The WannaCry ransomware has blocked your PC: how to protect yourself from infection. Instructions for protecting your computer and the data on it

  • More than 200,000 computers have already been infected!
The attack was aimed mainly at the corporate sector, then at telecommunications companies in Spain, Portugal, China and England.
  • The biggest blow fell on Russian users and companies, including Megafon, Russian Railways and, according to unconfirmed reports, the Investigative Committee and the Ministry of Internal Affairs. Sberbank and the Ministry of Health also reported attacks on their systems.
For decrypting the data the attackers demand a ransom of 300 to 600 dollars in bitcoin (about 17,000 to 34,000 rubles).


[Figures in the original: interactive infection map; the ransom window; the list of file extensions WannaCry encrypts]

Despite the virus's targeting of the corporate sector, the average user is also not immune from WannaCry penetration and possible loss of access to files.
  • Instructions for protecting your computer and the data on it from infection:
1. Users of Kaspersky Lab products: the System Watcher component can roll back the changes made by an encryptor that has managed to get past the other protection layers. Make sure it is present in your product.
2. Check that System Watcher (shown as "Activity Monitor" in some versions) is actually enabled in the settings.
3. ESET NOD32 for Windows 10 prompts you to check for new OS updates. If you had automatic updates enabled in advance, the necessary Windows updates are already installed and the system is protected against WannaCryptor and other attacks that use the same hole.
4. ESET NOD32 products also include detection of as yet unknown threats, based on behavioural and heuristic technologies.

If a virus behaves like a virus, it is most likely a virus.

Since May 12 the ESET LiveGrid cloud system has successfully repelled attacks by this virus, and it did so even before the signature database was updated.
5. ESET technologies also protect devices running legacy systems: Windows XP, Windows 8 and Windows Server 2003 (we recommend that you stop using these outdated systems). Because of the very high threat level for these OSs, Microsoft made an exception and released updates for them. Download them.
6. To minimise the risk to your PC, update Windows 10 urgently: Start - Settings - Update and Security - Check for updates (on older versions: Start - All Programs - Windows Update - Check for updates - Download and install).
7. Install Microsoft's official update MS17-010, which fixes the flaw in the SMB server service through which the worm gets in; that service is the entry point used in this attack. If the update cannot be installed right away, disable SMBv1 or block inbound TCP port 445 at the firewall as a stop-gap.
8. Make sure that all the security tools available on your computer are running and in working order.
9. Scan the entire system. If the scan reports MEM:Trojan.Win64.EquationDrug.gen (a memory-resident detection), reboot the system.
And once again I recommend that you check that the MS17-010 patch is installed.
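The checks behind steps 6 and 7 above, and the first two of the "basic rules" later on this page (update Windows, keep the firewall current), can be scripted. The following PowerShell is an added example written for this page; it is not code from the original article or from Microsoft. It assumes an elevated prompt, that the KB numbers listed are the ones the MS17-010 bulletin shipped (verify them against the bulletin for your exact build), and it uses a firewall rule name, "Block-WannaCry-SMB", chosen here.

```powershell
# Added example: audit a Windows host for the MS17-010 fix and for the SMBv1
# exposure WannaCry uses, then remediate. Run from an elevated PowerShell prompt.
# KB list assumed from the MS17-010 bulletin; check it for your OS build.

# Security-only and monthly-rollup packages that carried the MS17-010 fix.
$ms17010Kbs = @(
    'KB4012598',                              # Windows XP / Server 2003 / Windows 8 (out-of-band, 12 May 2017)
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # $true if one of the original MS17-010 packages is listed by Get-HotFix.
    # Caveat: later cumulative updates supersede these KBs without listing them,
    # so $false means "not proven patched", not "vulnerable". Disabling SMBv1 is
    # the check that holds regardless of patch history.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($ms17010Kbs | Where-Object { $installed -contains $_ })
}

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the documented registry switch for the SMB1 server.
    $val = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }   # value absent = SMB1 enabled by default
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
    }
    # On Windows 8.1/10 also remove the optional feature so the driver is never loaded.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-Smb445Inbound {
    # Blocks the port EternalBlue arrives on. Rule name chosen for this example.
    $name = 'Block-WannaCry-SMB'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / 2008 R2 have no NetSecurity module; netsh does the same job.
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

$patched = Test-Ms17010Installed
$smb1    = Get-Smb1State
Write-Host "MS17-010 package listed: $patched"
Write-Host "SMBv1 server enabled:    $smb1"
if ($smb1) { Disable-Smb1 }
Block-Smb445Inbound
if (-not $patched) {
    Write-Warning 'No MS17-010 package found: install it through Windows Update. A restart is needed after disabling SMBv1.'
}
```

Blocking inbound 445 is appropriate on workstations and laptops, which normally have no reason to serve files; on a file server it would cut off every client, so there rely on the patch plus disabling SMBv1 and restrict 445 at the network edge instead. The script is idempotent: running it twice adds no second firewall rule.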

Currently specialists at Kaspersky Lab, ESET and other antivirus vendors are actively working on a file decryption program that would let users of infected PCs regain access to their files. Until such a tool exists, do not wipe the encrypted files: keep an image of the disk, since any future decryptor can only work on files that still exist.

On May 12, 2017 a large-scale virus attack hit computers running Windows. In Russia alone about 30,000 computers were infected. Among the victims were not only ordinary users but also many organisations and government agencies. According to reports on the net, parts of the network of the Ministry of Internal Affairs of the Russian Federation and of the Megafon network were infected. A number of other, less well-known organisations also suffered from the WannaCry attack, or WCry as it is more often called. How the ransomware penetrated such protected devices is not yet known; whether it was the result of a user's mistake or a general vulnerability in the Ministry's network has not been reported. The first information on the RuNet appeared on the Kaspersky forum, where the new virus was actively discussed.

What kind of virus is this?

After penetrating the computer the virus unpacks itself, drops its own components for encrypting the user's data, and in the background begins encrypting the files on the computer, renaming each one to filename.WNCRY. Here is what users report happens after the computer catches the virus:

  • Immediately after entering the system the virus takes control of it and can prevent other software from starting, even software that needs no installation,
  • Portable antiviruses and utilities launched straight from a connected drive also give no result and simply do not start,
  • All USB ports and drives stop functioning,
  • The screen is covered by the Wana Decrypt0r 2.0 banner, informing you that the computer is infected, that all the data on it is encrypted, and that you must pay the ransom.
The owners of the virus ask the user to transfer the equivalent of $300 in bitcoin to their wallet. There are also reports that if the amount is not paid within 3 days it is doubled, and if no payment arrives within a week the virus deletes all the user's data from the computer. Judging by information from some of our users, this timing scheme is not the same for everyone: there are devices on which the payment deadline is 14 days.

How to protect yourself from the virus.

There is no need to panic: the virus is not new in principle and it can be protected against. It is an ordinary encryptor of a kind we have already met several times. To avoid infection, be careful with every piece of software you run. Advice that circulated at the time, to hold off on all updates until the infection route was known, should not be followed here: the route is known, a flaw in the Windows SMB server, and the fix is the MS17-010 update described above. A badly made update can of course introduce a hole of its own, but a known, unpatched hole that a worm is actively exploiting is the larger risk. If you have the experience and the means, install a good third-party firewall (blocking inbound TCP port 445 at the least) and step up monitoring of system and network activity for a while.

Helping the victims

On Friday, May 12, a regular client, a designer, came to us with a laptop on which his layouts, source files and other graphics were stored. His computer was infected with the WannaCryptor virus. A number of "experiments" were carried out, and they gave results! Here is what helped us:

  • We disassembled the computer and removed the hard drive with the data,
  • Connected the drive to an iMac,
  • By trying several decryptors we found some that recovered part of the data from drive D,
  • The customer then decided to reinstall the system and delete the remaining data,
  • Just in case, we made an image of the system on our own storage; as soon as a solution to the problem appears, we will recover the remaining data.
Dear friends, if you have become a victim of this virus, please contact us and we will try to help. We carry out the experiments free of charge :) And here we tell you in detail how. Let's fight evil together!


WannaCry ransomware virus: what to do?

A wave of a new encryption virus, WannaCry (other names Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world, which encrypts documents on a computer and extorts 300-600 USD for decoding them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what to do to recover?

Is your computer infected with the Wana Decryptor ransomware virus?


According to Jakub Kroustek of Avast, over 100 thousand computers had already been infected, 57% of them in Russia (isn't that a strange selectivity?). Another count registers more than 45 thousand infections. Not only servers are affected but also the computers of ordinary people running Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. All encrypted documents get the suffix .WNCRY added to their name.

Protection against the virus existed back in March, when Microsoft published the "patch", but judging by the scale of the outbreak many users, system administrators included, ignored the security update. And what happened, happened: Megafon, Russian Railways, the Ministry of Internal Affairs and other organisations are now cleaning their infected computers.

Given the global scale of the epidemic, on May 12 Microsoft published a protective update for products it no longer supports: Windows XP, Windows 8 and Windows Server 2003.

You can check whether your computer is infected with an antivirus utility, for example Kaspersky's (or the tool also recommended on the Kaspersky support forum).

How to avoid becoming a victim of the Wana Decryptor ransomware virus?

The first thing you must do is close the hole. To do this, download

On May 12, it became known about an encryption virus that was spreading at record speed: in one weekend it infected more than 200 thousand computers in 150 countries. After this, the spread of the virus was stopped, but within a day several more versions of the virus appeared and its spread continues. Therefore, we are publishing answers to some questions that will tell you in general terms what kind of virus this is, where it came from and will help you protect your computer.

Kuzmich Pavel Alekseevich, Director of the Laboratory of Computer Forensics at ITMO University.

Does the virus infect computers and other devices of individual users?
Yes, the virus can also infect users’ computers. Most likely, employees of those organizations where the infection was detected used computers to receive mail and “surf” the Internet and, not being convinced of the safety of the received letters and the sites they opened, downloaded malicious software onto them. This method of fraud cannot be called new: the problem of so-called encryption viruses has been relevant for several years, and the price of $300 can be considered quite “humane.” So, a year and a half ago, one organization contacted our laboratory, from which the attackers demanded $700 in the same bitcoins for decrypting only one file with clients.

What can you do to avoid being exposed to the virus?
First, be careful where you go on the Internet. Secondly, carefully watch your mail and, before opening any files in the letters, make sure that it is not a fraudulent letter. Very often, viruses are distributed in files attached to letters supposedly from Rostelecom, where an employee allegedly sends an invoice for payment. Often the same fraudulent letters began to arrive on behalf of Sberbank, as well as bailiffs. In order to avoid becoming a victim of attackers, you should carefully look at where the link in the letter leads, as well as what extension the file attached to the letter has. Well, it’s also important to at least sometimes make backup copies of important documents onto separate removable media.

Does this mean that all the databases of the attacked organizations are now blocked? Will attackers be able to use them for their own purposes? Will personal data from these databases be affected?
I think that it is, of course, not worth talking about blocking work: most likely, this is a problem of individual workplaces. However, the fact that employees of various departments use work computers not only for working on the Internet is somewhat alarming. It is quite possible that in this way the confidential information of their clients could be compromised - in the case of commercial organizations, as well as large volumes of personal data - in the case of government departments. It is hoped that such information was not processed on these computers.

Will the situation affect MegaFon subscribers? Is it dangerous to use mobile Internet now?
Most likely not, since the infrastructure elements of the network are certainly protected from this type of attack. Moreover, with a high degree of probability we can say that this virus is designed for vulnerabilities in the operating system manufactured by Microsoft, and the overwhelming majority of network equipment is controlled either by its own operating system or operating systems of the Linux family.

What happens when a virus enters a system? How can you tell if your computer is infected?
Most often, infection and the active phase of the virus - data encryption - manifests itself in the form of a significant decrease in computer performance. This is a consequence of the fact that encryption is an extremely resource-intensive process. This can also be noticed when files with an unknown extension appear, but usually at this stage it is too late to take any action.

Will it be possible to recover locked data?
Often it is impossible to restore. Previously, the key was the same for all infected people, but after the virus was caught and decrypted, and standard codes became widely known (they can be found on the forums of anti-virus software manufacturers), attackers began to encrypt information with a new key each time. By the way, viruses use a complex version of the cipher: most often it is asymmetric encryption, and breaking such a cipher is very difficult, extremely time-consuming and resource-consuming, which actually becomes impossible.

How long will the virus spread across the Internet?
I think that until its authors distribute it. And this will happen until the distributors are caught by law enforcement agencies or until users stop opening emails with viruses and begin to be more attentive to their actions on the Internet.

Grigory Sablin, virus analyst, expert in the field of information security at ITMO University, winner of international competitions in protecting computer information (caution: programmer vocabulary!).

Attackers are exploiting a vulnerability in the SMB protocol, MS17-010; the patch is already on Microsoft's servers. Those who have not updated may be hit as it spreads. But, one can say, these users are themselves to blame: they used pirated software or did not update Windows. I myself am curious how the situation will develop: there was a similar story with the MS08-067 bug, which was then used by the Kido worm, and many people got infected then too. What can I recommend now: either turn the computer off or update Windows. You can expect many antivirus companies to compete for the right to release a decryption utility. If they manage it, it will be a brilliant PR move, as well as a chance to earn good money. It is not certain that all locked files can be recovered. This virus can get in anywhere because many computers are still not updated. By the way, this exploit was taken from an archive that "leaked" from the US National Security Agency (NSA), so this is an example of how intelligence services can act in any emergency situation.

According to the press service of ITMO University

WannaCry continues its oppressive march across the Internet, infecting computers and encrypting important data. How do you protect yourself from the ransomware and protect Windows against it, and have patches been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. Damage from the attack is estimated at $1 billion. In two weeks the ransomware infected at least 300 thousand computers, despite the warnings and security measures.

Ransomware virus 2017: what is it? As a rule you can "pick it up" on seemingly harmless sites, including, by some accounts, banking sites with user logins. Once on the victim's disk the ransomware "settles" in the System32 system folder, disables the antivirus and adds itself to autorun, so that after every reboot it is started again from the registry and resumes its dirty work. It may download further copies of itself and other Trojans, and it often replicates itself. This can happen almost instantly, or it can take weeks before the victim notices something is wrong.

The ransomware often disguises itself as an ordinary picture or text file, but the essence is always the same: it is an executable (.exe, .drv, .xvd, sometimes a .dll library). Most often the file has a completely innocuous name such as "document.doc" or "picture.jpg", where that "extension" is typed into the name by hand and the real one is hidden: Windows hides known extensions by default, so "document.doc.exe" is displayed as "document.doc".

After encryption is complete the user sees, instead of familiar files, names made of "random" characters with garbage inside, and the extension changes to one not seen before: .NO_MORE_RANSOM, .xdata and others.
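The symptoms described on this page (files renamed to .WNCRY, executables hiding behind a second extension, and the question of what can still be recovered) can be checked on a suspect machine without destroying evidence. The PowerShell below is an added example written for this page, not code from the original article; it assumes PowerShell 3 or later, an elevated prompt, and that the user's data lives under the default root C:\Users (pass -Roots to change that). The list of document and executable extensions it matches is the editor's, not the article's.

```powershell
# Added example: read-only triage of a host suspected of WannaCry infection.
# It lists and counts; it does not delete, clean or reboot anything.
param(
    [string[]]$Roots = @('C:\Users')   # assumption: where user data is kept
)

function Find-EncryptedFiles {
    param([string[]]$Paths)
    # WannaCry appends .WNCRY to every file it encrypts.
    Get-ChildItem -Path $Paths -Recurse -Force -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue
}

function Find-DoubleExtensionExecutables {
    param([string[]]$Paths)
    # "document.doc.exe" is shown as "document.doc" when Explorer hides known extensions.
    $docs = 'doc|docx|xls|xlsx|pdf|jpg|jpeg|png|txt'
    $exec = 'exe|scr|com|bat|cmd|js|vbs|pif|dll|drv'
    Get-ChildItem -Path $Paths -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "\.($docs)\.($exec)$" }
}

function Get-ExtensionHidingState {
    # 1 = known extensions hidden (Windows default), 0 = shown. Set to 0 to see the real name.
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    (Get-ItemProperty -Path $k -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
}

function Get-ShadowCopyCount {
    # WannaCry deletes Volume Shadow Copies; if any survive, "Previous Versions" may still help.
    # 0 can also mean the query was denied, so run elevated.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$enc = @(Find-EncryptedFiles -Paths $Roots)
Write-Host ("Encrypted (.WNCRY) files: {0}" -f $enc.Count)
if ($enc.Count -gt 0) {
    # The spread of LastWriteTime is the encryption window for the incident timeline.
    $t = @($enc | Sort-Object LastWriteTime)
    Write-Host ("  first: {0}   last: {1}" -f $t[0].LastWriteTime, $t[-1].LastWriteTime)
    $enc | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

$dbl = @(Find-DoubleExtensionExecutables -Paths $Roots)
Write-Host ("Double-extension executables: {0}" -f $dbl.Count)
$dbl | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Write-Host ("Explorer hides known extensions (1 = yes): {0}" -f (Get-ExtensionHidingState))
Write-Host ("Shadow copies remaining: {0}" -f (Get-ShadowCopyCount))
Write-Host 'Next: disconnect the machine from the network, image the disk before any cleanup, do not pay.'
```

Run it before any antivirus clean-up: the count and timeline of .WNCRY files tell you how far the encryption got and when it started, the double-extension list is the likely initial sample if the infection came by e-mail rather than over SMB, and the shadow-copy count tells you whether built-in recovery is still an option before you reach for a decryptor or a backup.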

Wanna Cry ransomware virus 2017: how to protect yourself. Note first that the name Wanna Cry has come to be used loosely for all encryptor and ransomware viruses, since it has infected more computers than any other recently. So we will talk about protection from ransomware in general, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware. WannaCry itself spreads with the EternalBlue exploit over the SMB protocol (TCP port 445).

Protecting Windows from ransomware in 2017, the basic rules:

  • Update Windows and move to a licensed OS in good time (note: Windows XP normally no longer receives updates; Microsoft made a one-off exception for the MS17-010 fix)
  • update antivirus databases and the firewall promptly
  • take extreme care when downloading any file (cute kitten pictures can cost you all your data)
  • back up important information to removable media, and disconnect that media afterwards.

Ransomware virus 2017: how to disinfect and decrypt files.

Do not count on your antivirus to decrypt anything for now. The laboratories of Kaspersky, Dr.Web, Avast! and the other antivirus vendors have so far found no way to repair the infected files. At the moment an antivirus can remove the virus, but there is as yet no algorithm to return everything "to normal".

Some try decryptors such as the RectorDecryptor utility, but this will not help: no decryption algorithm for the new viruses has been worked out yet, and a tool written for a different family cannot undo this one. It is also unknown how the virus will behave if it is still present when such programs are used; its authors threaten to erase all files as a warning to those who refuse to pay.

At the moment the most effective way to recover lost data is to contact the technical support of the vendor of the antivirus you use. Send a letter or use the feedback form on the manufacturer's site, and be sure to attach an encrypted file and, if you have one, a copy of the original. That pair helps the programmers work out the algorithm. Unfortunately, for many the attack comes as a complete surprise and no copies can be found, which greatly complicates matters.

Radical methods of treating Windows after ransomware. Unfortunately, sometimes the only option is to format the hard drive completely, which means reinstalling the OS. Many think of System Restore, but that is not a solution: a "rollback" will remove the virus, but the files will stay encrypted, because System Restore does not touch user documents. WannaCry also deletes the Volume Shadow Copies on the infected machine, so the "Previous Versions" feature will not bring the files back either; the only reliable source is a backup that was kept disconnected.
