How to protect your computer from WannaCry. How to protect yourself from the WannaCry ransomware attack.

The Wanna Cry virus is a new type of hacker attack, a malicious ransomware program that has shocked PC and Internet users around the world. How does the Wanna Cry virus work, is it possible to protect yourself from it, and if so, how?

Wanna Cry virus: description. Wanna Cry is malware belonging to the ransomware category. Once on the victim's hard drive, Wanna Cry follows the same script as its “colleagues”, such as TrojanRansom.Win32.zip, encrypting personal data of all known extensions. When trying to view a file, the user sees on the screen a demand to pay a certain amount of money, after which the attacker will supposedly send instructions for unlocking.

Often the money is extorted via an SMS top-up of a specially created account, but recently the anonymous payment service Bitcoin has been used for this.

Wanna Cry virus: how it works. Wanna Cry is a program called WanaCrypt0r 2.0, which attacks only PCs running Windows. To penetrate the system, the program uses a “hole” described in Microsoft Security Bulletin MS17-010, the existence of which was previously unknown. At the moment it is not known for certain how hackers discovered the MS17-010 vulnerability. There is a theory about sabotage by anti-virus software manufacturers to maintain demand, but, of course, no one discounts the intelligence of the hackers themselves.

Sadly, the Wanna Cry virus is spread in the simplest way – through email. Once you open a spam email, the encryptor is launched and the encrypted files are then almost impossible to recover.

Wanna Cry virus: how to protect yourself, treatment. WanaCrypt0r 2.0 uses vulnerabilities in Windows network services. Microsoft has already released a “patch”: just run Windows Update to bring the system up to the latest version. Note that this applies only to users who have purchased a licensed version of Windows: when you try to update a pirated version, the system simply will not pass validation. Also remember that Windows XP is no longer updated, nor, of course, are earlier versions.

You can protect yourself from Wanna Cry by following a few simple rules:

  • update the system on time: none of the infected PCs had been updated
  • use a licensed OS
  • do not open suspicious emails
  • do not click on dubious links left by untrustworthy users

According to media reports, antivirus software manufacturers will release updates to combat Wanna Cry, so updating your antivirus should not be put on hold.

WannaCry made headlines around the world on May 12: on that day a number of medical institutions in the UK announced that their networks had been infected, and a Spanish telecommunications company and the Russian Ministry of Internal Affairs reported repelling a hacker attack.

WannaCry (already popularly nicknamed “Wona's Edge”) belongs to the category of ransomware viruses (cryptors): once on a PC, it encrypts user files with a cryptographic algorithm, making them impossible to read.

Currently, the following popular file extensions are known to be subject to WannaCry encryption:

  1. Popular Microsoft Office files (.xlsx, .xls, .docx, .doc).
  2. Archive and media files (.mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .mp4, .3gp, .mkv, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar).

WannaCry - how the virus spreads

Earlier, we mentioned this method of spreading viruses in an article about, so nothing new.

The user receives an email with a “harmless” attachment. It may look like a picture, video or song, but instead of the standard extension for these formats, the attachment has an executable file extension: exe. When such a file is opened and launched, the system is “infected” and, through a vulnerability, the virus is loaded directly into the Windows OS, where it encrypts user data.
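An added example, not part of the original article: a Python check that a mail gateway or analyst could run over a raw message to flag the disguised attachment described above (a media-looking name that ends in an executable extension, or a Windows executable header under a media name or content type). The extension lists, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from os.path import splitext

# Assumed, non-exhaustive lists; tune them for your own mail gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".avi", ".doc", ".pdf"}
MEDIA_TYPES = {"image", "audio", "video"}


def attachment_findings(part):
    """Return the reasons one MIME attachment looks like a disguised executable."""
    name = (part.get_filename() or "").lower().rstrip(". ")
    stem, ext = splitext(name)
    payload = part.get_payload(decode=True) or b""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        inner = splitext(stem)[1]  # "photo.jpg.exe" -> ".jpg"
        if inner in DECOY_EXTS:
            reasons.append("double extension " + inner + ext)
    # Windows PE files begin with the bytes "MZ", whatever the name or MIME type claims.
    if payload[:2] == b"MZ":
        if ext not in EXECUTABLE_EXTS:
            reasons.append("MZ header behind non-executable name")
        if part.get_content_maintype() in MEDIA_TYPES:
            reasons.append("MZ header under content type " + part.get_content_type())
    return reasons


def scan_message(raw_bytes):
    """Map attachment filename -> reasons, for every suspicious attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        reasons = attachment_findings(part)
        if reasons:
            report[part.get_filename()] = reasons
    return report


def build_sample():
    """Constructed test message: two disguised stubs and one genuine-looking JPEG."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    stub = b"MZ" + bytes(30)  # only the PE magic bytes, not a working program
    jpeg = b"\xff\xd8\xff\xe0" + bytes(28)
    msg.add_attachment(stub, maintype="image", subtype="jpeg", filename="photo.jpg.exe")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(stub, maintype="audio", subtype="mpeg", filename="song.mp3")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample()).items():
        print(filename, "->", "; ".join(reasons))
```

The content check matters because a renamed executable (the constructed `song.mp3` here) passes any filter that looks at the file name alone.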


This may not be the only method of spreading WannaCry; you can also become a victim by downloading “infected” files from social networks, torrent trackers and other sites.

WannaCry – how to protect yourself from the ransomware virus

1. Install the patch for Microsoft Windows. On May 14, Microsoft released an emergency patch for the following versions - Vista, 7, 8.1, 10, Windows Server. You can install this patch simply by running a system update through the Windows Update service.

2. Use anti-virus software with up-to-date databases. Well-known security software developers, such as Kaspersky and Dr.Web, have already released updates for their products containing information about WannaCry, thereby protecting their users.


3. Save important data to a separate medium. If your computer does not support it yet, you can save the most important files to a separate medium (flash drive, disk). With this approach, even if you become a victim, you will save the most valuable files from encryption.

At the moment these are all the known effective ways to protect against WannaCry.

WannaCry decryptor, where to download and is it possible to remove the virus?

Ransomware viruses belong to the category of the most “nasty” viruses, because in most cases user files are encrypted with a 128-bit or 256-bit key. The worst thing is that in each case the key is unique and decrypting each one requires enormous computing power, which makes recovery almost impossible for “ordinary” users.

But what if you become a victim of WannaCry and need a decryptor?

1. Contact the Kaspersky Lab support forum - https://forum.kaspersky.com/ with a description of the problem. The forum is staffed by both company representatives and volunteers who actively help solve problems.

2. In the case of the well-known CryptXXX encryptor, a universal solution was found for decrypting the encrypted files. No more than a week has passed since WannaCry was discovered, and specialists from antivirus laboratories have not yet managed to find such a solution for it.

3. The drastic solution is to completely remove the OS from the computer and then perform a clean install of a new one. In this situation, all user files and data are completely lost, along with the removal of WannaCry.

A wave of a new virus has swept across the world: the WannaCry ransomware (other names: Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), which encrypts documents on a computer and extorts 300-600 USD for decrypting them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what should you do to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When an antivirus utility detects a virus, it will either remove it immediately or ask you whether to treat it. The answer is to treat.

How to recover files encrypted by Wana Decryptor?

We cannot report anything reassuring at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until the decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the spread of a virus online?

In the case of WannaCry, the solution to the problem may be to block port 445 on the Firewall, through which the infection occurs.


A global hacker attack has currently affected many computers in Russia and abroad, including the networks of large telecommunications companies, law enforcement agencies and medical institutions.

Our technology partners from Kaspersky Lab recorded 45 thousand hacking attempts in 74 countries yesterday, May 12.

About the virus

The ransomware program spreading online is called WannaCry (aka Wana Decryptor, WanaCrypt0r and Wana Decrypt0r). Unlike other programs of this type, this encryptor combines the functions of a virus, a Trojan and a network worm. As penetration mechanisms it uses email (which allows it to get past protective firewalls) and the SMB protocol network vulnerability published on March 14 of this year: Microsoft Security Bulletin MS17-010. This vulnerability allows the virus to spread within an infected network and infect the maximum number of vulnerable devices.

Microsoft does not automatically distribute security updates for Windows XP and Windows 2003, so users using outdated software are most vulnerable.

When infecting a device, the virus encrypts all user data on the hard drive and demands a ransom for decrypting it.

Ideco ICS is based on the Linux kernel, and all ports on its external interfaces are closed by default, so it is protected from attacks that exploit network vulnerabilities similar to those exploited by this virus. NAT technology also reliably protects all network devices from external connections. Options for spreading the virus include email, possibly infected websites and flash drives; the virus can also be brought in by employees on laptops used on other networks. Not all mechanisms of the virus's spread have been studied yet, and attackers may add to them to strengthen the attack in the near future.

Setting up Ideco ICS

Endpoint protection

  • Install a patch to close the vulnerability exploited by the virus: MS17-010.
  • Block the use of the SMBv1 protocol by running the following command on Windows computers and servers:
    dism /online /norestart /disable-feature /featurename:SMB1Protocol
  • Make sure that anti-virus software on all computers is installed, running and using the latest signature databases.
  • On computers with outdated Windows XP and Windows 2003 operating systems, you must install security patches manually by downloading them from direct links:
    kb4012598 for Windows XP SP3
    kb4012598 for Windows Server 2003 x86
    kb4012598 for Windows Server 2003 x64

If you are using Windows as an Internet gateway

We do not recommend using any version of Windows on servers connected directly to the Internet. A large number of vulnerabilities have been published recently, not all of which are closed by the existing security updates for these operating systems. Direct infection of an Internet gateway by a virus like WannaCry can lead to infection of all network hosts, loss of commercial information, and the network's participation, as part of a botnet, in attacks on other resources, which may include government ones.

Software that uses Windows as a platform also cannot provide the required level of security, because the system kernel will still be vulnerable. If you use software such as Kerio Winroute, we recommend migrating to more secure and modern solutions as soon as possible.

The Ideco ICS security gateway is convenient in that it can be used not only as a software and hardware complex, but can also be installed directly on an existing server or deployed as a virtual machine on a hypervisor.

Yesterday, May 12, computers running Windows operating systems around the world suffered the biggest attack in recent memory. It involves malware of the ransomware class, that is, malicious software that encrypts user files and demands a ransom to restore access to them. In this case the amounts range from $300 to $600, which the victim must transfer in bitcoins to a specific wallet. The size of the ransom depends on the time that has passed since the infection: after a certain interval it increases.

According to Kaspersky Lab, WannaCry was most widespread in Russia

To avoid joining the ranks of those whose computers are infected, it is necessary to understand how the malware penetrates the system. According to Kaspersky Lab, the attack uses a vulnerability in the SMB protocol that allows program code to be launched remotely. It is based on the EternalBlue exploit, created within the walls of the US National Security Agency (NSA) and made publicly available by hackers.

Microsoft introduced a fix for the EternalBlue issue in bulletin MS17-010 dated March 14, 2017, so the first and foremost measure to protect against WannaCry should be to install this security update for Windows. It is precisely the fact that many users and system administrators had not yet done so that served as the reason for such a large-scale attack, the damage from which has yet to be assessed. True, the update is designed for those versions of Windows for which support has not yet ceased. But Microsoft has also released patches for legacy operating systems such as Windows XP, Windows 8 and Windows Server 2003. You can download them from this page.

It is also recommended to be vigilant regarding mailings that arrive via email and other channels, use an updated antivirus in monitoring mode, and, if possible, check the system for threats. If MEM:Trojan.Win64.EquationDrug.gen activity is detected and eliminated, reboot the system and then make sure that MS17-010 is installed. Currently, eight names of the virus are known:

  • Trojan-Ransom.Win32.Gen.djd;
  • Trojan-Ransom.Win32.Scatter.tr;
  • Trojan-Ransom.Win32.Wanna.b;
  • Trojan-Ransom.Win32.Wanna.c;
  • Trojan-Ransom.Win32.Wanna.d;
  • Trojan-Ransom.Win32.Wanna.f;
  • Trojan-Ransom.Win32.Zapchast.i;
  • PDM:Trojan.Win32.Generic.


The virus “speaks” many languages

We must not forget about regularly backing up important data. Note that WannaCry targets the following categories of files:

  • the most common office documents (.ppt, .doc, .docx, .xlsx, .sxi);
  • some less popular document types (.sxw, .odt, .hwp);
  • archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv);
  • email files (.eml, .msg, .ost, .pst, .edb);
  • databases (.sql, .accdb, .mdb, .dbf, .odb, .myd);
  • project files and source code (.php, .java, .cpp, .pas, .asm);
  • encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).


 

