2020/04/27 12:04:10

WannaCry (ransomware virus)

WannaCry (also WannaCrypt or Wana) is a ransomware virus that became widespread in 2017. It is built on a modified version of EternalBlue, the exploit attributed to the US National Security Agency.


How it works

WannaCry spreads through the file-sharing protocols installed on the computers of companies and government agencies. The ransomware affects Windows-based computers.


Over 98% of WannaCry ransomware infections occur on computers running Windows 7, with more than 60% of infections affecting the 64-bit version of the OS. These figures were published by Kaspersky Lab analysts. According to the same statistics, less than 1% of infected computers run Windows Server 2008 R2, and Windows 10 accounts for 0.03%.


Once it reaches folders with documents and other files, the virus encrypts them, changing their extensions to .WNCRY. The malware then demands that the victim buy a special key costing between $300 and $600, threatening otherwise to delete the files.

In general, WannaCry consists of two parts: an exploit that infects and spreads, and a ransomware payload that is downloaded to the computer after the infection has occurred.

This is an important difference between WannaCry and most other ransomware. To infect a computer with ordinary ransomware, the user has to make a mistake: click a suspicious link, allow a macro to run in Word, download a dubious attachment from an e-mail. WannaCry can infect a computer without the user doing anything at all[1].

The creators of WannaCry used an exploit for Windows known as EternalBlue. It exploits a vulnerability that Microsoft closed in the MS17-010 security update of March 14. With this exploit, attackers could gain remote access to the computer and install the ransomware itself on it.

If the update is installed and the vulnerability is closed, the computer cannot be compromised remotely in this way. However, researchers from Kaspersky Lab's GReAT separately point out that closing the vulnerability does not stop the ransomware itself from working, so if it is launched by any other means, the patch will not help.

After compromising a computer, WannaCry tries to spread over the local network to other computers like a worm. It scans other computers for the same vulnerability that EternalBlue exploits and, if it finds it, attacks and encrypts them too.

As a result, once on one computer, WannaCry can infect the entire local network and encrypt every computer in it. That is why large companies suffered the most from WannaCry: the more computers on the network, the greater the damage.


According to Kaspersky Lab, by May 2017, at least 45 thousand users from 74 countries had become victims of WannaCry. 70% of all infected computers, according to the company, are located in Russia.

In addition, computers in the UK, Spain, Italy, Germany, Portugal, Turkey, Ukraine, Kazakhstan, Indonesia, Vietnam, Japan and the Philippines were affected by the virus.

On May 14, 2017, Avast discovered 126 thousand infected computers in 104 countries, also singling out Russia among the most affected countries - it accounted for 57% of infections.

As of May 14, WannaCry had collected over $33,000. Although many users paid the ransom, there were no reports of their files being unlocked. The researchers found that the flow of money into the ransomware account makes it possible to track which victim transferred it. Many ransomware operations have a "support service" that responds quickly to victims who have payment problems, but not in the case of WannaCry. Moreover, experts doubt that the encrypted files can be decrypted by the ransomware operators at all.

The spread of the WannaCrypt ransomware was halted by registering the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It turned out that some WannaCry samples contacted this domain and, if they did not receive a positive response, installed the ransomware and went about their business; if a response came (that is, the domain was registered), the malware ceased all activity. Having found a reference to this domain in the Trojan's code, a researcher registered it, thus halting the attack. Over the rest of the day, several tens of thousands of requests reached the domain, meaning several tens of thousands of computers were saved from infection. One theory is that this functionality was built into WannaCry as a kill switch in case something went wrong. Another, which the researcher himself holds, is that it is a way to complicate analysis of the malware's behaviour: research sandboxes are often configured so that positive answers come from any domain, in which case the Trojan would do nothing in the test environment. Unfortunately, in new versions of the Trojan it is enough for the attackers to change the domain name in this "switch" for infection to continue. So the first day of the WannaCry epidemic will probably not be the last.
A ransomware virus epidemic broke out on the network

WannaCry as ransomware (it is also sometimes called WCrypt and, for some reason, WannaCry Decryptor, although logically it is a cryptor, not a decryptor) does the same thing as other ransomware: it encrypts files on the computer and demands a ransom for decrypting them. Most of all, it resembles another variation of the infamous CryptXXX Trojan.

