
New ransomware: updating Windows 7. About the Windows update against the WannaCry ransomware. Crypted000007 virus protection methods

05/15/2017, Mon, 13:33 MSK. Text: Paul Pritula

The other day Russia saw one of the largest and, judging by the press, "noisiest" cyberattacks: the networks of several government departments and major organizations, including the Ministry of Internal Affairs, were hit. The virus encrypted data on employees' computers and extorted a large sum of money so that they could continue their work. This is a vivid example of the fact that no one is insured against extortionists. Nevertheless, this threat can be fought, and we will show several methods that Microsoft offers.

What do we know about extortionists? They are criminals who demand money or goods from you under threat of adverse consequences. In business this happens from time to time, and everyone roughly knows how to act in such situations. But what if an extortionist virus has settled on your work computers, blocks access to your data and demands that money be transferred to certain persons in exchange for an unlock code? You need to contact information security specialists. And it is best to do so in advance, to prevent problems.

The number of cybercrimes has grown by an order of magnitude in recent years. According to a SentinelOne study, half of the companies in the largest European countries have been attacked by ransomware, and more than 80% of those became victims three or more times. A similar picture is observed worldwide. Clearswift, which specializes in information security, names a kind of "top" of the countries most affected by ransomware (extortion programs): the USA, Russia, Germany, Japan, the United Kingdom and Italy. Small and medium businesses are of special interest to attackers, because they have more money and more sensitive data than individuals, yet no powerful security services like large companies.

What to do and, most importantly, how to prevent an extortionist attack? To begin with, let us assess the threat itself. The attack can be carried out along several paths. One of the most common is email. Criminals actively use social engineering methods, whose effectiveness has not fallen at all since the days of the famous twentieth-century hacker Kevin Mitnick. They can call an employee of the victim company on behalf of a real counterparty and, after the conversation, send a letter with an attachment containing a malicious file. The employee will of course open it, because he has just spoken with the sender by phone. Or an accountant can receive a letter supposedly from a bailiff or from the bank that serves his company. Nobody is insured, and even the Ministry of Internal Affairs is not suffering for the first time: a few months ago hackers sent a fake Rostelecom invoice carrying a ransomware virus to the accounting department of the Kazan linear directorate of the Ministry of Internal Affairs.

The source of infection can be a phishing site, which the user reached via a fraudulent link, or a flash drive "accidentally forgotten" by one of the office visitors. More and more often, infection occurs through employees' unprotected mobile devices, with which they access corporate resources. And the antivirus may not help: hundreds of malicious programs are known that bypass antiviruses, not to mention "zero-day attacks" that exploit freshly discovered "holes" in software.

What is a "cyber-extortionist"?

A program known as an "extortionist", "encrypter" or ransomware blocks the user's access to the operating system and usually encrypts all data on the hard disk. A message appears on the screen saying that the computer is blocked and the owner must transfer a large sum of money to the attacker if he wants to regain control of the data. Most often a countdown of 2-3 days is shown on the screen so that the user hurries, otherwise the contents of the disk will be destroyed. Depending on the criminals' appetites and the size of the company, the ransom amount in Russia ranges from several tens to several hundred thousand rubles.

Types of extortionists

Source: Microsoft, 2017

This malware has been known for many years, but in the last two or three years it has experienced a real boom. Why? First, because people pay the attackers. According to Kaspersky Lab, 15% of Russian companies attacked in this way prefer to pay the ransom, and 2/3 of the companies in the world that have been attacked lost their corporate data in whole or in part.

Second, the cybercriminals' toolkit has become more sophisticated and affordable. And third, independent attempts to "guess the password" do the victim no good, and the police can rarely find the criminals, especially within the countdown period.

By the way, not all hackers bother to send the password to a victim who has transferred them the required amount.

What the problem is for business

The main information security problem for small and medium-sized businesses in Russia is that they have no money for powerful specialized security tools, while they have more than enough IT systems and employees with whom various incidents can happen. Correctly configured firewalls, antivirus and security policies alone are not enough to fight ransomware. You need to use all available tools, first of all those provided by the operating system vendor, because they are inexpensive (or included in the cost of the OS) and 100% compatible with its own software.

The overwhelming majority of client computers and a significant share of servers run Microsoft Windows. Everyone knows the built-in security tools, such as Windows Defender and Windows Firewall, which, together with the latest OS updates and restriction of user rights, provide a perfectly sufficient level of security for an ordinary employee in the absence of specialized tools.

But the peculiarity of the relationship between business and cybercriminals is that the former often do not know they are being attacked by the latter. They believe themselves protected, while in fact the malware has already penetrated the network perimeter and is quietly doing its work; after all, not all of it behaves as brazenly as extortionist Trojans.

Microsoft has changed its security approach: it has expanded its security product line and now focuses not only on protecting companies from modern attacks, but also on enabling them to investigate an infection if it has nevertheless happened.

Mail Protection

The mail system, as the main channel for penetrating the corporate network, must be protected additionally. For this, Microsoft has developed Exchange ATP (Advanced Threat Protection), a system that analyzes mail attachments and Internet links and responds in a timely manner to detected attacks. It is a separate product, integrated into Microsoft Exchange, and does not require deployment on each client machine.

Exchange ATP is able to detect even "zero-day attacks", because it runs every attachment in a special "sandbox", without releasing it into the operating system, and analyzes its behavior. If it shows no signs of an attack, the attachment is considered safe and the user can open it. A potentially malicious file is sent to quarantine and the administrator is notified.

Links in letters are checked as well. Exchange ATP replaces all links with intermediate ones. The user clicks a link in a letter, lands on the intermediate link, and at that moment the system checks the address for safety. The check happens so quickly that the user does not notice the delay. If the link leads to an infected site or file, the transition is blocked.

How Exchange ATP works

Source: Microsoft, 2017

Why does the check occur at the moment of clicking rather than on receipt of the letter, when there would be more time for analysis and therefore less computing power needed? This is done specifically to protect against the attackers' trick of swapping the content behind the link. A typical example: the letter arrives in the mailbox at night, the system checks it and detects nothing, and by morning a file with a Trojan has been placed at the linked site, which the user happily downloads.

The third part of the Exchange ATP service is a built-in reporting system. It allows incidents to be investigated and provides data to answer the questions of when, how and where the infection occurred. This makes it possible to find the source, determine the damage and understand what it was: a random hit or a targeted attack against this particular company.

This system is also useful for prevention. For example, the administrator can pull up statistics on clicks on links marked as dangerous and on which users did it. Even if there was no infection, this still needs to be discussed with those employees.

True, there are categories of employees whose duties force them to visit a wide variety of sites, for example marketers researching the market. For them, Microsoft's technology allows a policy to be configured so that any downloaded file is checked in the sandbox before being saved to the computer. Moreover, the rules are defined in literally a few clicks.

Protection of credentials

One of the attackers' goals is user credentials. There are quite a few techniques for stealing users' logins and passwords, and they must be countered with durable protection. Relying on the employees themselves is not enough: they come up with simple passwords, use one password for all resources and write them on a sticky note glued to the monitor. This can be fought with administrative measures and software password requirements, but a guaranteed effect will still not be achieved.

If a company cares about security, it will delimit access rights so that, for example, an engineer or a sales manager cannot log on to the accounting server. But hackers have another trick in reserve: from a captured account of an ordinary employee they can send a letter to the target specialist who holds the needed information (financial data or a trade secret). Having received a letter from a "colleague", the addressee will surely open it and launch the attachment. And the encryption program will get access to data valuable to the company, for whose return it can be made to pay a lot of money.

So that a captured account does not let attackers penetrate the corporate system, Microsoft proposes protecting it with Azure Multi-Factor Authentication. That is, one must enter not only a login/password pair, but also a PIN sent by SMS or a push notification generated by a mobile application, or answer a call from a phone robot. Multi-factor authentication is particularly useful when working with remote employees who may enter the corporate system from different points of the world.

Azure Multifactor Authentication.


Wannacry virus-encryption: What to do?

A wave of the WannaCry ransomware (other names: Wana Decrypt0r, Wana Decryptor, WanaCrypt0r) has rolled across the world; it encrypts documents on the computer and extorts 300-600 USD to decrypt them. How to find out whether the computer is infected? What needs to be done to avoid becoming a victim? And what to do to cure it?

Is the computer infected with the Wana Decryptor ransomware?


According to Jakub Kroustek of Avast, over 100 thousand computers are already infected. 57% of them are in Russia (isn't that strange selectivity?). Other reports register more than 45 thousand infections. Not only servers are exposed to infection, but also the computers of ordinary people running Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. All encrypted documents receive the WNCRY prefix in their name.

Protection against the virus appeared back in March, when Microsoft published a "patch", but judging by the spread of the epidemic, many users, including system administrators, ignored the computer security update. And so it happened: MegaFon, Russian Railways, the Ministry of Internal Affairs and other organizations are working on treating their infected computers.

Given the global scale of the epidemic, on May 12 Microsoft also published a security update for long-unsupported products: Windows XP and Windows Vista.

You can check whether the computer is infected with an antivirus utility, for example from Kaspersky or (also recommended on the Kaspersky support forum).

How not to become a victim of the Wana Decryptor encrypter?

The first thing to do is close the hole. To do this, download

A new wave of ransomware attacks has rolled across the world; among those affected are Russian media and Ukrainian companies. In Russia, Interfax suffered from the virus, but the attack affected only part of the agency, since its IT services managed to disable part of the critical infrastructure, the Russian company Group-IB said. They called the virus BadRabbit.

Deputy director Yuri Pogorelov reported the unprecedented virus attack on Interfax on his Facebook page. Two Interfax employees confirmed to Vedomosti that computers were disabled. According to one of them, the visually blocked screen is similar to the result of the well-known Petya virus. The virus that attacked Interfax warns that one should not try to decrypt the files independently and demands a ransom of 0.05 bitcoin ($285 at yesterday's rate), for which it invites the victim to a special site on the TOR network. The virus assigned each encrypted computer a personal identification code.

Besides Interfax, two more Russian media outlets suffered from the encrypter virus, one of which is the St. Petersburg publication Fontanka, Group-IB knows.

Fontanka editor-in-chief Alexander Gorshkov told Vedomosti that the Fontanka servers were attacked by unknown attackers. But Gorshkov assures that there is no talk of a ransomware attack on Fontanka: the editorial staff's computers are working; it was the server responsible for the operation of the site that was hacked.

Interfax divisions in the UK, Azerbaijan, Belarus and Ukraine, as well as the Interfax-Religion site, continue to work, Pogorelov told Vedomosti. It is not clear why the damage did not affect other units; perhaps this is due to the Interfax network topology, to where the servers are located geographically, and to the operating system installed on them, he says.

Ukrainian Interfax reported during the day on Tuesday a hacker attack on Odessa International Airport. The airport apologized to passengers on its page "for the forced increase in service time", but judging by its online board, on Tuesday it still continued to dispatch and receive airplanes.

The Kiev Metro also reported the cyberattack on its Facebook account: there were problems with payment by bank cards. The FRONT News publication reported that the metro was attacked by a ransomware virus.

Group-IB concludes that a new epidemic is under way. In recent months there have already been two waves of ransomware attacks in the world: the WannaCry virus appeared on May 12, and on June 27 the Petya virus (also NotPetya and ExPetr). They penetrated computers running Windows where updates had not been installed, encrypted the contents of hard drives and demanded $300 for decryption. As it turned out later, Petya had no intention of decrypting the victims' computers. The first attack affected hundreds of thousands of computers in more than 150 countries, the second 12,500 computers in 65 countries. Victims of the attacks included the Russian MegaFon, Evraz, Gazprom and Rosneft. The Invitro medical centers also suffered from the virus and did not take tests from patients for several days.

Petya managed to collect only $18,000 in almost a month and a half. But the damage caused is incomparable. One of its victims, the Danish logistics giant Moller-Maersk, estimated the revenue lost to the cyberattack at $200-300 million.

Among Moller-Maersk's divisions, the main blow fell on Maersk Line, which is engaged in sea container transportation (in 2016 Maersk Line earned a total of $20.7 billion, and 31,900 people work in the division).

Business quickly recovered from the attack, but companies and regulators remained on guard. Thus, in August the Federal Grid Company of UES (which manages the national electric grid) warned the directors of its branches, and a few days later Russian banks received a similar warning from FinCERT (a structure of the Central Bank).

Kaspersky Lab also noted the new ransomware attack; according to its observations, most of the attack's victims are located in Russia, but there are infections in Ukraine, Turkey and Germany too. All signs indicate that this is a targeted attack on corporate networks, Vyacheslav Zakorzhevsky, head of the Kaspersky Lab anti-virus research team, is confident: methods similar to the ExPetr tools are used, but no connection with that virus has been traced.

And according to the anti-virus company ESET, the encrypter is nonetheless a relative of Petya. The attack uses the malicious program Diskcoder.D, a new modification of the encoder.

Pogorelov reported that Symantec antivirus was installed on Interfax computers. Symantec representatives did not respond yesterday to Vedomosti's request.

WannaCry, Petya, Mischa and other ransomware viruses will not threaten you if you follow simple recommendations for preventing PC infection!

Last week the whole Internet was full of news about a new ransomware virus. It caused a much larger-scale epidemic in many countries of the world than the notorious WannaCry, whose wave hit in May of this year. The new virus has many names: Petya.A, ExPetr, NotPetya, GoldenEye, Trojan.Ransom.Petya, PetrWrap, DiskCoder.C, but most often it appears simply as Petya.

This week the attacks continue. Even a letter arrived at our office, slyly disguised as some kind of mythical software update! Fortunately, no one thought of opening the attached archive :) Therefore, I would like to devote today's article to the question of how to protect your computer from ransomware viruses and not become a victim of Petya or some other encrypter.

What do extortion viruses do?

The first ransomware viruses appeared around the early 2000s. Many who used the Internet in those years probably remember Trojan.Winlock. It blocked the boot of the computer and, to get the unlock code, demanded transferring a certain amount to a WebMoney wallet or a mobile phone account:

The first Windows blockers were quite harmless. Their window with the text about the need to transfer funds could at first simply be "killed" through the Task Manager. Then more complex versions of the Trojan appeared, which made changes at the registry level and even to the MBR. But it could be "cured", if you knew what to do.

Modern ransomware viruses have become very dangerous. They not only block the operation of the system, but also encrypt the contents of the hard disk (including the master boot record, the MBR). To unlock the system and decrypt the files, the attackers now charge, in bitcoin, the equivalent of 200 to 1000 US dollars! And even if you transfer the agreed funds to the specified wallet, this gives no guarantee that the hackers will send you an unlock key.

An important point is that today there are practically no working ways to get rid of the virus and get your files back. Therefore, in my opinion, it is better not to fall for all sorts of tricks in the first place and to protect your computer from potential attacks more or less reliably.

How not to become a victim of the virus

Ransomware viruses usually spread in two ways. The first exploits various technical vulnerabilities in Windows. For example, WannaCry used the EternalBlue exploit, which gave access to a computer via the SMB protocol. The new Petya encrypter can penetrate the system through open TCP ports 1024-1035, 135 and 445. The more common way of infection is phishing. Simply put, users infect their PCs themselves by opening malicious files sent by mail!

Technical protection against ransomware viruses

Although direct infections by viruses are not so frequent, they do happen. Therefore, it is better to close the already known potential security gaps. First, you need to update your antivirus or install one (for example, the free 360 Total Security copes well with recognizing ransomware viruses). Second, you must install the latest Windows updates.

Thus, to eliminate the potentially dangerous bug in the SMB protocol, Microsoft released out-of-band updates for all systems, starting with Windows XP. You can download them for your version of the OS.

To protect against Petya, it is recommended to close the listed ports on the computer. The easiest way to do this is the regular Windows Firewall. Open it in the Control Panel and select "Advanced settings" in the sidebar. The rule management window opens. Choose "Inbound Rules" and on the right click "New Rule". A wizard appears in which you need to create a rule of type "Port", then choose the option "Specific local ports" and enter the following: 1024-1035, 135, 445:

After adding the port list, on the next screen select the option "Block the connection" for all profiles and set a name (the description is optional) for the new rule. If you believe the recommendations on the Internet, this will not let the virus download the files it needs even if it gets onto your computer.
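The same inbound block rule created from PowerShell instead of the firewall GUI, as an added example that is not from the article (the rule name is my own; the port list is the article's). Note that blocking inbound TCP 445 also stops other hosts from reaching this machine's own file shares, so apply it only where the machine does not serve SMB.

```powershell
# Added example (not from the article): the article's inbound block rule,
# created with the NetSecurity cmdlets. Run from an elevated PowerShell session.
$RuleName = 'Block inbound 1024-1035, 135, 445 (article list)'   # my own name

# Port list exactly as the article gives it; ranges are accepted as strings.
$Ports = @('1024-1035', '135', '445')

# Create the rule only once, so re-running the script does not add duplicates.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort $Ports `
        -Action Block `
        -Profile Any `
        -Description 'Blocks inbound TCP 1024-1035, 135 and 445 (ransomware spread ports named in the article)' |
        Out-Null
}

# Verify: show the rule's port filter so the applied ports can be checked.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
```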

In addition, if you are from Ukraine and used the M.E.Doc accounting software, you could have installed updates that contained backdoors. These backdoors were used for the large-scale infection of computers with the Petya.A virus. Of those analyzed to date, at least three updates with security vulnerabilities are known:

  • 10.01.175-10.01.176 of April 14;
  • 10.01.180-10.01.181 of May 15;
  • 10.01.188-10.01.189 of June 22.

If you installed these updates, you are in the risk group!

Protection from phishing

As already mentioned, the human factor is nevertheless to blame for most infections. Hackers and spammers launched a large-scale phishing campaign worldwide. As part of it, emails were sent out on behalf of official organizations with various attachments passed off as invoices, updates or other "important" data. It was enough to open the disguised malicious file for it to install the virus on the computer, which encrypts all the data!

How to distinguish a phishing letter from a real one? It is very easy if you follow common sense and these recommendations:

  1. From whom is the letter? First of all, pay attention to the sender. Hackers can sign a letter with any name, even your grandmother's! However, there is an important point: you should know your "grandmother's" email, while the sender address of a phishing letter will, as a rule, be an indecipherable set of characters, something like "[email protected]". There is another nuance: in an official letter, the sender's name and address usually correspond to each other. For example, an email from a certain company "Pupkin and Co" may look like "[email protected]", but is unlikely to look like "[email protected]" :)
  2. What is the letter about? As a rule, phishing letters contain some call to action or a hint at it. At the same time, the body of the letter usually contains either nothing at all or some additional motivation to open the attached files. The words "URGENT!", "invoice for services" or "critical update" in letters from unknown senders are a vivid example of an attempt to hack you. Think logically! If you have not requested any invoices, updates or other documents from a particular company, then with 99% probability this is phishing...
  3. What is in the letter? The main element of phishing letters is the attachments. The most obvious type of attachment is an exe file with a fake "update" or "program". Such attachments are a rather crude fake, but they are encountered.

    More "elegant" ways to deceive the user are to disguise the script downloading the virus, under the document Excel or Word. Masking can be two types. At the first version, the script itself is issued for the office document and it is possible to recognize it by the "double" extension of the name, for example, " .xls.js."Or" Summary .doc.vbs."In the second case, the attachment may consist of two files: a real document and a file with a script that is called as a macro from Word or Excel's office document.

    In any case, it is not worth opening such documents, even if the "sender" begs you to! If one of your customers could theoretically have sent you a letter with such content, it is better to take the trouble to contact them directly and clarify whether they sent you any documents. A little extra vigilance in this case can save you from unnecessary trouble!
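The three checks above (sender, call to action, attachment name) expressed as a script, as an added example that is not from the original article: the message object, its addresses and attachment names are constructed for the demonstration, and the keyword and extension lists are my own.

```powershell
# Added example (not from the article): flag the phishing indicators the
# article lists. The message below is constructed; nothing is sent or fetched.
$Message = [pscustomobject]@{
    FromName    = 'Pupkin and Co Accounting'                 # constructed
    FromAddress = 'x7k2qpl91@mail-delivery-notice.example'   # constructed
    Subject     = 'URGENT! Invoice for services'             # constructed
    Body        = ''
    Attachments = @('Invoice_2017.xls.js', 'Summary.doc.vbs', 'Report.pdf')
}

function Test-PhishingIndicators {
    param([Parameter(Mandatory)] $Mail)
    $flags = @()

    # 1. From whom: the display name should correspond to the address domain.
    $local, $domain = $Mail.FromAddress -split '@', 2
    $nameWords = $Mail.FromName -split '[^A-Za-z0-9]+' | Where-Object { $_.Length -ge 4 }
    $matching  = $nameWords | Where-Object { $domain -like "*$_*" }
    if (-not $matching) {
        $flags += "Sender name '$($Mail.FromName)' does not correspond to domain '$domain'"
    }
    # A local part with 8+ characters and no vowels reads as machine-generated.
    if ($local -match '^[a-z0-9]{8,}$' -and $local -notmatch '[aeiou]') {
        $flags += "Sender local part '$local' looks like a random string"
    }

    # 2. What is the letter about: pressure words plus an (almost) empty body.
    $pressure = 'URGENT|invoice for services|critical update'
    if ($Mail.Subject -match $pressure -and $Mail.Body.Trim().Length -lt 40) {
        $flags += "Call to action in subject ('$($Mail.Subject)') with an empty body"
    }

    # 3. What is in the letter: double extensions and bare executables/scripts.
    $docExt  = 'xls|xlsx|doc|docx|pdf|jpg|png|txt'
    $execExt = 'exe|js|vbs|scr|bat|cmd|ps1|hta|jar'
    foreach ($name in $Mail.Attachments) {
        if ($name -match "\.($docExt)\.($execExt)$") {
            $flags += "Double extension hides a script: $name"
        } elseif ($name -match "\.($execExt)$") {
            $flags += "Executable or script attachment: $name"
        }
    }
    return $flags
}

# Prints one line per indicator found; an empty result means none of the
# article's three checks fired for this message.
Test-PhishingIndicators -Mail $Message
```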

I think that if you close all the technical gaps in your computer and do not give in to the spammers' provocations, then no viruses are a danger to you!

How to restore files after infection

And yet, you have managed to infect your computer with a ransomware virus... Do not turn off the PC after the encryption message appears!!!

The fact is that, due to a number of errors in the code of the viruses themselves, before the computer is rebooted there is a chance to pull the key needed to decrypt the files out of memory! For example, the WannaKiwi utility is suitable for obtaining the WannaCry decryption key. Alas, there are no such solutions for restoring files after a Petya attack, but you can try to extract them from shadow copies of the data (if you have enabled the option to create them on the hard disk partition) using the small ShadowExplorer program:

If you have already rebooted the computer or the above tips did not help, files can be restored only with data recovery programs. As a rule, ransomware viruses operate according to the following scheme: they create an encrypted copy of the file and delete the original without overwriting it. That is, only the file's entry is actually deleted, while the data itself is preserved and can be restored. There are two such programs on our site: one is more suitable for resuscitating media files and photos, and R.Saver copes well with documents and archives.

Naturally, the virus itself needs to be removed from the system. If Windows boots, the Malwarebytes Anti-Malware program is good for this. If the virus has blocked booting, then the Dr.Web LiveCD boot disk, with the proven Dr.Web CureIt utility for fighting various malware on board, will help. In the latter case, you will also have to restore the MBR. Since the Dr.Web LiveCD is based on Linux, I think you will find the instructions from Habr on this topic useful.

Conclusions

The problem of viruses on Windows has been relevant for many years. And every year we see viruses inventing ever more sophisticated forms of damage to users' computers. The latest ransomware epidemics demonstrate to us that attackers are gradually moving toward active extortion!

Unfortunately, even if you pay the money, you are unlikely to get any answer. Most likely, you will have to restore your data on your own. Therefore, it is better to show vigilance in time and prevent infection than to deal with eliminating its consequences later!

P.S. Free copying and quoting of this article is permitted provided an open, active link to the source is given and the authorship of Ruslan TRADER is preserved.

Continuing its depressing procession across the network, infecting computers and encrypting important data. How to protect yourself from the encrypter and protect Windows from the extortionist: are there patches, and have utilities been released to decrypt and cure files?

The new 2017 ransomware Wanna Cry continues to infect corporate and private PCs. The damage from the virus attack has reached 1 billion dollars. In 2 weeks the ransomware infected at least 300 thousand computers, despite the warnings and security measures.

What the 2017 ransomware is: as a rule, you can "pick it up" on seemingly the most harmless sites, such as banking servers with user access. Once on the victim's hard drive, the encrypter "settles" in the System32 system folder. From there the program immediately disables the antivirus and gets into "autorun": after each reboot the encryption program starts from the registry and begins its dirty business. The encrypter starts downloading similar copies of programs such as Ransom and Trojan. Self-replication of the encrypter is also common. This process may be short or may take weeks, until the victim notices that something is wrong.

The encrypter is often disguised as ordinary pictures or text files, but the essence is always the same: these are executable files with the extensions .exe, .drv, .xvd; sometimes libraries, .dll. Most often the file looks quite harmless, for example "document.DOC" or "picture.jpg", where the extension is written by hand and the true file type is hidden.
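A concrete form of the check this paragraph implies, as an added example that is not from the article: read a file's first bytes and compare the real type with the type its extension claims, so a "document.DOC" that really carries an executable header stands out. The sample files are constructed in the temp folder for the demonstration; the signature table is mine and covers only the types the article names.

```powershell
# Added example (not from the article): detect an executable hiding behind a
# document or picture extension by comparing the file's magic bytes with the
# extension. Sample files below are constructed; nothing is executed.

# Leading bytes (hex) of the file types the article mentions.
$Signatures = [ordered]@{
    '4D5A'     = 'pe'    # "MZ": Windows executables (.exe, .dll, .drv, .scr)
    'D0CF11E0' = 'ole2'  # legacy Office binary (.doc, .xls)
    '504B0304' = 'zip'   # ZIP container, also Office Open XML (.docx, .xlsx)
    'FFD8FF'   = 'jpeg'  # JPEG image
    '25504446' = 'pdf'   # "%PDF"
}

# Which content class each claimed extension should carry.
$ExpectedClass = @{
    '.exe' = 'pe';   '.dll' = 'pe';   '.drv' = 'pe';   '.scr' = 'pe'
    '.doc' = 'ole2'; '.xls' = 'ole2'
    '.docx' = 'zip'; '.xlsx' = 'zip'
    '.jpg' = 'jpeg'; '.jpeg' = 'jpeg'
    '.pdf' = 'pdf'
}

function Get-FileMagic {
    # Returns the first $Count bytes of a file as an upper-case hex string.
    param([Parameter(Mandatory)][string]$Path, [int]$Count = 8)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return '' }
    $n = [Math]::Min($Count, $bytes.Length)
    return (($bytes[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-ExtensionMatchesContent {
    # Compares claimed extension with the class derived from the magic bytes.
    param([Parameter(Mandatory)][string]$Path)
    $ext    = [System.IO.Path]::GetExtension($Path).ToLower()
    $magic  = Get-FileMagic -Path $Path
    $actual = 'unknown'
    foreach ($sig in $Signatures.Keys) {
        if ($magic.StartsWith($sig)) { $actual = $Signatures[$sig]; break }
    }
    $expected = $ExpectedClass[$ext]
    [pscustomobject]@{
        File    = [System.IO.Path]::GetFileName($Path)
        Claimed = $ext
        Actual  = $actual
        Verdict = $(if ($actual -eq 'pe' -and $expected -ne 'pe') { 'DISGUISED EXECUTABLE' }
                    elseif ($expected -and $actual -ne $expected) { 'type mismatch' }
                    else { 'ok' })
    }
}

# Constructed samples: an executable header under a document name, a genuine
# legacy Word header, and a JPEG start under an honest name.
$Dir = Join-Path $env:TEMP 'magic-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'document.DOC'),
    [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00))
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'report.doc'),
    [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1))
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'picture.jpg'),
    [byte[]](0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46))

Get-ChildItem -Path $Dir -File |
    ForEach-Object { Test-ExtensionMatchesContent -Path $_.FullName } |
    Format-Table -AutoSize
```

The same function can be pointed at a mail attachment folder or a download directory; only 'document.DOC' in the sample set is reported as a disguised executable.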

After encryption completes, instead of the familiar files the user sees a set of "random" characters in the name and inside, and the extension changes to something unknown: .no_more_ransom, .xdata and others.

The 2017 ransomware Wanna Cry: how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all the encrypter and extortionist viruses, since lately it has infected computers most often. So, this will be about protection from ransomware encrypters, of which there is a great many: breaking.dad, no_more_ransom, xData, Xtbl, Wanna Cry.

How to protect Windows from the encrypter. EternalBlue via the SMB protocol port.

Windows protection from encrypters in 2017, the basic rules:

  • Windows Update and timely transition to a licensed OS (note: the XP version is not updated)
  • updating antivirus databases and firewalls on demand
  • extreme care when downloading any files (cute "cats" can turn into the loss of all data)
  • backing up important information to removable media.

Ransomware 2017: how to cure and decrypt files.

If you are counting on antivirus software, you can forget about a decryptor for now. The laboratories of Kaspersky, Dr.Web, Avast! and other antivirus vendors have no solution yet for treating infected files. At the moment the virus can be removed with antivirus, but there is still no algorithm that returns everything "to how it was".

Some try to use the RectorDecryptor utility, but it will not help: the decryption algorithm for the new viruses has not yet been compiled. It is also completely unknown how the virus behaves if it is not removed after such programs are applied. Often this can turn into the erasure of all files, as a lesson from the virus authors to those who do not want to pay the attackers.

At the moment the most effective way to return lost data is to contact the technical support of the vendor of the antivirus program you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach an encrypted file and, if available, a copy of the original. This will help the programmers compile the algorithm. Unfortunately, for many the virus attack comes as a complete surprise and there are no copies, which at times complicates the situation.

Radical methods of treating Windows from the encrypter. Unfortunately, sometimes you have to resort to full formatting of the hard drive, which entails a complete reinstallation of the OS. Many try System Restore, but this is not a solution: even if the "rollback" gets rid of the virus, the files will still remain encrypted.
