeared at the beginning of 2015, but spread actively only a year later. The infection principle is identical to other ransomware: a file from an email is launched and the data is encrypted. Conventional antivirus programs, as a rule, do not notice the Breaking Bad virus. Some variants cannot bypass Windows UAC, leaving the user the option of restoring previous versions of documents. No company developing anti-virus software has yet presented a decryptor.

XTBL

A very common ransomware that has caused trouble for many users. Once on the PC, the virus changes file extensions to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Some variants of the XTBL virus cannot destroy the system recovery files, which allows you to get important documents back. The virus itself can be removed by many programs, but decrypting documents is very difficult. If you own a licensed antivirus, use technical support, attaching samples of the infected data.

Kukaracha

The Kukaracha ransomware was discovered in December 2016. This virus with an interesting name encrypts user files using the RSA-2048 algorithm, which is highly resistant. Kaspersky Antivirus labels it Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that other documents are not infected. However, files already encrypted are currently almost impossible to decrypt (a very powerful algorithm).

How does a ransomware virus work?

There are a huge number of ransomware, but they all work on a similar principle.

  1. Getting onto the personal computer. Typically via a file attached to an email; the installation is initiated by the user, who opens the document.
  2. File infection. Almost all types of files are encrypted (depending on the virus). A text document is created that contains contacts for communicating with the attackers.
  3. Done. The user cannot access any document.

Protection tools from popular laboratories

The widespread use of ransomware, which is recognized as the most dangerous threat to user data, has spurred many antivirus laboratories into action. Every popular company provides its users with programs that help them fight ransomware. In addition, many of them help with document decryption and system protection.

Kaspersky and ransomware viruses

One of the most famous anti-virus laboratories in Russia and the world offers today's most effective tools for combating ransomware viruses. The first obstacle for a ransomware virus will be Kaspersky Endpoint Security 10 with the latest updates. The antivirus simply will not allow the threat onto your computer (although it may not stop new versions). To decrypt information, the developer offers several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help find the virus and recover the password.

Dr. Web and ransomware

This laboratory recommends using its antivirus program, the main feature of which is file backup. The storage holding copies of documents is also protected from unauthorized access by intruders. Owners of a licensed Dr. Web product can get help from technical support. True, even experienced specialists cannot always counter this type of threat.

ESET Nod 32 and ransomware

This company did not stand aside either, providing its users with good protection against viruses entering their computer. In addition, the laboratory recently released a free utility with current databases, Eset Crysis Decryptor. The developers say that it will help in the fight against even the newest ransomware.

A ransomware virus is a malicious program that, when activated, encrypts all personal files, such as documents, photos, etc. The number of such programs is very large and is increasing every day. Only recently we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The goal of such encryption viruses is to force users to buy, often for a large sum of money, the program and key necessary to decrypt their own files.

Of course, you can restore encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But most often, the cost of decryption is very significant, and you also need to know that some ransomware viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just annoying to pay to restore your own files.

Below we will talk in more detail about encryption viruses, how they penetrate the victim’s computer, as well as how to remove the encryption virus and restore files encrypted by it.

How does a ransomware virus penetrate a computer?

A ransomware virus is usually spread via email. The message contains infected documents. Such messages are sent to a huge database of email addresses. The authors of the virus use misleading subjects and message bodies, trying to trick the user into opening the attached document. Some messages inform about the need to pay a bill, others offer to look at the latest price list, still others offer to open a funny photo, etc. In any case, opening the attached file will result in your computer being infected with a ransomware virus.

What is a ransomware virus?

A ransomware virus is a malicious program that affects modern versions of the Windows family of operating systems, such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. These viruses try to use the strongest possible encryption modes, for example RSA-2048 with a key length of 2048 bits, which practically rules out guessing the key in order to decrypt the files independently.

When infecting a computer, the ransomware virus uses the system directory %APPDATA% to store its own files. To start itself automatically when the computer is turned on, the ransomware creates an entry in the Windows registry under the keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. A ransomware virus uses the filename extension to identify the group of files that will be encrypted. Almost all types of files are encrypted, including the common document, image, archive, database and media formats.

Immediately after a file is encrypted, it receives a new extension, which can often be used to identify the name or type of ransomware. Some types of this malware also change the names of encrypted files. The virus then creates a text document with a name like HELP_YOUR_FILES or README, which contains instructions for decrypting the encrypted files.

During its operation, the encryption virus tries to block the ability to restore files from the Volume Shadow Copy Service (VSS). To do this, the virus calls the shadow-copy administration utility from the command line with a switch that deletes the copies completely. Thus, it is almost always impossible to restore files from their shadow copies.

The ransomware virus actively uses intimidation tactics, giving the victim a link to a description of the encryption algorithm and displaying a threatening message on the desktop. In this way, it tries to force the user of the infected computer to send the computer ID to the virus author's email address without hesitation in order to try to get their files back. The response to such a message is most often the ransom amount and an e-wallet address.

Is my computer infected with a ransomware virus?

It is quite easy to determine whether a computer is infected with an encryption virus. Pay attention to the extensions of your personal files, such as documents, photos, music, etc. If the extension has changed, or your personal files have disappeared, leaving behind many files with unknown names, then your computer is infected. Another sign of infection is the presence of a file named HELP_YOUR_FILES or README in your directories. This file will contain instructions for decrypting the files.
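A triage routine for the indicators just described (changed or appended extensions, a single new extension spreading across many files, and ransom-note files named HELP_YOUR_FILES or README), written as an added example that is not part of the article. The file listing, the baseline extension set and the mass-rename threshold are constructed assumptions; on a real share you would feed it the output of a directory walk.

```python
from collections import Counter

# Names the article says ransomware leaves behind; compared on the stem,
# case-insensitively, so README.txt and HELP_YOUR_FILES.html both match.
RANSOM_NOTE_STEMS = {"HELP_YOUR_FILES", "README"}

# Extensions expected on an ordinary user share. Constructed baseline for the
# demo; derive it from a clean snapshot of your own data in practice.
BASELINE_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".zip", ".rar", ".csv",
}

# One unknown extension on at least this share of all files looks like a
# mass rename rather than a stray file. Assumed threshold.
MASS_RENAME_SHARE = 0.25


def split_name(path):
    """Return (stem, [ext1, ext2, ...]) with extensions lower-cased, for both
    Windows and POSIX paths: 'report.docx.xtbl' -> ('report', ['.docx', '.xtbl'])."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) == 1 or parts[0] == "":
        return name, []
    return parts[0], ["." + p.lower() for p in parts[1:]]


def triage_listing(paths):
    """Score a list of file paths for the ransomware indicators above."""
    notes, appended = [], []
    unknown = Counter()
    for path in paths:
        stem, exts = split_name(path)
        if stem.upper() in RANSOM_NOTE_STEMS:
            notes.append(path)
        if not exts:
            continue
        last = exts[-1]
        if last not in BASELINE_EXTENSIONS:
            unknown[last] += 1
            # 'invoice.pdf.xtbl': the original type survives inside the name,
            # the classic sign of an appended ransomware extension.
            if len(exts) >= 2 and exts[-2] in BASELINE_EXTENSIONS:
                appended.append(path)
    total = len(paths)
    mass = sorted(ext for ext, n in unknown.items() if total and n / total >= MASS_RENAME_SHARE)
    if notes and (mass or appended):
        verdict = "infected"
    elif notes or mass or appended:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "ransom_notes": notes,
        "appended_extensions": appended,
        "mass_renamed_extensions": mass,
        "unknown_extension_counts": dict(unknown),
        "verdict": verdict,
    }


# Constructed listing of a share after an XTBL-style infection (not real data).
SAMPLE_LISTING = [
    r"D:\Shared\Accounting\invoice_0417.pdf.xtbl",
    r"D:\Shared\Accounting\ledger_2016.xlsx.xtbl",
    r"D:\Shared\Accounting\contract.docx.xtbl",
    r"D:\Shared\Accounting\README.txt",
    r"D:\Shared\HR\staff_list.xlsx.xtbl",
    r"D:\Shared\HR\HELP_YOUR_FILES.html",
    r"D:\Shared\HR\holiday.jpg",
    r"D:\Shared\HR\policy.pdf",
    r"D:\Shared\IT\backup_notes.txt",
    r"D:\Shared\IT\setup.exe",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"verdict: {result['verdict']}")
    print(f"mass-renamed extensions: {result['mass_renamed_extensions']}")
    print(f"ransom notes: {result['ransom_notes']}")
```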

If you suspect that you have opened an email infected with a ransomware virus, but there are no symptoms of infection yet, do not turn off or restart your computer. Follow the steps described in the relevant section of this manual. I repeat once again: it is very important not to turn off the computer, because with some types of ransomware the file encryption process is triggered the first time the computer is turned on after infection!

How to decrypt files encrypted with a ransomware virus?

If this disaster happens, there is no need to panic! But you need to know that in most cases there is no free decryptor. This is due to the strong encryption algorithms used by such malware, which means that without the private key it is almost impossible to decrypt the files. Guessing the key is not an option either, because of its length. Therefore, unfortunately, paying the virus authors the entire requested amount is the only way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the authors of the virus will contact you and provide the key necessary to decrypt your files. In addition, you need to understand that by paying money to virus developers, you yourself encourage them to create new viruses.

How to remove a ransomware virus?

Before you begin, you need to know that once you start removing the virus and trying to recover files yourself, you forfeit the option of decrypting the files by paying the virus authors the amount they requested.

Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect various types of active ransomware and will easily remove them from your computer, BUT they cannot restore encrypted files.

5.1. Remove ransomware using Kaspersky Virus Removal Tool

By default, QPhotoRec is configured to recover all file types, but to speed up the work it is recommended to leave only the file types that you need to recover. When you have completed your selection, click OK.

At the bottom of the QPhotoRec program window, find the Browse button and click it. You need to select the directory where the recovered files will be saved. It is advisable to use a disk that does not contain encrypted files that require recovery (you can use a flash drive or external drive).

To start the procedure for searching and restoring original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is complete, click the Quit button. Now open the folder you have chosen to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3, etc. The more files the program finds, the more directories there will be. To find the files you need, check all directories one by one. To make it easier to find the file you need among a large number of recovered ones, use the built-in Windows search (by file content), and do not forget the option of sorting the files in each directory. You can sort by the file modification date, since QPhotoRec attempts to restore this property when recovering a file.

How to prevent a ransomware virus from infecting your computer?

Most modern anti-virus programs already have built-in protection against the penetration and activation of encryption viruses. Therefore, if your computer does not have an antivirus program, be sure to install one. You can find out how to choose one by reading this.

Moreover, there are specialized protection programs, for example CryptoPrevent; more details.

A few final words

By following these instructions, your computer will be cleared of the ransomware virus. If you have any questions or need help, please contact us.

For decades, cybercriminals have successfully exploited flaws and vulnerabilities on the World Wide Web. In recent years, however, there has been a clear increase in the number of attacks and in their sophistication: attackers are becoming more dangerous, and malware is spreading at rates never seen before.

Introduction

We're talking about ransomware, which took an incredible leap in 2017, causing damage to thousands of organizations around the world. For example, in Australia, ransomware attacks such as WannaCry and NotPetya even caused concern at the government level.

Summing up the “successes” of ransomware malware this year, we will look at the 10 most dangerous ones that caused the greatest damage to organizations. Let's hope that next year we will learn our lessons and prevent this type of problem from entering our networks.

NotPetya

This ransomware attack started with the Ukrainian accounting software M.E.Doc, which replaced 1C after the latter was banned in Ukraine. In just a few days, NotPetya infected hundreds of thousands of computers in more than 100 countries. This malware is a variant of the older Petya ransomware, the only difference being that the NotPetya attacks used the same exploit as the WannaCry attacks.

As NotPetya spread, it affected several organizations in Australia, such as the Cadbury chocolate factory in Tasmania, which had to temporarily shut down its entire IT system. This ransomware also managed to infiltrate the world's largest container shipping company, Maersk, which reportedly lost up to $300 million in revenue.

WannaCry

This ransomware, terrible in its scale, has practically taken over the entire world. Its attacks used the infamous EternalBlue exploit, which exploits a vulnerability in the Microsoft Server Message Block (SMB) protocol.

WannaCry infected victims in 150 countries and more than 200,000 machines on the first day alone. We have written about this sensational malware.

Locky

Locky was the most popular ransomware in 2016, but continued to operate in 2017. New variants of Locky, dubbed Diablo and Lukitus, emerged this year using the same attack vector (phishing) to launch exploits.

Locky was behind the email fraud scandal at Australia Post. According to the Australian Competition and Consumer Commission, citizens lost more than $80,000 to this scam.

CrySis

This instance was distinguished by its masterful use of the Remote Desktop Protocol (RDP). RDP is one of the most popular methods for distributing ransomware because it allows cybercriminals to compromise machines that control entire organizations.

CrySis victims were forced to pay between $455 and $1,022 to recover their files.

Nemucod

Nemucod is distributed using a phishing email that looks like an invoice for transport services. This ransomware downloads malicious files stored on hacked websites.

In terms of the use of phishing emails, Nemucod is second only to Locky.

Jaff

Jaff is similar to Locky and uses similar techniques. This ransomware is not notable for its original methods of spreading or encrypting files, but on the contrary, it combines the most successful practices.

The attackers behind it demanded up to $3,700 for access to encrypted files.

Spora

To spread this type of ransomware, cybercriminals hack legitimate websites and add JavaScript code to them. Users who land on such a site see a pop-up warning prompting them to update the Chrome browser in order to continue browsing the site. After downloading the so-called Chrome Font Pack, users became infected with Spora.

Cerber

One of the many attack vectors that Cerber uses is called RaaS (Ransomware-as-a-Service). According to this scheme, attackers offer to pay for the distribution of the Trojan, promising a percentage of the money received. Thanks to this “service,” cybercriminals send out ransomware and then provide other attackers with the tools to distribute it.

Cryptomix

This is one of the few ransomware that does not have a specific type of payment portal available within the dark web. Affected users must wait for cybercriminals to send them e-mail instructions.

Users from 29 countries were victims of Cryptomix; they were forced to pay up to $3,000.

Jigsaw

Another malware from the list that began its activity in 2016. Jigsaw inserts an image of the clown from the Saw film series into spam emails. As soon as the user clicks on the image, the ransomware not only encrypts, but also deletes the files if the user is too late in paying the $150 ransom.

Conclusions

As we see, modern threats are using increasingly sophisticated exploits against well-protected networks. While increased awareness among employees can help manage the impact of infections, businesses need to go beyond basic cybersecurity standards to protect themselves. Defending against today's threats requires proactive approaches that leverage real-time analytics powered by a learning engine that includes understanding threat behavior and context.

Ransomware continues its oppressive march across the Internet, infecting computers and encrypting important data. How can you protect yourself from ransomware and protect Windows from it, and have patches been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. Damage from the virus attack already totals $1 billion. In 2 weeks, the ransomware virus infected at least 300 thousand computers, despite warnings and security measures.

Ransomware virus 2017, what is it? As a rule, you can “pick it up” on seemingly the most harmless sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware “settles” in the System32 system folder. From there the program immediately disables the antivirus and adds itself to autorun, so that after every reboot it starts from the registry and resumes its dirty work. The ransomware begins to download similar copies of programs such as Ransom and Trojan, and self-replication is also common. This process can be instantaneous, or it can take weeks until the victim notices something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, and sometimes a .dll library. Most often, the file has a completely harmless-looking name, for example “document.doc” or “picture.jpg”, where the visible extension is part of the name and the true file type is hidden.

After encryption is complete, the user sees, instead of familiar files, a set of “random” characters in the name and inside, and the extension changes to a previously unknown one - .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017 – how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all encryption and ransomware viruses, since recently it has infected computers most often. So we will talk about protecting yourself from ransomware in general, of which there is a great variety: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware

Wanna Cry spreads through the EternalBlue exploit via the SMB protocol ports.

Protecting Windows from ransomware 2017 – basic rules:

  • Windows update, timely transition to a licensed OS (note: the XP version is not updated)
  • updating anti-virus databases and firewalls on demand
  • extreme care when downloading any files (cute kitten pictures can result in the loss of all data)
  • backup important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

If you rely on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have not yet found a solution for treating infected files. At the moment, it is possible to remove the virus using an antivirus, but there are no algorithms yet to return everything “to normal”.

Some try to use decryptors such as the RectorDecryptor utility, but this will not help: an algorithm for decrypting the new viruses has not yet been developed. It is also completely unknown how the virus will behave if it is not removed after using such programs. Often this results in the erasure of all files, as a warning from the virus authors to those who do not want to pay.

At the moment, the most effective way of getting lost data back is to contact the technical support of the vendor of the antivirus program you use. To do this, send an email or use the feedback form on the manufacturer's website. Be sure to attach the encrypted file and, if available, a copy of the original. This will help the programmers in developing the algorithm. Unfortunately, for many, a virus attack comes as a complete surprise and no copies can be found, which greatly complicates the situation.

Drastic methods of curing Windows of ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which entails a complete reinstallation of the OS. Many will think of System Restore, but this is not an option: although a “rollback” will get rid of the virus, the files will still remain encrypted.