It encrypts files of various types (a full list can be viewed here[2]), among which, of course, are office documents, photos, movies, archives and other formats that may contain information important to the user. Encrypted files receive the .WCRY extension (hence the name of the ransomware) and become completely unreadable.

After that, it changes the desktop wallpaper, displaying an infection notice and a list of actions that supposedly need to be taken to get the files back. WannaCry also drops the same notice as text files into folders on the computer so that the user is sure not to miss it. As always, it comes down to transferring a certain sum in bitcoin equivalent to the attackers' wallet, after which they allegedly decrypt the files. At first the cybercriminals demanded $300, but then decided to raise the stakes: the latest versions of WannaCry quote a figure of $600.

The virus works only on Windows: it exploits a vulnerability in the operating system and spreads blindly, that is, it does not select victims but infects whoever is unprotected. Microsoft closed this vulnerability back in March 2017: the company released an update that was installed automatically on the computers of ordinary users. Anyone who has updated the system is not in danger from the virus. In some organizations, updates are not installed automatically but only with the approval of those responsible for security. Apparently, the departments and companies in which the update was not installed were the ones that ran into problems.

Microsoft released updates for operating systems that are no longer supported in order to stop the spread of the WannaCrypt ransomware. The update was issued even for Windows XP, the 2001 operating system, although it had not been supported for three years.

Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS: "The culprit of the attacks that began at the end of last week around the world is version 2.0 of the WCry ransomware, also known as WannaCry or WanaCrypt0r ransomware. Version 1.0 was discovered on February 10, 2017 and was used on a limited scale in March. Version 2.0 was first detected on May 11; the attack arose suddenly and quickly spread to the UK, Spain, Germany, Turkey, Russia, Indonesia, Vietnam and Japan. The scale of the attack confirms how dangerous ransomware can be. Organizations must be prepared to repel an attack, and be able to scan, block and screen out suspicious files and content before it reaches their network. It is also very important to instruct staff on the possible dangers of letters from unknown sources."

Authors

Flashpoint experts, using linguistic analysis, established the probable nationality of the hackers who allegedly created and launched the WannaCry virus. The analysis showed that the attackers could be from the southern regions of China, Hong Kong, Taiwan or Singapore, since a southern dialect of Chinese appears to be their native language.

Experts analyzed the ransom messages that appeared on infected computers. All of them had been translated into 28 languages, including Russian, Norwegian, Filipino, Turkish and others[3].

The analysis found that virtually all ransom messages were translated through Google Translate, and only the English and two Chinese versions (simplified and classical) were likely written by native speakers.

Although the message in English was written by a person with a good command of the language, a gross grammatical error indicates that English is not the author's native language. Flashpoint found that the English text was the original source, which was subsequently translated into the other languages.

Messages about the ransom demand in Chinese differ from others in content and tone. In addition, a large number of unique characters indicate that they were written by a person who is fluent in Chinese.

Three months after the start of the attacks using the WannaCry ransomware, its creators withdrew all the funds available in their bitcoin wallets: more than $142 thousand. The transactions were spotted by the Quartz bot. The ransomware demanded a ransom of $300-600 in bitcoin from its victims. All the money received was distributed across three wallets. On the night of August 3, 2017, seven transfers of funds were recorded, carried out within 15 minutes. Most likely, the money will pass through a chain of other bitcoin wallets to hide the final recipient.

Who is to blame

V. Putin: US intelligence agencies

Russian President Vladimir Putin called the US special services the source of the WannaCry ransomware virus, which paralyzed the computers of organizations in 150 countries.

"As for the source of these threats, in my opinion, Microsoft management directly stated this. They said that the primary source of this virus is the special services of the United States; Russia has absolutely nothing to do with it. It is strange for me to hear something different in these conditions," the president said at a press conference following his visit to China.

