26.12.2023

Virus CRYPTED000007 - how to decrypt files and remove ransomware. About updating Windows from the WannaCry ransomware virus WannaCry ransomware virus: what to do

According to the first reports, the encrypting virus activated by attackers on Tuesday was classified as a member of the already known Petya family of ransomware, but it later turned out that this was a new family of malware with significantly different functionality. Kaspersky Lab dubbed the new virus ExPetr.

“The analysis carried out by our experts showed that the victims initially had no chance of getting their files back. Kaspersky Lab researchers analyzed the part of the malware code that is associated with file encryption and found that once the disk is encrypted, the creators of the virus no longer have the ability to decrypt it,” the laboratory reports.

As the company notes, decryption requires a unique identifier for a specific Trojan installation. In previously known versions of similar encryptors Petya/Mischa/GoldenEye, the installation identifier contained the information necessary for decryption. In the case of ExPetr, this identifier does not exist. This means that the creators of the malware cannot obtain the information they need to decrypt files. In other words, victims of the ransomware have no way to get their data back, explains Kaspersky Lab.

The virus blocks computers and demands $300 in bitcoins, Group-IB told RIA Novosti. The attack began on Tuesday around 11:00. According to media reports, as of 6 p.m. Wednesday, the Bitcoin wallet that was specified for transferring funds to the extortionists had received nine transfers. Taking into account the commission for transfers, the victims transferred about 2.7 thousand dollars to the hackers.

Compared to WannaCry, this virus is considered more destructive, as it spreads by several methods: Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the free utility Mimikatz is embedded in the ransomware.

The number of users attacked by the “new Petya” encryption virus has reached 2 thousand, Kaspersky Lab, which is investigating the wave of computer infections, reported on Wednesday.

According to the antivirus company ESET, the attack began in Ukraine, which suffered more than other countries. According to the company’s rating of countries affected by the virus, Italy is in second place after Ukraine, and Israel is in third place. The top ten also included Serbia, Hungary, Romania, Poland, Argentina, the Czech Republic and Germany. Russia took 14th place in this list.

In addition, Avast reported which operating systems suffered the most from the virus.

Windows 7 was in first place, with 78% of all infected computers. Next come Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).

Thus, WannaCry taught the global community virtually nothing - computers remained unprotected, systems were not updated, and Microsoft's efforts to issue patches even for outdated systems simply went to waste.

A wave of a new encryption virus, WannaCry (other names Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world. It encrypts documents on a computer and extorts 300-600 USD for decrypting them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what should you do to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When the antivirus utility detects a virus, it will either remove it immediately or ask you whether to disinfect it. The answer is to disinfect.

How to recover files encrypted by Wana Decryptor?

We can’t say anything comforting at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until a decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the spread of a virus online?

In the case of WannaCry, the solution to the problem may be to block port 445, through which infection occurs, on the firewall.
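One way to apply the port 445 block on a single Windows host, as an added example that is not part of the original article. It assumes an elevated PowerShell session; the rule name is a label chosen for this example, and the `netsh` branch covers older systems such as Windows 7 that lack the NetSecurity cmdlets.

```powershell
# Added example: block inbound SMB (TCP 445) in Windows Firewall and verify the result.
# Side effect: this host stops serving file and printer shares to other machines.
$ruleName = 'Block inbound TCP 445 (example rule)'   # label chosen for this example

if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: NetSecurity cmdlets are available.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # A block rule takes precedence over the built-in "File and Printer Sharing" allow rules.
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        # Rule already exists (script was run before): make sure it is enabled.
        $rule | Enable-NetFirewallRule
    }

    # The rule has no effect on a profile where the firewall itself is switched off.
    Get-NetFirewallProfile | Select-Object Name, Enabled

    # Show whether the SMB server is still listening locally. The listener remains,
    # but inbound connections to it are now dropped by the firewall.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, State
} else {
    # Windows 7 / Server 2008 R2: same rule through netsh.
    netsh advfirewall firewall show rule name="$ruleName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=445 profile=any
    }
    # Confirm the firewall is on for every profile.
    netsh advfirewall show allprofiles state
}
```

A host-level rule only protects the machine it runs on; blocking 445 at the network perimeter and between segments is a separate step, and neither replaces installing the Windows updates the article refers to.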

A new wave of ransomware attacks has swept across the world, with Russian media and Ukrainian companies among the victims. In Russia, Interfax suffered from the virus, but the attack affected only part of the agency, since its IT services managed to shut down part of the critical infrastructure, the Russian company Group-IB said in a statement. They called the virus BadRabbit.

Deputy director of the agency Yuri Pogorely reported the unprecedented virus attack on Interfax on his Facebook page. Two Interfax employees confirmed to Vedomosti that the computers had been turned off. According to one of them, the locked screen visually resembles the result of the actions of the known Petya virus. The virus that attacked Interfax warns that you should not try to decrypt files yourself, and demands a ransom of 0.05 bitcoin ($285 at yesterday's rate), for which it directs you to a special site on the Tor network. The virus assigned a personal identification code to the encrypted computer.

In addition to Interfax, two more Russian media outlets suffered from the encryption virus, one of which is the St. Petersburg publication Fontanka, according to Group-IB.

Fontanka editor-in-chief Alexander Gorshkov told Vedomosti that Fontanka servers were attacked by unknown attackers. But Gorshkov assures that there is no question of an attack by a ransomware virus on Fontanka: the computers of the editorial staff are functioning, and the server responsible for the operation of the site was hacked.

Interfax divisions in the UK, Azerbaijan, Belarus and Ukraine, as well as the Interfax-religion website, continue to operate, Pogorely told Vedomosti. It is not clear why the damage did not affect other divisions; perhaps this is due to the topology of the Interfax network, where the servers are located geographically, and the operating system that is installed on them, he says.

Ukrainian Interfax reported on Tuesday afternoon a hacker attack on Odessa International Airport. The airport apologized to passengers on its website “for the forced increase in service time,” but judging by its online scoreboard, it still continued to send and receive planes on Tuesday.

The Kyiv metro also reported the cyber attack on its Facebook account: there were problems with paying fares by bank card. Front News reported that the metro was attacked by an encryption virus.

Group-IB concludes that there is a new epidemic. In recent months, two waves of ransomware attacks have already swept across the world: on May 12, the WannaCry virus appeared, and on June 27, the Petya virus (also known as NotPetya and ExPetr). They penetrated computers with the Windows operating system that did not have updates installed, encrypted the contents of hard drives and demanded $300 for decryption. As it turned out later, Petya had no intention of decrypting the victims’ computers. The first attack affected hundreds of thousands of computers in more than 150 countries, the second affected 12,500 computers in 65 countries. Russia's Megafon, Evraz, Gazprom and Rosneft also became victims of the attacks. Invitro medical centers also suffered from the virus and did not accept tests from patients for several days.

Petya managed to collect only $18,000 in almost a month and a half. But the damage was incomparably greater. One of its victims, the Danish logistics giant Moller-Maersk, estimated the lost revenue from the cyber attack at $200–300 million.

Among Moller-Maersk's divisions, the main blow fell on Maersk Line, which is engaged in sea transportation of containers (in 2016, Maersk Line earned a total of $20.7 billion, the division employs 31,900 people).

Businesses quickly recovered from the attack, but companies and regulators remained wary. Thus, in August, the Federal network company UES (manages the all-Russian electrical grid), and a few days later Russian banks received a similar warning from FinCERT (the Central Bank structure dealing with cybersecurity).

The new encryption virus attack was also noticed by Kaspersky Lab, according to which most of the victims of the attack are in Russia, but there are infections in Ukraine, Turkey and Germany. All signs indicate that this is a targeted attack on corporate networks, says Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab: methods similar to ExPetr tools are used, but no connection with this virus can be traced.

And according to the antivirus company Eset, the ransomware is still a relative of Petya. The attack used the Diskcoder.D malware, a new modification of the encryptor.

Pogorely said that Symantec antivirus was installed on Interfax computers. Symantec representatives did not respond to Vedomosti's request yesterday.


WannaCry ransomware virus: what to do?


Is your computer infected with the Wana Decryptor ransomware virus?


According to Jakub Kroustek from Avast, over 100 thousand computers have already been infected. 57% of them are in Russia (isn’t that a strange selectivity?). reports the registration of more than 45 thousand infections. Not only servers are infected, but also the computers of ordinary people running Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. All encrypted documents have the prefix WNCRY in their name.

Protection against the virus became available back in March, when Microsoft published a “patch”, but, judging by the outbreak of the epidemic, many users, including system administrators, ignored the computer security update. And what happened, happened: Megafon, Russian Railways, the Ministry of Internal Affairs and other organizations are working on disinfecting their infected computers.

Given the global scale of the epidemic, on May 12, Microsoft published a protection update for long-unsupported products – Windows XP and Windows Vista.

You can check whether your computer is infected using an antivirus utility, for example, Kaspersky or (also recommended on the Kaspersky support forum).

How to avoid becoming a victim of the Wana Decryptor ransomware virus?

The first thing you must do is close the hole. To do this, download