Download the virus patch. WannaCry encryption epidemic: what to do to avoid infection

  1. May is here, meet WannaCry.
  2. WannaCry is the name of the ransomware virus that began its activity, let’s say, on May 12, 2017, infecting the computers of users and companies in 90 countries. Microsoft has officially released patches even for older operating systems that are outdated and no longer supported. I will provide the full list and all the links at the end of the article.
  3. How does Wanna manifest itself?
  4. Like all ransomware viruses, it is hard to notice during the encryption process unless you happen to see that the files are changing and acquiring a different extension. For example, with this virus an encrypted file looks like this: file name.png.WNCRY
  5. Below is a map of how countries were infected by the virus during the first hours of infection and spread, a map from Symantec.
  6. Next, once the virus has encrypted the files, it reveals itself: the user is shown a message and can select the appropriate language. The message informs you that your files are encrypted and walks you through the payment steps, let’s put it this way.
  7. The second window shows how much and how you should pay: transfer 300 bitcoins. There is also a countdown timer.
  8. Desktop background and other background pictures show the message:
  9. Encrypted files have a double extension, for example: file name.doc.WNCRY. Below is what it looks like:
  10. Also, in each folder there is an executable file (its name is framed by @ signs) for decryption after the ransom is paid (possible, but unlikely), and a text document (likewise framed by @ signs) with something for the user to read (also possible, but unlikely).
  11. The virus encrypts files with the following extensions:
  12. I would like to note that among the extensions WannaCry encrypts there is no 1C file extension (1C is widely used in Russia).
  13. I also ask you to pay attention to the most important thing for restoring your files after infection. Restoration is possible if system protection is enabled, namely Volume Shadow Copy, and User Account Control (UAC) is running, which it most likely is if you haven’t disabled it. In that case the virus will ask you to disable system protection so that the encrypted files, namely the originals deleted after encryption, cannot be restored. Of course, in this case you must not agree to the shutdown. It looks something like this:
  14. Bitcoin wallets scammers.
  15. The most interesting thing here is how the amount in the scammers’ wallet grows. Bitcoin wallet:
  16. Check at least once a day how much the scammers’ profit has grown and you will be surprised, believe me! This is an ordinary Bitcoin wallet service in which anyone can register a wallet, so there is nothing to worry about if you look at the wallet’s deposit statistics.
  17. WannaCry 1.0 was distributed through spam and websites. Version 2.0 is identical to the first version, but a worm was added to it, which spreads on its own by reaching the victims’ computers through the SMB network protocol.
  18. Microsoft Corporation in the fight against WannaCry:
  19. Microsoft offers update packages for users of older operating systems:
  20. Windows Server 2003 SP2 x64
    Windows Server 2003 SP2 x86
    Windows XP SP2 x64
    Windows XP SP3 x86
    Windows XP Embedded SP3 x86
    Windows 8 x86
    Windows 8 x64
    Go to the official blogs.technet.microsoft
    What does Kaspersky say?
  21. The official Kaspersky blog describes the process in more detail and has several additions you can read, albeit in English.
  22. Securelist.
  23. Supplemented by the Kaspersky support article dated May 15, 2017:
  25. You can also view an interactive cyber-threat map and follow the spread of the virus in real time:
  26. Intel malwaretech map for the WannaCry 2.0 virus:
  27. Another map, this one built specifically on the WannaCry 2.0 virus, shows its spread in real time (if the map does not work after following the link, refresh the page):
  28. Video “Comodo Firewall 10 vs WannaCry Ransomware” about the protection technology:
    official site.
    596 variants of WannaCry
  29. An independent laboratory discovered 596 samples of WannaCrypt. List of SHA256 hashes:
  30. From the author:
  31. I’ll add on my own behalf: I use Comodo Internet Security 10 for protection, but the best antivirus is yourself. As the saying goes, God protects those who protect themselves, and I keep such protection because my work involves various tasks that leave room for virus attacks to slip through, let’s call them that.
  32. Disable the SMB1 protocol for a while, until you install the security updates, or permanently if you don’t need it at all. From the command line, run cmd as the system administrator and disable the protocol with dism, command:
  33. dism /online /norestart /disable-feature /featurename:SMB1Protocol

  34. Other methods of enabling and disabling the SMB v1, v2 and v3 protocols are described on the official Microsoft website.
  35. In the graphical interface, you can disable the protocol like this: Control Panel > Add or Remove Programs (Uninstall or change a program) > Turn Windows features on or off > then see the picture below.

A computer virus under the original name Wanna Crypt (“I want to encrypt”) and the corresponding shortened name WannaCry (“I want to cry”) blocked tens of thousands of computers around the world on May 12, 2017. The very next day the epidemic was stopped. However, the virus developers changed the code, and millions of computers running Windows found themselves under attack again.

The virus encrypts files and demands a ransom of $300. Victims have already paid tens of thousands of dollars, but there is no information about decryption yet. In any case, it is better to prevent infection and its possible consequences than to try to save information after an attack.

1. Install Windows updates

Download from https://technet.microsoft.com/library/security/MS17-010 and install the patch that protects against WannaCry. Microsoft considers it so important that it even released a version for Windows XP (support for which ended in 2014).

In addition, the vulnerability that WannaCry attacks rely on was closed by a regular Windows update back in March. Update Windows.

2. Back up important files

Save your work and personal files. You can copy them to an external HDD or a flash drive, upload them to the cloud or to an FTP server, or e-mail them to yourself, a colleague or a friend. Just don’t overwrite recently saved “clean” files with their encrypted versions: use other media. It’s better to have two copies than none.

3. Close ports 139 and 445

It sounds like something out of a hacker movie, but it’s not that difficult. And it is very useful, because it will protect your computer from WannaCry. You need to do the following:

  • Open Windows Firewall, for example through “Network Connections”;
  • Select “Advanced Settings”;
  • Find “Inbound Rules” in the middle of the screen, scrolling down a little;
  • Then, starting from the main menu: “Action / New Rule... / Port / Specific local ports: 139 / Block the connection”;
  • Do the same for port 445.

4. Find a network administrator or Google it yourself

The main thing has already been done; you are relatively safe. You also need to block SMB v1, inspect the VPN settings, and check the system for viruses. In principle, you can do all this yourself, but it will be easier and more reliable to find specialists.

5. If you cannot complete at least steps 1-2, turn off the computer

If for some reason you were unable to install the patch from Microsoft, update Windows and save important files to external media, it is better to turn off your computer. Just cut the power so that the virus has no chance to destroy your digital assets. As a last resort, at least turn off Internet access.

Wait for specialists to arrive, for the release of a decryptor, or for special “one-click” versions of antiviruses. This will not take much time, but it will save years of work spent on creating all those files that are now at risk.

Today, perhaps, only people very far from the Internet are unaware of the mass infection of computers with the WannaCry (“I want to cry”) encryption Trojan that began on May 12, 2017. I would divide the reaction of those who do know into two opposite categories: indifference and panic. What does this mean?

It means that fragmentary information does not give a complete picture of the situation, breeds speculation and leaves more questions than answers. Today’s article is devoted to understanding what is really happening, who is threatened and how, how to protect yourself from infection, and how to decrypt files damaged by WannaCry.

Is the “devil” really that scary?

I don’t understand what all the fuss about WannaCry is. There are many viruses, and new ones appear constantly. What’s special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is not ordinary cyber malware. The reason for its notoriety is the gigantic amount of damage it caused. According to Europol, it disrupted the work of more than 200,000 computers running Windows in 150 countries around the world, and the damage suffered by their owners amounted to more than $1,000,000,000. And this is only in the first 4 days of its spread. Most of the victims are in Russia and Ukraine.

I know that viruses get onto PCs through adult sites. I don’t visit such resources, so I’m not in danger.

A virus? Big deal. When viruses appear on my computer, I run the *** utility and after half an hour everything is fine. And if that doesn’t help, I reinstall Windows.

Not all viruses are alike. WannaCry is a ransomware Trojan and a network worm that can spread through local networks and the Internet from one computer to another without human intervention.

Most malware, including ransomware, starts working only after the user “swallows the bait,” that is, clicks a link, opens a file, etc. But to get infected with WannaCry, you don’t need to do anything at all!

Once on a Windows computer, the malware encrypts the bulk of the user’s files in a short time, after which it displays a message demanding a ransom of $300-600, which must be transferred to the specified wallet within 3 days. If payment is late, it threatens to make decryption of the files impossible after 7 days.

At the same time, the malware looks for loopholes through which to penetrate other computers, and if it finds them, it infects the entire local network. This means that backup files stored on neighboring machines also become unusable.

Removing the virus from a computer does not decrypt the files! Neither does reinstalling the operating system. On the contrary, after a ransomware infection both of these actions may deprive you of the ability to recover files even if you have a valid key.

So yes, the “devil” is quite scary.

How WannaCry spreads

You’re lying. A virus can only get onto my computer if I download it myself. And I’m vigilant.

Many malware programs can infect computers (and mobile devices too, by the way) through vulnerabilities, that is, errors in the code of operating system components and programs that give cyber-attackers an opportunity to use a remote machine for their own purposes. WannaCry, in particular, spreads through a 0-day vulnerability in the SMB protocol (zero-day vulnerabilities are errors that were not yet fixed at the time malware/spyware began exploiting them).

That is, two conditions are sufficient for a computer to be infected by the ransomware worm:

  • A connection to a network where there are other infected machines (the Internet).
  • The presence of the loophole described above in the system.

Where did this infection even come from? Is this the work of Russian hackers?

According to some reports (I am not responsible for their authenticity), the gap in the SMB network protocol, which serves for legitimate remote access to files and printers in Windows, was first discovered by the US National Security Agency (NSA). Instead of reporting it to Microsoft so that the error could be fixed, the NSA decided to use it itself and developed an exploit for it (a program that exploits the vulnerability).

Visualization of the dynamics of WannaCry distribution on the website intel.malwaretech.com

Subsequently, this exploit (codenamed EternalBlue), which for some time served the NSA to penetrate computers without the knowledge of the owners, was stolen by hackers and formed the basis for the creation of the WannaCry ransomware. That is, thanks to the not entirely legal and ethical actions of the US government agency, virus writers learned about the vulnerability.

I disabled Windows updates. Why are they needed when everything works without them?

The reason for such a rapid and widespread epidemic was the absence, at that time, of a “patch,” that is, a Windows update that would close the WannaCry loophole. After all, it took time to develop one.

Today such a patch exists. Users who update the system automatically received it within the first hours of release. And those who believe that updates are not needed are still at risk of infection.

Who is at risk from the WannaCry attack and how to protect against it

As far as I know, more than 90% of the computers infected with WannaCry were running Windows 7. I have “ten,” which means I’m not in danger.

All operating systems that use the SMB v1 network protocol are at risk of WannaCry infection. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v 1511
  • Windows 10 v1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Today, users of systems on which the patch is not installed (it is available for free download from technet.microsoft.com) are at risk of catching the malware over the network. Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported operating systems can also be downloaded. Microsoft also describes ways to check whether the life-saving update is present.

If you don't know the OS version on your computer, press the Win+R key combination and run the winver command.

To enhance security when it is not possible to update the system right now, Microsoft provides instructions for temporarily disabling SMB protocol version 1. Additionally, though not necessarily, you can close TCP port 445, which SMB uses, in the firewall.

I have the best antivirus in the world, ***; with it I can do anything and I’m afraid of nothing.

WannaCry can spread not only by the self-propagating mechanism described above, but also in the usual ways: through social media, e-mail, infected and phishing web resources, etc. And there have been such cases. If you download and run the malware manually, neither an antivirus nor patches that close vulnerabilities will save you from infection.

How the virus works, what it encrypts

Yes, let it encrypt whatever it wants. I have a friend who is a programmer; he will decrypt everything for me. As a last resort, we will find the key by brute force.

Well, it encrypts a couple of files, so what? That will not stop me from working on the computer.

Unfortunately, your friend will not decrypt anything, since there is no way to crack the RSA-2048 encryption algorithm that WannaCry uses, and none will appear in the foreseeable future. And it will encrypt not just a couple of files, but almost everything.

I will not give a detailed description of the malware’s operation; anyone interested can read one of the published analyses. I will note only the most significant points.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, these are documents, photos, video and audio, archives, mail, and files created in various programs... The malware tries to reach every directory on the system.

Encrypted objects receive a double extension with the suffix WNCRY, for example “Document1.doc.WNCRY”.

After encryption, the virus copies into each folder an executable file (its name is framed by @ signs), supposedly for decryption after the ransom is paid, as well as a text document (likewise framed by @ signs) with a message for the user.

Next, it tries to destroy shadow copies and Windows restore points. If UAC is running, the user must confirm this operation. If you reject the request, there is still a chance to restore data from the copies.

WannaCry transmits the encryption keys of the affected system to command centers located on the Tor network, after which it deletes them from the computer. To find other vulnerable machines, it scans the local network and arbitrary IP ranges on the Internet, and once it finds them, it penetrates everything it can reach.
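The traces described above (files renamed with the .WNCRY suffix, the @-framed note files, and the shadow copies the malware tries to delete) can be inventoried with a read-only triage sweep. The following PowerShell script is an added example, not code from the original article; the root path, the `@*@.*` note pattern and the use of `Win32_ShadowCopy` are assumptions.

```powershell
# Added example (not from the original article): read-only triage of a folder tree for
# WannaCry traces. Run from an elevated prompt so that shadow copies can be queried.
param(
    [string]$Path = 'D:\Shares'   # hypothetical root to inspect (assumption)
)

function Get-WncryTriage {
    param([string]$Root)
    # Encrypted files keep their original extension, e.g. Document1.doc.WNCRY.
    $hits  = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue)
    # The note/decryptor files dropped into each folder have names framed by @ signs
    # (the exact names are not given on this page, so the pattern is an assumption).
    $notes = @(Get-ChildItem -Path $Root -Recurse -File -Filter '@*@.*' -ErrorAction SilentlyContinue)

    # Group victims by their original extension to see what was hit (documents, DBs, ...).
    $byExt = @{}
    foreach ($f in $hits) {
        $stem = $f.Name.Substring(0, $f.Name.Length - $f.Extension.Length)   # drop ".WNCRY"
        $orig = [System.IO.Path]::GetExtension($stem).ToLower()
        if (-not $orig) { $orig = '(none)' }
        if ($byExt.ContainsKey($orig)) { $byExt[$orig]++ } else { $byExt[$orig] = 1 }
    }

    # Earliest encrypted file gives an approximate start time for the incident timeline.
    $first = $hits | Sort-Object LastWriteTime | Select-Object -First 1

    # If shadow copies survive, the UAC prompt was refused and restore is still possible.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        EncryptedFiles   = $hits.Count
        ByExtension      = $byExt
        RansomNoteFiles  = $notes.Count
        FirstEncryptedAt = if ($first) { $first.LastWriteTime } else { $null }
        ShadowCopies     = $shadows.Count
    }
}

Get-WncryTriage -Root $Path | Format-List
```

Run it on an isolated machine before any cleanup: a non-zero ShadowCopies count means file recovery from shadow copies should be attempted first.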

Today, analysts know of several modifications of WannaCry with different distribution mechanisms, and new ones should be expected in the near future.

What to do if WannaCry has already infected your computer

I see files changing their extensions. What’s happening? How do I stop it?

Encryption is not a one-time operation, although it does not take too long. If you manage to notice it before the ransomware message appears on your screen, you can save some of the files by immediately cutting the computer’s power. Not by shutting down the system, but by pulling the plug from the socket!

When Windows boots in normal mode, encryption will continue, so it is important to prevent that. The next start of the computer should be either in safe mode, where viruses are not active, or from other bootable media.

My files are encrypted! The virus demands a ransom for them! What to do, how to decrypt?

Decrypting files after WannaCry is only possible with the secret key, which the attackers promise to provide as soon as the victim transfers the ransom amount to them. However, such promises are almost never kept: why should the malware distributors bother if they already got what they wanted?

In some cases, the problem can be solved without a ransom. To date, two WannaCry decryptors have been developed. The first one works only in Windows XP, and the second, built on the basis of the first, works in Windows XP, Vista and 7 x86, as well as in the server systems 2003, 2008 and 2008 R2 x86.

The operating algorithm of both decryptors is based on searching for the secret keys in the memory of the encryptor process. This means that only those who have not yet restarted the computer have a chance of decryption, and only if not too much time has passed since encryption (the memory has not been overwritten by another process).

So if you are a user of Windows XP through 7 x86, the first thing to do after the ransom message appears is to disconnect the computer from the local network and the Internet and run the WanaKiwi decryptor, downloaded on another device. Do not perform any other actions on the computer until the key has been extracted!

You can read a description of how the WanaKiwi decryptor works in a separate article.

After decrypting the files, run an antivirus to remove the malware and install the patch that closes its distribution paths.

Today WannaCry is recognized by almost all antivirus programs, except those that are not updated, so almost any will do.

How to live this life further

This self-propagating epidemic took the world by surprise. For all kinds of security services, it turned out to be as unexpected as the onset of winter on December 1 is for utility workers. The cause is carelessness and chance. The consequences are irreparable loss of data and damages. And for the creators of the malware, this is an incentive to continue in the same spirit.

According to analysts, WannaCry brought its distributors very good dividends, which means that attacks like this will be repeated. And those who were spared this time will not necessarily be spared next time. Unless, of course, you take care of it in advance.

So, to make sure you never have to cry over encrypted files:

  • Do not refuse to install operating system and application updates. This will protect you from 99% of threats that spread through unpatched vulnerabilities.
  • Keep it on.
  • Create backups of important files and store them on another physical medium, or better yet, on several. In corporate networks, distributed data storage is optimal; home users can use free cloud services such as Yandex Disk, Google Drive, OneDrive, MEGAsync, etc. Do not keep these applications running when you are not using them.
  • Choose reliable operating systems. Windows XP is not one of them.
  • Install a comprehensive Internet Security class antivirus and additional protection against ransomware, or analogs from other developers.
  • Raise your level of literacy in countering ransomware Trojans. For example, the antivirus vendor Dr.Web has prepared materials for users and administrators of various systems. A lot of useful and, importantly, reliable information is contained in the blogs of other A/V developers.

And most importantly: even if you have suffered, do not transfer money to the attackers for decryption. The probability that you will be deceived is 99%. Moreover, if no one pays, the extortion business will become meaningless. Otherwise, the spread of such an infection will only grow.

WannaCry epidemic: answers to FAQ and debunking user misconceptions. Updated: May 27, 2017. By: Johnny Mnemonic

HOW TO PROTECT YOURSELF FROM THE NEW WannaCry VIRUS May 13th, 2017


A massive attack is underway using Wana Decrypt0r 2.0 (WannaCry).
A hell of a lot of people around the world have already suffered, from ordinary users to large companies, so this post is important for EVERYONE. Repost it.

The virus spreads through port 445. Computers connected directly to the Internet (without NAT/firewall) are at risk; there are also cases of end-user computers being infected via UPnP (the user visits an infected site or downloads the virus, it forwards port 445 to this computer, infects it, and then spreads across the local network by the same method).

HOW to PROTECT YOURSELF as a simple user:

The first thing you need to do is download the patches from the Microsoft website that close the hole:
Link to Microsoft updates (MS17-010) for vulnerabilities exploited by Wana Decrypt0r
● All versions of Windows https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The vulnerability can also be closed by disabling SMBv1 support entirely. To do this, just run the following command in a command prompt (cmd) started as Administrator:

dism /online /norestart /disable-feature /featurename:SMB1Protocol

Link to the Kaspersky forum with the necessary information:
https://forum.kasperskyclub.ru/index.php?s=c4c52a4d7a471462090727ce73e65b24&showtopic=55543&page=1

What to do if I am already infected:

(Some information is taken from third-party sites.)
Method for Windows Vista, 7, 8, 8.1, 10 and Windows Server 2008/2012/2016.
1. Download patch MS17-010 for your version of Windows
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2. Disconnect from the Internet.
3. Open a command prompt (cmd) as administrator.
3.1 Start => type cmd in the search => right-click => Run as administrator
4. Enter this command at the command prompt:
netsh advfirewall firewall add rule name="Block_TCP-445" dir=in action=block protocol=TCP localport=445
4.1 Press Enter => it should print OK.
5. Enter safe mode
5.1 During boot, when the BIOS screen appears, press F8, then select “Safe Mode” from the list
6. Find and delete the virus folder
6.1 To do this, right-click any virus shortcut, select “Open file location”, and delete the root folder.
7. Restart your computer.
8. Boot into normal mode and start installing patch MS17-010
8.1 Connect to the Internet during the installation.
That's all. Everything worked for me and my friends.
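The hardening steps repeated across this page (install MS17-010, disable SMBv1 with dism, block inbound TCP/445 with netsh) are easiest to verify in one place. The following PowerShell script is an added example, not code from any of the quoted posts; it assumes Windows 8/Server 2012 or later for the SMB and NetSecurity cmdlets, takes KB4012212 (the package named on this page) as the default MS17-010 identifier, and treats other KB numbers as values you supply.

```powershell
# Added example (not from the original posts): audit, and optionally apply, the MS17-010
# hardening described on this page. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remediate,                        # apply fixes instead of only reporting
    # KB4012212 is the MS17-010 package named on the page (Windows 7 / Server 2008 R2).
    # Other Windows versions ship MS17-010 under other KB numbers: pass them here.
    [string[]]$Ms17010Kbs = @('KB4012212'),
    [string]$RuleName = 'Block_TCP-445'        # same rule name as the netsh step above
)

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates; any one of the given KBs counts as patched.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-Smb1State {
    # Server side of SMBv1 (what the worm talks to) and the optional-feature state.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [pscustomobject]@{ ServerEnabled = [bool]$server; FeatureState = "$feature" }
}

function Test-Port445Blocked {
    # True if any enabled inbound Block rule has a port filter covering TCP/445.
    $rules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue)
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445')) { return $true }
    }
    return $false
}

$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1    = Get-Smb1State
$blocked = Test-Port445Blocked

[pscustomobject]@{
    MS17010Installed  = $patched
    SMB1ServerEnabled = $smb1.ServerEnabled
    SMB1Feature       = $smb1.FeatureState
    TCP445Blocked     = $blocked
} | Format-List

if ($Remediate) {
    if ($smb1.ServerEnabled) {
        # Server-side equivalent of "dism /online /norestart /disable-feature
        # /featurename:SMB1Protocol"; takes effect without a reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (-not $blocked) {
        # Equivalent of the netsh rule from step 4, created via the NetSecurity module.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 445 | Out-Null
    }
    if (-not $patched) {
        Write-Warning 'MS17-010 not found: install it from https://technet.microsoft.com/library/security/MS17-010'
    }
}
```

Blocking 445 also breaks legitimate file and printer sharing to this host, so keep the rule only until the patch is confirmed installed.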
Please do not delete the encrypted files (i.e. those with the .wncry extension), because the people at Kaspersky release various decryptors on this page: http://support.kaspersky.com/viruses/utility; maybe a decryptor for .wncry will be released soon.
Personally, I used Shadow Explorer and recovered some files.

There are interesting details about this incident on the Internet:

A set of exploits called FuzzBunch has surfaced, which the Shadow Brokers hacker group stole from the Equation Group, hackers from the US National Security Agency. Microsoft quietly closed the holes with MS17-010, perhaps the most important update of the last ten years.

Make backups that are not available via the network or the Internet in simple ways!

On April 12, 2017, information appeared about the rapid worldwide spread of an encryption virus called WannaCry, which can be translated as “I want to cry.” Users have questions about the Windows update against the WannaCry virus.

The virus on the computer screen looks like this:

The bad WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom to a Bitcoin wallet in the amount of $300 or $600 to supposedly decrypt the computer. Computers in 150 countries around the world were infected, with Russia being the most affected.

Megafon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organizations have encountered this virus up close. Among the victims are ordinary Internet users.

Almost everyone is equal before the virus. The difference, perhaps, is that in companies the virus spreads throughout the local network within the organization and instantly infects the maximum possible number of computers.

The WannaCry virus encrypts files on computers running Windows. Microsoft released MS17-010 updates for various Windows versions: XP, Vista, 7, 8, 10.

It turns out that those who have automatic Windows updates enabled are not at risk from the virus, because they received the update in time and were able to avoid it. I don’t presume to say that this is actually the case.

Fig. 3. Message when installing update KB4012212

The KB4012212 update required a reboot of the laptop after installation, which I didn’t really like, because who knows how that could end, but what choice does a user have? However, the reboot went fine. This means that we live in peace until the next virus attack, and, alas, there is no doubt that such attacks will occur.

Some viruses win, others appear again. This struggle will obviously be endless.

Video “I want to cry”: the ransomware virus infected 75 thousand systems in 99 countries
