• More than 200,000 computers have already been infected!

The main targets of the attack were aimed at the corporate sector, followed by telecommunications companies in Spain, Portugal, China and England.

• The biggest blow was dealt to Russian users and companies. Including Megafon, Russian Railways and, according to unconfirmed information, the Investigative Committee and the Ministry of Internal Affairs. Sberbank and the Ministry of Health also reported attacks on their systems.

For decrypting the data, the attackers demand a ransom of 300 to 600 dollars in bitcoins (about 17,000-34,000 rubles).

Break HDD or SSD drive to partitions in Windows 10

Interactive map of infection (CLICK ON THE MAP)
ransom window
Encrypts files of the following extensions

Despite the targeting of the virus to attack the corporate sector, the average user is also not immune from WannaCry penetration and possible loss of access to files.

• Instructions for protecting your computer and data in it from infection:

1. Install the Kaspersky System Watcher application, which has a built-in function to roll back changes caused by the actions of an encryptor that still managed to bypass protection tools.

2. Users of the antivirus program from Kaspersky Lab are advised to check that the System Monitoring function is enabled.

3. For users of ESET NOD32 antivirus for Windows 10, a function has been introduced to check for new available OS updates. In the event that you took care in advance and you had it turned on, then all the necessary new windows updates will be installed and your system will be fully protected from this WannaCryptor virus and other similar attacks.

4. Also, users of ESET NOD32 products have such a function in the program as the detection of still unknown threats. This method is based on the use of behavioral, heuristic technology.

If a virus behaves like a virus, it is most likely a virus.

Since May 12, the ESET LiveGrid cloud system technology has been very successful in repelling all the attacks of attacks of this virus, and all this happened even before the signature database update arrived.

5. ESET technologies provide security, including devices with previous Windows XP, Windows 8 and Windows Server 2003 systems ( we recommend to stop using these outdated systems). Due to the very high level of threat that has arisen for these OS, Microsoft has decided to release updates. Download them.

6. To minimize the threat of harm to your PC, you need to urgently update your Windows versions 10: Start - Settings - Update and security - Check for updates (in other cases: Start - All Programs - Windows Update - Search for updates - Download and install).

7. Install the official patch (MS17-010) from Microsoft, which fixes a bug in the SMB server through which a virus can penetrate. This server involved in this attack.

8. Check that all available security tools are running and in working order on your computer.

9. Perform a virus scan of the entire system. When a malicious attack named MEM:Trojan.Win64.EquationDrug.gen, reboot the system.

And once again I recommend that you check that the MS17-010 patches are installed.

Currently, specialists from Kaspersky Lab, ESET NOD32 and other antivirus products are actively working on writing a program for decrypting files, which will help users of infected PCs to restore access to files.

The WannaCry encryptor (Wana Decrypt0r) became the main IT news of the weekend. You can read about it in sufficient detail and. And in this note there will be only information about the Windows updates that need to be installed and the required detection measures.

So, the list of Windows updates that close the vulnerability, depending on the OS versions, plus links:

Windows 10 version 1511- KB4013198 (download)

Windows 10 version 1607 and Windows Server 2016- KB4013429 (download)

Windows 8.1 and Windows Server 2012 R2- KB4012213 (download) or KB4012216 (download)

The first patch is a collection of only security updates, the second is full package monthly fixes. The vulnerability exploited by WannaCry closes any of them. The same applies to other versions of the OS, where two patches will be indicated.

Windows Embedded 8 Standard and Windows Server 2012- KB4012214 (download) or KB4012217 (download)

Windows 7, Windows Embedded 7 Standard and Windows Server 2008 R2- KB4012212 (download) or KB4012215 (download)

Windows XP, Windows Vista, Windows 8, Windows Server 2003, Windows Server 2008, WES09 and POSReady 2009- KB4012598 (download)

As you can see, Microsoft has introduced patches for legacy systems that are no longer supported.

Antiviruses are already detecting Wana Decrypt0r, but the outlook for decrypting files is still disappointing. Quote from the official website of Kaspersky Lab:

If your files are encrypted, it is strictly forbidden to use those offered on the Internet or received in emails decryption tools. The files are encrypted with a strong algorithm and cannot be decrypted, and the utilities you download can cause even more harm to both your computer and computers throughout the organization, as they are potentially malicious and aimed at a new wave of the epidemic.

Most likely, the peak of infections is already over, although in the future, a couple more modified ransomware will probably appear. However, they will no longer be as news as WannaCry.

1. It's May, Meet WannaCry.
2. Wanna is the name of a ransomware virus that began its activity on May 12, 2017, infecting computers of users and companies in 90 countries. Microsoft has officially released patches for older operating systems that are no longer supported and are obsolete. Full list and all links will be given at the end of the article.

How does Wanna show up?

