
Updates against ransomware virus. WannaCry - how it spreads, treatment, protection against the virus

On April 12, 2017, information appeared about the rapid spread throughout the world of an encryption virus called WannaCry, which can be translated as “I want to cry.” Users have questions about updating Windows against the WannaCry virus.

The virus on the computer screen looks like this:

The bad WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom to a Bitcoin wallet in the amount of $300 or $600 to supposedly decrypt the computer. Computers in 150 countries around the world were infected, with Russia being the most affected.

Megafon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organizations have run into this virus directly. Among the victims are also ordinary Internet users.

Almost everyone is equal before the virus. The difference, perhaps, is that in companies the virus spreads throughout the local network within the organization and instantly infects the maximum possible number of computers.

The WannaCry virus encrypts files on computers using Windows. Microsoft released MS17-010 updates for various versions of Windows XP, Vista, 7, 8, 10 back in March 2017.

It turns out that those who have Windows automatically updated are not at risk for the virus, because they received the update in a timely manner and were able to avoid it. I don’t presume to say that this is actually the case.

Fig. 3. Message when installing update KB4012212

The KB4012212 update required a reboot of the laptop after installation, which I didn’t really like, because it’s unknown how this could end, but where should the user go? However, the reboot went fine. This means that we live peacefully until the next virus attack, and, alas, there is no doubt that such attacks will occur.


In any case, it is important to have a place to restore the operating system and your files from.

Windows 8 update against WannaCry

For a laptop with licensed Windows 8, update KB 4012598 was installed, because

It continues its oppressive march across the Internet, infecting computers and encrypting important data. How to protect yourself from ransomware, protect Windows from ransomware - have patches been released to decrypt and disinfect files?

The new ransomware virus of 2017, Wanna Cry, continues to infect corporate and private PCs. Damage from the virus attack totals $1 billion. In 2 weeks, the ransomware virus infected at least 300 thousand computers, despite warnings and security measures.

Ransomware virus 2017, what is it? As a rule, you can "pick it up" on seemingly the most harmless sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 system folder. From there the program immediately disables the antivirus and adds itself to Autorun. After every reboot, the ransomware is launched from the registry and starts its dirty work. The ransomware then begins to download similar copies of programs such as Ransom and Trojan. Self-replication of the ransomware is also common. This process can be instantaneous, or it can take weeks until the victim notices something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, and sometimes a .dll library. Most often, the file has a completely innocuous name, for example "document.doc" or "picture.jpg", where the visible extension is written into the name by hand and the true file type is hidden.

After encryption is complete, the user sees, instead of familiar files, a set of “random” characters in the name and inside, and the extension changes to a previously unknown one - .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017 – how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all encryption and ransomware viruses, since recently it has infected computers most often. So we will talk about protecting yourself from ransomware in general, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware (EternalBlue via the SMB protocol).

Protecting Windows from ransomware 2017 – basic rules:

  • Windows update, timely transition to a licensed OS (note: the XP version is not updated)
  • updating anti-virus databases and firewalls on demand
  • extreme care when downloading any files (cute “seals” can result in the loss of all data)
  • Backing up important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

If you rely on antivirus software, you can forget about a decryptor for a while. The labs of Kaspersky, Dr.Web, Avast! and other antivirus vendors have not yet found a solution for treating infected files. At the moment it is possible to remove the virus using an antivirus, but there are no algorithms yet to return everything "to normal".

Some try to use decryptors such as the RectorDecryptor utility, but this won't help: an algorithm for decrypting the new viruses has not yet been compiled. It is also completely unknown how the virus will behave if it is not removed before such programs are used. Often this results in the erasure of all files, as a warning from the virus authors to those who do not want to pay.

At the moment, the most effective way to recover lost data is to contact the technical support of the vendor of the antivirus program you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach the encrypted file and, if available, a copy of the original. This will help the programmers in composing the decryption algorithm. Unfortunately, for many a virus attack comes as a complete surprise and no copies are found, which greatly complicates the situation.

Drastic methods of treating Windows from ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which entails a complete reinstallation of the OS. Many will think of using System Restore, but this is not an option: a "rollback" will get rid of the virus, but the files will still remain encrypted.


A global hacker attack has currently affected many computers in Russia and abroad, including the networks of large telecommunications companies, law enforcement agencies and medical institutions.

Our technology partners from Kaspersky Lab recorded 45 thousand hacking attempts in 74 countries yesterday, May 12.

About the virus

The ransomware program spreading online is called WannaCry (aka Wana Decryptor, WanaCrypt0r and Wana Decrypt0r). Unlike other programs of this type, this encryptor combines the functions of viruses, Trojans and network worms. As penetration mechanisms, it uses both email (this mechanism allows it to overcome protective firewalls) and the SMB protocol network vulnerability published on March 14 of this year: Microsoft Security Bulletin MS17-010. This vulnerability allows the virus to spread within an infected network and infect the maximum number of vulnerable devices.

Microsoft does not automatically distribute security updates for Windows XP and Windows 2003, so users using outdated software are most vulnerable.

When infecting a device, the virus encrypts all user data on the hard drive and demands a ransom for decrypting it.

Ideco ICS is based on the Linux kernel, all ports on external interfaces are closed by default, so it is protected from attacks that exploit network vulnerabilities similar to those exploited by this virus. NAT technology also reliably protects all network devices from connections from the outside. Among the options for spreading the virus: email, possibly infected websites and flash drives, and the virus can also be brought by employees along with laptops used on other networks. All mechanisms of virus spread have not yet been studied and can be supplemented by attackers to strengthen the attack in the near future.

Setting up Ideco ICS

Endpoint protection

  • Install a patch to close the vulnerability exploited by the virus: MS17-010.
  • Block the use of the SMBv1 protocol by running the following command on computers and Windows servers:
    dism /online /norestart /disable-feature /featurename:SMB1Protocol
  • Make sure that anti-virus software on all computers is installed, running and using the latest signature databases.
  • On computers with outdated Windows XP and Windows 2003 operating systems, you must install security patches manually by downloading them from direct links:
    kb4012598 for Windows XP SP3
    kb4012598 for Windows Server 2003 x86
    kb4012598 for Windows Server 2003 x64
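The following script is an added example (not code from the page or from Ideco) that checks a host against the endpoint steps listed above and, on request, performs the SMBv1 step. It assumes an elevated PowerShell prompt on Windows 8/Server 2012 or later (the DISM and NetTCPIP modules are not present on Windows 7 and XP), and it uses only the KB numbers named on this page; which one applies depends on the OS build, so absence of all of them is reported as a warning rather than treated as proof that the host is unpatched.

```powershell
# Added example: audit a Windows host for the MS17-010 patch and the SMBv1 feature.
# Assumptions: elevated prompt, Windows 8 / Server 2012 or newer, KB list taken from this page.
param([switch]$Remediate)   # without -Remediate the script only reports

# MS17-010 update IDs mentioned on this page (assumption: one of these is the right one for this OS)
$Ms17010Kbs = @('KB4012212', 'KB4012598', 'KB3212646', 'KB3205401',
                'KB3210720', 'KB3210721', 'KB3177186')

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of the listed MS17-010 updates found; install the one for this OS build."
}

# Same feature the dism command above disables, queried through the DISM module
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state: $($smb1.State)"

if ($smb1.State -eq 'Enabled') {
    if ($Remediate) {
        # Equivalent to: dism /online /norestart /disable-feature /featurename:SMB1Protocol
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMBv1 disabled; a reboot is required for it to take effect."
    } else {
        Write-Warning "SMBv1 is enabled. Re-run with -Remediate to disable it."
    }
}

# Informational: a patched host still listens on TCP 445 for SMBv2/3,
# so it must not be reachable from the Internet regardless of the patch state.
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "TCP 445 is listening; confirm it is blocked at the perimeter and host firewall."
}
```

Run it once without parameters on each workstation to collect the state, then with `-Remediate` during a maintenance window, since disabling SMBv1 requires a reboot and breaks access to very old devices (Windows XP/2003 clients, some printers and NAS units) that only speak SMBv1.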

If you are using Windows as an Internet gateway

We do not recommend using any version of Windows on servers connected directly to the Internet. Recently, information has been published about a large number of vulnerabilities, not all of which are closed by the existing security updates for these OS versions. Infection of an Internet gateway with a virus like WannaCry can lead to infection of all network hosts, loss of commercial information, and participation of the network as part of a botnet in attacks on other resources, which may include government ones.

Software that uses Windows as a platform also cannot provide the required level of security, because the system kernel will still be vulnerable. If you use software such as Kerio Winroute, we recommend migrating to more secure and modern solutions as soon as possible.

The Ideco ICS security gateway is convenient in that it can be used not only as a software and hardware complex, but also installed directly on an existing server or can be deployed as a virtual machine on a hypervisor.

The WannaCry virus is a fairly new piece of malware that only appeared in May 2017. When it enters a computer system, this network worm encrypts most of the files stored there. At the same time, for the ability to decrypt the necessary documents, the virus demands a certain amount of money as a kind of ransom.

The WannaCry ransomware virus affects computers regardless of who owns them. Equipment belonging to organizations of various kinds, as well as to private individuals and businesses, falls under this unusual epidemic. Affected equipment includes that of:

  • commercial companies;
  • government agencies;
  • individuals.

The WannaCry ransomware computer virus first made itself known quite recently: it happened on May 12 of this year. The first infection occurred in Spain, and then the malware rapidly spread throughout the world. The following countries were hit hardest by the first wave of the epidemic:

  • India;
  • Ukraine;
  • Russia.

In the relatively short time that the malware under consideration has existed, it has already become a problem on a global scale. In addition to the original version, new modifications with a similar operating principle began to appear in the summer. For example, another recently widespread virus, Petya, is essentially an analogue of WannaCry. Many information security specialists and ordinary users consider this version to be even more harmful to equipment.

Should we expect a new wave of infection and how to protect your computer?

To prevent possible infection of important files, you need to understand how the dangerous WannaCry virus spreads. First of all, the operating system matters: some systems fall into the main risk zone, while others are, on the contrary, not affected at all. It turns out that this ransomware only affects computers running the Windows operating system.

However, as you know, this name unites a whole family of different operating systems. In this case, the question arises, the owners of which systems should be particularly concerned about the safety of their important documents during an attack by the WannaCry virus? According to the Russian BBC service, equipment running Windows 7 is most often affected by malware. We are talking exclusively about those devices on which Microsoft's recently released updates aimed at improving computer security were not installed in a timely manner.

What type of connection does the WannaCry virus use? Initially, the program finds out the computer's IP address to establish a remote connection to it. And by using a connection to Tor nodes, the network worm manages to remain anonymous.

According to experts, more than 500 thousand computers around the world have already been affected by the network worm. Is a new attack of the WannaCry virus possible and what does the latest news say about it? The second wave of infection was expected almost immediately after the appearance of this phenomenon. After this, new modified versions appeared, operating on a similar principle to the WannaCry virus. They became known throughout the world under the names “Petya” and “Misha”. Many experts are confident that such malware is constantly being improved, which means that repeated attacks are absolutely possible.

Prevention and treatment

Many users are concerned about the security of the equipment they use and therefore are interested in how to remove the WannaCry virus if it is infected. The first option that may come to the mind of an ordinary user is to make a payment. However, for the ability to decrypt, the ransomware does not demand the smallest amount - about $300. Subsequently, the initial ransom amount was doubled to $600. In addition, paying it does not at all guarantee the restoration of the original state of your system: after all, we are talking about attackers who certainly should not be trusted.

Experts consider this action completely meaningless: they argue that the very option of providing an individual key for a user who decides to make a payment was implemented by the malware developers with an error called a “race condition.” Ordinary users do not need to understand its features: it is much more important to understand its meaning, which means that the decryption key will most likely never be sent to you.

Thus, effective protection and treatment against the WannaCry virus must be different and include a whole range of measures that can help you secure your personal files and the information stored in them. Experts advise not to ignore released system updates, especially those that relate to security issues.

To avoid suffering from a malware attack, you need to learn in advance the basic ways to protect yourself from the WannaCry virus. First of all, you should make sure that your equipment has all the necessary updates that can eliminate possible system vulnerabilities. If you are knowledgeable about information security issues, then setting up incoming traffic scanning using a special IPS packet management system can help you. It is also recommended to use various systems to combat bots and viruses: for example, the Threat Emulation program as part of Check Point security gateways.

If infected, the question arises of how to remove the WannaCry virus. If you are not an information security specialist, then you can seek help from specialized forums where they can help you deal with your problem.

Do you know the best way to decrypt files encrypted by a popular virus like WannaCry? Is it possible to perform this operation without losing important data? On the forum of the famous Kaspersky Lab, in case of infection, they advise to act as follows:

  • execute a special script in the AVZ utility;
  • check the settings in the HijackThis system;
  • launch specialized software Farbar Recovery Scan Tool.

At the same time, Russian specialists did not offer special programs that would allow decrypting infected files. The only option they offered was to recommend trying to restore them from shadow copies. But the French utility WannaKiwi from Comae Technologies was created, which helps to disinfect important documents on your computer.

How to update your system from a security point of view?

Information security specialists say that timely updating of Windows 7 can reliably protect equipment from the WannaCry virus. The network worm exploited a vulnerability known as MS17-010. Timely installation of official updates can eliminate this vulnerability, reliably protecting your equipment.

If you have been affected by the WannaCry virus, then you should install a patch from Microsoft on your computer. For the Windows 7 system, on the official website you can find the update number 3212646. For the Windows 8 system, option 3205401 is suitable. For the Windows 10 version, you can also find the following versions there:

  • 3210720;
  • 3210721;

Patches are also available for older versions of Windows, namely for Vista (32 and 64-bit) under number 3177186 and for XP under number 4012598.

How to properly install an update against a virus called WannaCry? This is usually very simple: you just need to download the required file and then follow the instructions contained in the installation wizard. In fact, all you have to do is click the “Next” and “Finish” buttons. After installation, it is best to reboot the system before using it further. For specialists, there is also a way to install updates automatically, rather than manually, by setting up group policies for your system, as well as using special filters.

Good afternoon, dear readers and guests of the blog. As you remember, in May 2017 a large-scale wave of infection of computers running the Windows operating system began with a new ransomware virus called WannaCry, as a result of which it was able to infect and encrypt data on more than 500,000 computers; just think about this figure. The worst thing is that this type of virus is practically not caught by modern antivirus solutions, which makes it even more threatening. Below I will tell you a method of protecting your data from it and how to protect yourself from ransomware in a minute; I think you will find it interesting.

What is a ransomware virus?

A ransomware virus is a type of Trojan program whose task is to infect the user's workstation, identify files of the required formats on it (for example, photos, audio recordings, video files), then encrypt them and change the file type, as a result of which the user can no longer open them without a special decryptor program. It looks like this.

Encrypted file formats

The most common file formats after encryption are:

  • no_more_ransom
  • vault

Consequences of a ransomware virus

I will describe the most common case in which an encryptor virus is involved. Let's imagine an ordinary user in some abstract organization. In 90 percent of cases the user has the Internet at his workplace, since with its help he brings profit to the company, and he surfs the Internet. A person is not a robot and can be distracted from work by looking at sites that interest him, or sites recommended by a friend. As a result of this activity, he can infect his computer with a file encryptor without knowing it and find out about it when it is already too late. The virus has done its job.

The virus, at the time of its operation, tries to process all the files to which it has access, and this is where it begins that important documents in the department folder to which the user has access suddenly turn into digital garbage, local files and much more. It is clear that there should be backup copies of file shares, but what about local files, which can constitute a person’s entire work; as a result, the company loses money for idle work, and the system administrator leaves his comfort zone and spends his time decrypting files.

The same may happen to an ordinary person, but here the consequences are local and concern him and his family personally. It is very sad to see cases where a virus has encrypted all files, including family photo archives, and people have no backup copy; ordinary users rarely make one.

With cloud services, everything is not so simple. If you store everything there and do not use a thick client in your Windows operating system, that is one thing: 99% of the time nothing threatens you there. But if you use, for example, Yandex Disk or "Mail Cloud" with a client that synchronizes files from your computer to the cloud, then once you get infected and all the files are encrypted, the client will send the encrypted versions straight to the cloud and you will lose everything there too.

As a result, you see a picture like this, where you are told that all files are encrypted and you need to send money, now this is done in bitcoins so as not to identify the attackers. After payment, they should supposedly send you a decryptor and you will restore everything.

Never send money to criminals

Remember that not a single modern antivirus today can provide Windows protection against ransomware, for one simple reason: this Trojan does nothing suspicious from the antivirus's point of view. It essentially behaves like a user: it reads files and writes files. Unlike classic viruses, it does not try to change system files or add registry keys, which is why its detection is so difficult; there is no line distinguishing it from the user.

Sources of ransomware trojans

Let's try to highlight the main sources of the encryptor's penetration into your computer.

  1. Email > very often people receive strange or fake emails with links or infected attachments, upon clicking on which the victim begins to have a sleepless night. I told you how to protect email, I advise you to read it.
  2. Through software - you downloaded a program from an unknown source or a fake site, it contains an encoder virus, and when you install the software, you add it to your operating system.
  3. Through flash drives - people still very often visit each other and transfer a bunch of viruses through flash drives, I advise you to read “Protecting a flash drive from viruses”
  4. Through IP cameras and network devices with Internet access - very often, due to incorrect settings on a router or IP camera connected to a local network, hackers infect computers on the same network.

How to protect your PC from ransomware

Proper use of your computer protects you from ransomware, namely:

  • Do not open mail you do not know and do not follow unknown links, no matter how they reach you, be it mail or any of the messengers
  • Install updates to the Windows or Linux operating system as quickly as possible; they are released not so often, about once a month. In Microsoft's case this is the second Tuesday of every month, but for file encryptors updates may be released out of band (unscheduled).
  • Do not connect unknown flash drives to your computer; ask your friends to send them a link to the cloud.
  • Make sure that if your computer does not need to be accessible on the local network to other computers, then turn off access to it.
  • Limit access rights to files and folders
  • Installing an antivirus solution
  • Do not install incomprehensible programs hacked by someone unknown

Everything is clear with the first three points, but I will dwell on the remaining two in more detail.

Disable network access to your computer

When people ask me how to protect against ransomware in Windows, the first thing I recommend is to disable the "File and Printer Sharing for Microsoft Networks" service, which allows other computers to access the resources of this computer over Microsoft networks. This is also relevant against curious system administrators working at your provider.

Disable this service and protect yourself from ransomware on a local or provider network as follows. Press the key combination WIN+R and in the Run window that opens, enter the command ncpa.cpl. I'll show this on my test computer running Windows 10 Creators Update.

Select the desired network interface and right-click on it, select “Properties” from the context menu

We find the item “File and printer sharing for Microsoft networks” and uncheck it, then save, all this will help protect your computer from a ransomware virus on the local network; your workstation will simply not be accessible.
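The same checkbox can be cleared from the command line, which is handy when you want to do it on several machines or verify that nobody has turned it back on. The script below is an added example and is not the blog author's code; it assumes an elevated prompt on Windows 8.1/10 or Server 2012 R2 and later (the NetAdapter and NetSecurity modules), and relies on `ms_server` being the component ID of the "File and Printer Sharing for Microsoft Networks" binding. As a second line of defence it also adds a host-firewall rule blocking inbound TCP 445, so the share stays unreachable even if the binding is re-enabled later; the rule's display name is a constructed value.

```powershell
# Added example: report and optionally disable File and Printer Sharing on every adapter.
# Assumptions: elevated prompt, Windows 8.1+/Server 2012 R2+, ms_server = the sharing binding.
param([switch]$Disable)   # without -Disable the script only reports

$bindings = Get-NetAdapterBinding -ComponentID ms_server
foreach ($b in $bindings) {
    $state = if ($b.Enabled) { 'ENABLED' } else { 'disabled' }
    Write-Host ("{0,-30} File and Printer Sharing: {1}" -f $b.Name, $state)
    if ($b.Enabled -and $Disable) {
        # Same effect as clearing the checkbox in the adapter's Properties dialog
        Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_server
        Write-Host "  -> disabled on $($b.Name)"
    }
}

# Second layer: block inbound SMB at the host firewall so an inherited or re-enabled
# binding still cannot be reached from the LAN. Rule name is a constructed placeholder.
$ruleName = 'Block inbound SMB (ransomware hardening)'
if ($Disable -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
}
```

Keep in mind that this only stops other machines from reaching shares on this computer; it does nothing for an encryptor that is already running locally, which is what the permissions section below addresses.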

Restricting access rights

Protection against ransomware in Windows can be implemented in this interesting way; I will tell you how I did it for myself. The main problem in the fight against encryptors is that antiviruses simply cannot fight them in real time, that is, they cannot protect you at the moment of the attack, so we will be more cunning. If the encryptor virus does not have write rights, then it will not be able to do anything with your data. Let me give you an example: I have a photo folder, it is stored locally on the computer, plus there are two backup copies on different hard drives. On my local computer, I set read-only rights on it for the account under which I use the computer. If the virus had gotten in, it simply wouldn't have had enough rights; as you can see, everything is simple.

To implement all this and protect yourself from file encryptors, do the following.

  • Select the folders you need. Try to use folders; they make it easier to assign rights. Ideally, create a folder called read-only and place all the files and folders you need in it. The good thing is that by assigning rights to the top folder, they will automatically be applied to the folders inside it. Once you have copied all the necessary files and folders into it, proceed to the next step.
  • Right-click on the folder and select "Properties" from the menu.
  • Go to the "Security" tab and click the "Edit" button.
  • Try to delete the access groups; if you receive a warning window saying "The group cannot be deleted because this object inherits permissions from its parent," close it.
  • Click the "Advanced" button. In the window that opens, click "Disable inheritance".
  • When asked "What do you want to do with the current inherited permissions?" select "Remove all inherited permissions from this object".
  • As a result, everything in the "Permissions" field will be deleted.
  • Save the changes. Please note that now only the owner of the folder can change permissions.
  • Now on the "Security" tab, click "Edit".
  • Next, click "Add" and then "Advanced".
  • We need to add the group "Everyone"; to do this, click "Search" and select the desired group.
  • To protect Windows from ransomware, set the permissions for the "Everyone" group as in the picture.
  • Now no encryptor virus will threaten your files in this directory.
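The same recipe can be applied with icacls instead of clicking through the Properties dialog, which makes it repeatable and lets you verify the result. The script below is an added example, not the blog author's code. It assumes an elevated prompt; the folder path is a constructed placeholder; S-1-1-0 is the well-known SID for "Everyone", used so the command works on any Windows language; and the "as in the picture" permissions are taken to be Read & execute only, which is what the text describes.

```powershell
# Added example: build a read-only folder the way the steps above describe, using icacls.
# Assumptions: elevated prompt; $Folder is a hypothetical path; Everyone gets RX only.
$Folder = 'C:\ReadOnly'   # constructed placeholder: the folder holding the files to protect
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# Step "Disable inheritance" + "Remove all inherited permissions from this object":
# /inheritance:r strips every inherited ACE, leaving an empty explicit ACL.
icacls $Folder /inheritance:r | Out-Null

# Step "Add the group Everyone" with read-only rights:
# RX = read & execute; (OI)(CI) = inherited by files and subfolders created later.
icacls $Folder /grant '*S-1-1-0:(OI)(CI)RX' | Out-Null

# Make everything already inside the folder inherit from the parent instead of keeping
# its own explicit ACEs (/reset on the children only, not on the top folder).
icacls "$Folder\*" /reset /t /c /q | Out-Null

# Verify: a write under the current account should now be denied.
try {
    [System.IO.File]::WriteAllText((Join-Path $Folder 'probe.txt'), 'x')
    Write-Warning "Write succeeded: the ACL did not take effect, check the output of icacls $Folder"
} catch {
    Write-Host "Write denied as expected: $($_.Exception.Message)"
}
icacls $Folder   # print the resulting ACL for the record
```

One caveat that follows from the note "only the owner of the folder can change permissions": the owner keeps the right to rewrite the ACL, so an encryptor running under the owner's account could in principle grant itself write access again before encrypting. In practice most samples simply open files for writing and fail, which is why the trick works, but it is a speed bump, not a guarantee, and the backup copies the author keeps on separate drives remain the real protection.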

I hope that Microsoft and other antivirus solutions will be able to improve their products and protect computers from ransomware before their malicious work, but until this happens, follow the rules that I described to you and always make backup copies of important data.