WannaCry - how it spreads, treatment, protection against the virus. WannaCry virus: symptoms, principle of action, methods of protection

WannaCry (also WannaCrypt, WCry, WanaCrypt0r 2.0, Wanna Decryptor) is malware that combines a network worm with ransomware. The program encrypts almost all files stored on the computer and demands a ransom to decrypt them. A huge number of malware samples of this type have been registered in recent years, but WannaCry stands out from them because of the scale of its spread and the techniques it uses.

This ransomware began spreading at approximately 10 am, and by the evening of May 12 the media were already reporting numerous infections. Various publications wrote that the largest holdings, including Sberbank, had been hit by a hacker attack.

User question. “My current personal laptop, running Windows 7 Home Premium, installs various patches automatically when I turn it off...

And the W10 tablet I have automatically installs new patches when it is turned on... Don’t corporate desktop PCs automatically update their OS when turned on or off?” Indeed, why not?

After some time, the full set of exploits was made publicly available along with training videos, so anyone could use it, which is exactly what happened. The exploit kit includes the DoublePulsar tool. On a machine with port 445 open and without update MS17-010 installed, a remote code execution vulnerability (the NSA EternalBlue exploit) makes it possible to intercept system calls and insert malicious code into memory. No e-mail needs to be received: if you have a computer with Internet access, the SMBv1 service running and patch MS17-010 not installed, the attacker will find you himself (for example, by scanning through address ranges).

WannaCry Analysis

The WannaCry Trojan (aka WannaCrypt) encrypts files with certain extensions on the computer and demands a ransom of $300 in bitcoins. Three days are given for payment; after that the amount doubles.

The American AES algorithm with a 128-bit key is used for encryption.

In test mode, encryption is performed with a second RSA key embedded in the Trojan, which is why the test files can be decrypted.

During encryption, several files are selected at random. The Trojan offers to decrypt them for free to convince the victim that the rest can be decrypted after the ransom is paid.

But these selected files and the rest are encrypted with different keys, so there is no guarantee of decryption!

Signs of a WannaCry infection

Once on the computer, the Trojan runs as a Windows system service named mssecsvc2.0 (display name: Microsoft Security Center (2.0) Service).

The worm accepts command-line arguments. If at least one argument is specified, it attempts to open the mssecsvc2.0 service and configure it to restart in case of an error.

After launch, it tries to rename the file C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, saves the encryptor Trojan from its resources to the file C:\WINDOWS\tasksche.exe and launches it with the /i parameter. During startup, the Trojan obtains the IP address of the infected machine and tries to connect to TCP port 445 of every IP address in the subnet: it searches for machines on the internal network and tries to infect them.

24 hours after being launched as a system service, the worm automatically exits.

To spread, the malware initializes Windows Sockets and CryptoAPI and launches several threads. One of them enumerates all network interfaces on the infected PC and polls the hosts reachable on the local network; the rest generate random IP addresses. The worm tries to connect to these remote hosts on port 445. If the port is reachable, it infects the host in a separate thread using the vulnerability in the SMB protocol.

Immediately after launching, the worm tries to send a request to a remote server whose domain name is stored in the Trojan. If a response to this request is received, it terminates.
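The infection signs listed above can be checked on a single host with a read-only triage script. The script below is an added example, not code from the original article or from any vendor; it uses only the artifacts named in the text (the mssecsvc2.0 service, C:\WINDOWS\tasksche.exe and C:\WINDOWS\qeriuwjhrf, the tasksche.exe /i process, and outbound connections to TCP 445), and the connection-count threshold of 10 is an assumption chosen for the example.

```powershell
# Added example (not from the original article): read-only triage for the
# WannaCry artifacts described above. Run in an elevated PowerShell session.
$findings = @()

# 1. The worm's service: mssecsvc2.0, display name "Microsoft Security Center (2.0) Service"
$svc = Get-CimInstance Win32_Service -Filter "Name='mssecsvc2.0'"
if ($svc) {
    $findings += "Service mssecsvc2.0 present (display name '$($svc.DisplayName)', state $($svc.State), path $($svc.PathName))"
}

# 2. Files the worm drops or renames in the Windows directory
foreach ($name in 'tasksche.exe', 'qeriuwjhrf') {
    $path = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "File $path present ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 3. The encryptor launched as tasksche.exe /i
$procs = Get-CimInstance Win32_Process -Filter "Name='tasksche.exe'"
foreach ($p in $procs) {
    $findings += "Process tasksche.exe (PID $($p.ProcessId)) running with command line: $($p.CommandLine)"
}

# 4. Outbound scanning: many connections to TCP/445 from this host.
#    The threshold of 10 is an assumption for this example, not a published indicator.
$conns = @(Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'SynSent' -or $_.State -eq 'Established' })
if ($conns.Count -gt 10) {
    $targets = @($conns | Select-Object -ExpandProperty RemoteAddress -Unique).Count
    $findings += "$($conns.Count) connections to TCP/445 towards $targets distinct hosts (possible worm scanning)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No WannaCry artifacts found on this host.'
} else {
    Write-Output 'Possible WannaCry infection; isolate the host from the network and preserve evidence:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A hit on any of the first three checks is strong evidence on its own; the connection count alone can also be produced by legitimate file-server traffic, so treat it as a prompt to look further rather than a verdict.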


Protection against WannaCrypt and other ransomware

To protect against the Wanna Cry ransomware and its future modifications, it is necessary to:

  1. Disable unused services, including SMB v1.
  • SMBv1 can be disabled using PowerShell:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • Via the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, parameter SMB1 of type DWORD = 0
  • You can also disable the driver responsible for SMBv1 on the client side (yes, SMBv1 has its own driver, mrxsmb10, separate from the SMBv2 driver mrxsmb20); note that sc.exe requires a space after each "=":
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
  2. Use a firewall to close unused network ports, including ports 135, 137, 138, 139 and 445 (SMB ports).

Figure 2. Example of blocking port 445 using Windows Firewall

Figure 3. Example of blocking port 445 using Windows Firewall

  3. Use an antivirus or firewall to restrict applications' access to the Internet.

Figure 4. Example of restricting an application's Internet access using Windows Firewall

Yesterday, May 12, computers running Windows operating systems around the world were subjected to the largest attack in recent history. It was carried out by a program of the Ransomware class, that is, malicious software that encrypts user files and demands a ransom to restore access to them. In this case the amounts range from $300 to $600, which the victim must transfer to a specific Bitcoin wallet. The size of the ransom depends on the time that has passed since the infection: after a certain interval it increases.

According to Kaspersky Lab, WannaCry was most widespread in Russia

To avoid joining the ranks of those whose computers are infected, it is necessary to understand how the malware penetrates the system. According to Kaspersky Lab, the attack exploits a vulnerability in the SMB protocol that allows remote execution of code. It is based on the EternalBlue exploit, created within the walls of the US National Security Agency (NSA) and published by hackers in open access.

Microsoft released a fix for the EternalBlue issue in bulletin MS17-010 dated March 14, 2017, so the first and foremost measure of protection against WannaCry is to install this Windows security update. Precisely the fact that many users and system administrators had not yet done so was the reason for such a large-scale attack, the damage from which has yet to be assessed. True, the update was designed for the Windows versions still under support. But Microsoft also released patches for legacy operating systems such as Windows XP, Windows 8 and Windows Server 2003. You can download them from this page.

It is also recommended to be vigilant about messages arriving by e-mail and other channels, to use an up-to-date antivirus in monitoring mode and, if possible, to check the system for threats. If MEM:Trojan.Win64.EquationDrug.gen activity is detected and eliminated, reboot the system and then make sure that MS17-010 is installed. Currently, eight detection names for the virus are known:

  • Trojan-Ransom.Win32.Gen.djd;
  • Trojan-Ransom.Win32.Scatter.tr;
  • Trojan-Ransom.Win32.Wanna.b;
  • Trojan-Ransom.Win32.Wanna.c;
  • Trojan-Ransom.Win32.Wanna.d;
  • Trojan-Ransom.Win32.Wanna.f;
  • Trojan-Ransom.Win32.Zapchast.i;
  • PDM:Trojan.Win32.Generic.

The virus “speaks” many languages

Do not forget about regularly backing up important data. Note that WannaCry targets the following categories of files:

  • the most common office documents (.ppt, .doc, .docx, .xlsx, .sxi);
  • some less popular document types (.sxw, .odt, .hwp);
  • archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv);
  • e-mail files (.eml, .msg, .ost, .pst, .edb);
  • databases (.sql, .accdb, .mdb, .dbf, .odb, .myd);
  • project files and source code (.php, .java, .cpp, .pas, .asm);
  • encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes);
  • graphic formats (.vsd, .odg, .raw, .nef, .svg, .psd);
  • virtual machine files (.vmx, .vmdk, .vdi).

And in conclusion: if infection could not be avoided, you still must not pay the attackers. Firstly, even if the money is transferred to the specified Bitcoin wallet, no one guarantees decryption of the files. Secondly, you cannot be sure that the attack on the same computer will not be repeated and that the cybercriminals will not demand a larger ransom. And thirdly, paying for the unblocking “service” rewards those who conduct criminal activity on the Internet and encourages them to carry out new attacks.

WannaCrypt (which translates as “I want to cry”) is a computer virus that on May 12, 2017 struck a large number of computers running the Microsoft Windows operating system. The vulnerability affects PCs running Windows versions from XP to Windows 10 and Server 2016. The virus affected computers of individuals, commercial organizations and government agencies around the world. WannaCrypt is used as a means of extorting money.

Who is behind this, or the origin of the virus

The exact origin of the virus has not been established at this time, but our editors were able to find the 3 main versions.

1. Russian hackers

Yes, friends, a virus this resonant could not go without everyone’s favorite “Russian hackers”. The recent warnings from the Shadow Brokers group to US President Donald Trump after the missile strikes in Syria that he approved may be related to the incident.

2. US intelligence agencies

On May 15, Russian President Vladimir Putin named the US intelligence services as the source of the virus and said that “Russia has absolutely nothing to do with it.” Microsoft management also stated that the primary source of this virus is US intelligence agencies.

3. Government of the DPRK

Representatives of the antivirus companies Symantec and Kaspersky Lab said that cybercriminals from a group associated with Pyongyang were involved in the cyber attacks using the WanaCrypt0r 2.0 virus, which infected thousands of computers in 150 countries.

WannaCry encrypts most or even all files on the computer. The program then displays a message on the screen demanding a ransom of $300 to decrypt the files. Payment must be made to a Bitcoin wallet. If the user does not pay the ransom within 3 days, the amount doubles to $600. After 7 days the virus deletes all encrypted files and all your data is lost.

Symantec has published a list of all file types that Wanna Cry can encrypt. The list includes ALL popular file formats, including .xlsx, .xls, .docx, .doc, .mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .3gp, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar, etc.

Ways to protect yourself from the virus

Currently the only effective method of protecting against the virus is to update the OS, in particular to close the vulnerability that WannaCry exploits.

Protection methods:

1. System update

Turn on automatic system updates in Windows Update on your computer.

2. Backups

Back up important information and use cloud platforms to store it.

3. Anti-ransomware utility

Install the free Kaspersky Anti-Ransomware utility for protection against ransomware.

4. Port 445

Block all communication on port 445, both on end-user workstations and on network equipment.

For Windows 10

    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"
    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"

For Windows 7

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

If the command produces no output, that is as it should be: this is normal behavior and indicates that the command has been applied.
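The controls from the "Protection against WannaCrypt" section and the "Port 445" section above can be verified with one audit script. The script below is an added example, not code from the original article; it only reports, changing nothing, and assumes a Windows version on which Get-SmbServerConfiguration and the NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallPortFilter) are available, falling back to a "cmdlet unavailable" result otherwise.

```powershell
# Added example (not from the original article): reports the state of the
# SMBv1 and firewall controls described above. Read-only; run elevated.
$results = @()

# SMB1 server protocol (Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later)
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'SMB1 server protocol (Get-SmbServerConfiguration)'
    Ok      = [bool]($smb -and -not $smb.EnableSMB1Protocol)
    Value   = $(if ($smb) { $smb.EnableSMB1Protocol } else { 'cmdlet unavailable' })
}

# Registry value used by the Windows 7 method above
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'LanmanServer\Parameters\SMB1 = 0'
    Ok      = [bool]($reg -and $reg.SMB1 -eq 0)
    Value   = $(if ($reg) { $reg.SMB1 } else { 'absent (SMB1 enabled by default)' })
}

# SMBv1 client driver mrxsmb10 (the service disabled with sc.exe above)
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
$results += [pscustomobject]@{
    Control = 'mrxsmb10 driver start type'
    Ok      = [bool]($drv -and $drv.StartMode -eq 'Disabled')
    Value   = $(if ($drv) { $drv.StartMode } else { 'not installed' })
}

# Enabled inbound block rules for the SMB-related TCP ports listed above
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
foreach ($port in 135, 139, 445) {
    $match = foreach ($rule in $blockRules) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$port") { $rule.DisplayName }
    }
    $results += [pscustomobject]@{
        Control = "Inbound TCP/$port blocked by firewall"
        Ok      = [bool]$match
        Value   = $(if ($match) { @($match) -join ', ' } else { 'no block rule' })
    }
}

$results | Format-Table -AutoSize
```

A row with Ok = False identifies which of the steps above still has to be applied on that host; the SMB1 registry row is the only one that also means "not yet hardened" when the value is absent, because SMBv1 is on by default.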

Treating your computer for a virus

1. Boot Windows into safe mode

In Windows 7, this can be done by pressing the F8 key while the system restarts.

2. Remove unwanted applications.

You can uninstall unwanted applications yourself through Uninstall Programs.

3. Recover encrypted files.

To restore files, you can use various decryptors and utilities.

Conclusion

So, today we talked about the Wanna Cry virus. We learned what this virus is, how to protect yourself from infection, and how to remove the virus. Undoubtedly, this virus will go down in history and be remembered by many. Although the infection is subsiding, the scale of it all is simply amazing. I hope this article turned out to be useful for you.

This cyber attack has already been called the largest in history: more than 70 countries, tens of thousands of infected computers. The ransomware virus called Wanna Cry (“I want to cry”) spares no one. Hospitals, railways and government agencies are under attack.

The attack was most massive in Russia. The messages coming in now resemble reports from the computer fronts. Among the latest: Russian Railways stated that the virus tried to penetrate its IT system; it has already been contained and is being removed. The Central Bank, the Ministry of Internal Affairs, the Ministry of Emergency Situations and telecom companies also reported hacking attempts.

This is what the virus looks like as it paralyzes tens of thousands of computers around the world: a clear interface and text translated into dozens of languages, “you only have three days to pay.” The malicious program that encrypts files demands, according to various sources, from 300 to 600 dollars to unlock them, and only in cryptocurrency. The blackmail is literally on the verge of life and death.

“I was completely ready for the operation, they had even put in an IV, and then the surgeon comes and says that they have problems with the equipment due to a cyber attack,” says Patrick Ward.

No “vaccine” against the computer virus was found either in the forty British clinics that were the first to be attacked or in the largest Spanish telecommunications company, Telefonica. Traces of what experts call one of the largest hacker attacks in world history appeared even on station displays in Germany. In one of the seven control centers of the German railway carrier Deutsche Bahn, the control system failed. The consequences could have been catastrophic.

In total, 74 countries have already become victims of the cyber attack. The only places left untouched are Africa and several states in Asia and Latin America. Is it really only for now?

“This is all done to make money for organized crime. There is no political agenda or ulterior motive. Pure blackmail,” says antivirus expert Ben Rapp of an IT company.

The British media, however, immediately found a political motive and blamed Russian hackers for everything, without any evidence, linking the cyber attack to an American airstrike in Syria: allegedly the ransomware virus was Moscow’s revenge. At the same time, according to the same British media, Russia suffered the most in this attack, and that is hard to argue with. More than a thousand computers were attacked in the Ministry of Internal Affairs alone. However, to no avail.

“We repelled attacks at the Ministry of Emergency Situations and the Ministry of Health, at Sberbank and Megafon.” The mobile operator even suspended the work of its call center for some time.

“The presidential decree on the creation of the Russian segment of the Network is a closed internet around government officials. The defense industry has long been behind this shield. Most likely, I think, the ordinary computers of ordinary employees suffered. It is unlikely that access to the databases was affected: they, as a rule, run on other operating systems and, as a rule, are located at providers,” said Adviser to the Russian President on Internet Development German Klimenko.

The program, according to antivirus developers, infects the computer if the user has opened a suspicious message and has not yet updated Windows. This is clearly seen in the example of seriously affected China: the inhabitants of the Middle Kingdom, as is well known, have a special love for pirated operating systems. But is it worth paying for thoughtlessly clicking the mouse? People all over the world are wondering.

“If a company does not have a backup copy, it may lose access to its data. That is, for example, if a database of hospital patients along with their medical histories is stored in a single copy on the server the virus has entered, the hospital will have no way to restore this data,” says cybersecurity expert Ilya Skachkov.

So far, as bloggers have found out, the scammers’ electronic wallet holds no more than four thousand dollars. A trifle, considering the list of victims: the cost of hacking their hard drives is clearly not comparable. The British Financial Times suggested that the ransomware virus is nothing more than a malicious program of the US National Security Agency modified by attackers. It was once created to penetrate closed American systems. This was also confirmed by its former employee Edward Snowden.

From Snowden's Twitter: "Wow, the NSA's decision to create attack tools against US software is now putting the lives of hospital patients at risk."

WikiLeaks has also repeatedly warned that, in a manic desire to monitor the whole world, American intelligence services are spreading malware. But even if that is not the case, the question remains how NSA programs end up in the hands of attackers. Another thing is interesting: another American agency, the Department of Homeland Security, is proposing to save the world from the virus.

Be that as it may, the true scale of this attack remains to be assessed. Infection of computers around the world continues. There is only one “vaccine” here: caution and forethought. It is important not to open suspicious attachments. At the same time, experts warn that there is more to come: the frequency and scale of cyber attacks will only increase.