3. Like all viruses, ransomware is difficult to notice during the encryption process if you yourself did not accidentally see that the files change and become with a different extension. For example, with this virus, encrypted files will look like this: filename.png.WNCRY
4. Below is a map of virus infection of countries in the first hours of infection and spread, a map from Sumantec.
5. Further, as the virus shows after it has encrypted the files, the user will be shown a message and can select the appropriate language. Which reports that your files are infected and go to the payment steps, let's say so.
6. The second window shows how much and how you have to pay, transfer 300 bitcoins. As well as a countdown timer.
7. The desktop background and other background pictures show the message:
8. Encrypted files have a double extension, for example: filename.doc.WNCRY. Below is what it looks like:
9. Also in each folder there is an executable file @ [email protected] for decryption after the ransom (possibly but hardly), as well as Text Document @[email protected] in which there is something to read to the user (also possible, but hardly).

The virus encrypts files with the following extensions:

10. I want to note that among the extensions that WannaCry encrypts, there is no 1C extension that is used in Russia.
11. I also ask you to pay attention to the most important thing in restoring your files after infection. It is possible if you have system protection enabled, namely volume shadow copying and the uac user account control system is working, and it works most likely if you did not disable it. Then the virus will offer to disable system protection so that it is not possible to restore encrypted files, namely those deleted after encryption. Of course, in this case, there is no way to disagree with the disconnection. Looks like this:

Bitcoin wallets are scammers.

12. The most interesting thing here is how the amount on the wallet of scammers grows. bitcoin wallet:
17. watch by visiting at least once a day how much the profit of scammers has grown and you will be surprised, believe me! This is a regular Wallet Bitcoin service in which anyone can register a wallet for themselves, there is nothing to worry about if you look at the wallet replenishment statistics.
18. WannaCry 1.0 was distributed via spam and websites. Version 2.0 is identical to the first version, but a worm was added to it, which propagated on its own, getting onto the victim's computers through a protocol.

Microsoft in the fight against Wanna:

19. Microsoft suggests installing service packs for users of older operating systems:

Windows Server 2003 SP2 x64

Windows Server 2003 SP2 x86

Windows XP SP2 x64

Windows XP SP3 x86

Windows XP Embedded SP3 x86

Windows 8 x86

Windows 8 x64

Go to official blogs.technet.microsoft

What does Kaspersky say?

20. On the official Kaspersky blog, the process is described in more detail and there are several additions that you can learn, though in English.

securelist.

21. Supplemented with the kaspersky support article dated May 15, 2017:

.

22. You can also view an interactive map of cyber threats and find out the spread of the virus in real time:

Intel malwaretech card for WannaCry 2.0 virus:

23. Another map, but specifically for the WannaCry2.0 virus, the spread of the virus in real time (if the map did not work after the transition, refresh the page):

Comodo Firewall 10 vs WannaCry Ransomware video about protection technology:

official site.

596 WannaCry variants

24. An independent laboratory discovered 596 samples of WannaCrypt. List of SHA256 hashes:

From the author:

25. I’ll add on my own since I use protection against Comodo is 10 and in addition, but the best antivirus is you yourself. As they say, God saves the safe, and I have such protection because as I work, I have to perform various tasks in which there is a place for virus attacks to leak, let's call them that.
26. Disable the SMB1 protocol for a while until you install security updates, or if you don’t need it at all using the command line, run cmd as the system administrator and disable the protocol using dism, command:

dism /online /norestart /disable-feature /featurename:SMB1Protocol

27. As well as other methods of enabling and disabling the SMBv1,2,3 protocol on the official Microsoft website.
28. In the graphical interface for disabling the protocol, you can do this: Control Panel> Add or Remove Programs (Uninstall or change a program)> Enable or disable Windows components> more picture below.

Good afternoon, dear readers and guests of the blog, as you remember, in May 2017, a large-scale wave of infection of computers with operating Windows system, a new ransomware virus called WannaCry, as a result of which it was able to infect and encrypt data on more than 500,000 computers, just think about this figure. The worst thing is this variety viruses, is practically not caught by modern antivirus solutions, which makes it even more threatening, below I will tell you a method on how to protect your data from its influence and how to protect yourself from ransomware for a minute, I think you will be interested.

What is an encoder virus

An encryptor virus is a type of Trojan program whose task is to infect a user's workstation, identify files of the required format on it (for example, photos, audio recordings, video files), then encrypt them with a change in file type, as a result of which the user will no longer be able to open them , without special program decoder. It looks like this.

Encrypted file formats

The most common file formats after encryption are:

• no_more_ransom
• vault

Consequences of the ransomware virus

I will describe the most common case in which the encoder virus is involved. Imagine an ordinary user in any abstract organization, in 90 percent of cases the user has the Internet behind his workplace, since with the help of it he brings profit to the company, he surfs the Internet space. A person is not a robot and can be distracted from work by browsing sites that are interesting to him, or sites that his friend advised him. As a result of this activity, he can infect his computer with a file encryptor without knowing it and find out about it when it's too late. the virus has done its job.

The virus at the time of its work tries to process all the files to which it has access, and here it begins that important documents in the department folder, to which the user has access, suddenly turn into digital garbage, local files and much more. It is clear that there should be backups file balls, but what about local files that can make up all the work of a person, as a result, the company loses money for simple work, and the system administrator goes out of his comfort zone and spends his time decrypting files.

The same can happen to an ordinary person, but the consequences here are local and relate personally to him and his family, it is very sad to see cases when a virus encrypted all files, including family photo archives and people did not have a backup copy, well, it is not customary for ordinary people users to do it.

