
The virus hit MegaFon. What is known about the hacker attack on Russia, and what kind of virus it is

Malicious software (malware) is the general name for software whose purpose is to harm the end user.

Attackers keep inventing new, cunning ways to spread malware, most of which targets the Android operating system. The virus can be "caught" not only on some dubious site but also by receiving a message with a link from someone you know (a friend, relative or colleague).

One variant of malware for Android smartphones and tablets, as soon as it lands on your device, first sends a link with a friendly message such as "Check out the link!" or "My photo for you" to your entire contact list. Everyone who follows the link gets the virus on their own smartphone.

But most often the criminals pass Trojans off as useful applications.

What harm can the virus do?

The installed Trojan can not only send SMS to your friends but also empty your account. Banking Trojans are among the most dangerous. Any gadget owner who uses banking applications can be affected. Android smartphones are at the greatest risk: 98% of mobile banking Trojans are written for that operating system.

When you launch your banking application, the Trojan displays its own interface on top of the mobile bank's interface and so steals all the data the user enters. The most advanced malware can fake the interfaces of dozens of different mobile banks, payment systems and even messaging apps.

Another important step in stealing money is intercepting the SMS messages that carry one-time passwords for payments and transfers. That is why Trojans usually need access to SMS, and why you should be especially careful with applications that request such permissions.

Signs that your phone is infected

There are several signs that your phone is infected with malware:

  • Hidden sending of SMS to your contact list: friends, acquaintances and colleagues who have received dubious messages start contacting you;
  • Rapid spending of money: funds are debited from your personal account faster than usual;
  • Unauthorized debits from your bank card;
  • No SMS from the bank: with the SMS notification service enabled, you have stopped receiving SMS notifications about debits from your account;
  • The battery drains faster.
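The first sign above (and the contact-list worm described earlier) has a simple detectable shape: one app sending a link to many distinct contacts in a short time. The following detection rule is an added example, not code from the original article; it runs over a constructed outgoing-SMS log in a hypothetical "timestamp | app | recipient | text" format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outgoing-SMS log (hypothetical format: timestamp | sending app | recipient | text).
# It models the worm behaviour described above: one app blasting a link to the whole contact list,
# mixed with ordinary messages from the regular SMS app.
SMS_LOG = """\
2017-05-12 10:00:01 | com.android.mms | +79990000001 | Are we still on for lunch?
2017-05-12 10:04:10 | com.example.photoviewer | +79990000002 | Check out the link! http://example.invalid/p
2017-05-12 10:04:11 | com.example.photoviewer | +79990000003 | My photo for you http://example.invalid/p
2017-05-12 10:04:12 | com.example.photoviewer | +79990000004 | Check out the link! http://example.invalid/p
2017-05-12 10:04:13 | com.example.photoviewer | +79990000005 | My photo for you http://example.invalid/p
2017-05-12 10:04:14 | com.example.photoviewer | +79990000006 | Check out the link! http://example.invalid/p
2017-05-12 11:30:00 | com.android.mms | +79990000002 | Sure, see you at 1pm
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_sms_log(text):
    """Parse the constructed log into (timestamp, app, recipient, body) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, to, body = (part.strip() for part in line.split("|", 3))
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), app, to, body))
    return records


def find_sms_bursts(records, min_recipients=5, window=timedelta(minutes=5)):
    """Flag any app that sends link-bearing SMS to at least `min_recipients`
    distinct numbers inside `window`. Returns {app: sorted recipients}.
    Messages without links, and one-off messages, are ignored so that the
    legitimate SMS app does not trip the rule."""
    per_app = defaultdict(list)
    for ts, app, to, body in records:
        if URL_RE.search(body):
            per_app[app].append((ts, to))
    alerts = {}
    for app, sends in per_app.items():
        sends.sort()
        start = 0
        # Sliding window over this app's link-bearing sends, oldest to newest.
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            recipients = {to for _, to in sends[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts[app] = sorted(recipients)
                break
    return alerts


if __name__ == "__main__":
    for app, recipients in find_sms_bursts(parse_sms_log(SMS_LOG)).items():
        print(f"ALERT: {app} sent a link to {len(recipients)} contacts within 5 minutes")
```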

How to protect yourself?

  • Regularly follow the release of security updates for your mobile device's operating system and install them promptly;
  • Install anti-virus software on your smartphone or tablet, update it after installation and scan your device;
  • Use anti-virus software with real-time (online) protection enabled, and update it regularly;
  • Download and run applications only from official stores (Play Store, App Store, Google Play and so on);
  • Be careful when granting permissions to applications: programs that ask for permission to handle SMS messages deserve particular suspicion;
  • Think before following a link. Stay vigilant: do not open links from emails, SMS or social network messages unless you are sure the message came from someone you know and is safe;
  • If you receive a suspicious SMS with a link from a friend, call them to check whether they sent it. If not, warn them that their smartphone or tablet is infected;
  • Be careful on public Wi-Fi networks; when connecting, make sure the network is legitimate;
  • Use complex passwords;
  • In the "Settings" menu, in the Wireless & Networks section, open "Data Usage": there you can see how much data each application uses and set a data limit;
  • Enable SMS notifications for debits from your account: not all Trojans intercept SMS.

What if your money has been stolen?

The first thing to do is contact the bank as quickly as possible.

Besides telecommunications companies, according to RBC sources, as well as Gazeta.Ru and Mediazona, the victims of the hacker attack included Russia's security ministries: the Ministry of Internal Affairs and the Investigative Committee.

An RBC source in the Ministry of Internal Affairs spoke about the attack on the ministry's internal networks. According to him, the attack mainly hit regional administrative departments. He clarified that the virus struck computers in at least three regions of the European part of Russia. The source added that the attack should not affect the ministry's work. Another RBC source in the ministry said the hackers could have gained access to the ministry's databases, but it is not known whether they managed to download anything from them. The attack on the ministry affected only computers whose operating system had not been updated for a long time, the source said. The ministry's work has not been paralyzed by the hackers, but it is very difficult.

In Germany, hackers hit the services of Deutsche Bahn, the country's main railway operator. This was reported by the TV channel ZDF, citing the country's Ministry of the Interior.

US national security partners: technical support and assistance in combating the WannaCry program.

What kind of virus is it?

According to Kaspersky Lab's report, the virus is the WannaCry encryption program. "As the analysis showed, the attack took place through the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, and using it the attackers launched the encryption program," the company said.

"All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the encryption programs used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (to detect this malware component, System Watcher must be enabled)," the company noted.

To reduce the risk of infection, Kaspersky Lab specialists advise users to install the official Microsoft patch that closes the vulnerability used in the attack, and, to prevent such incidents, to use threat intelligence services to obtain data on the most dangerous attacks and possible infections.

Microsoft also commented on the hacker attack. "Today our specialists added detection and protection against new malware known as Ransom:Win32/WannaCrypt. In March we also provided additional protection against malware of a similar nature, along with a security update that prevents the malware from spreading over the network. Users of our free antivirus and of an updated version of Windows are protected. We are working with users to provide additional assistance," a Microsoft Russia representative told RBC.

A Solar Security representative told RBC that the company sees the attack and is currently examining a sample of the virus. "We are not ready to share details yet, but the malware was clearly written by professionals. So far it is impossible to rule out that it is something more dangerous than an encryptor. It is already obvious that its rate of spread is unprecedentedly high," the source said. According to him, the damage from the virus is "huge": it has hit large organizations in 40 countries around the world, but an accurate assessment cannot be given yet, since the malware's capabilities have not been fully studied and the attack is still developing.

Ilya Sachkov, CEO of Group-IB, told RBC that encryption programs like the one used in the current attack are a growing trend. In 2016 the number of such attacks grew more than a hundredfold compared with the previous year, he clarified.

Sachkov noted that, as a rule, devices in such cases are infected via email. Speaking of WannaCry, the expert noted that this encryptor has two features. "First, it uses the EternalBlue exploit, which was published openly by the Shadow Brokers hackers. The patch covering this vulnerability for Windows Vista and later became available on March 9 in bulletin MS17-010. At the same time, there will apparently be no patch for old operating systems such as Windows XP and Windows Server 2003, since they are out of support," he said.

"Secondly, besides encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer ends up in some other network, the malware spreads there too, hence the avalanche-like nature of the infection," Sachkov added.

According to Sachkov, protection against such attacks can be provided by sandbox-class solutions installed in the organization's network that check all files arriving by email to employees or downloaded by them from the Internet. In addition, the expert recalled, it is important to hold explanatory talks with employees about the basics of "digital hygiene": do not install programs from unverified sources, do not plug unknown flash drives into the computer, do not follow dubious links, update software on time and do not use operating systems no longer supported by the manufacturer.

Who is to blame

Who is behind the large-scale cyberattack is not yet clear. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack of May 12. WikiLeaks had pointed to the same possibility earlier.

In turn, the Romanian authorities suggested that the organization "APT28 / Fancy Bear", traditionally associated with Russian hackers, could be behind the attack attempt.

The Telegraph suggests that the Shadow Brokers group, linked to Russia, may be behind the attack. It connects this with the hackers' statements in April that they had allegedly stolen a "cyber weapon" of the US intelligence community giving them access to all Windows computers.

12 May 2017, 19:43. The computer systems of the Ministry of Internal Affairs and MegaFon have come under virus attack

The internal computer system of the Russian Ministry of Internal Affairs has been hit by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

The outlet's source in the Ministry of Internal Affairs confirmed that departmental computers were infected. According to him, it concerns administrations in several regions.

Earlier, information about possible infection with the virus appeared on the Pikabu website and the Kaspersky forum. According to some users, it is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands a special decryptor in exchange for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but "has been updated and now looks different from previous versions."

Kaspersky's press service could not promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers were infected in Russia, Ukraine and Taiwan.

Varlamov's site notes that information has also appeared about infections of computers in public hospitals in several regions of Great Britain and about an attack on the Spanish telecommunications company Telefonica. In both cases the virus also demands payment.

The company noted that in March, additional protection against such viruses had already been delivered in an update.

"Users of our free antivirus and of an updated version of Windows are protected. We are working with users to provide additional assistance," the company added.

Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus uses a Windows network vulnerability that Microsoft specialists closed in March.

The Ministry of Internal Affairs confirmed the hacker attack on its computers

The Ministry of Internal Affairs has confirmed the hacker attack on its computers, RIA Novosti reports.

According to the ministry's press secretary Irina Volk, the ministry's Department of Information Technology, Communications and Information Protection recorded a virus attack on ministry computers running the Windows operating system.

"Thanks to timely measures, about a thousand infected computers were blocked, which is less than 1%," Volk said, adding that the ministry's server resources were not infected because they run on other operating systems.

"At the moment the virus has been localized; technical work is under way to destroy it and to update the anti-virus protection tools," the ministry's press secretary said.

More than six thousand dollars have been transferred to the Bitcoin wallets of the hackers spreading the WannaCry virus

At least 3.5 bitcoin has been transferred to the wallets of the hackers spreading the WannaCry virus, Meduza writes. At the rate of 1,740 dollars per bitcoin as of 22:00 Moscow time, that amounts to $6,090.

Meduza's conclusion is based on the transaction history of the Bitcoin wallets to which the virus demanded the money be sent. The wallet addresses were published in the Kaspersky Lab report.

Across the three wallets there were 20 transactions on May 12. Mostly they transferred 0.16–0.17 bitcoin, which is roughly 300 dollars. That is the sum the hackers demanded in the pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported that the WanaCrypt0r 2.0 virus infected 75 thousand computers in 99 countries, according to the company's website.

Most of the infected computers were in Russia, Ukraine and Taiwan.

13 hours ago, a post appeared on the blog of computer security specialist Brian Krebs about transfers of bitcoins to the hackers totalling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries hit by the virus attack

In three days more than 200 thousand computers in 150 countries have been infected with the WannaCry virus, Europol director Rob Wainwright said in an interview with the British TV channel ITV. Sky News quotes his words.

"The spread of the virus around the world is unprecedented. By the latest estimates, we are talking about 200 thousand victims in at least 150 countries, and among those victims are businesses, including large corporations," Wainwright said.

He suggested that the number of infected computers would most likely grow significantly when people return to their work computers on Monday. At the same time, Wainwright noted that so far people have transferred "amazingly little" money to the virus's distributors.

In China the virus attacked computers at 29 thousand institutions

The WannaCry virus attacked computers at more than 29 thousand institutions, and the number of affected computers runs into hundreds of thousands, the Xinhua agency reports, citing data from the Qihoo 360 computer threat center.

According to researchers, computers were attacked at more than 4,340 universities and other educational institutions. Infections were also noted on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

"For us there was no significant damage, neither for our institutions, nor for the banking system, nor for the health system, nor for others," he said.

"As for the source of these threats, in my opinion Microsoft's management stated this directly: they said that the primary source of this virus is the US special services, and Russia has nothing to do with it. It is strange for me to hear anything else in these circumstances," the president added.

Putin also called for the problem of cybersecurity to be discussed "at a serious political level" with other countries. He stressed that it is necessary to "develop a system of protection against such manifestations."

The WannaCry virus has clones

Two modifications of the WannaCry virus have appeared, Vedomosti writes, citing Kaspersky Lab. The company believes both clones were created not by the authors of the original ransomware but by other hackers trying to take advantage of the situation.

The first modification began spreading on the morning of May 14. Kaspersky Lab found three infected computers in Russia and Brazil. The second clone has learned to bypass the piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about clones of the virus. Matt Suiche, founder of the cybersecurity company Comae Technologies, said about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware could have been created by hackers from the North Korean group Lazarus, Kaspersky Lab reported on its specialized site.

The company's specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to a similarity between two samples, which share common code: a WannaCry encryptor sample from February 2017 and a Lazarus group sample from February 2015.

"The plot has become even more intricate, and now the same code has been found in #WannaCry and in Trojans from Lazarus," —

An alarming red-and-white screen appeared for hours on thousands of computers across the planet. The Internet virus called WannaCry ("I want to cry") encrypted millions of documents, photos and archives. To regain access to their own files, users are given three days to pay a ransom: first 300 dollars, then the amount increases. Moreover, payment is in virtual currency, bitcoins, so that it cannot be traced.

About a hundred countries were attacked. The ransomware started in Europe. In Spain: Telefonica, the Iberica bank, the gas company Gas Natural, the delivery service FedEx. Later WannaCry was recorded in Singapore, Taiwan and China, after which it reached Australia and Latin America, as well as the police of Andhra Pradesh in India.

In Russia the virus tried to blackmail MegaFon, VimpelCom, Sberbank and Russian Railways, and among state bodies the Ministry of Health, the Ministry of Emergency Situations and the Ministry of Internal Affairs. However, everywhere it is said that the attacks were quickly tracked and repelled, and there were no data leaks.

"The virus has been localized; technical work is under way to destroy it and to update the anti-virus protection tools. It is worth noting that a leak of official information from the information resources of the Russian Ministry of Internal Affairs is completely ruled out," said Irina Volk, official representative of the Russian Ministry of Internal Affairs.

"The goals are very hard to understand. I think they are not political goals; these are plain scammers who simply tried to make money on this business. They say so themselves, they demand money, it is an extortion virus. We can assume the goal is financial," said Natalya Kasperskaya, president of the InfoWatch holding.

But who are these fraudsters? Versions of the virus's origin are put forward depending on the freshness of the mind or the degree of inflammation of the brain. Who would doubt that someone would immediately start looking for Russian hackers. Like, Russia was attacked the most actively, so it must be the Russians. Well, the saying about fooling people by "hanging noodles on their ears" is, of course, from our folklore.

The virus first appeared in February. And even the BBC says its roots grow from the American National Security Agency, where methods of testing the resilience of the Windows system were developed, but the code somehow fell into the hands of fraudsters. Russian experts also speak of an American origin, only they say the roots are not in the NSA but in the US CIA.

"There are some details that show the virus is most likely not Russian. First, we know that its original is CRS, it comes from the CIA's combat tools; second, even those who updated it and launched it were most likely not Russian, because among the formats it works with there is none of the most popular formats in our country, the 1C file. If these were real Russian hackers wanting to infect as many as possible, they would of course have used 1C," says Igor Ashmanov, general director of Ashmanov and Partners, a developer of artificial intelligence and information security systems.

So maybe the roots of the virus are American, but it was Russian fraudsters who hacked with it all the same?

"It must be understood that this virus was published, its code was in the WikiLeaks leak two months ago. It was sterilized there, but the hackers who took it revived it, sprinkled it with living water and placed it somewhere, for example on a download site, or sent it by mail. Perhaps it was simply an attempt to check whether these CIA combat viruses work," said Igor Ashmanov.

Meanwhile, the notorious Edward Snowden claims that American intelligence agencies, more precisely the NSA, are themselves involved in this cyberattack. According to another version, from the same BBC, the attack could have been arranged by ideological opponents of President Trump. If so, they are "nice people." In the struggle for the triumph of humanism they hit social facilities. In Brazil, the social security system.

And in Britain the blow fell on the NHS, the National Health Service. In many hospitals operations have stopped; only emergency care is working. Even Prime Minister Theresa May made a special address.

It seems the virus was indeed aimed at corporate users. Be that as it may, suspicious emails should not be opened, and it is better to make backup copies of important documents, photos and videos on external media. And the specialists' advice: keep your software updated.

"The fact that the virus spread like wildfire shows that users apparently do not update much. At the same time, very many organizations were infected. And in organizations, as you know, updates are very often centralized. So the administrators of those organizations did not keep up with updating and closing vulnerabilities. Or it was somehow set up that way. We can only state that this hole was not closed, although the patch for it was ready," Natalya Kasperskaya noted.

Suddenly a window appears saying that the user's files have been encrypted and can be decrypted only by paying a ransom of 300 dollars. This must be done within three days, otherwise the price doubles, and after a week the data will be deleted permanently. Or rather, physically it will remain on the disk, but it will be impossible to decrypt. To demonstrate that the data really can be decrypted, the user is offered a "free demo version."

Example of the message shown on a hacked computer

What encryption is

Any data on a computer can be encrypted. Since all of it consists of files, that is, sequences of zeros and ones, the same zeros and ones can be written in a different order. Say, if we agree that instead of every sequence "11001100" we write "00001111", then, seeing "00001111" in the encrypted file, we know that it is really "11001100" and can easily decrypt the data. The information about what was changed is called the cipher key, and, alas, in this case only the hackers have the key. It is individual for each victim and is sent only after payment for the "services".
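The "agreed substitution" model above can be made concrete with a per-victim substitution table over whole bytes rather than 8-bit strings. This is an added illustration, not code from the article: the file contents are constructed sample bytes, and the key is a random permutation of the 256 byte values, so one victim's key is useless for another victim's files.

```python
import secrets
from collections import Counter

# Constructed "document" bytes standing in for a victim's file.
FILE_SAMPLE = b"Quarterly report: revenue 11001100, costs 00001111\n"


def make_victim_key() -> bytes:
    """Create a per-victim key: a random permutation of all 256 byte values.
    Entry i is the byte written instead of byte value i, which is exactly the
    "what was changed" information the text calls the cipher key."""
    table = list(range(256))
    secrets.SystemRandom().shuffle(table)
    return bytes(table)


def invert_key(key: bytes) -> bytes:
    """Build the reverse table: knowing the key, each ciphertext byte maps
    back to exactly one plaintext byte."""
    inverse = [0] * 256
    for plain_value, cipher_value in enumerate(key):
        inverse[cipher_value] = plain_value
    return bytes(inverse)


def encrypt(data: bytes, key: bytes) -> bytes:
    # bytes.translate applies a 256-entry table to every byte.
    return data.translate(key)


def decrypt(data: bytes, key: bytes) -> bytes:
    return data.translate(invert_key(key))


def frequency_profile(data: bytes) -> list:
    """Sorted byte counts. A substitution table only relabels bytes, so this
    profile is identical before and after encryption: the weakness that
    frequency analysis exploits, and the reason real ransomware uses standard
    strong ciphers rather than a table like this one."""
    return sorted(Counter(data).values(), reverse=True)


def demo() -> dict:
    """Encrypt the sample for victim A and try both A's and B's keys on it."""
    victim_a = make_victim_key()
    victim_b = make_victim_key()
    locked = encrypt(FILE_SAMPLE, victim_a)
    return {
        "changed": locked != FILE_SAMPLE,
        "right_key_recovers": decrypt(locked, victim_a) == FILE_SAMPLE,
        "other_victims_key_recovers": decrypt(locked, victim_b) == FILE_SAMPLE,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-victim key is what makes a single "universal decryptor" impossible here, which is why a restored backup, not a decryption trick, is the realistic recovery path.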

Can the hackers be caught?

In this case the ransom must be paid in bitcoins, an electronic cryptocurrency. The essence of using bitcoins, in brief, is that payment data is passed along a chain of servers in such a way that no intermediate server knows who the original sender and the final recipient are. Therefore, first, the final "beneficiary" is always completely anonymous, and second, the transfer of money cannot be disputed or cancelled, so a hacker who receives a ransom risks nothing. The possibility of quickly and with impunity receiving large sums of money strongly motivates hackers to look for new hacking methods.

How to protect yourself from hacking

In general, extortion programs have existed for ten years; as a rule, they used to be "Trojan horses." That is, the user installed the encryption program himself, out of his own foolishness, for example disguised as a "crack" for an expensive office suite or a set of new levels for a popular game, downloaded from who knows where. Elementary computer hygiene protects against such Trojans.

Now, however, we are talking about a virus attack (the Wanna Decrypt0r 2.0 virus) that uses a vulnerability in the Windows operating system and its network file transfer protocol (SMB), through which all computers on the local network are infected. The antiviruses are silent; their developers do not yet know what to do and are only studying the situation. So the only protection is regularly making backup copies of important files and storing them on external hard drives disconnected from the network. You can also use less vulnerable operating systems: Linux or Mac OS.

"Today our experts added an update: detection and protection against new malware known as Ransom:Win32/WannaCrypt. In March we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and of an updated version of Windows are protected. We are working with users to provide additional help."

Kristina Davydova, Microsoft Russia spokesperson

How to save your files

If the files are already encrypted and there is no backup, then, alas, you will have to pay. At the same time there is no guarantee that the hackers will not encrypt them again.

No global hacking cataclysm will follow: without local accounting documents or reports it is hard, of course, but the commuter trains are running and the MegaFon network operates without failures, because nobody entrusts critical data to an ordinary Windows office PC, and servers either have multi-stage protection against hacking (down to hardware at the router level) or are completely isolated from the Internet and from the local networks to which employees' computers are connected. Incidentally, precisely in case of cyberattacks, important state data is stored on servers running special cryptographically hardened Linux builds with the appropriate certification, and in the Ministry of Internal Affairs those servers also run on Russian "Elbrus" processors, for whose architecture the attackers certainly have no compiled virus code.

What happens next

The more people suffer from the virus, paradoxical as it may be, the better: it will be a good cybersecurity lesson and a reminder of the need to back up data constantly. After all, data can be destroyed not only by hackers (in a thousand and one ways) but also lost together with the physical medium it was stored on, and then there is only yourself to blame. Paying 300, or even 600, dollars for your life's work: let that happen to no one!
