The virus hit MegaFon. The biggest attack in history. The Ministry of Internal Affairs, MegaFon and thousands of other companies have been hacked.

MegaFon's director of public relations, Pyotr Lidov, told Kommersant that the company's head office in the capital had been hacked. “The computers were out of order: they showed a lock screen asking for $300 to unlock them,” he said. Information then came in that the same thing had happened to subscribers of the operators Telefonica and Vodafone in Spain.

According to Pyotr Lidov, at some stage the specialists had to switch off the networks to stop the virus from spreading further. “A number of regions were affected; the rest had to be switched off temporarily as a precaution. This affected retail and customer support, because operators, of course, use PCs to access databases. The call centers have been restored. Communications and personal accounts were not affected,” said Mr. Lidov.

As Boris Ryutin, a researcher at Digital Security, told Kommersant, experts from MalwareHunterTeam and other independent researchers agree that this is ransomware-type malware, that is, an encrypting virus. “The danger of infection is that, depending on the implementation, the user's files may be irretrievably lost,” he said.

“We see the attack, and the virus is very complex,” Solar Security told Kommersant. “At the moment we are developing recommendations for countermeasures.” “The virus is very complex, and so far it cannot be ruled out that it is something more dangerous than simple ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the company added.

Microsoft representative Kristina Davydova told Kommersant that its specialists have added detection and protection against the new malware, known as Ransom:Win32.WannaCrypt. “In March, we also introduced additional protection against malware of this nature, along with a security update that prevents malware from spreading over the network,” she said.

The alarming red-and-white screen appeared on thousands of computers all over the planet within hours. An Internet virus called WannaCry (“I want to cry”) encrypted millions of documents, photos and archives. To regain access to their own files, users are invited to pay a ransom within three days: first $300, then the amount increases. Moreover, the payment is demanded in virtual currency, bitcoin, so that it cannot be traced.

About a hundred countries were attacked. The ransomware virus started in Europe. In Spain, the victims included Telefonica, Iberica Bank, the gas company Gas Natural and the delivery service FedEx. WannaCry was later detected in Singapore, Taiwan and China, after which it made its way to Australia and Latin America, and to the Andhra Pradesh state police in India.

In Russia, the virus tried to extort MegaFon, VimpelCom, Sberbank and Russian Railways, and among government agencies the Ministry of Health, the Ministry of Emergency Situations and the Ministry of Internal Affairs. All of them, however, say the attacks were promptly tracked and repelled, and that there were no data leaks.

“The virus has been localized; technical work is underway to destroy it and update the anti-virus protection tools. It is worth noting that a leak of official information from the information resources of the Russian Ministry of Internal Affairs is completely ruled out,” said Irina Volk, official spokeswoman for the Russian Ministry of Internal Affairs.

“The goals are very difficult to understand. I think they are not political goals; these are obvious scammers who simply tried to make money on this. They say so themselves: they demand money, it is a ransomware virus. We can assume that the goal is financial,” said Natalya Kasperskaya, president of the InfoWatch holding.

But who are these scammers? Theories about the origin of the virus vary with the freshness, or the feverishness, of the mind putting them forward. Predictably, some immediately went looking for Russian hackers: Russia was hit harder than anyone, so it must have been the Russians. The saying “I'll freeze my ears off to spite my mother” is, of course, from our own folklore.

The virus was first detected in February. Even the BBC says that its roots lie in the American National Security Agency, where tools for testing the security of Windows were developed, but the code ended up in the hands of the scammers. Russian experts also speak of an American origin, only they say the roots are not in the NSA but in the US CIA.

“There are some details that show that the virus is most likely not Russian. Firstly, we know that its original comes from the CIA, from CIA combat tools, and secondly, even those who updated it and put it to work are most likely not Russians, because among the formats it works with there is none for one of the most popular formats in our country, 1C files. If these were real Russian hackers who wanted to infect as many as possible, they would, of course, have used 1C,” says Igor Ashmanov, CEO of Ashmanov and Partners, a developer of artificial intelligence and information security systems.

So perhaps the roots of the virus are American, but Russian scammers did the hacking after all?

“You need to understand that this virus was released, its code was leaked by WikiLeaks two months ago. It was sterilized there, but the hackers who took it revived it, sprinkled it with living water and posted it somewhere, for example on a download site, or sent it by mail. Perhaps it was simply an attempt to check whether these deadly combat viruses work,” said Igor Ashmanov.

Meanwhile, the notorious Edward Snowden has stated that the American intelligence services, more precisely the NSA, were themselves involved in this cyberattack. According to another version from the same BBC, the attack could have been organized by ideological opponents of President Trump. If so, these are “beautiful people”: in the struggle for the triumph of philanthropy, social infrastructure was hit too. In Brazil, the social security system.

And in Britain the blow fell mainly on the NHS, the National Health Service. In many hospitals operations were halted, leaving only emergency care. Even Prime Minister Theresa May made a special address.

It looks as though the virus was indeed aimed at corporate users. Be that as it may, a suspicious email should not be opened, and it is better to back up important documents, photos and videos to external media. And the experts' advice: install updates.

“The fact that the virus spread like wildfire shows that users apparently do not update very much. At the same time, many organizations were infected, and in organizations, as you know, updates are very often centralized. This means that the administrators of these organizations did not keep an eye on updating and closing vulnerabilities, or the process was somehow built that way. We can only state that this hole was not closed, although a patch for it was already available,” said Natalya Kasperskaya.

In addition to telecommunications companies, according to RBC sources, as well as Gazeta.Ru and Mediazona, Russian law enforcement agencies — the Ministry of Internal Affairs and the Investigative Committee — became victims of hacker attacks.

An RBC source in the Ministry of Internal Affairs spoke about the attack on the department's internal networks. According to him, mainly the ministry's regional departments were attacked. He specified that the virus affected computers in at least three regions of the European part of Russia. The source added that the attack should not affect the work of the Ministry of Internal Affairs. Another RBC source in the ministry said that the hackers could have gained access to the ministry's databases, but it is not known whether they managed to download information from them. The attack affected only those computers on which the operating system had not been updated for a long time, a source in the department said. The ministry's work has not been paralyzed by the hackers, but it has become very difficult.

In Germany, hackers hit the services of Deutsche Bahn, the country's main railway operator. This was reported by the ZDF TV channel, citing the country's Ministry of Internal Affairs.

The US Department of Homeland Security is providing technical support and assistance to its partners in the fight against the WannaCry ransomware.

What is the virus?

According to a Kaspersky Lab post, the virus in question is the WannaCry ransomware. “According to the analysis, the attack took place through the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, using which the attackers launched the encryption program,” the company said.

“All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the ransomware used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (to detect this malware, the System Watcher component must be enabled),” the company noted.

To reduce the risk of infection, Kaspersky Lab experts advise users to install the official Microsoft patch that closes the vulnerability used in the attack and, to prevent such incidents, to use threat intelligence reporting services so as to receive timely data on the most dangerous attacks and possible infections.

Microsoft also commented on the attack. “Today our experts have added detection and protection against a new malware known as Ransom:Win32.WannaCrypt. In March, we also introduced additional protection against malware of this nature, along with a security update that prevents malware from spreading over the network. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance,” Microsoft's representative in Russia said in a statement received by RBC.

A Solar Security representative told RBC that the company sees the attack and is currently investigating a sample of the virus. “We are not ready to share details yet, but the malware was clearly written by professionals. For now, it cannot be ruled out that it is something more dangerous than an encryptor. It is already obvious that the speed of its spread is unprecedentedly high,” the source said. According to him, the damage from the virus is “enormous”: it has affected large organizations in 40 countries, but an exact assessment is not yet possible, since the capabilities of the malware have not been fully studied and the attack is still unfolding.

Group-IB CEO Ilya Sachkov told RBC that encryptors like the one used in the current attack are a growing trend. In 2016, the number of such attacks increased more than a hundredfold compared with the previous year, he said.

Sachkov noted that, as a rule, infection in such cases occurs through email. Speaking about WannaCry, the expert noted that this encryptor has two features. “Firstly, it uses the ETERNALBLUE exploit, which was published by the Shadow Brokers hacker group. The patch that closes this vulnerability for Windows Vista and later became available on March 9 as part of bulletin MS17-010. At the same time, there will be no patches for older operating systems such as Windows XP and Windows Server 2003, as they are out of support,” he said.

“Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malware will spread there too, hence the avalanche-like nature of the infections,” Sachkov added.

Protection against such attacks, according to Sachkov, can be provided by “sandbox”-class solutions installed on the organization's network that check all files sent to employees' mail or downloaded from the Internet. In addition, the expert recalled, it is important to talk to employees about the basics of “digital hygiene”: do not install programs from unverified sources, do not plug unknown flash drives into the computer, do not follow dubious links, update software on time and do not use operating systems that are no longer supported by the manufacturer.

Who is to blame

Who is behind the large-scale cyberattack is not yet clear. Former NSA employee Edward Snowden has stated that the global hacker attack of May 12 could have used a virus developed by the NSA. WikiLeaks had previously pointed to this possibility.

In turn, the Romanian authorities have stated that an organization “associated with the APT28/Fancy Bear cybercrime group”, which is traditionally referred to as “Russian hackers”, may be behind the attempted attack.

The Telegraph speculates that the Russia-linked Shadow Brokers may be behind the attack. It bases this on the hackers' claims in April that they had stolen a “cyber weapon” from the US intelligence community that gives them access to all Windows computers.

  • May 12, 2017

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed the infection of departmental computers. According to him, we are talking about departments in several regions.

Earlier, information about a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, it is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands that you buy a special decryptor for bitcoins; otherwise, the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but "was updated and now looks different than previous versions."

The press service of Kaspersky Lab could not promptly comment on the incident, but promised to issue a statement in the near future.

Avast's Jakub Kroustek reported on Twitter that at least 36,000 computers in Russia, Ukraine and Taiwan are infected.

Varlamov's website notes that information has also appeared about the infection of computers in public hospitals in several regions of the UK and about an attack on the Spanish telecommunications company Telefonica. In both cases the virus also demands payment.

Microsoft noted that in March an update had already introduced additional protection against such viruses.

“Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance,” the company added.

Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus uses a network vulnerability in Windows that Microsoft specialists closed back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs has confirmed hacker attacks on its computers, RIA Novosti reports.

According to the press secretary of the Ministry of Internal Affairs, Irina Volk, the ministry's Department of Information Technologies, Communications and Information Protection recorded a virus attack on the ministry's computers running the Windows operating system.

“Thanks to the timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the Ministry of Internal Affairs’ server resources were not infected, since they work on other operating systems.

“At the moment, the virus is localized, technical work is being carried out to destroy it and update anti-virus protection tools,” the spokeswoman for the ministry said.

More than six thousand dollars have been transferred to the bitcoin wallets of the hackers who spread the WannaCry virus

At least 3.5 bitcoins have been transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. At the rate of 1,740 dollars per bitcoin at 22:00 Moscow time, this amounts to 6,090 dollars.

Meduza came to this conclusion based on the transaction history of the bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

Twenty transactions were made to the three wallets on May 12. Mostly 0.16-0.17 bitcoins were transferred, which equals approximately $300. The hackers demanded this amount in a pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported on its website that the WanaCrypt0r 2.0 virus infected 75,000 computers in 99 countries.

Most of the infected computers are in Russia, Ukraine and Taiwan.

Thirteen hours ago, computer security specialist Brian Krebs posted a blog entry about transfers of bitcoins to the hackers totalling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days, more than 200,000 computers in 150 countries have already been hit by the WannaCry virus, Rob Wainwright, Director of the European Police Office Europol, said in an interview with the British television channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. According to the latest estimates, we are talking about 200,000 victims in at least 150 countries, and among these victims are enterprises, including large corporations,” Wainwright said.

He suggested that the number of infected computers is likely to increase significantly when people return to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred "surprisingly little" money to the distributors of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, Xinhua News Agency reports, citing data from the Qihoo 360 threat assessment center.

According to researchers, computers were attacked in more than 4340 universities and other educational institutions. Infections were also noted on the computers of railway stations, postal organizations, hospitals, shopping centers and government agencies.

“There was no significant damage for us, for our institutions, neither for the banking system, nor for the healthcare system, nor for others,” said Russian President Vladimir Putin.

“As for the source of these threats, in my opinion, Microsoft management directly stated this, they said that the United States intelligence services are the primary source of this virus, Russia has absolutely nothing to do with it. It’s strange for me to hear something different under these conditions,” the president added.

Putin also called for discussing the issue of cybersecurity "at a serious political level" with other countries. He stressed that it is necessary "to develop a system of protection against such manifestations."

WannaCry clones have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes, citing Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware virus but by other hackers trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14th. Kaspersky Lab found three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that stopped the first wave of infections, the company noted.

Bloomberg also writes about the virus clones. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

Kaspersky Lab estimates that six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to a specialized Kaspersky Lab website.

The company's specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to a similarity between two samples: they share common code. The tweet presents a WannaCry encryptor sample dated February 2017 and a Lazarus group sample dated February 2015.

“The detective story gets more and more twisted, and now the same code has been found in #WannaCry and in Lazarus Trojans,” —

Suddenly, a window appears on the screen of a computer running Windows saying that the user's files are encrypted and can only be decrypted by paying the hackers a ransom of $300. This must be done within three days, otherwise the price doubles, and after a week the data will be permanently deleted. Or rather, the data will physically remain on the disk, but it will be impossible to decrypt. To demonstrate that the data can indeed be decrypted, a “free demo version” is offered.

Example of a computer hack message

What is encryption

Any data on your computer can be encrypted. Since it is all files, that is, sequences of zeros and ones, the same zeros and ones can be written in a different sequence. Say we agree that instead of every sequence “11001100” we will write “00001111”; then, when we later see “00001111” in the encrypted file, we will know that it is really “11001100”, and we can easily decrypt the data. The information about what is changed into what is called the cipher key, and, alas, in this case only the hackers have the key. It is individual for each victim and is sent only after payment for the “services”.

Can the hackers be caught?

In this case, the ransom must be paid in bitcoins, an electronic cryptocurrency. The essence of using bitcoins, in short, is that payment data passes through a chain of servers in such a way that no intermediate server knows who the original sender and the recipient of the payment are. Therefore, firstly, the final “beneficiary” is always completely anonymous, and secondly, the transfer cannot be disputed or cancelled, so a hacker who receives a ransom risks nothing. The ability to receive large sums quickly and with impunity is a strong motivation for hackers to look for new ways to break in.

How to protect yourself from hacking

In general, ransomware programs have been around for a decade already; as a rule, they used to be “Trojan horses”. That is, the encryptor was installed by the user himself, through his own carelessness, for example under the guise of a “crack” for an expensive office suite or a set of new levels for a popular game downloaded from who knows where. Basic computer hygiene protects against such Trojans.

Now, however, we are talking about a virus attack (the Wanna Decrypt0r 2.0 virus) that exploits vulnerabilities in the Windows operating system and in the network file transfer protocol (SMB), through which all computers on the local network become infected. The antiviruses are silent; their developers do not yet know what to do and are only studying the situation. So the only protection is regularly making backup copies of important files and storing them on external hard drives disconnected from the network. You can also use less vulnerable operating systems, Linux or Mac OS.
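Sachkov's description earlier in the article (the ETERNALBLUE exploit against SMB, closed by bulletin MS17-010) and the point just made here (the worm spreads through SMB across the local network) come down to two conditions on a Windows host that a defender can audit: whether the SMBv1 server protocol is enabled and whether the MS17-010 update is installed. The following PowerShell script is an added example, not code from the article or from any company quoted in it. It assumes it is run as Administrator on Windows 8.1/Server 2012 R2 or later, where the `Get-SmbServerConfiguration` and `Get-NetTCPConnection` cmdlets exist. The KB identifiers that deliver MS17-010 differ per Windows build and are not given in the article, so the `$Ms17010Kbs` parameter carries an obvious placeholder to be replaced with the KB numbers from the bulletin for the build being audited.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows host for the two conditions WannaCry needed
# (SMBv1 enabled, MS17-010 missing) and optionally disable SMBv1.
# Assumption: Windows 8.1 / Server 2012 R2 or later (SmbShare and NetTCPIP modules present).
param(
    # PLACEHOLDER: replace with the MS17-010 KB number(s) for this Windows build,
    # taken from the Microsoft Security Bulletin MS17-010 page.
    [string[]]$Ms17010Kbs = @('KBnnnnnnn'),
    [switch]$Remediate
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. SMBv1 server protocol: ETERNALBLUE targets the SMBv1 implementation, so an
#    enabled SMBv1 server on an unpatched host is the exposure the worm used.
$smb = Get-SmbServerConfiguration
$smb1Enabled = [bool]$smb.EnableSMB1Protocol
Write-Host ("SMBv1 server protocol enabled : {0}" -f $smb1Enabled)

# 2. MS17-010: Get-HotFix lists installed updates by KB id; any match means the
#    fix for this build is present.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$patched = [bool]$installed
Write-Host ("MS17-010 update installed     : {0} {1}" -f $patched, ($installed.HotFixID -join ','))

# 3. Is the SMB port listening at all? If nothing listens on TCP/445 the host is
#    not reachable over SMB regardless of the protocol version.
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("Listening on TCP/445          : {0}" -f [bool]$listen445)

# Verdict: patch first, then remove SMBv1 as defence in depth.
if ($smb1Enabled -and -not $patched) {
    Write-Warning "EXPOSED: SMBv1 is enabled and MS17-010 is not installed. Install the update, then disable SMBv1."
} elseif ($smb1Enabled) {
    Write-Warning "Patched, but SMBv1 is still enabled; disable it unless a legacy device depends on it."
} elseif (-not $patched) {
    Write-Warning "SMBv1 is disabled, but MS17-010 is missing; install the update anyway."
} else {
    Write-Host "OK: MS17-010 installed and SMBv1 disabled; the SMB worm path is closed on this host."
}

if ($Remediate -and $smb1Enabled) {
    # Takes effect for new sessions immediately. Clients that speak only SMBv1
    # (Windows XP/2003 hosts, very old NAS devices and printers) will lose access.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol has been disabled."
}
```

Run it without switches first to get the read-only report for the host; add `-Remediate` only after confirming that nothing on the network still depends on SMBv1, since that change is what breaks the remaining XP and Server 2003 machines the article says will never receive the patch.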

“Today our specialists have added an update: detection and protection against a new malware known as Ransom:Win32.WannaCrypt. In March, we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance.”

Christina Davydova

press secretary Microsoft Russia

How to save files

If the files are already encrypted and there is no backup, then, alas, you have to pay. However, there is no guarantee that the hackers will not encrypt them again.

The hacks will not lead to any global cataclysm: without local accounting records or reports it is hard, of course, but the electric trains run and MegaFon's network works without failures, since no one entrusts critical data to ordinary Windows-based office PCs, and the servers either have multi-layered protection against intrusion (down to hardware at the router level) or are completely isolated from the Internet and from the local networks to which employees' computers are connected. Incidentally, precisely in case of cyberattacks, important data of state structures is stored on servers running special certified, cryptographically hardened Linux builds, and at the Ministry of Internal Affairs these servers also run on Russian Elbrus processors, for whose architecture the attackers certainly have no compiled virus code.

What will happen next

Paradoxically, the more people the virus affects, the better: it will be a good lesson in cybersecurity and a reminder of the need for constant data backups. After all, data can not only be destroyed by hackers (one of a thousand and one ways) but also lost when the medium it was stored on is physically lost, and then you have only yourself to blame. You would gladly pay 300 or even 600 dollars for the labours of a lifetime, but there will be no one to pay.