The largest attack in history. The Ministry of Internal Affairs, MegaFon and thousands of other companies were hacked

  • 12 May 2017, 19:43: Computer systems of the Ministry of Internal Affairs and MegaFon were subject to a virus attack

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed the infection of departmental computers. According to him, departments in several regions are affected.

Earlier, information about a possible virus infection appeared on the Pikabu website and on the Kaspersky forum. According to some users, it is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands that the user buy a special decryptor for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different than previous versions.”

The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.

Varlamov's website notes that information has also appeared about the infection of computers in public hospitals in several regions of the UK and about an attack on the Spanish telecommunications company Telefonica. In both cases the virus also demands payment.

Microsoft noted that its March update already provided additional protection against such viruses.

"Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance," the company added.

Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus exploits a Windows network vulnerability that Microsoft specialists closed back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to the press secretary of the Ministry of Internal Affairs, Irina Volk, the Ministry's Department of Information Technology, Communications and Information Protection recorded a virus attack on Ministry computers running the Windows operating system.

“Thanks to timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the server resources of the Ministry of Internal Affairs were not infected because they work on other operating systems.

“At the moment the virus has been localized, and technical work is under way to destroy it and update the anti-virus protection tools,” the ministry's press secretary said.

More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.

At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. According to the rate of $1,740 per bitcoin at 10:00 p.m. Moscow time, this amount is $6,090.

Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

The three wallets received 20 transactions on May 12. Most transfers were for 0.16-0.17 bitcoins, roughly $300, the amount the hackers demanded in the pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported that the WanaCrypt0r 2.0 virus has infected 75 thousand computers in 99 countries, according to the company's website.

Mostly computers are infected in Russia, Ukraine and Taiwan.

13 hours ago, a blog entry by computer security specialist Brian Krebs appeared about the transfer of bitcoins to hackers totaling $26,000.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days the WannaCry virus has infected more than 200 thousand computers in 150 countries, Europol Director Rob Wainwright said in an interview with the British TV channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. The latest estimates are that there are 200,000 victims in at least 150 countries, including businesses, including large corporations,” Wainwright said.

He suggested that the number of infected computers would likely increase significantly when people returned to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, the Xinhua agency reports, citing data from the threat assessment center of Qihoo 360.

According to researchers, computers in more than 4,340 universities and other educational institutions were attacked. Infections were also observed on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

“There was no significant damage for us, for our institutions - neither for banking, nor for the healthcare system, nor for others,” Russian President Vladimir Putin said.

“As for the source of these threats, in my opinion Microsoft's management stated this directly: they said that the primary source of this virus is the intelligence services of the United States; Russia has absolutely nothing to do with it. It is strange for me to hear anything different under these conditions,” the president added.

Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”

Clones of the WannaCry virus have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes with reference to Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware but by other hackers trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about the virus clones. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to Kaspersky Lab's specialized website.

Company specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to similarities between two samples: they share common code. The tweet cites a WannaCry sample dated February 2017 and a Lazarus group sample dated February 2015.

“The detective story is getting tighter and tighter, and now the same code has been found in #WannaCry and in the Trojans from Lazarus.”

In addition to telecommunications companies, Russian law enforcement agencies, the Ministry of Internal Affairs and the Investigative Committee, became victims of the hacker attacks, according to sources of RBC, Gazeta.Ru and Mediazona.

RBC's interlocutor in the Ministry of Internal Affairs spoke about an attack on the department's internal networks. According to him, the attack mainly affected the ministry's regional departments. He clarified that the virus affected computers in at least three regions of the European part of Russia. The source added that the attack should not affect the work of the Ministry. Another RBC interlocutor at the ministry said that the hackers could have gained access to Ministry databases, but it is not known whether they managed to download information from them. The attack affected only those computers on which the operating system had not been updated for a long time, a source at the department said. The ministry's work is not paralyzed by the hackers, but it is greatly hampered.

In Germany, hackers attacked the services of Deutsche Bahn, the country's main railway operator. This was reported by the ZDF TV channel with reference to the country's Ministry of Internal Affairs.

The US Department of Homeland Security is offering its partners technical support and assistance in the fight against the WannaCry ransomware.

What kind of virus?

According to a statement by Kaspersky Lab, the virus in question is the WannaCry ransomware. “As the analysis showed, the attack occurred through the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, using which the attackers launched an encryption program,” the company said.

“All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the ransomware used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (to detect this malware, the System Watcher component must be enabled),” the company noted.

To reduce the risk of infection, Kaspersky Lab experts advise users to install the official patch from Microsoft, which closes the vulnerability used in the attack, and, to prevent such incidents, to use threat intelligence services so as to receive timely data on the most dangerous attacks and possible infections.

Microsoft also commented on the hacker attack. “Today our experts have added detection and protection against a new malware known as Ransom:Win32.WannaCrypt. In March we also introduced additional protection against malware of this nature, along with a security update that prevents the malware from spreading across the network. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance,” says a statement from a Microsoft representative in Russia received by RBC.

A representative of Solar Security told RBC that the company sees the attack and is currently examining a sample of the virus. “We are not ready to share details right now, but the malware was clearly written by professionals. It cannot yet be ruled out that it is something more dangerous than ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the source said. According to him, the damage from the virus is “enormous”: it has affected large organizations in 40 countries, but an accurate assessment is impossible yet, since the capabilities of the malware have not been fully studied and the attack is still developing.

Ilya Sachkov, general manager of Group-IB, told RBC that ransomware similar to that used in the current attack is a growing trend. In 2016 the number of such attacks increased more than a hundredfold compared to the previous year, he said.

Sachkov noted that, as a rule, infection of the device in such cases occurs through email. Speaking about WannaCry, the expert noted that this encryption program has two features. “Firstly, it uses the ETERNALBLUE exploit, which the Shadow Brokers hackers posted in open access. A patch that closes this vulnerability for Windows Vista and later became available on March 9 as part of bulletin MS17-010. At the same time, there will be no patch for older operating systems like Windows XP and Windows Server 2003, since they are no longer supported,” he said.

“Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malware will spread there too; hence the avalanche-like nature of the infections,” Sachkov added.

Protection against such attacks, according to Sachkov, can be ensured by “sandbox” solutions installed on the organization's network that scan all files sent to employees' email or downloaded from the Internet. In addition, the expert recalled, it is important to talk to employees about the basics of “digital hygiene”: do not install programs from unverified sources, do not plug unknown flash drives into the computer, do not follow dubious links, update software on time and do not use operating systems that the manufacturer no longer supports.
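The second feature Sachkov describes above, an infected host reaching out to many other hosts on the SMB port in a short time, is something a defender can spot in ordinary firewall or flow logs long before anti-virus signatures catch up. The following is an added example, not code from the original article or from any of the companies quoted in it: it reads constructed connection-log lines (the format and all addresses are made up for the example) and raises an alert for any source that contacts at least `threshold` distinct hosts on TCP/445 within a sliding window of `window_s` seconds, while ignoring a host that talks repeatedly to a single file server or one that touches a few hosts spread over many minutes.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of firewall/flow-style log lines (not real logs):
#  - 10.0.1.23 reaches twelve different hosts on port 445 in eight seconds (worm-like fan-out)
#  - 10.0.1.40 talks to one file server twice (normal)
#  - 10.0.1.41 uses port 443 only (irrelevant to this check)
#  - 10.0.1.50 reaches three hosts on 445, but ten minutes apart (below any sane rate)
SAMPLE_LOG = """\
2017-05-12T14:03:01Z src=10.0.1.23 dst=10.0.2.7 dport=445 proto=tcp
2017-05-12T14:03:02Z src=10.0.1.23 dst=10.0.2.8 dport=445 proto=tcp
2017-05-12T14:03:02Z src=10.0.1.23 dst=10.0.2.9 dport=445 proto=tcp
2017-05-12T14:03:03Z src=10.0.1.23 dst=10.0.2.10 dport=445 proto=tcp
2017-05-12T14:03:03Z src=10.0.1.23 dst=10.0.2.11 dport=445 proto=tcp
2017-05-12T14:03:04Z src=10.0.1.23 dst=10.0.2.12 dport=445 proto=tcp
2017-05-12T14:03:05Z src=10.0.1.23 dst=10.0.2.13 dport=445 proto=tcp
2017-05-12T14:03:05Z src=10.0.1.23 dst=10.0.2.14 dport=445 proto=tcp
2017-05-12T14:03:06Z src=10.0.1.23 dst=10.0.2.15 dport=445 proto=tcp
2017-05-12T14:03:06Z src=10.0.1.23 dst=10.0.2.16 dport=445 proto=tcp
2017-05-12T14:03:07Z src=10.0.1.23 dst=10.0.2.17 dport=445 proto=tcp
2017-05-12T14:03:08Z src=10.0.1.23 dst=10.0.2.18 dport=445 proto=tcp
2017-05-12T14:03:07Z src=10.0.1.40 dst=10.0.2.5 dport=445 proto=tcp
2017-05-12T14:10:07Z src=10.0.1.40 dst=10.0.2.5 dport=445 proto=tcp
2017-05-12T14:03:09Z src=10.0.1.41 dst=10.0.2.50 dport=443 proto=tcp
2017-05-12T14:03:09Z src=10.0.1.41 dst=10.0.2.51 dport=443 proto=tcp
2017-05-12T14:05:00Z src=10.0.1.50 dst=10.0.3.1 dport=445 proto=tcp
2017-05-12T14:15:00Z src=10.0.1.50 dst=10.0.3.2 dport=445 proto=tcp
2017-05-12T14:25:00Z src=10.0.1.50 dst=10.0.3.3 dport=445 proto=tcp
"""


def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into (epoch_seconds, src, dst, dport, proto)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), kv["src"], kv["dst"], int(kv["dport"]), kv["proto"]


def detect_smb_fanout(lines, threshold=10, window_s=60, port=445):
    """Return {src: alert} for every source that reached >= threshold distinct
    destinations on TCP/<port> inside any window_s-second span."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if proto == "tcp" and dport == port:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, hits in per_src.items():
        window = deque()           # (ts, dst) pairs currently inside the sliding window
        counts = defaultdict(int)  # dst -> how many of those pairs refer to it
        for ts, dst in hits:
            window.append((ts, dst))
            counts[dst] += 1
            # Evict everything older than window_s seconds relative to the newest event.
            while ts - window[0][0] > window_s:
                _, old_dst = window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            if len(counts) >= threshold:
                start = window[0][0]
                alerts[src] = {
                    "first_seen": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                    "distinct_hosts": len(counts),
                    "seconds": round(ts - start),
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, alert in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {alert['distinct_hosts']} hosts on 445 in {alert['seconds']}s "
              f"(from {alert['first_seen']})")
```

Tune `threshold` and `window_s` to the network: a backup server or vulnerability scanner legitimately opens many SMB sessions and belongs on an allowlist, while a workstation normally talks to a handful of file and print servers. The same fan-out logic applies unchanged to other lateral-movement ports once the port argument is adjusted.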

Who's to blame

It is not yet clear who is behind the large-scale cyber attack. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack that occurred on May 12. WikiLeaks previously announced this possibility.

In turn, the Romanian authorities said that behind the attempted attack could be an organization “associated with the cybercrime group APT28/Fancy Bear,” which is traditionally classified as “Russian hackers.”

The Telegraph suggests that the Shadow Brokers group, linked to Russia, may be behind the attack. They link this to hackers' claims in April that they had stolen a "cyber weapon" from the US intelligence community, giving them access to all Windows computers.

Malicious software (malware) is the general name for software products whose purpose is to cause damage to the end user.

Attackers keep coming up with new and cunning ways to distribute malware, most of which is developed for the Android operating system. You can “catch” a virus not only on some dubious site but also by receiving a message with a link from a person you know (a friend, relative or colleague).

One modification of malware for Android smartphones and tablets, once on the device, first sends a link with a friendly message (“Check out the link!” or “My photo for you”) to the entire contact list. Anyone who follows the link receives the virus on their smartphone.

Most often, though, criminals pass off Trojans as useful applications.

What is the threat of the virus?

A Trojan that gets onto your phone can not only send SMS to your friends but also drain your account. Banking Trojans are among the most dangerous: any owner of a gadget with a banking application may suffer. Users of Android smartphones are most at risk, as 98% of mobile banking Trojans are written for this operating system.

When you launch a banking application, the Trojan displays its own interface on top of the real mobile bank's interface and thus steals all the data the user enters. The most advanced malware can spoof the interfaces of dozens of different mobile banks, payment systems and even messaging apps.

Another important step in stealing money is intercepting the SMS with one-time passwords used to confirm payments and transfers. Trojans therefore usually need access rights to SMS, which is why you should be especially careful with applications that request such rights.

Signs that your phone is infected

There are several signs that your phone is infected with malware:

  • Hidden sending of SMS to your contact list: friends, acquaintances and colleagues who have received dubious messages start contacting you;
  • Fast spending of funds: money is debited from your personal account faster than usual;
  • Unauthorized debits from a bank card;
  • No SMS from the bank: although you activated the “SMS informing” service, you have stopped receiving SMS notifications about debits from your account;
  • The battery drains faster.

How to protect yourself?

  • Regularly check your mobile device's operating system for security updates and install them promptly;
  • Install anti-virus software on your smartphone or tablet; after installation, update it and scan your mobile device;
  • Use anti-virus software that provides online protection and update it regularly;
  • Download and run applications only from official stores (Play Store, App Store, Google Play and so on);
  • Be careful when granting permissions to applications: programs that ask for the right to process SMS messages should be treated with particular suspicion;
  • Think before you click on a link. Stay vigilant: do not open links from letters, SMS or social-network messages unless you are sure the message came from a known sender and is safe;
  • If you receive a suspicious SMS with a link from a friend, call him to find out whether he sent the message. If not, warn him that his smartphone or tablet is infected with a virus;
  • Be careful on public Wi-Fi networks, and when connecting make sure the network is legitimate;
  • Use complex passwords;
  • In the Settings menu, under Wireless & Networks, tap Data Usage: there you can see how much data each application uses and set a data limit;
  • Enable “SMS notification” about debits from your account: not all Trojans intercept SMS.
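The banking-Trojan description above (an overlay drawn over the real bank app plus interception of one-time SMS codes) and the advice to be suspicious of apps asking for SMS rights can be turned into a concrete check. The code below is an added example, not part of the original article: it parses a simplified, constructed permission listing modelled loosely on what `adb shell dumpsys package` prints (the package names are hypothetical), and rates each app by whether it holds SMS permissions and, worse, combines them with the overlay or accessibility permissions a spoofing Trojan needs. The `EXPECTED_SMS_APPS` allowlist is an assumption you fill in with the apps you have verified really need SMS access.

```python
import re
from collections import defaultdict

# Permission names are real Android permissions; the grouping is this example's own.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"           # draw over other apps
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # read/act on screen content

# Assumption: apps the owner has verified as legitimately needing SMS (hypothetical names).
EXPECTED_SMS_APPS = {"com.example.messenger"}

# Constructed listing (hypothetical packages); real dumpsys output is longer and noisier.
SAMPLE_DUMP = """\
Package [com.example.bank] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.USE_FINGERPRINT
Package [com.example.flashlight] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.SEND_SMS
    android.permission.SYSTEM_ALERT_WINDOW
Package [com.example.messenger] (7a8b9c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_CONTACTS
Package [com.example.weather] (0d1e2f):
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
"""

PACKAGE_RE = re.compile(r"^Package \[([^\]]+)\]")


def parse_permissions(dump):
    """Map package name -> set of requested permissions from a (simplified) dumpsys listing."""
    perms = defaultdict(set)
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        match = PACKAGE_RE.match(line)
        if match:
            current = match.group(1)
            perms[current]  # register the package even if it requests nothing interesting
            continue
        if current and line.startswith("android.permission."):
            # Some dumpsys sections append ': granted=true'; keep only the permission name.
            perms[current].add(line.split(":", 1)[0])
    return dict(perms)


def triage(dump, expected_sms_apps=EXPECTED_SMS_APPS):
    """Return {package: finding} for every app holding SMS, overlay or accessibility rights.

    Levels: 'high'     = SMS rights combined with overlay or accessibility (spoofing Trojan pattern)
            'review'   = SMS rights in an app not on the allowlist
            'expected' = SMS rights in an allowlisted app
            'low'      = overlay/accessibility only (worth a look, no SMS access)
    """
    report = {}
    for pkg, held in parse_permissions(dump).items():
        sms = sorted(held & SMS_PERMS)
        overlay = OVERLAY_PERM in held
        accessibility = ACCESSIBILITY_PERM in held
        if not sms and not overlay and not accessibility:
            continue
        if sms and (overlay or accessibility):
            level = "high"
        elif sms and pkg not in expected_sms_apps:
            level = "review"
        elif sms:
            level = "expected"
        else:
            level = "low"
        report[pkg] = {"level": level, "sms": sms, "overlay": overlay,
                       "accessibility": accessibility}
    return report


if __name__ == "__main__":
    for pkg, finding in sorted(triage(SAMPLE_DUMP).items(), key=lambda kv: kv[1]["level"]):
        print(f"{finding['level']:8} {pkg}  sms={finding['sms']} overlay={finding['overlay']} "
              f"accessibility={finding['accessibility']}")
```

On a real device the listing for one app comes from `adb shell dumpsys package <package>`; without a computer, the same information is visible under Settings > Apps > Permissions. A flashlight or game that lands in the `high` bucket is exactly the combination the article warns about and should be uninstalled, and any one-time code received while it was installed should be treated as compromised.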

What to do if money is stolen?

The first thing to do is contact the bank as quickly as possible.

Suddenly, a window appears on the screen of a computer running Windows saying that the user's files are encrypted and can only be decrypted by paying the hackers a ransom of $300. This must be done within three days, otherwise the price doubles, and after a week the data will be deleted permanently. More precisely, the files will physically remain on the disk, but it will be impossible to decrypt them. To demonstrate that the data really can be decrypted, a “free demo” is offered.

Example of a computer hacking message

What is encryption

Any data on your computer can be encrypted. Since all of it is files, that is, sequences of zeros and ones, the same zeros and ones can be written down in a different sequence. Say we agree that instead of each sequence “11001100” we will write “00001111”; later, seeing “00001111” in the encrypted file, we will know that it is actually “11001100” and can easily decrypt the data. The information about what is changed into what is called the encryption key, and, alas, in this case only the hackers have the key. It is individual for each victim and is sent only after payment for the “services”.
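The scheme the paragraph describes, a fixed table saying which byte pattern is written in place of which, is the simplest kind of symmetric cipher, and the table itself is the key. The following is an added example, not code from the article: it builds such a key as a secret shuffle of all 256 byte values (a different one per victim, as the text says), encrypts and decrypts with it, shows that a different key does not recover the data, and shows why guessing the key is hopeless. It also exposes the weakness of this toy scheme, which is why real ransomware uses standard ciphers instead: the same input byte always becomes the same output byte. Nothing here is secure; it illustrates the idea of a key only.

```python
import math
import random
import secrets


def make_key(seed=None):
    """The key is a secret shuffle of all 256 byte values: byte i is written as key[i].

    With no seed the shuffle comes from the OS random source; a seed gives a
    reproducible demo key (only for demonstrations, never for real use)."""
    table = list(range(256))
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    rng.shuffle(table)
    return bytes(table)


def encrypt(plaintext, key):
    """Replace every byte by its entry in the key table (bytes.translate does exactly that)."""
    return plaintext.translate(key)


def decrypt(ciphertext, key):
    """Invert the table: wherever the key wrote value v for byte i, map v back to i."""
    inverse = bytearray(256)
    for i, v in enumerate(key):
        inverse[v] = i
    return ciphertext.translate(bytes(inverse))


def key_space_digits():
    """Number of decimal digits in 256!, the count of possible keys for this scheme."""
    return len(str(math.factorial(256)))


def leaks_repetition(key):
    """Toy-cipher weakness: identical input bytes always give identical output bytes,
    so the ciphertext preserves the plaintext's byte statistics."""
    return len(set(encrypt(b"aaaa", key))) == 1


if __name__ == "__main__":
    victim_key = make_key()                       # what the attacker keeps
    report = b"Quarterly report: revenue 1,240,000 RUB"  # constructed sample file content
    locked = encrypt(report, victim_key)
    print("encrypted :", locked.hex())
    print("with key  :", decrypt(locked, victim_key))
    print("wrong key :", decrypt(locked, make_key())[:16], "...")
    print("possible keys have", key_space_digits(), "decimal digits")
    print("toy scheme leaks repetition:", leaks_repetition(victim_key))
```

The practical lesson is the one the article draws: once the key exists only on the attacker's side, the ciphertext on disk is just noise, and the only copy of the data you control is the one in your backups.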

Is it possible to catch hackers?

In this case, the ransom must be paid using bitcoins, an electronic cryptocurrency. The essence of using Bitcoin, in a nutshell, is that payment data is transmitted through a chain of servers in such a way that each intermediate server does not know who the original sender and recipient of the payment are. Therefore, firstly, the final “beneficiary” is always completely anonymous, and secondly, the transfer of money cannot be disputed or canceled, that is, the hacker, receiving the ransom, does not risk anything. The ability to get large sums of money quickly and with impunity motivates hackers to find new ways to hack.

How to protect yourself from hacking

In general, ransomware has been around for ten years. As a rule, earlier it took the form of “Trojan horses”: the encryption program was installed by the user himself out of his own stupidity, for example under the guise of a “crack” for an expensive office suite or a set of new levels for a popular game, downloaded from who knows where. Basic computer hygiene protects against such Trojans.

Now, however, we are talking about a virus attack (the Wanna Decrypt0r 2.0 virus) that exploits vulnerabilities in the Windows operating system and the SMB network file-sharing protocol, which is why all the computers on a local network get infected. The antiviruses are silent; their developers do not yet know what to do and are only studying the situation. So the only way to protect yourself is to regularly back up important files and keep the copies on external hard drives that are disconnected from the Internet. You can also use less vulnerable operating systems, Linux or Mac OS.

“Today our specialists have added an update with detection and protection against a new malware known as Ransom:Win32.WannaCrypt. In March we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance.”

Kristina Davydova

Microsoft Russia press secretary

How to save files

If the files are already encrypted and there is no backup copy, then, unfortunately, you have to pay. However, there is no guarantee that the hackers will not encrypt them again.

The hack will not lead to any global cataclysm: without local accounting documents or reports things are difficult, of course, but the trains run and MegaFon's network works without failures. Nobody entrusts critical data to ordinary Windows office PCs, and the servers either have multi-level protection against hacking (down to hardware at the router level) or are completely isolated from the Internet and from the local networks to which employees' computers are connected. Incidentally, precisely in case of cyber attacks, important data of government agencies is stored on servers running special cryptographically hardened builds of Linux with the appropriate certification, and the Ministry of Internal Affairs also runs such servers on Russian Elbrus processors, for whose architecture the attackers certainly have no compiled virus code.

What happens next

Paradoxically, the more people suffer from the virus, the better: it will be a good lesson in cybersecurity and a reminder of the need for constant data backups. After all, data can be destroyed not only by hackers (and in a thousand and one other ways) but also lost through the physical loss of the medium it was stored on, and then you will have only yourself to blame. You would gladly pay 300 or even 600 dollars to get back the work of your whole life, but there will be no one to pay.