With cloud services, everything is not so simple, if you store everything there and do not use a thick client in your Windows operating system, it's one thing, there in 99% you are not in danger, but if you use, for example, "Yandex disk" or "mail Cloud" synchronizing files from your computer to it, then getting infected and having received that all files are encrypted, the program will send them straight to the cloud and you will also lose everything.

As a result, you see a picture similar to this one, where you are informed that all files are encrypted and you need to send money, now this is done in bitcoins so as not to figure out the attackers. After payment, you supposedly should be sent a decoder and you will restore everything.

Never send money to scammers

Remember that not a single modern antivirus can currently provide windows protection against ransomware, for one simple reason that this Trojan does nothing suspicious from its point of view, it essentially behaves like a user, it reads files, writes, unlike viruses, it does not try to change system files or add registry keys, which is why its detection is so difficult, there is no line that distinguishes it from the user

Sources of ransomware trojans

Let's try to identify the main sources of penetration of the encoder to your computer.

1. E-mail > very often people receive strange or fake emails with links or infected attachments, by clicking on which the victim begins to arrange a sleepless night. I told you how to protect e-mail, I advise you to read it.
2. Across software- you downloaded a program from an unknown source or a fake site, it contains an encoder virus, and when you install the software, you enter it into your operating system.
3. Through flash drives - people still very often go to each other and carry a bunch of viruses through flash drives, I advise you to read "Protecting flash drives from viruses"
4. Through ip cameras and network devices that have access to the Internet - very often due to crooked settings on a router or ip camera connected to a local network, hackers infect computers on the same network.

How to protect your PC from a ransomware virus

Proper use of a computer protects against ransomware, namely:

• Do not open mail you do not know and do not follow incomprehensible links, no matter how they get to you, be it mail or any of the messengers
• Install updates of the Windows or Linux operating system as quickly as possible, they are not released as often, about once a month. If we talk about Microsoft, then this is the second Tuesday of every month, but in the case of file encryptors, updates may be abnormal.
• Do not connect unknown flash drives to your computer, ask your friends to send a better link to the cloud.
• Make sure that if your computer does not need to be available in local network for other computers, then turn off access to it.
• Restrict access rights to files and folders
• Installing an antivirus solution
• Do not install incomprehensible programs hacked by someone unknown

Everything is clear with the first three points, but I will dwell on the remaining two in more detail.

Disable network access to your computer

When people ask me how protection against ransomware is organized in windows, the first thing I recommend is that people turn off the "Microsoft Networks File and Printer Sharing Service", which allows other computers to access resources this computer using Microsoft networks. It's just as relevant from the curious system administrators that work with your ISP.

Disable this service and protect yourself from ransomware in a local or provider network, as follows. Press the key combination WIN + R and in the window that opens, execute, enter the command ncpa.cpl. I will show this on my test computer with the Windows 10 Creators Update operating system.

Choose the right network interface and right click on it, context menu select "Properties"

We find the item "File and printer sharing for Microsoft networks" and uncheck it, then save it, all this will help protect the computer from the ransomware virus on the local network, your workstation simply will not be available.

Restriction of access rights

Protection against the ransomware virus in windows can be implemented in such an interesting way, I will tell you how I did it for myself. And so the main problem in the fight against ransomware is that antiviruses simply cannot fight them in real time, well, they cannot protect you at the moment, so let's be smarter. If the encryptor virus does not have write permissions, then it will not be able to do anything with your data. To give an example, I have a photo folder, it is stored locally on the computer, plus there are two backups on different hard drives. On my local computer, I made read-only rights to it, for that account under which I sit at the computer. If the virus got there, then he simply wouldn’t have enough rights, as you can see, everything is simple.

How to implement all this in order to protect yourself from file encryptors and save everything, we do the following.

• Select the folders you need. Try to use exactly folders, it is easier to assign rights with them. And ideally, create a folder called read-only, and already put all the files and folders you need in it. What's good, by assigning rights to the top folder, they will automatically be applied to other folders in it. Once you copy everything necessary files and folders in it, go to the next paragraph
• Right click on the folder and select "Properties" from the menu

• Go to the "Security" tab and click the "Edit" button

• We are trying to delete access groups, if you get a window with a warning that "It is impossible to delete a group because this object inherits permissions from its parent", then close it.

• Click the "Advanced" button. In the item that opens, click "disable inheritance"

• When asked "What do you want to do with the current inherited permissions" select "Remove all inherited permissions from this object"

• As a result, in the "Permissions" field, everything will be deleted.

• We save the changes. Note that now only the owner of the folder can change permissions.

• Now on the Security tab, click on Edit

• Next, click "Add - Advanced"

• We need to add the "Everyone" group, to do this, click "Search" and select the desired group.

• To protect Windows from ransomware, you must have permissions set for the "Everyone" group, as in the picture.

• That's it, no encoder virus threatens you for your files in this directory.

I hope that Microsoft and other antivirus solutions will be able to improve their products and protect computers from ransomware to their malicious work, but until this happens, follow the rules that I described to you and always backup important data.