The world of cybercrime is evolving from quantity to quality: fewer new malicious programs appear, but their complexity is increasing. State intelligence agencies have joined the hacking technology race, as confirmed by the largest incident of 2016-2017, the leak of cyber weapons from the NSA. It took hackers only a matter of days to put the agencies' developments, once publicly available, to fraudulent use. High-profile cybersecurity incidents have drawn attention to the issue of data protection, and the global information security market continues to grow at a rapid pace.

At the moment, the growth of cybercrime in general is not as significant as it was in 2007-2010. “During that period, the number of malicious programs created truly grew exponentially, hundreds and thousands of times higher than in previous years. In recent years we have reached a plateau, and the annual figures over the past three years have been stable,” says Yuri Namestnikov, head of Kaspersky Lab's Russian research center. “At the same time, several interesting processes are observed at once, which together give a sense of the greater scope of the hackers’ actions,” he told CNews.

Among the trends of 2016-2017, the first thing to note is a significant increase in the number of “state-sponsored” attacks aimed at espionage or critical damage to infrastructure. In traditional cybercrime, the most developed are complex targeted attacks against large companies and financial institutions, built around the unique landscape of a particular organization's IT infrastructure. In addition, ransomware programs that demand payment for decrypting data are very popular among attackers. “Taken together, these processes give a sense of the greater scope of hackers’ actions,” comments Yuri Namestnikov.

The NSA leak led to an epidemic

Of the events in the field of information security, the scandal over hackers' interference in the US elections attracted the most attention. The information security market is influenced not only by the economy but also by the geopolitical situation in the world, says Ilya Chetvertnev, deputy technical director of the Informzashchita company: “A striking example was the recent US presidential election, which showed how hacking information systems can affect the country as a whole. Therefore, critical enterprise infrastructure, attacked for the purpose of industrial espionage, has now been added to the classic targets of attacks.”

In addition, in 2016 hackers from the Shadow Brokers group stole secret tools for breaking into computer networks from the American NSA (National Security Agency); the source of the leak has still not been identified. Some of the developments became publicly available, which led to sad consequences. In May 2017 an epidemic of the WannaCry malicious worm broke out; it spread using the EternalBlue exploit developed by the NSA, which exploits a previously unknown vulnerability in the Windows OS. WannaCry encrypts data on the infected computer and demands a ransom in cryptocurrency. In total, hundreds of thousands of computers around the world were infected.

Lack of digital hygiene

According to Maxim Filippov, director of business development at Positive Technologies in Russia, only 2-3 days pass after the publication of a new exploit before it is used by cybercriminals: “After the leak of the NSA archives, many people adopted the published techniques and tactics, and as a result they will be used more often and modified by attackers, including to “cover” their tracks more effectively.”

“Attackers are shifting their focus from vulnerabilities in applications to vulnerabilities in operating systems,” comments Dmitry Zryachikh, technical director of the Security Code company. “Information about these vulnerabilities is obtained by intelligence agencies and then leaks onto the open market. Moreover, the problem remains even after updates for the underlying software are released: three months before the WannaCry epidemic, Microsoft released a patch that prevented infection, but despite this, WannaCry infected more than 500 thousand computers around the world.”

The problem is that many users ignore updates and do not install them on time. Alexey Grishin, director of the information security center at Jet Infosystems, notes the negative impact of the human factor: “Companies often forget about basic security, the so-called digital hygiene: managing updates and vulnerabilities, antivirus protection, minimizing user rights, reasonable management of access rights, and so on. In such conditions, even the latest security systems cannot save them.”

In addition, modern companies do not always manage to organize the access rights of particular users correctly. “Uncontrolled access by privileged users (both internal and external: contractors, support services, auditors, etc.) can lead to serious consequences. Customers have shared cases in which their infrastructures were practically out of their control because of the omnipotence of contractors and the lack of proper organization of their work,” says Oleg Shaburov, head of the cybersecurity department of the Softline group of companies.

Ransomware Boom

WannaCry was not the only ransomware that gained popularity in 2016-2017. Previously, the malicious programs Petya and BadRabbit had also become widespread; they too encrypt data on a PC and demand a ransom in bitcoins for access to it. At the same time, attacks using BadRabbit were more targeted, affecting mainly computers at infrastructure facilities in Ukraine.

According to Kaspersky Lab, over the past year, 32% of Russian companies were attacked by ransomware, and 37% of them had significant amounts of data encrypted. 31% of companies lost all their valuable data or were unable to restore access to a significant part of it. And 15% of the companies surveyed chose to pay the ransom (although this does not guarantee the return of the files). “The main problem with encryptors and ransomware today is that victims often agree to pay the attackers because they see no other way to regain access to their valuable data,” comments Yuri Namestnikov.

Investments in information security are growing

The last one and a half to two years have been rich in information security incidents, which has contributed to the growth of investment in protecting information systems. According to IDC, by the end of 2017 global revenue from the supply of information security products will increase by 8.2% to $81.7 billion. Gartner analysts give similar figures, predicting an increase of 7% to $86.4 billion by the end of the year. At the same time, the information security segment is developing faster than the IT market as a whole: according to Gartner, global IT spending at the end of 2017 will increase by only 2.4%. The Russian market shows similar dynamics: according to the CNews Security rating, at the end of 2016 domestic deliveries of information security products increased by 8% in dollar terms and by 18%.

Figure: Volume of the global information security market in 2016 and forecast for 2017, in $ billion

Ransomware continues its relentless march across the Internet, infecting computers and encrypting important data. How can you protect yourself and your Windows system from ransomware, and have patches been released to decrypt and disinfect files?

The new ransomware virus of 2017, Wanna Cry, continues to infect corporate and private PCs. The damage from the virus attack already totals $1 billion. In 2 weeks the ransomware infected at least 300 thousand computers, despite warnings and security measures.

What is the 2017 ransomware virus? As a rule, it can be “picked up” on seemingly harmless sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware “settles” in the System32 system folder. From there the program immediately disables the antivirus and adds itself to “Autorun”. After every reboot the ransomware writes itself into the registry and starts its dirty work. It then begins downloading similar copies of programs such as Ransom and Trojan. Self-replication of the ransomware is also common. This process may be instantaneous, or it may take weeks until the victim notices that something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, and sometimes a .dll library. Most often the file has a completely innocuous name, such as “document.doc” or “picture.jpg”, where the visible extension is typed into the name by hand and the true file type is hidden.
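The disguise described above can be checked for mechanically. The following PowerShell script is an added example, not code from the article: it flags files whose name carries a decoy document extension in front of an executable one, and files whose content starts with the PE “MZ” header regardless of what the name claims. The folder name and the sample files it creates are constructed for the demo.

```powershell
# Added example (not from the article): find files that pretend to be documents
# or pictures but are Windows executables. Assumes Windows PowerShell 5.1+.

$DecoyExtensions      = @('doc', 'docx', 'xls', 'pdf', 'jpg', 'jpeg', 'png', 'txt')
$ExecutableExtensions = @('exe', 'scr', 'pif', 'com', 'drv', 'xvd', 'dll', 'bat', 'cmd', 'js', 'vbs')

function Test-PeHeader {
    param([string]$Path)
    # Every PE executable starts with the two bytes "MZ", whatever its name says.
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return [bool]($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

function Find-SpoofedExecutable {
    param([string]$Folder)
    $hits = @()
    foreach ($f in Get-ChildItem -Path $Folder -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $parts   = $f.Name.ToLowerInvariant().Split('.')
        $realExt = $parts[-1]
        $reasons = @()
        # "document.doc.exe": a decoy extension sits right before the real one.
        if ($parts.Count -ge 3 -and $DecoyExtensions -contains $parts[-2] -and
            $ExecutableExtensions -contains $realExt) {
            $reasons += 'double extension'
        }
        # "picture.jpg" whose bytes are a PE file: the name lies about the type.
        if ($DecoyExtensions -contains $realExt -and (Test-PeHeader $f.FullName)) {
            $reasons += 'PE header under a non-executable extension'
        }
        if ($reasons) {
            $hits += [pscustomobject]@{ Path = $f.FullName; Reason = ($reasons -join '; ') }
        }
    }
    return $hits
}

# Explorer hides known extensions by default, which is exactly what makes
# "document.doc.exe" look like "document.doc" to the user.
$hide = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
            -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) { Write-Warning 'Explorer hides file extensions; double extensions stay invisible.' }

# Constructed demo: two spoofed files and one clean file in a temporary folder.
$demo = Join-Path $env:TEMP 'spoof-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'picture.jpg'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
Set-Content -Path (Join-Path $demo 'document.doc.exe') -Value 'not really a document'
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'harmless text'
Find-SpoofedExecutable -Folder $demo | Format-Table -AutoSize   # expect the first two files
```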

After encryption is complete, instead of familiar files the user sees a set of “random” characters in the file names and contents, and the extension changes to a hitherto unknown one: .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017 – how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all encryption and ransomware viruses, since recently it has been infecting computers most often. So we will talk about protecting yourself from ransomware in general, of which there are a great many variants: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware that uses the EternalBlue exploit via the SMB protocol port.

Protecting Windows from ransomware 2017 – basic rules:

  • keep Windows updated and move to a licensed OS in good time (note: the XP version no longer receives updates)
  • update anti-virus databases and firewalls when prompted
  • take extreme care when downloading any files (cute “kitten” pictures can result in the loss of all data)
  • back up important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

If you rely on antivirus software, you can forget about a decryptor for a while: the laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have not yet found a way to treat infected files. At the moment the virus itself can be removed with an antivirus, but there are no algorithms yet to return everything “to normal”.

Some people try decryptor utilities such as RectorDecryptor, but this will not help: an algorithm for decrypting the new viruses has not yet been compiled. It is also completely unknown how the virus will behave if it is not removed after such programs are used. Often this can end with all files being erased, as a warning from the virus authors to those who do not want to pay.

At the moment, the most effective way to recover lost data is to contact the technical support of the vendor of the antivirus program you are using. To do this, send an e-mail or use the feedback form on the manufacturer's website. Be sure to attach the encrypted file and, if available, a copy of the original. This will help the programmers compose a decryption algorithm. Unfortunately, for many people a virus attack comes as a complete surprise and no copies can be found, which greatly complicates the situation.

Drastic methods of cleaning Windows of ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which entails a complete reinstallation of the OS. Many will think of System Restore, but this is not an option: a “rollback” will get rid of the virus, but the files will still remain encrypted.

Is there protection against ransomware today? No. No matter how sad it may sound, it is true. There is no real protection and, apparently, there will not be. But don’t worry: there are a number of simple rules that, if followed, will help reduce the risk of infecting your computer. Before I give the list of recommendations, I want to say in advance that in this article I am not advertising any antivirus, but simply describing my own experience, since we have already caught this malware twice in the office. After these cases, we came up with a list of recommendations.

So, the first thing you should do is make sure that you have an up-to-date antivirus with the latest databases on board. My colleagues and I conducted experiments with various products from antivirus companies, and based on the results obtained I can safely say that the distribution kit from Kaspersky Lab showed the best results. We worked with Kaspersky Endpoint Security for Business Standard. Its ransomware detection rate was more than 40%. So feel free to install an antivirus, and do not disdain such programs.

The second point is to prohibit the launch of programs from the %AppData% folder. Again, it is not certain that the ransomware runs from this folder, but as a preventive measure it pays off by reducing the number of possible attack vectors. The malware can also be launched from:

  • %TEMP%
  • %LOCALAPPDATA%
  • %USERPROFILE%
  • %WinDir%
  • %SystemRoot%
If it is possible to control these directories, be sure to do so.
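One way to enforce the “no programs from user-writable folders” rule is a Software Restriction Policy (SRP) with Disallowed path rules. The PowerShell script below is an added example, not from the article: it writes those rules directly into the SRP registry container. It assumes the registry layout the Local Security Policy snap-in uses (`CodeIdentifiers`, level `0` = Disallowed, `262144` = Unrestricted) and must be run as Administrator on a test machine first.

```powershell
# Added example (not from the article): SRP "Disallowed" path rules that stop
# executables from starting in user-writable folders. Run as Administrator;
# rules apply after "gpupdate /force" or a reboot. Assumption: the SRP registry
# layout below, as written by the Local Security Policy snap-in.

$Base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Base '0\Paths'      # security level 0 = Disallowed

# %WinDir% and %SystemRoot% from the article's list are deliberately left out:
# a blanket block there would stop Windows itself from running.
$Roots = @('%AppData%', '%LOCALAPPDATA%', '%TEMP%', '%USERPROFILE%\Downloads')
$Types = @('exe', 'scr', 'pif', 'com', 'js', 'vbs', 'bat', 'cmd')

function Get-ExistingSrpPatterns {
    if (-not (Test-Path $Disallowed)) { return @() }
    Get-ChildItem $Disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

function Add-SrpDisallowRule {
    param([string]$Pattern)
    $key = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    # ItemData is the path pattern (environment variables are expanded by SRP);
    # SaferFlags 0 and a FILETIME LastModified mirror what the GUI writes.
    New-ItemProperty $key -Name ItemData     -Value $Pattern -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty $key -Name SaferFlags   -Value 0        -PropertyType DWord        -Force | Out-Null
    New-ItemProperty $key -Name Description  -Value 'Block launches from user folders' -PropertyType String -Force | Out-Null
    New-ItemProperty $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Switch SRP on: everything Unrestricted by default, rules enforced for all
# users, applied to executables (TransparentEnabled 1 leaves DLLs alone).
New-Item -Path $Disallowed -Force | Out-Null
New-ItemProperty $Base -Name DefaultLevel       -Value 262144 -PropertyType DWord -Force | Out-Null
New-ItemProperty $Base -Name TransparentEnabled -Value 1      -PropertyType DWord -Force | Out-Null
New-ItemProperty $Base -Name PolicyScope        -Value 0      -PropertyType DWord -Force | Out-Null

$existing = @(Get-ExistingSrpPatterns)
foreach ($root in $Roots) {
    foreach ($t in $Types) {
        # One rule for files directly in the folder, one for first-level subfolders.
        foreach ($pattern in @("$root\*.$t", "$root\*\*.$t")) {
            if ($existing -contains $pattern) { continue }   # idempotent on re-run
            Add-SrpDisallowRule -Pattern $pattern
            Write-Output "Added Disallowed rule: $pattern"
        }
    }
}
```

Legitimate installers that run from %TEMP% or Downloads will also be blocked, so add Unrestricted exceptions (level key `262144\Paths`) for them rather than loosening the default.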

The most important point, and the thread running through this entire article, is that it is necessary and extremely important to make backups. While at home you can safely use free cloud storage for your data, not everyone has this opportunity at work. If you are a system administrator, set up and run a backup. If you are not part of the IT department, check with your system administrator whether critical data is being backed up. You can also duplicate it in the cloud. Fortunately, there are plenty of free options: Yandex Disk, Mail cloud, DropBox, Google Drive and so on.

It is practically impossible to protect yourself from ransomware using technical means. Therefore, the first line of defense in this case is the user himself. Only knowledge and care can help avoid infection. Most importantly, never click on links or open attachments in emails from senders you do not know. Otherwise, you most likely risk losing your data.

Check the sender's address in the letter, as well as the attachment, very carefully. If you are expecting a letter with an attachment from a friend or work partner, make sure when you receive it that the letter really is from the person you are expecting. It may take some time, but the time spent on checking can ultimately save you a day of data recovery.

If you have the slightest suspicion of a compromising letter, immediately contact your IT service. Believe me, they will only thank you for this.

Some types of ransomware use command servers on the Tor network and download the virus body from those servers before encryption begins. The Tor network has a number of exit points to the “big” Internet, called exit nodes. Some are public and some are hidden. As a preventive measure, you can block the known exit nodes on your router, if it allows this, to make the virus’s operation as difficult as possible. Lists of such addresses can be found on the Internet; there are currently about seven thousand of them.

Of course, everything described above does not provide any guarantee that you will not be included in the list of victims, but these recommendations will help reduce the risk of infection. Until real protection against ransomware has been developed, our main weapon is attentiveness and caution.

On April 12, 2017, information appeared about the rapid spread of a ransomware virus called WannaCry throughout the world, which can be translated as “I want to cry.” Users have questions about updating Windows against the WannaCry virus.

The virus looks like this on the computer screen:

Fig. The WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom to a Bitcoin wallet in the amount of $300 or $600 to supposedly decrypt the computer. Computers in 150 countries around the world were infected, with Russia being the most affected.

Megafon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organizations have come face to face with this virus. Ordinary Internet users are also among the victims.

Almost everyone is equal before the virus. The difference, perhaps, is that in companies the virus spreads over the local network within an organization and instantly infects as many computers as possible.

The WannaCry virus encrypts files on computers using Windows. Microsoft released MS17-010 updates for various versions of Windows XP, Vista, 7, 8, 10 back in March 2017.

It turns out that those who have automatic Windows updates enabled are not at risk from the virus, because they received the update in time and were able to avoid it. I do not presume to say that this is actually the case.

Fig. 3. Message when installing update KB4012212

The KB4012212 update required a reboot of the laptop after installation, which I didn’t really like, because you never know how that will end, but what choice does the user have? However, the reboot went fine. This means that we live peacefully until the next virus attack, and, alas, there is no doubt that such attacks will occur.


In any case, it is important to have something to restore the operating system and your files from.

Windows 8 update against WannaCry

On a laptop with licensed Windows 8, update KB4012598 was installed, because

  • More than 200,000 computers have already been infected!
  • The main targets of the attack were the corporate sector, followed by telecommunications companies in Spain, Portugal, China and England.
  • The biggest blow fell on Russian users and companies, including Megafon, Russian Railways and, according to unconfirmed information, the Investigative Committee and the Ministry of Internal Affairs. Sberbank and the Ministry of Health also reported attacks on their systems.
  • For data decryption, the attackers demand a ransom of 300 to 600 dollars in bitcoins (about 17,000-34,000 rubles).

Despite the virus's focus on the corporate sector, the average user is also not immune to WannaCry infection and possible loss of access to files.

Instructions for protecting your computer and the data on it from infection:

1. Install Kaspersky's System Watcher component, which has a built-in function to roll back changes made by an encryptor that has managed to bypass protection.
2. Users of Kaspersky Lab antivirus software are advised to check that the “System Watcher” function is enabled.
3. Users of ESET NOD32 antivirus on Windows 10 are prompted to check for newly available OS updates. If you took care of this in advance and had it enabled, all the necessary new Windows updates will be installed and your system will be fully protected from the WannaCryptor virus and other similar attacks.
4. ESET NOD32 products also have a function for detecting as yet unknown threats. This method is based on behavioral and heuristic technologies: if a virus behaves like a virus, it is most likely a virus. Since May 12, the ESET LiveGrid cloud system has very successfully repelled all attacks by this virus, and it did so even before the signature database was updated.
5. ESET technologies also provide protection for devices with older Windows systems: XP, Windows 8 and Windows Server 2003 (we recommend that you stop using these outdated systems). Because of the very high level of threat to these OS versions, Microsoft decided to release updates for them. Download them.
6. To minimize the threat to your PC, you must urgently update Windows 10: Start - Settings - Update and Security - Check for updates (on other versions: Start - All Programs - Windows Update - Check for updates - Download and install).
7. Install the official Microsoft patch (MS17-010), which fixes the SMB server vulnerability through which the virus penetrates; this service is the one involved in the attack.
8. Make sure that all available security tools on your computer are running and in working order.
9. Scan your entire system for viruses. If a malicious object named MEM:Trojan.Win64.EquationDrug.gen is detected, reboot the system.

And once again I recommend that you check that the MS17-010 patches are installed.
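Steps 6, 7 and the final reminder can be verified on a host rather than taken on trust. The PowerShell audit below is an added example, not code from the article or from any vendor named here: it looks for the MS17-010 updates the text names (KB4012212, KB4012598), reports the version of the SMB server driver, checks whether the SMBv1 service that EternalBlue targets is still enabled, and offers a function to switch it off. It assumes Windows 8 / Server 2012 or later for the Smb* cmdlets and must be run as Administrator.

```powershell
# Added example (not from the article): audit a host for the MS17-010 fix and
# for SMBv1 exposure, and optionally disable SMBv1. Run as Administrator.
# Assumption: only the two KBs named in the article are listed; later monthly
# rollups contain the same fix, so their absence alone is not proof of exposure.

$Ms17010Kbs = @('KB4012212', 'KB4012598')   # extend with the KB for your build

function Get-Ms17010Status {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    # srv.sys is the SMB server driver that MS17-010 replaces; its version lets
    # an operator compare against the vendor's fixed-version table.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KnownKbInstalled = [bool]$installed
        KbIds            = (@($installed | ForEach-Object HotFixID) -join ', ')
        SrvSysVersion    = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not found' }
    }
}

function Get-Smb1Status {
    $cfg     = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $serverOn = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'unknown (cmdlet unavailable)' }
    $state    = if ($feature) { $feature.State.ToString() } else { 'unknown' }
    # Port 445 listening confirms the SMB service is reachable on the network.
    $listen   = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Smb1ServerEnabled = $serverOn
        Smb1FeatureState  = $state
        Port445Listening  = $listen
    }
}

function Disable-Smb1 {
    # Removes the protocol EternalBlue needs, even on a host not yet patched.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$patch = Get-Ms17010Status
$smb   = Get-Smb1Status
$patch | Format-List
$smb   | Format-List

if (-not $patch.KnownKbInstalled) {
    Write-Warning 'None of the listed MS17-010 KBs found: confirm via Update history before trusting this host.'
}
if ($smb.Smb1ServerEnabled -eq $true) {
    Write-Warning 'SMBv1 server is enabled; run Disable-Smb1 unless a legacy client truly needs it.'
}
```

Disabling SMBv1 breaks file sharing with very old clients (Windows XP, Server 2003), which is one more reason the article's advice to retire those systems matters.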

Currently, specialists from Kaspersky Lab, ESET NOD32 and other antivirus vendors are actively working on a file decryption program that will help users of infected PCs regain access to their files.

