WannaCry: how to avoid becoming a victim of the virus

Yesterday, May 12, computers running Windows operating systems around the world were subjected to the largest attack in recent memory. The malware involved belongs to the ransomware class: it encrypts user files and demands a ransom to restore access to them. In this case the ransom is $300 to $600, which the victim must transfer in bitcoins to a specific wallet. The size of the ransom depends on the time that has passed since the infection: after a certain interval it increases.

According to Kaspersky Lab, WannaCry was most widespread in Russia

To avoid joining the ranks of those whose computers are infected, it is necessary to understand how the malware penetrates the system. According to Kaspersky Lab, the attack takes advantage of a vulnerability in the SMB protocol, which allows remote execution of program code. It is based on the EternalBlue exploit, created within the walls of the US National Security Agency (NSA) and made publicly available by hackers.

Microsoft released a fix for the EternalBlue issue in bulletin MS17-010 dated March 14, 2017, so the first and foremost measure to protect against WannaCry is to install this security update for Windows. The attack reached such a scale precisely because many users and system administrators had not yet done so; the damage has yet to be assessed. The update is designed for versions of Windows that are still supported, but Microsoft has also released patches for legacy operating systems such as Windows XP, Windows 8 and Windows Server 2003. You can download them from this page.

It is also recommended to be vigilant regarding mailings that arrive via email and other channels, use an updated antivirus in monitoring mode, and, if possible, check the system for threats. If MEM:Trojan.Win64.EquationDrug.gen activity is detected and eliminated, reboot the system and then make sure that MS17-010 is installed. Currently, eight names of the virus are known:

  • Trojan-Ransom.Win32.Gen.djd;
  • Trojan-Ransom.Win32.Scatter.tr;
  • Trojan-Ransom.Win32.Wanna.b;
  • Trojan-Ransom.Win32.Wanna.c;
  • Trojan-Ransom.Win32.Wanna.d;
  • Trojan-Ransom.Win32.Wanna.f;
  • Trojan-Ransom.Win32.Zapchast.i;
  • PDM:Trojan.Win32.Generic.

The virus "speaks" many languages

We must not forget about regular backups of important data. Please note that WannaCry targets the following categories of files:

  • the most common office documents (.ppt, .doc, .docx, .xlsx, .sxi).
  • some less popular document types (.sxw, .odt, .hwp).
  • archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • email files (.eml, .msg, .ost, .pst, .edb).
  • databases (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • project files and source codes (.php, .java, .cpp, .pas, .asm).
  • encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • graphic formats (.vsd, .odg, .raw, .nef, .svg, .psd).
  • virtual machine files (.vmx, .vmdk, .vdi).
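
The list above can be turned into a backup check. The following is an added example, not part of the original article: it walks a data folder, picks out files whose extensions appear in the list, and reports those that are missing from a backup folder or newer than their backup copy. The function names, folder layout and sample files are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Only the extensions the article lists, grouped by its categories.
TARGETED = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi"},
    "other documents": {".sxw", ".odt", ".hwp"},
    "archives/media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "databases": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source code": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys/certificates": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "virtual machines": {".vmx", ".vmdk", ".vdi"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in TARGETED.items() for ext in exts}

def backup_gaps(source_root, backup_root):
    """Targeted files missing from the backup tree or newer than their copy."""
    source_root, backup_root = Path(source_root), Path(backup_root)
    gaps = {}
    for src in source_root.rglob("*"):
        category = EXT_TO_CATEGORY.get(src.suffix.lower())
        if category is None or not src.is_file():
            continue
        rel = src.relative_to(source_root)
        copy = backup_root / rel
        if not copy.is_file() or copy.stat().st_mtime < src.stat().st_mtime:
            gaps.setdefault(category, []).append(rel.as_posix())
    return {cat: sorted(paths) for cat, paths in gaps.items()}

def demo():
    """Run the check on a small constructed tree (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "data"), Path(tmp, "backup")
        for rel in ("report.DOCX", "db/orders.sql", "notes.txt", "keys/site.pem"):
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text("constructed sample")
        for rel in ("db/orders.sql", "report.DOCX"):
            (bak / rel).parent.mkdir(parents=True, exist_ok=True)
            (bak / rel).write_text("constructed sample")
        os.utime(bak / "report.DOCX", (0, 0))  # make this backup copy stale
        return backup_gaps(src, bak)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In the constructed tree, `report.DOCX` is reported because its backup copy is stale and `keys/site.pem` because it has no copy at all, while `db/orders.sql` is covered and `notes.txt` is outside the list.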

And in conclusion: if infection could not be avoided, you still should not pay the attackers. Firstly, even if money is transferred to the specified Bitcoin wallet, no one guarantees that the files will be decrypted. Secondly, you cannot be sure that an attack on the same computer will not be repeated, and that cybercriminals will not demand a large ransom amount. And finally, thirdly, paying for the unblocking “service” rewards those who conduct criminal activities on the Internet and serves as an incentive for them to carry out new attacks.



 

