On May 12, two families of ransomware variants, Onion and WNCRY, broke out across China and worldwide, hitting a large number of individual, enterprise and institutional users.
Unlike earlier ransomware, this new variant incorporates the "EternalBlue" 0day exploit from the NSA (US National Security Agency) hacker toolkit and spreads as a worm through port 445 (file sharing) inside networks.
Users who have no security software installed, or who have not applied the system patch in time, can be infected passively without opening anything, so the infected users so far are concentrated in enterprise, university and other internal network environments.
Once a system is infected by the worm variant, its important data files are encrypted and a high bitcoin ransom is demanded, equivalent to roughly RMB 2000-50000 yuan.
According to current monitoring, tens of thousands of users across the whole network have been infected, QQ, Weibo and other social platforms are full of complaints, and the follow-up threat cannot be underestimated.
The combination of ransomware with a remotely exploitable vulnerability and worm propagation has caused the danger to surge, and is a severe test of the recent domestic network security situation.
After the incident, Microsoft and the major security companies followed up immediately and updated their security software. Kingsoft has also prepared, specifically for this ransomware worm, a detailed security defense program, propagation analysis and other security recommendations.
We have also collected the patches for every Windows system version; please be sure to install the update as soon as possible.
Background of the spread and infection
This round of ransomware worms consists mainly of variants of two major families, Onion and WNCRY. They first broke out in the United Kingdom, Russia and other countries, where the systems of many enterprises and medical institutions were hit and the losses were very heavy.
Global monitoring by security agencies has found that as many as 74 countries have encountered this hacker worm attack.
From May 12, the volume of domestic infections began to rise sharply, with concentrated outbreaks in a number of colleges, universities and enterprises that continue to intensify.
74 countries around the world hit by the Onion and WNCRY ransomware worm infection attack
The number of WNCRY ransomware detections within 24 hours exceeded 100,000
The main reason for this outbreak is the "EternalBlue" vulnerability from the previously leaked US National Security Agency (NSA) hacker toolkit, which the worm uses to propagate (Microsoft released the patch in March; bulletin number MS17-010).
Similar to the large-scale worm infections of the past such as "Sasser" and "Blaster", the attack uses the "EternalBlue" vulnerability to attack target hosts directly and remotely through port 445, so the infection spreads extremely fast.
The hacker worm variant attacks over the network through the "EternalBlue" vulnerability
Although some domestic network operators have blocked port 445 for individual users, the education network, some operators' regional networks, and campus and enterprise networks still contain a large number of attack targets.
For enterprises in particular, once an internal key server system is attacked the loss is immeasurable.
From detection feedback, concentrated outbreaks of the infection have occurred in a number of colleges and universities, and terminal systems including airport flight information displays and gas stations have been affected; the impact of this ransomware worm is expected to intensify further in the near term.
Ransomware worm attack outbreaks in internal networks across the country
An entire college computer room hit by the WNCRY ransomware worm attack
A gas station system in the country hit by the hacker worm attack
An airport flight information terminal also hit by the ransomware attack
Ransomware worm infection
Documents, pictures, compressed archives, audio, video and other common files on the system are encrypted by the virus, which then demands a large ransom from the user.
WNCRY variants generally demand bitcoin worth 300-600 dollars, and Onion variants even require users to pay 3 bitcoin, equivalent to about 30,000 yuan at the current bitcoin market price.
Such viruses generally use RSA or another asymmetric algorithm, so the files cannot be decrypted without the private key. The WNCRY ransomware requires the user to pay within 3 days, otherwise the decryption fee is doubled, and if no payment is made within one week the files cannot be recovered.
In this sense the ransomware is "unsolvable", and security vendors and users need to work together to strengthen security measures and awareness.
A user system infected with the WNCRY ransomware pops up the bitcoin ransom window
The user's files are encrypted and their suffix changed to "wncry"; the desktop background is replaced by the ransom demand
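The renamed suffix described above gives a defender a simple way to scope an infection on a file server or share. The following PowerShell script is an added example, not code from the article or from Kingsoft: it enumerates a volume read-only, lists every file carrying the ".wncry" suffix, and reports per-directory counts plus the time window of the writes, which is what you need to pick the right backup and to scope log review. The path D:\shares is a constructed placeholder; the suffix is the one stated in the article.

```powershell
# Added example (not from the original article): inventory files that carry the
# ".wncry" suffix the article describes, to scope an infection on a shared volume.
# Assumptions: run from a clean admin workstation against a mounted or UNC path;
# the suffix is as stated in the article; the path below is a placeholder.
param(
    [string]$Path = "D:\shares",          # constructed placeholder: the volume to survey
    [string]$Suffix = ".wncry"            # suffix reported in the article
)

# Read-only enumeration: no files are opened or modified, so the survey itself
# adds no disk writes that would reduce the chance of recovering deleted originals.
$hits = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase) }

if (-not $hits) {
    Write-Output "No files with suffix '$Suffix' found under $Path"
    return
}

# The spread of LastWriteTime gives a rough window for when encryption ran.
$sorted = @($hits | Sort-Object LastWriteTime)

[pscustomobject]@{
    TotalEncryptedFiles = $sorted.Count
    FirstWrite          = $sorted[0].LastWriteTime
    LastWrite           = $sorted[-1].LastWriteTime
} | Format-List

# Per-directory counts show which shares or user folders the worm reached.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object @{n = 'Directory'; e = { $_.Name }}, Count |
    Select-Object -First 10 | Format-Table -AutoSize

# Keep the full list for the incident record; it is written to the analyst
# workstation's TEMP folder, not to the affected volume.
$hits | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'wncry-inventory.csv')
```

Run it from a clean machine against the affected share rather than on the infected host, so that nothing on the compromised system is trusted and no further writes land on its disk.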
Tracking the bitcoin payment addresses of some variants shows that a small number of users have already rushed to pay the ransom to the virus authors.
From the figure we can see that this variant has received ransom payments from 19 users, totaling 3.58 bitcoin, with a market value of about 40,000 yuan.
Tracking of one extortionist's bitcoin payment record
[Recommended defense measures]
1. Install antivirus software and keep its security defense functions enabled. Kingsoft Duba, for example, already intercepts the worm (download address: http://www.duba.net); the Windows Defender that comes with Windows will also do.
Kingsoft Duba removing the WNCRY ransomware worm
Kingsoft Duba's defense intercepting the WNCRY virus as it encrypts user files
2. Turn on Windows Update automatic updates and upgrade the system promptly.
In March, Microsoft released the MS17-010 patch for the NSA-leaked vulnerabilities, including the "EternalBlue" vulnerability used by the hacker worm, and it has also released a special fix patch for Windows XP, Windows Server 2003 and Windows 8.
The latest version, Windows 10 1703 Creators Update, does not have this vulnerability and does not need the patch.
The official download addresses are as follows:
For Windows XP 32-bit / 64-bit / Embedded, Windows Vista 32-bit / 64-bit, Windows Server 2003 SP2 32-bit / 64-bit, Windows 8 32-bit / 64-bit, Windows Server 2008 32-bit / 64-bit
For Windows 7 32-bit / 64-bit / Embedded, Windows Server 2008 R2 32-bit / 64-bit
For Windows 8.1 32-bit / 64-bit, Windows Server 2012 R2 32-bit / 64-bit
For Windows 8 Embedded, Windows Server 2012
For Windows 10 RTM 32-bit / 64-bit / LTSB
For Windows 10 1511 November Update 32-bit / 64-bit
For Windows 10 1607 Anniversary Update 32-bit / 64-bit, Windows Server 2016 32-bit / 64-bit
3. Users of Windows XP and Windows Server 2003 can also close port 445 to avoid the ransomware worm's infection attack.
Proceed as follows:
(1) Turn on the system firewall: Control Panel -> Security Center -> Windows Firewall -> Enable.
Turning on system firewall protection
(2) Close system port 445.
(a) Press the shortcut Win + R to open the Run window, enter cmd and execute it to open a command prompt, then enter the command "netstat -an" to check whether port 445 is open.
(b) If, as shown above, port 445 is open, enter the following commands to close it:
net stop rdr
net stop srv
net stop netbt
The result afterwards is as follows:
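The steps above are written for Windows XP / Server 2003 and are typed into cmd. As an added example (not the article's or Kingsoft's own), here is the equivalent check-and-harden script in PowerShell for Windows 8 / Server 2012 and later, where the NetSecurity, NetTCPIP and SmbShare modules exist. It checks whether the MS17-010 update is installed, whether anything listens on TCP 445, and whether the firewall profiles are on; with -Enforce it turns the firewall on, adds an inbound block rule for 445 and disables the SMBv1 server that EternalBlue targets. The KB ids for MS17-010 differ per OS and are not given on this page, so the default -Ms17010Kbs value is a placeholder to be replaced with the ids from the bulletin; the rule name is this example's own choice.

```powershell
# Added example (not from the original article): check and apply the article's
# defences on Windows 8 / Server 2012 and later. On Windows XP / 2003 use the
# cmd steps above instead; these cmdlets do not exist there.
# Assumptions: run as Administrator; -Ms17010Kbs holds the MS17-010 KB ids for
# this OS build (the default is a placeholder, not a real KB number).
param(
    [string[]]$Ms17010Kbs = @('KB0000000'),   # PLACEHOLDER: replace with the MS17-010 KB ids for this OS
    [switch]$Enforce                          # without this switch the script only reports
)

# 1. Is the MS17-010 fix installed? Get-HotFix reads the installed-update list.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$patched = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
Write-Output ("MS17-010 patch present: {0}" -f $patched)

# 2. Is anything listening on TCP 445, the port the worm propagates through?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Output ("TCP 445 listening: {0}" -f [bool]$listening)

# 3. Are the firewall profiles enabled? (article step 1)
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

if (-not $Enforce) { return }

# Enforcement, only when -Enforce is given:
# a) turn the firewall on for every profile
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# b) block inbound 445 from the network; the persistent equivalent of the
#    article's "close port 445". This stops other hosts reaching this host's shares.
$ruleName = 'Block inbound SMB 445'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# c) disable the SMBv1 server, the protocol EternalBlue targets; SMBv2/v3 stay
#    enabled, so modern clients keep working.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Unlike "net stop", which only stops the services until the next reboot, the firewall rule and the SMBv1 setting persist. Blocking inbound 445 breaks file sharing to the host, so apply it to workstations that do not serve files, and to file servers only for the duration of the emergency.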
4. Be careful when opening URLs and mail from unknown sources, and keep macros disabled when opening Office documents; drive-by download pages and phishing mail have been important channels for the spread of ransomware both at home and abroad.
A phishing e-mail document with the ransomware hidden inside, enticing the user to enable the macro that runs the virus
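The macro advice can be enforced rather than left to the user. This is an added PowerShell example, not from the article: it writes the per-user Office security value VBAWarnings (4 = disable all macros without notification) for Word, Excel and PowerPoint, and sets blockcontentexecutionfrominternet so that macros in files downloaded from the Internet are blocked even where the user would otherwise be prompted. It assumes Office 2016 or later (registry version key 16.0); the value names are Microsoft's own, the version and the list of applications are assumptions.

```powershell
# Added example (not from the original article): enforce "macros disabled" for the
# current user in Word, Excel and PowerPoint.
# Assumption: Office 2016 or later, which uses the 16.0 registry version key.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
$level = 4   # VBAWarnings: 4 = disable all without notification; 2 = disable with notification

foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Macro security level for documents opened in this application.
    Set-ItemProperty -Path $key -Name VBAWarnings -Value $level -Type DWord

    # Block macros outright in files that carry the "downloaded from the Internet"
    # mark, which covers e-mail attachments and browser downloads.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

    $now = Get-ItemProperty -Path $key
    Write-Output ("{0}: VBAWarnings = {1}, blockcontentexecutionfrominternet = {2}" -f
        $app, $now.VBAWarnings, $now.blockcontentexecutionfrominternet)
}
```

Level 4 removes the "Enable Content" prompt entirely, which is the setting to use on machines that never need macros; where some users legitimately do, keep level 2 and rely on the Internet block to cover the phishing-attachment case.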
5. Develop good backup habits and back up important personal documents to a network drive or an external hard disk regularly.
In this ransomware outbreak many domestic colleges and universities were attacked and a great deal of important data was encrypted by the virus; we hope that users will raise their awareness of backing up important documents.
In the face of the nationwide outbreak of the Onion and WNCRY ransomware variants, the Kingsoft Internet Center has urgently released a dedicated bitcoin ransomware removal tool and an emergency response program.
It is reported that the ransomware variants incorporate the "EternalBlue" 0day exploit from the NSA hacker toolkit, so they can actively propagate as a worm within a LAN; systems that are not patched in time are infected and a high ransom is demanded, equivalent to roughly RMB 2000 ~ 50000.
The infected computers confirmed so far are concentrated in enterprise, institutional, government and university internal network environments. Kingsoft Duba security experts point out that when the virus encrypts user documents it deletes the original files, so there is a chance of recovering some or all of the deleted originals. If a computer has been infected, it is recommended to minimize further operations on it and to use a professional data recovery tool promptly; the probability of recovery is then higher.
Kingsoft Internet Security 11 download (recommended; intercepts the ransomware): click here
Dedicated immunization tool: click here to download directly
Checking whether the current computer is immunized against the bitcoin ransomware attack
Successful immunization looks as follows
We know that data files which have already been encrypted are essentially impossible to decrypt without the key. But after studying how the virus encrypts, we found there is still a chance of finding the original file: when the virus encrypts an original file it deletes it, and a file that has merely been deleted can be recovered successfully as long as there have not been many write operations to the hard disk since.
Use Kingsoft Duba data recovery to retrieve the damaged documents
Please use the free account ksda679795862, password: kingsoft, to enable the Kingsoft Duba data recovery function.
1. Select "Deleted File Recovery".
2. Select the scan target: in the interface, select the disk or folder where the files were lost, and click "Start Scan".
3. Scanning: the more files there are, the longer the scan takes, so please be patient. (Typical scanning speed: about 3 GB in 2 minutes.)
4. Preview the scan results: click a file to preview it; if it can be previewed, there is a good chance it can be recovered successfully. Check the files (or folders) to be recovered and click "Start Recovery".
5. Select the recovery path: the recovered files are saved to the folder you select, so choose the folder to recover into. (It is strongly recommended to save the recovered files to a different hard disk rather than the disk the files were lost from, to avoid secondary damage.)
6. Check the recovery results: the recovered folder is saved under the path you chose; open that directory to check the recovered files.
The following situations need attention:
1. If scanned photos or Office documents cannot be previewed, they cannot be recovered. (An Office document that cannot be previewed has already been partially damaged.)
2. File types that do not support preview can only be recovered first and then checked to see whether they can be used normally.
3. When using the deleted-file recovery function, after scanning each file shows a recovery probability; the higher the probability, the higher the recovery success rate.
4. Video files are prone to fragmentation and data overwriting, so the chance of fully recovering a video file is very small.
5. If the hard disk or other storage medium is physically damaged, the recovered files may be corrupted.