Translated by
2020/01/13 17:56:08

WannaCry (ransomware)

WannaCry (also WannaCrypt or Wana) is ransomware that spread widely in 2017. It propagates with EternalBlue, an exploit attributed to the U.S. National Security Agency, repackaged into a worm.


How it works

WannaCry spreads over the file-sharing protocol (SMB) used on computers of companies and public institutions. The encryptor attacks computers running Windows.


More than 98% of WannaCry ransomware infections hit computers running Windows 7, and more than 60% of infections affected the 64-bit edition of that OS, according to data published by Kaspersky Lab analysts. Statistically, less than 1% of infected computers ran Windows Server 2008 R2, and Windows 10 accounted for 0.03%.


After getting into the folders with documents and other files, the virus encrypts them, changing their extension to .WNCRY. The malware then demands the purchase of a special key costing from 300 to 600 dollars, threatening to delete the files otherwise.

Taken as a whole, WannaCry is an exploit, by means of which infection and spreading take place, plus an encryptor that is downloaded onto the computer after the infection has happened.

This is also the important difference between WannaCry and most other encryptors. For an ordinary encryptor to infect a computer, the user has to make some mistake: click a suspicious link, allow a macro to run in Word, download a dubious attachment from an email. WannaCry can be caught without doing anything at all[1].

WannaCry's creators used an exploit for Windows known as EternalBlue. It exploits a vulnerability that Microsoft closed in security update MS17-010 of March 14, 2017. Using this exploit, attackers could gain remote access to a computer and install the encryptor on it.

If the update is installed and the vulnerability is closed, the computer cannot be compromised remotely this way. However, Kaspersky Lab researchers from GReAT point out separately that closing the vulnerability does nothing to stop the encryptor itself from working, so if it is launched some other way, the patch will not save you.

After successfully compromising a computer, WannaCry tries to spread over the local network to other computers like a worm. It scans other computers for the vulnerability that EternalBlue exploits and, if it finds it, attacks and encrypts them too.

So, having got onto one computer, WannaCry can infect a whole local network and encrypt every computer on it. This is why WannaCry hit large companies hardest: the more computers on the network, the greater the damage.
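The scan described above only succeeds against hosts that still accept the SMBv1 dialect on TCP/445 and lack MS17-010. The Python script below is an example added here; it is not code from this page or from any vendor mentioned on it. It sends a bare SMB_COM_NEGOTIATE offering only the SMBv1 dialect "NT LM 0.12" and classifies the reply: a host that selects that dialect is still exposing the protocol the exploit needs. It does not test for MS17-010 itself (that requires a specific Trans2 request sequence); it finds the population the worm can reach so that those hosts can be patched or have SMBv1 disabled. The `sample_response` helper and the host list are constructed for illustration.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"   # the SMBv1 dialect the EternalBlue exploit relies on


def build_smb1_negotiate(dialects=(NT_LM_012,)):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE that offers only SMBv1 dialects."""
    # 32-byte SMB1 header: magic, Command, NTSTATUS, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian)
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\x00" * 8,
        0, 0, 0xFEFF, 0, 0)
    # Dialect list: each entry is 0x02 + name + NUL terminator
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length
    return b"\x00" + len(body).to_bytes(3, "big") + body


def classify_negotiate_response(raw):
    """Classify what the server answered to an SMBv1-only negotiate."""
    if not raw:
        return "no-smb1"          # connection closed: SMBv1 disabled, or no SMB at all
    smb = raw[4:]                 # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"        # server answered in SMB2, not in the dialect we offered
    if len(smb) < 35 or not smb.startswith(SMB1_MAGIC):
        return "not-smb"
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE or status != 0:
        return "smb1-refused"     # error status, e.g. STATUS_NOT_SUPPORTED
    word_count = smb[32]
    if word_count == 0:
        return "smb1-refused"     # no negotiate parameters at all
    (dialect_index,) = struct.unpack_from("<H", smb, 33)
    if dialect_index == 0xFFFF:   # 0xFFFF: none of the offered dialects was selected
        return "smb1-refused"
    return "smb1-accepted"        # host still speaks the dialect the worm exploits


def probe_host(host, port=445, timeout=3.0):
    """Connect to host:port, send the negotiate and return the classification."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            return classify_negotiate_response(sock.recv(4096))
    except OSError:
        return "unreachable"


def sample_response(status=0, dialect_index=0, word_count=17):
    """Constructed SMBv1 negotiate reply, used only to show the parser's decisions."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, status, 0x98, 0xC853, 0, b"\x00" * 8,
        0, 0, 0xFEFF, 0, 0)
    params = struct.pack("<BH", word_count, dialect_index) + b"\x00" * 32
    body = header + params
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Hypothetical inventory (documentation addresses); replace with your own list.
    for host in ("192.0.2.10", "192.0.2.11"):
        print(host, probe_host(host))
```

Run it only against hosts you are authorized to scan. A result of "smb1-accepted" on a host that is also missing MS17-010 is exactly the condition the worm looks for; "no-smb1" or "smb2-only" means the EternalBlue path is closed on that host even if it is otherwise unpatched.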


According to Kaspersky Lab, by May 2017 at least 45 thousand users from 74 countries had fallen victim to WannaCry. 70% of all infected computers, according to the company, were located in Russia.

The virus also affected computers in Great Britain, Spain, Italy, Germany, Portugal, Turkey, Ukraine, Kazakhstan, Indonesia, Vietnam, Japan and the Philippines.

On May 14, 2017 Avast detected 126 thousand infected computers in 104 countries, also naming Russia among the most affected countries: 57% of infections fell on it.

As of May 14, WannaCry had collected more than $33 thousand. Although many users paid the ransom, there were no reports of their files being unlocked. Researchers found that the arrival of money in the attackers' accounts does not make it possible to tell which victim sent it. Many ransomware operators have a "support service" that quickly answers victims who have problems with payment. Not so with WannaCry. Moreover, experts doubt that the encrypted files can be decrypted by the attackers at all.

The spread of the WannaCrypt ransomware was halted by registering the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It turned out that WannaCry samples contacted this domain: if they received no response, they installed the encryptor and began their dirty work; if a response came (i.e. the domain was registered), the malware ceased all activity. Having spotted the reference to this domain in the trojan's code, a researcher registered it and thereby halted the attack. Over the rest of the day several tens of thousands of requests reached the domain, i.e. several tens of thousands of computers were saved from infection.

One theory is that this functionality was built into WannaCry as a kill switch, in case something went wrong. Another, which the researcher himself favours, is that it is a way to hinder analysis of the malware's behaviour: research sandboxes are often deliberately set up so that any domain returns a positive answer, and in such an environment the trojan would do nothing. Unfortunately, in new versions of the trojan it is enough for the attackers to change the domain name hard-coded in the kill switch for the infection to continue, so the first day of the WannaCry epidemic will probably not be the last.

A ransomware epidemic broke out on the network
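Because the kill-switch lookup happens before the encryptor runs, a DNS query for that domain from an internal host means the WannaCry sample executed on that host, whether or not the domain answered. The Python script below is an example added here, not code from this page or from any of the companies it names. It parses BIND-style resolver query logs for the kill-switch domain and reports each querying host with the time of its first lookup; the unique-host count is the same figure that sinkhole operators report for this domain (see the Kryptos Logic numbers later on this page). The log lines and the addresses in them are constructed for illustration, and the regular expression will need adapting to other resolvers' log formats.

```python
import re
from collections import defaultdict

# The domain registered by the researcher. Later variants can use a different
# name, so this set should be maintained from current threat intelligence.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# BIND query-log layout: "<date> client [@ptr] <ip>#<port> [(name)]: query: <qname> IN <type> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@\S+ )?"
    r"(?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

# Constructed sample log (not real telemetry): one host queries the domain twice,
# a second host queries it with different letter case and a trailing dot.
SAMPLE_LOG = """\
12-May-2017 15:41:02.118 client 10.10.4.21#53211: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +
12-May-2017 15:41:02.402 client 10.10.4.21#53212: query: www.example.com IN A +
12-May-2017 15:43:17.009 client 10.10.7.88#40123: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A +
12-May-2017 15:52:40.771 client 10.10.4.21#53290: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +
this line is not a query record
""".splitlines()


def parse_line(line):
    """Return {'ts', 'ip', 'qname'} for a query record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise the name: DNS is case-insensitive and logs may keep the root dot.
    qname = m.group("qname").rstrip(".").lower()
    return {"ts": m.group("ts"), "ip": m.group("ip"), "qname": qname}


def hunt(lines, watchlist=KILL_SWITCH_DOMAINS):
    """Return {domain: {client_ip: first_seen_timestamp}} for watchlisted queries."""
    hits = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] not in watchlist:
            continue
        hits[rec["qname"]].setdefault(rec["ip"], rec["ts"])  # keep the earliest lookup
    return dict(hits)


def summarize(hits):
    """Unique querying hosts per watchlisted domain."""
    return {domain: len(clients) for domain, clients in hits.items()}


def infected_hosts(hits):
    """Every host that ran the kill-switch check: each one needs MS17-010 and cleanup,
    even if the sinkhole answered and the encryptor never ran there."""
    return sorted({ip for clients in hits.values() for ip in clients})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    print(summarize(found))
    for ip in infected_hosts(found):
        print("host", ip, "first lookup at", found[next(iter(found))][ip])
```

A host that appears here is one where the sample ran; the kill switch only decides whether the encryptor runs, not whether the worm is present. Note also that if the network blocks outbound HTTP without a proxy, the sample's check fails and it proceeds to encrypt even though the domain is registered, which is why the page's later note that one large-scale outage could re-activate the ransomware holds.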

As an encryptor (it is also sometimes called WCrypt, and for some reason occasionally WannaCry Decryptor, although logically it is a cryptor, not a decryptor), WannaCry does the same as other encryptors: it encrypts files on the computer and demands a ransom for decrypting them. It most resembles yet another variant of the notorious CryptXXX trojan.

It encrypts files of various types (the full list can be seen here[2]), among which are, of course, office documents, photos, videos, archives and other file formats that may contain information important to the user. Encrypted files receive the extension .WNCRY (.WCRY in earlier samples, which is where the encryptor's name comes from) and become completely unreadable.

After that it changes the desktop wallpaper to display a notification about the infection and the list of actions supposedly needed to get the files back. WannaCry also drops the same notification as text files into folders across the computer, so that the user cannot miss it. As always, it comes down to transferring a certain amount in bitcoin to the attackers' wallet, after which they will supposedly decrypt the files. At first the criminals demanded $300, but then decided to raise the stakes: the latest versions of WannaCry show $600.

The virus only works on Windows: it uses a vulnerability in the operating system and spreads blindly, i.e. it does not choose its victims but infects whoever is unprotected. Microsoft closed this vulnerability in March 2017: the company released an update that was installed automatically on ordinary users' computers. Those whose system was updated are not threatened by the virus at all. In some organizations updates are installed not automatically but with the approval of the people responsible for security. Probably it was the departments and companies where the update had not been installed that ran into problems.

Microsoft released updates for operating systems that are no longer supported in order to stop the spread of the WannaCrypt ransomware. Updates came out including for Windows XP, an operating system from 2001 that had not been supported for three years.

Vasily Dyagilev, head of the Check Point Software Technologies representative office in Russia and the CIS: "Responsible for the attacks that began at the end of last week around the world is version 2.0 of the WCry ransomware, also known as WannaCry or WanaCrypt0r. Version 1.0 was detected on February 10, 2017 and was used on a limited scale in March. Version 2.0 was first detected on May 11; the attack arose suddenly and spread quickly in Great Britain, Spain, Germany, Turkey, Russia, Indonesia, Vietnam and Japan. The scale of the attack confirms how dangerous ransomware can be. Organizations should be ready to repel an attack and be able to scan, block and remove suspicious files and content before they get into their network. It is also very important to instruct staff about the possible danger of emails from unknown sources."

Authors

Experts at Flashpoint used linguistic analysis to determine the nationality of the hackers who presumably created and launched the WannaCry virus. The analysis showed that the attackers may come from southern China, Hong Kong, Taiwan or Singapore, since a southern dialect of Chinese is native to them.

The experts analyzed the ransom demand messages that appeared on infected computers. They had been translated into 28 languages, including Russian, Norwegian, Filipino and Turkish[3].

The analysis showed that practically all the ransom messages had been translated via Google Translate, and only the English version and the two Chinese versions (Simplified and Traditional) were probably written by native speakers.

Although the English message was written by someone who knows the language well, a gross grammatical error indicates that it is not the author's mother tongue. Flashpoint found that the English text was the original from which the other languages were later translated.

The Chinese ransom messages differ from the others in content and tone. In addition, a large number of unique characters shows that they were written by someone with a masterful command of Chinese.

Three months after the start of the WannaCry ransomware attacks, its creators withdrew all the funds in their bitcoin wallets, more than $142 thousand. The transactions were spotted by a bot run by the Quartz publication. The encryptor had demanded a ransom of $300 to $600 in bitcoin from its victims. All the money received was split between three wallets. On the night of August 3, 2017, seven transfers carried out within 15 minutes were recorded. Most likely the money will be passed through a chain of other bitcoin wallets to hide the final recipient.

Who is to blame

V. Putin: US intelligence agencies

Russian President Vladimir Putin named the US intelligence agencies as the source of the WannaCry ransomware, which paralyzed computers of institutions in 150 countries.

"As for the source of these threats, in my opinion Microsoft's management stated it directly. They said that the primary source of this virus is the intelligence agencies of the United States; Russia has nothing to do with it. It is strange for me to hear anything else under these conditions," the president said at a press conference following his visit to China.

The head of state reported that Russian organizations had not seriously suffered from the global cyber attack. "For us there was no significant damage, for our organizations: neither for the banks, nor for the healthcare system, nor for others. But in general it is alarming, there is nothing good in it, it causes concern," Vladimir Putin noted.

Microsoft: intelligence agencies of various countries

Microsoft President Brad Smith wrote in his blog that intelligence agencies of various countries bear part of the responsibility for the large cyber attack. He argues that the collection and storage of information about software vulnerabilities by intelligence agencies is a big problem, because this data ends up in the wrong hands.

"The attack is an example of why the stockpiling of vulnerability information by governments is such a problem," he wrote. "We have seen vulnerability data collected by the CIA (the US Central Intelligence Agency) turn up on WikiLeaks, and now a vulnerability stolen from the NSA (the US National Security Agency) has affected users around the world."

Brad Smith urged "governments of the world" to stop stockpiling such data and to stop exploiting or selling it. Instead, he believes, intelligence agencies should pass information about vulnerabilities to the software developers.

Microsoft and Britain: the DPRK is to blame

In October 2017 Microsoft President Brad Smith said that the North Korean authorities were behind the large-scale attacks using the WannaCry ransomware, which in May 2017 affected more than 150 countries. He said this on the ITV television channel. Cybersecurity experts had repeatedly voiced suspicions about a connection between the WannaCry attacks and the DPRK government before, but this was the first time the president of Microsoft said so publicly.

"I think at this point all informed observers have concluded that WannaCry was caused by North Korea using tools or cyber weapons stolen from the US National Security Agency," Smith noted. He added that over the past half year attacks carried out by certain states had become more frequent and more serious.

As society relies more and more on technology, the risk to the most important spheres of life and to the functioning of political institutions grows, the head of Microsoft believes. He urged governments to do more to protect citizens from such harm.

Ben Wallace, Minister of State for Security at the UK Home Office, said at the end of October 2017 in an interview with BBC Radio that the British government is confident of the DPRK's involvement in the WannaCry encryptor attacks, which hit the servers of the UK National Health Service (NHS) in May of that year. The attack was carried out not by an ordinary hacker group but by a foreign state, and the British authorities are firmly convinced of this, the minister said. In Great Britain and some other countries the view that the DPRK was involved in these attacks is widespread.

USA: the DPRK is to blame

On December 18, 2017 the USA publicly accused the DPRK of the attacks using the WannaCry ransomware. North Korea's direct involvement in the attacks was reported by Thomas Bossert, the US President's homeland security adviser, in an op-ed in the Wall Street Journal.

"The attack spread indiscriminately across the world in May. It (the WannaCry malware: editor's note) encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. It was cowardly, careless and caused extensive material damage. The attack was widespread and cost billions. Responsibility for it lies squarely with North Korea," Bossert wrote[4].

As the adviser explained, his statement is not unfounded but based on evidence obtained during the investigation. British intelligence agencies and specialists from a number of private companies have also concluded that the DPRK took part in the WannaCry attacks, Bossert noted.

As digital technology becomes ubiquitous, malicious actors begin to use it for their own ends. Attacks in cyberspace allow them to stay anonymous and cover their tracks. Using cyber attacks, criminals steal intellectual property and cause damage in every sector, the adviser noted.

Distribution in the world

First place among all ransomware

Even several years after the large-scale WannaCry ransomware campaign, from which a huge number of users in more than 100 countries suffered, the malware still continues to infect devices and in 2019 even took first place among all ransomware. This became known on January 10, 2020.

According to research by specialists at Precise Security, more than 23.5% of all ransomware attacks in 2019 involved WannaCry, and spam and phishing emails remained the most common source of infection.

Among the factors leading to infection, the specialists name spam and phishing emails (67%), lack of cybersecurity skills (36%) and weak passwords (30%). Only 16% of infections came via malicious websites and advertising.

Like other ransomware, WannaCry encrypts the files stored on the device and demands payment from users for the decryption key.

The number of ransomware attacks on government agencies and on organizations in healthcare, energy and education continues to grow, the researchers report. Whereas ordinary ransomware simply locks devices, more advanced malware uses the method called cryptoviral extortion[5].

Presence on hundreds of thousands of computers worldwide

On December 26, 2018 it became known that 18 months after the large-scale epidemic of the WannaCry ransomware, from which a huge number of users in more than 100 countries suffered, the malware is still present on hundreds of thousands of computers, according to data from Kryptos Logic.

According to Kryptos Logic, more than 17 million connection attempts to the kill-switch domain are recorded every week, originating from more than 630 thousand unique IP addresses in 194 countries. China, Indonesia, Vietnam, India and Russia lead by number of connection attempts. As one would expect, the number of attempts rises on working days compared with weekends.

The ransomware's presence on such a large number of computers could turn into a serious problem: one large-scale network outage would be enough to activate it, the specialists stress.

Earlier, Kryptos Logic made available the free TellTale service, which lets organizations monitor for infection by WannaCry or other known threats[6].

Attack on TSMC

TSMC, the world's largest chip manufacturer, lost $85 million because of the WannaCry virus. The company reported this in a financial statement submitted to the Taiwan Stock Exchange (TSE).

Attack on Boeing

On March 28, 2018 Boeing was hit by an attack using the notorious WannaCry ransomware. According to senior company engineer Mike VanderWel, the ransomware got onto Boeing's systems in North Charleston (South Carolina, USA) and began to spread rapidly.

"I heard the 777 automated spar assembly tooling may have gone down," the engineer was quoted as saying[7][8].

VanderWel also voiced concern that the malware could infect aircraft test equipment and "spread to airplane software". Nevertheless, according to Boeing vice president Linda Mills, press reports about the incident are inaccurate and the danger is greatly exaggerated.

"Our cybersecurity center detected a limited intrusion of malware that affected a small number of systems. All necessary measures were taken, and no problems with production or deliveries arose," Mills said.

Attack on LG Electronics

In August 2017 the malware attacked LG Electronics service centers and put their self-service kiosks out of action. The company reported the incident to the Korea Internet and Security Agency (KISA), which managed to regain control of the situation because the attack was caught at an early stage[9].

As an LG Electronics spokesperson told the Korea Herald, the ransomware's attempt to attack the company failed. Immediately shutting down the service center networks made it possible to avoid data encryption and a ransom demand. According to KISA, the kiosks were infected with WannaCry, but how the malware got onto the systems is unknown. Possibly someone deliberately installed the program on the devices. It is also possible that the attackers tricked an employee into loading the malware.

Attacks on car makers

On June 21, 2017 Honda Motor announced the suspension of car production at one of its plants after an attack by the WannaCry ransomware on the Japanese manufacturer's computer systems.

The plant in question is the Honda facility in the city of Sayama (Saitama Prefecture, Japan, northwest of Tokyo). It produces the Honda Accord sedan and the Honda Odyssey and Honda Step Wagon minivans. The plant's daily output is about 1000 vehicles.

Honda halted plant operations after the WannaCry virus attack

As a Honda representative told Reuters, on June 18, 2017 the company discovered that the WannaCry malware had hit its networks in Japan, North America, Europe, China and other regions, despite the security measures taken in mid-May.

The production line control system at the Sayama plant was hit by the encryptor. The attackers demanded payment to unlock the data.

As a result the plant was closed for a day; on June 20, 2017 normal operation resumed. Honda's other production facilities operated normally.

As a result of WannaCry's spread, more than 200 thousand computers in 150 countries were locked. Besides Honda, other car makers suffered from the virus, including Renault and Nissan Motor, which because of the cyber attack were forced to temporarily halt production at plants in Japan, Great Britain, France, Romania and India.

Although WannaCry attacked Windows computers, car makers were concerned that the virus could disrupt automotive electronics. Tal Ben David, vice president of Karamba Security, which offers security software for connected and autonomous cars, believes that to secure vehicles, companies should lock down the factory settings so that they cannot be changed.[10]

Infection of road cameras

In June 2017 the creators of the notorious WannaCry ransomware inadvertently helped Australian drivers avoid speeding fines, BBC News reports.[11]

The malware, which in May locked hundreds of thousands of Windows computers around the world, about a month after the global attack hit more than fifty traffic cameras, mostly located in central Melbourne.

In Australia the police cancelled 590 fines for drivers because of the WannaCry virus

The infection of 55 cameras monitoring compliance with traffic rules on Australian roads occurred during maintenance on June 6. The technician carrying out the maintenance connected an infected USB drive to the camera system and unintentionally loaded the virus.

WannaCry in the camera system was discovered after police officers noticed that the cameras were rebooting too often. According to Bleeping Computer, a reboot happened every few minutes; despite this, the cameras continued to operate and record violations.[12]

As a result of the incident, police in the Australian state of Victoria cancelled 590 fines for speeding and running red lights, although law enforcement insists that all the fines were issued correctly.

Acting Deputy Commissioner Ross Guenther explained that the public must be completely confident that the system operates correctly, which is why the police took this decision.

Although the main wave of WannaCry attacks fell in mid-May 2017, the encryptor continued to cause trouble for about two more months. Earlier, the American cybersecurity company KnowBe4 estimated that the damage from WannaCry in just the first four days of its spread exceeded $1 billion, including losses from data loss, production declines, business disruption, reputational harm and other factors.[13]

The first attack on medical equipment

WannaCry became the first encryptor to attack not only the personal computers of medical institutions but also medical equipment directly.

On May 17, 2017 Forbes published a screenshot of a Bayer Medrad device infected with the notorious WannaCry ransomware, whose victims numbered more than 200 thousand Windows computers in 150 countries.

Screenshot of a Bayer Medrad device, used in MRI examinations, infected with the WannaCry virus

Bayer Medrad equipment is used by radiologists to inject contrast agent into the patient's body during magnetic resonance imaging, the publication explained. The medical institution where the picture was taken is not named; it is only said that the photo was provided by a source in the US healthcare system, i.e. it concerns one of the American hospitals.

A Bayer representative confirmed that the company had been informed of two cases of infected equipment, but did not specify which models were affected.

"In both cases the devices were back in operation within 24 hours. When a medical institution's computer network is compromised, Bayer equipment running Windows and connected to the network can also become infected," the press secretary said.

Usually it is the Windows computers used in medical institutions that suffer from the malware. In particular, WannaCry hit PCs in almost fifty hospitals in Great Britain. The Bayer Medrad incident is the first case of a medical device falling victim to the encryptor, Forbes emphasized.

WannaCry could get into the medical equipment because its operating system was a version of Windows Embedded that supports the vulnerable SMBv1 protocol, which served as the entry point for infection.

On the same day a number of the largest medical device manufacturers, such as Smiths Medical, Medtronic and Johnson & Johnson, issued warnings about the threat of infection, but no reports of incidents with their equipment came in.[14]

Kaspersky calls for state certification of software for medical institutions

At the recent CeBIT Australia exhibition, Eugene Kaspersky, head of antivirus vendor Kaspersky Lab, shared some thoughts on the WannaCry ransomware, from which hundreds of thousands of users in 150 countries suffered, ZDNet writes[15].

Given that WannaCry primarily hit the networks of medical institutions, their protection is a matter of paramount importance, the head of the antivirus company believes, and it requires state intervention. "I can't get rid of the thought that governments should pay more attention to regulating cyberspace, at least where critical healthcare infrastructure is concerned," Kaspersky said.

According to him, certification of medical institutions should include certain requirements that guarantee the protection of valuable data. One of them is obtaining special permits certifying that a given clinic undertakes to back up data on a schedule and to install OS updates in a timely manner. In addition, the state should compile a list of systems and applications mandatory for use in the health sector (together with the specifications they require for a safe Internet connection).

Kaspersky believes that equipment supplied by medical device manufacturers should also be subject to government requirements. "Medical equipment manufacturers produce certified products that, under the terms of the contract, cannot be modified. In many cases these requirements do not allow the software in such equipment to be replaced or updated. No wonder Windows XP can remain unpatched for many years, if not forever," the expert says.

Distribution map and damage from the WannaCry ransomware

American experts assessed the damage from the large-scale hacker attack that in early May 2017 hit the computer systems of government agencies, large corporations and other organizations in 150 countries. This damage, KnowBe4's assessors are sure, amounted to $1 billion. According to their data, WannaCry hit between 200 thousand and 300 thousand computers in total.

"The estimated damage caused by WannaCry over the first four days exceeded $1 billion, considering the large-scale downtime it caused at large organizations worldwide," said KnowBe4 CEO Stu Sjouwerman. Data loss, declines in production, downtime, legal costs, reputational damage and other factors went into the overall estimate.

Data as of 5/18/2017

Distribution in Russia

Russia among the top three countries by spread of the virus

At the end of May 2017, Kryptos Logic, a company developing cybersecurity solutions, published research showing that Russia was among the top three countries by the number of hacker attacks using the WannaCry ransomware.

Kryptos Logic's conclusions are based on the number of requests to the sinkhole domain (the kill switch) that prevents infection. From May 12 to May 26, 2017 the experts recorded about 14-16 million requests.

Chart of the countries with the greatest spread of the WannaCry virus over the first two weeks, according to Kryptos Logic

In the first days of WannaCry's mass spread, antivirus companies reported that the majority (from 50% to 75%) of cyberattacks using this virus fell on Russia. However, according to Kryptos Logic, the leader was China, from which 6.2 million requests to the sinkhole domain were recorded. The figure for the USA was 1.1 million, for Russia 1 million.

The ten countries with the greatest WannaCry activity also included India (0.54 million), Taiwan (0.375 million), Mexico (0.3 million), Ukraine (0.238 million), the Philippines (0.231 million), Hong Kong (0.192 million) and Brazil (0.191 million).

Experts explain the fact that the most attempts to infect computers with WannaCry were recorded in China by the slow uptake of Windows 10 there: as of the end of May 2017, most PCs in China still run Windows 7 or Windows XP.

According to Kaspersky Lab, more than 98% of the computers hit by WannaCry run Windows 7. Kryptos Logic confirmed that the worm mainly infects devices running "seven", since other OS versions (even the outdated Windows XP) are much less vulnerable to this virus: on an infection attempt they either do not let the malware install or crash the computer with a "blue screen of death".[16]

Head of the Ministry of Communications: WannaCry did not hit Russian software

The WannaCry virus did not affect Russian software; it found weak points in foreign software, Nikolai Nikiforov, Minister of Telecom and Mass Communications of the Russian Federation, said in May 2017 on the "Opinion" program of Vesti.Ekonomika.

He acknowledged that some public-sector industries had problems because of this virus. Therefore the information technologies used in Russia should be "our technologies, Russian ones", Nikiforov emphasized.

"Moreover, we have the scientific and technical potential. We are one of the few countries that, with some organizational, financial and technical effort, is capable of creating the whole stack of technologies that allow us to feel confident," the minister said.
"The virus did not affect domestic software; the virus affected foreign software, which we use in large quantities," he emphasized.

Russian Security Council: WannaCry did not cause serious damage to Russia

The Russian Security Council assessed the damage that the WannaCry virus caused to Russian infrastructure facilities. According to Deputy Secretary of the Security Council Oleg Khramov, the WannaCry virus did not cause serious damage to Russia's critical information infrastructure.

These facilities include information systems in the defense industry, healthcare, transport, communications, the credit and financial sector, energy and others.

Khramov recalled that, for reliable protection of the country's critical information infrastructure, a state system for detecting, preventing and eliminating the consequences of computer attacks on Russian information resources is being built step by step under a decree of the President of the Russian Federation.

"Thanks to this state system, serious damage was avoided. The critical information infrastructure was ready to withstand the large-scale spread of this virus," Khramov said[17][18].

At the same time, the Deputy Secretary of the Security Council emphasized that such threats to information security are becoming more and more sophisticated and large-scale.

Attack on the Ministry of Internal Affairs

On May 12, 2017 it became known that the WannaCry virus had attacked computers of the Ministry of Internal Affairs (MIA) of Russia. About 1% of the ministry's systems were infected.

As RIA Novosti reported, citing the official representative of the Russian MIA Irina Volk, the ministry's Department of Information Technologies, Communications and Data Protection (DITSIZI) recorded a virus attack on the department's personal computers running the Windows operating system.

The Ministry of Internal Affairs of the Russian Federation reported that on May 12 its servers underwent a hacker attack
«
Thanks to timely measures, about one thousand infected computers were blocked, which makes up less than 1%. At the moment the virus has been localized; technical work on its removal and on updating antivirus protection tools is under way, Volk reported on May 12, 2017.
»

She also noted that WannaCry could not infect the ministry's server resources because they use other operating systems and servers on Russian Elbrus processors.[19]

A number of personal computers of the ministry's staff were infected with WannaCry because employees violated the rules for using information systems. The cause of infection was employees' attempts to connect office computers to the Internet "by one mechanism or another". Only employees' personal computers were infected; the internal network of the ministry is protected from external influence.

Attack on the "big three" mobile operators

On May 12, 2017 MegaFon announced a hacker attack on its computers using the virus. The operator claims it managed to avoid serious consequences thanks to measures taken in time.

«
For some time the work of call center operators was blocked: they could not turn on their computers, and there were problems at retail points of sale. Therefore we were forced to partially disconnect whole networks within our network so that the virus did not spread, the company's director of public relations Pyotr Lidov told RIA Novosti.
»

MegaFon repelled the attack thanks to virtualization technologies (users' file resources are placed in a protected "cloud") and to technical measures limiting the spread of the virus. An MTS representative told TASS that attacks on the operator's staff computers were recorded at night. "We repelled them," he added.

VimpelCom also stated that it had successfully repelled the attack. Rostelecom's press service reported that the company had recorded the fact of the attack.

After the WannaCry attack, a MegaFon "subsidiary" looks for new chief information officers

"Megafon.retail", the retail subsidiary of the mobile operator MegaFon, began looking for new heads and specialists for its IT department in May 2017. MegaFon posted the vacancies on Headhunter.ru[20].

In Moscow, "Megafon.retail" is looking for candidates for the positions "head of IT" and "CIO". These vacancies were opened between May 17 and May 26, 2017. The required specialists are to be responsible for the effective organization of IT in the company, the smooth operation of IT services and infrastructure, the implementation of federal IT projects and so on.

The Roem.ru publication links the opening of IT management vacancies at "Megafon.retail" to the global attack of the WannaCry ransomware that began on May 12, 2017.

Attack on Sberbank

Sberbank reported that it had recorded attempts of a hacker attack on its infrastructure, all of which were repelled. "Information security systems recorded attempts to penetrate the bank's infrastructure in time. The bank's network provides protection against such attacks. No viruses penetrated the system," says the Sberbank statement received by RBC. It also emphasized that, in connection with reports of virus attacks, the bank's cybersecurity services were put on high alert.

Successors to WannaCry

The EternalBlue exploit on Windows 10

In June 2017, specialists from RiskSense published an extensive report on how the EternalBlue exploit, which previously did not work in the Windows 10 environment, can be made to work there.

EternalBlue is one of the "NSA exploits" stolen from the Equation cybergroup in 2016. In mid-April 2017 this exploit, along with several others, was leaked by The Shadow Brokers group. Soon after that came the global epidemic of the WannaCry ransomware, in which this exploit was used[21].

In the published document the researchers showed how they managed to bypass Windows 10 protection mechanisms, in particular a new method for bypassing DEP (Data Execution Prevention) and ASLR (address space layout randomization).

Adylkuzz and Uiwix viruses

Proofpoint specialists discovered the Adylkuzz virus, which uses the same Windows vulnerability as WannaCry. The virus mines cryptocurrency and has already affected more than 200 thousand computers. The hackers who created Adylkuzz have already earned about 43,000 dollars[22].

Researchers note that Adylkuzz began its attacks before WannaCry, at least on May 2 and possibly as early as April 24. The virus did not attract much attention because it is much harder to notice. The only "symptom" a victim may notice is a slowdown of the PC, since the virus consumes system resources.

At the same time, Adylkuzz protected the users it infected from WannaCry attacks, since it closed the Windows gap behind it and did not let the other virus use it.

Besides, after WannaCry another ransomware appeared, Uiwix, which also uses the notorious Windows vulnerability. This was reported by specialists of Heimdal Security.

Uiwix, unlike the numerous imitators of WannaCry, really encrypts victims' files and poses a real threat. Besides, Uiwix has no "kill switch" mechanism, so its spread cannot be stopped by registering a certain domain.

The virus encrypts victims' data and demands a ransom of 0.11943 bitcoins (about 215 dollars at the current rate).

Attempts by creators of other viruses to profit from WannaCry

In June 2017, researchers from RiskIQ discovered hundreds of mobile applications posing as protection against the WannaCry ransomware that in practice were useless at best and harmful at worst. Such applications are part of a larger problem: fake mobile antiviruses.

Errors in the WannaCry code

The WannaCry code was full of errors and of very low quality, so low that some victims can recover access to their original files even after those were encrypted.

The analysis of WannaCry carried out by security researchers from Kaspersky Lab revealed that most of the errors mean that files can be recovered using public software tools or even simple commands[23].

In one case, an error in WannaCry's handling of read-only files means that it cannot encrypt such files at all. Instead, the ransomware creates encrypted copies of the victim's files. The original files remain untouched but are marked as hidden. This means the files are easy to get back by simply removing the "hidden" attribute.

This is not the only example of bad coding in WannaCry. When the ransomware gets into a system, files its developers do not consider important are moved to the temporary folder. These files contain the original data, which is not overwritten but only deleted from disk, meaning they can be recovered using data recovery software. Unfortunately, if files are in an "important" folder such as Documents or Desktop, WannaCry writes random data over the original files, and in this case recovery is impossible.

Nevertheless, the set of errors in the code gives victims hope, since the amateurish nature of the ransomware gives ample opportunities for recovering at least some files.

"If you were infected by the WannaCry ransomware, there is a high probability that you will be able to recover many files on the affected computer. We recommend that individuals and organizations use file recovery utilities on affected machines in their network," said Anton Ivanov, security researcher at Kaspersky Lab.

This is not the first time WannaCry has been characterized as an amateurish form of ransomware. And the fact that, three weeks after the attack, only a tiny share of infected victims had paid a total of 120 thousand dollars in bitcoins as ransom suggests that the ransomware, though it caused mass alarm, failed to make big money, which is the ultimate goal of ransomware programs.
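The read-only case above can be triaged with a short script. The following is an added example, not code from the page or from Kaspersky Lab: it walks a directory tree, treats every `.WNCRY` file whose original (the same name without the suffix) still exists beside it as a recovery candidate, and on Windows clears the hidden attribute on that original. The `.WNCRY` naming follows the page; the sample tree is constructed inline and the `unhide` helper is hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical helper, not part of the page or of any vendor tool: triage a
# directory tree for originals that WannaCry left beside their encrypted copies.

WNCRY_SUFFIX = ".WNCRY"          # extension WannaCry appends to encrypted files
FILE_ATTRIBUTE_HIDDEN = 0x2      # Win32 attribute flag set on the read-only originals


def find_recoverable_originals(root):
    """Return originals that still sit beside their .WNCRY twin.

    For read-only files the malware could not encrypt in place: it wrote an
    encrypted copy named <original>.WNCRY and only marked the original hidden.
    An original that still exists next to its twin is therefore a recovery
    candidate; a .WNCRY file with no sibling was encrypted in place.
    """
    candidates = []
    for encrypted in Path(root).rglob("*" + WNCRY_SUFFIX):
        original = encrypted.with_name(encrypted.name[: -len(WNCRY_SUFFIX)])
        if original.is_file():
            candidates.append(original)
    return sorted(candidates)


def unhide(path):
    """Clear the Windows hidden attribute; True only if the attribute was cleared.

    The attribute exists only on NTFS/FAT under Windows, so on other platforms
    this is a no-op and returns False.
    """
    if os.name != "nt":
        return False
    import ctypes  # imported lazily: only meaningful on Windows

    kernel32 = ctypes.windll.kernel32
    attrs = kernel32.GetFileAttributesW(str(path))
    invalid = 0xFFFFFFFF  # INVALID_FILE_ATTRIBUTES
    if attrs == invalid or not attrs & FILE_ATTRIBUTE_HIDDEN:
        return False
    return bool(kernel32.SetFileAttributesW(str(path), attrs & ~FILE_ATTRIBUTE_HIDDEN))


def build_sample_tree():
    """Constructed sample tree (not real victim data) reproducing both cases."""
    root = Path(tempfile.mkdtemp(prefix="wncry_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    # Case 1: read-only spreadsheet; encrypted copy written beside it, original intact.
    budget = docs / "budget.xlsx"
    budget.write_bytes(b"original spreadsheet bytes")
    budget.chmod(stat.S_IREAD)
    (docs / "budget.xlsx.WNCRY").write_bytes(b"\x00ciphertext\x00")
    # Case 2: writable memo encrypted in place; only the .WNCRY file remains.
    (docs / "memo.docx.WNCRY").write_bytes(b"\x00ciphertext\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for original in find_recoverable_originals(root):
        print(f"recoverable: {original.relative_to(root)} (unhidden: {unhide(original)})")
```

Run against a copy of the affected volume rather than the live disk, and keep the `.WNCRY` files: the sibling check is a heuristic, and an original that exists but differs in size from what the user expects should be compared before the encrypted copy is discarded.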

The tool for removing WannaCry

Windows XP is one of the vulnerable operating systems hit by the WannaCry ransomware. Despite the release of updates fixing the vulnerability, a huge number of computers fell victim to the malware. Fortunately, French security researcher Adrien Guinet developed a tool that allows WannaCry to be removed from a system without paying the ransom.

It should be noted that the tool only works if the system has not been rebooted since infection. If the system was restarted after WannaCry encrypted the files, Guinet's program will be useless.

The tool developed by the researcher searches the computer's memory for the decryption key and is able to recover the prime numbers of the private RSA key that WannaCry used to encrypt the victim's files. As Guinet explained, his tool searches the memory of the wcry.exe process for the numbers from which the private RSA key is generated.

After the private key is encrypted, its unencrypted version is removed from the infected computer's memory using the CryptReleaseContext function. Nevertheless, as the researcher explained, CryptDestroyKey and CryptReleaseContext only erase the handle pointing to the key, not the numbers themselves, thanks to which the private key can be extracted from memory.

The program only works on Windows XP and has not been tested on other OS versions. The tool can be downloaded from a GitHub repository.
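The recovery idea described in this section, as an added illustration that is not Guinet's code and not from the page: the public modulus N is known (it is embedded in the ransom note material), so scanning a memory image for any window of bytes that divides N recovers one prime, and the private exponent follows. The memory image here is constructed inline with toy-sized Mersenne primes; the assumption that the primes sit in memory as little-endian integers (the byte order of CryptoAPI key blobs) is the author's, and the "after reboot" case is modelled as a zeroed image to show why the tool fails once the pages are gone.

```python
# Constructed illustration of the idea behind the recovery tool (not its code):
# RSA prime factors linger in process memory after CryptDestroyKey and
# CryptReleaseContext, so scanning a memory image for any value that divides
# the public modulus N recovers a prime, and with it the private key.

E = 65537  # standard RSA public exponent


def scan_for_prime_factor(memory, n, prime_bytes):
    """Slide a window of `prime_bytes` bytes over `memory` and return the first
    value that is a nontrivial divisor of n, or None.

    Byte order is assumed little-endian (the layout CryptoAPI uses for RSA key
    blobs). Testing n % candidate == 0 is enough: the only nontrivial divisors
    of an RSA modulus are its two primes, so any hit is one of them.
    """
    for off in range(len(memory) - prime_bytes + 1):
        cand = int.from_bytes(memory[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_key(n, e, p):
    """Given one prime p of n, derive the other prime and the private exponent."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p, q, d


def constructed_memory_image(prime):
    """Fake memory image: padding, unrelated heap data, the prime as it would
    sit in the process, then more padding. Constructed, not a real dump."""
    return b"\x00" * 16 + b"unrelated heap strings" + prime.to_bytes(8, "little") + b"\x00" * 16


def demo():
    # Toy key: Mersenne primes 2^31-1 and 2^61-1. WannaCry used 2048-bit RSA,
    # whose primes are 128 bytes each; the small sizes keep the example readable.
    p, q = 2147483647, 2305843009213693951
    n = p * q
    image = constructed_memory_image(q)
    factor = scan_for_prime_factor(image, n, prime_bytes=8)
    if factor is None:
        return {"factor": None, "roundtrip_ok": False, "after_reboot": None}
    _, _, d = rebuild_private_key(n, E, factor)
    # Round-trip check: encrypt with the public key, decrypt with the recovered key.
    message = 0x57414E4E41  # "WANNA" as an integer, well below n
    ciphertext = pow(message, E, n)
    roundtrip_ok = pow(ciphertext, d, n) == message
    # The caveat from the text: after a reboot the pages holding the primes are
    # gone, modelled here as a zeroed image, and the scan finds nothing.
    after_reboot = scan_for_prime_factor(b"\x00" * len(image), n, prime_bytes=8)
    return {"factor": factor, "roundtrip_ok": roundtrip_ok, "after_reboot": after_reboot}


if __name__ == "__main__":
    print(demo())
```

On a real 2048-bit key the window is 128 bytes and the scan runs over the whole process image, so the divisibility test is the expensive step; it is still far cheaper than any attempt at factoring, which is exactly why leaving the primes in freed memory is a fatal mistake for the ransomware's author.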

How to secure a computer against infection?

  • Install all Microsoft Windows updates.
  • Make sure that all network nodes are protected by comprehensive antivirus software. We recommend heuristics-based technologies, which can detect new threats and protect against so-called zero-day attacks; this improves security when previously unknown malware gets into a system.
  • Stop using Microsoft Windows versions that are no longer supported by the vendor. Before replacing outdated operating systems, install the update Microsoft released for Windows XP, Windows 8 and Windows Server 2003.
  • Use services that provide information about the latest threats.
  • If you suspect an infection, disconnect the infected workstations from the corporate network and contact the technical support of your antivirus vendor for further recommendations.

See also: Protection against targeted ransomware attacks.

See also

Notes

  1. Epidemic of the WannaCry ransomware: what happened and how to protect yourself
  2. [https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/ WannaCry ransomware used in widespread attacks all over the world]
  3. Other sources: based on materials of gazeta.ru
  4. The USA officially accused the DPRK of the WannaCry attacks
  5. WannaCry became the most dangerous ransomware of 2019
  6. 1.5 years later the WannaCry ransomware is still present on hundreds of thousands of computers
  7. [https://www.securitylab.ru/news/492346.php The CNET edition]
  8. Boeing fell a new victim of WannaCry
  9. The WannaCry ransomware fell back into its old ways again
  10. Honda halts Japan car plant after WannaCry virus hits computer network
  11. WannaCry helps speeding drivers dodge fines in Australia
  12. WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia
  13. Here's one tally of the losses from WannaCry ransomware global attack
  14. Medical Devices Hit By Ransomware For The First Time In US Hospitals
  15. Kaspersky urges state certification of software for medical institutions
  16. WannaCry: Two Weeks and 16 Million Averted Ransoms Later
  17. Oleg Khramov
  18. Based on materials of the Kommersant newspaper
  19. Computers of the Ministry of Internal Affairs were hit by a cyber attack
  20. After the WannaCry attack, a MegaFon "subsidiary" looks for new chief information officers
  21. Experts found out which OS will fall a new victim of WannaCry
  22. Based on materials of xakep.ru, TASS, PLUSworld.ru
  23. Errors in the WannaCry code give its victims a chance to recover their files