Mass infection with WannaCry ransomware - @ [email protected]

As reported by Russian media, the work of departments of the Ministry of Internal Affairs in several regions of Russia has been disrupted by ransomware that has infected many computers and threatens to destroy all data. The communications operator Megafon was also attacked.

The malware in question is the WCry ransomware Trojan (WannaCry or WannaCryptor). It encrypts the information on the computer and demands a ransom of $300 or $600 in Bitcoin for decryption.

@[email protected], encrypted files, extension WNCRY. A utility and decryption instructions are required.

WannaCry encrypts files and documents with the following extensions by adding .WCRY to the end of the file name:

.lay6, .sqlite3, .sqlitedb, .accdb, .java, .class, .mpeg, .djvu, .tiff, .backup, .vmdk, .sldm, .sldx, .potm, .potx, .ppam, .ppsx, .ppsm, .pptm, .xltm, .xltx, .xlsb, .xlsm, .dotx, .dotm, .docm, .docb, .jpeg, .onetoc2, .vsdx, .pptx, .xlsx, .docx

WannaCry attack around the world

Attacks were recorded in more than 100 countries. Russia, Ukraine and India are experiencing the greatest problems. Reports of virus infection are coming from the UK, USA, China, Spain, and Italy. It is noted that the hacker attack affected hospitals and telecommunications companies around the world. An interactive map of the spread of the WannaCrypt threat is available on the Internet.

How does infection occur?

As users say, the virus gets onto their computers without any action on their part and spreads uncontrollably across networks. On the Kaspersky Lab forum they point out that even an enabled antivirus does not guarantee security.

It is reported that the WannaCry ransomware (Wana Decryptor) attack exploits the vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, and the attackers used it to launch the encryption program. All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen.

The infection supposedly occurred a few days earlier, but the virus only manifested itself after it had encrypted all the files on the computer.

How to remove WanaDecryptor

You can remove the threat with an antivirus; most antivirus programs already detect it. Common detection names:

Avast Win32:WanaCry-A, AVG Ransom_r.CFY, Avira TR/FileCoder.ibtft, BitDefender Trojan.Ransom.WannaCryptor.A, DrWeb Trojan.Encoder.11432, ESET-NOD32 Win32/Filecoder.WannaCryptor.D, Kaspersky Trojan-Ransom.Win32.Wanna.d, Malwarebytes Ransom.WanaCrypt0r, Microsoft Ransom:Win32/WannaCrypt, Panda Trj/RansomCrypt.F, Symantec Trojan.Gen.2, Ransom.Wannacry

If you have already launched the threat on your computer and your files have been encrypted, decrypting the files is almost impossible, since exploiting the vulnerability launches a network encryptor. However, several options for decryption tools are already available:

Note: If your files were encrypted and there is no backup copy, and existing decryption tools did not help, then it is recommended to save the encrypted files before cleaning the threat from your computer. They will be useful if a decryption tool that works for you is created in the future.

Microsoft: Install Windows updates

Microsoft said that users with the company's free antivirus and Windows System Update enabled will be protected from WannaCryptor attacks.

Updates dated March 14 fix the system vulnerability through which the ransomware Trojan is distributed. Today detection was added to the Microsoft Security Essentials/Windows Defender antivirus databases to protect against a new malware known as Ransom:Win32.WannaCrypt.

  • Make sure your antivirus is turned on and the latest updates are installed.
  • Install a free antivirus if your computer does not have any protection.
  • Install the latest system updates using Windows Update:
    • For Windows 7, 8.1: from the Start menu, open Control Panel > Windows Update and click Search for Updates.
    • For Windows 10: go to Settings > Update & Security and click "Check for updates".
  • If you install updates manually, install the official Microsoft patch MS17-010, which addresses the SMB server vulnerability used in the WanaDecryptor ransomware attack.
  • If your antivirus has ransomware protection, turn it on. We also have a separate section on our website, Ransomware Protection, where you can download free tools.
  • Perform an anti-virus scan of your system.

Experts note that the easiest way to protect yourself from an attack is to close port 445.

  • Type sc stop lanmanserver and press Enter
  • Enter for Windows 10: sc config lanmanserver start=disabled, for other versions of Windows: sc config lanmanserver start= disabled and press Enter
  • Restart your computer
  • At the command prompt, enter netstat -n -a | findstr "LISTENING" | findstr ":445" to make sure the port is disabled. If the command prints nothing, the port is not listening.
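
The verification step above relies on a plain substring match, so a listener on a port such as 4450 also produces output. The following added example (not part of the original article) parses `netstat -n -a` output and reports only sockets listening on exactly port 445, for both IPv4 and IPv6. The sample output is constructed, and the function names are assumptions chosen for illustration.

```python
import re
import subprocess

# Constructed sample of `netstat -n -a` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     192.168.1.20:445       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Local address is the second column; the port follows its last colon.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")


def listeners_on(netstat_output, port=445):
    """Return local addresses in LISTENING state on exactly `port`."""
    found = []
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP row or blank line
        addr, local_port, state = m.group(1), int(m.group(2)), m.group(3)
        if state == "LISTENING" and local_port == port:
            found.append(addr)
    return found


def naive_findstr(netstat_output):
    """Mimic findstr "LISTENING" | findstr ":445" (plain substring match)."""
    return [ln for ln in netstat_output.splitlines()
            if "LISTENING" in ln and ":445" in ln]


if __name__ == "__main__":
    try:
        out = subprocess.run(["netstat", "-n", "-a"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE  # fall back to the constructed sample
    hits = listeners_on(out)
    print("port 445 listening on:", hits if hits else "nothing")
```

On the constructed sample the substring filter returns three lines, one of them for port 4450, while the exact match returns only the two real port 445 listeners.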

If necessary, open the port back:

  • Run Command Prompt (cmd.exe) as administrator
  • Enter for Windows 10: sc config lanmanserver start=auto, for other versions of Windows: sc config lanmanserver start= auto and press Enter
  • Restart your computer
Note: Port 445 is used by Windows for file sharing. Closing this port does not prevent the PC from connecting to other remote resources, but other PCs will not be able to connect to the system.