The head of state said that Russian institutions were not seriously affected by the global cyber attack. "For us, there was no significant damage, for our institutions: neither for banking, nor for the health care system, nor for others. But in general, this is alarming, there is nothing good here, it causes concern," Vladimir Putin stated.

Microsoft: Intelligence agencies of different countries

Microsoft President Brad Smith said in a blog post that intelligence agencies from different countries were partially responsible for a major cyber attack. He claims that collecting and storing information about vulnerabilities in software by intelligence agencies is a big problem, since this data eventually falls into bad hands.

"The attack is an example of why the accumulation of vulnerability information by governments is such a problem," he wrote. "We saw how vulnerability data collected by the US CIA (Central Intelligence Agency) ended up on WikiLeaks, and now a vulnerability stolen from the NSA (US National Security Agency) has affected users around the world."

Brad Smith called on "governments around the world" to abandon the accumulation of such data, as well as their exploitation or sale. Instead, special services should transmit information about vulnerabilities to developers, he said.

Microsoft and Britain: The DPRK is to blame

In October 2017, Microsoft President Brad Smith announced that the North Korean authorities were involved in the large-scale attacks using the WannaCry ransomware, which affected more than 150 countries in May 2017. He said this on air on ITV. Earlier, cyber security experts had repeatedly voiced suspicions that the WannaCry attacks were linked to the DPRK government, but this was the first time the Microsoft president had said so publicly.

"I believe that by this time all knowledgeable observers concluded that the source of WannaCry was the DPRK, which used tools or cyber weapons stolen from the US National Security Agency," Smith said. He added that over the past six months, attacks carried out by individual states have become more frequent and more serious.

While society is increasingly relying on technology, the risk to the most important areas of life and functioning of political institutions is growing, the head of Microsoft believes. He called on governments to take more measures to protect citizens from such damage.

British Home Office Security Minister Ben Wallace said in a late October 2017 interview with BBC Radio that the UK government is confident of the DPRK's involvement in the WannaCry ransomware attacks that hit the servers of the UK National Health Service (NHS) in May of that year. The attack was carried out not by a simple hacker group but by a foreign state, and the British authorities firmly believe this, the minister said. In the UK and a number of other countries, the view that the DPRK was involved in these attacks is widespread.

US: The DPRK is to blame

On December 18, 2017, the US publicly accused the DPRK of the attacks using the WannaCry ransomware. North Korea's direct involvement in the attacks was reported by US Homeland Security Adviser Thomas Bossert in an opinion piece in the Wall Street Journal.

"The attack spread indiscriminately around the world in May. It (the WannaCry malware - ed.) encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, companies and homes. It was mean, careless and caused a lot of property damage. The attack was widespread and cost billions. Responsibility for it lies directly with North Korea," Bossert said[4].

As the adviser explained, his statement is not unfounded and is based on evidence obtained during the investigation. British intelligence agencies and specialists from a number of private companies also concluded that the DPRK was involved in the WannaCry attacks, Bossert said.

As digital technology becomes ubiquitous, attackers begin to use it for their own purposes. Cyberspace attacks allow them to remain anonymous and cover their tracks. Through cyber attacks, criminals steal intellectual property and cause damage in every sector, the adviser noted.

Distribution in the world

2022: Virus traffic up 800%

Vulnerabilities that allow the spread of WannaCry malware, even five years after discovery, remain a significant threat. This is evidenced by a study by IBM, the results of which were released on February 22, 2023.

The WannaCry ransomware virus appeared in 2017 and made a lot of noise. As reported in the IBM report, in 2022 the traffic of this malware jumped by 800%. According to the data received, the surge in WannaCry activity occurred in April 2022, after which the intensity of attacks remained high. Most attacks target manufacturing, healthcare and the aviation sector. Attackers are introducing WannaCry into companies' IT infrastructures for ransom.

Five years after its appearance, the WannaCry virus is still functioning

"The continued use of old exploits emphasizes the need for organizations to improve their vulnerability remediation processes, including a better understanding of attack vectors and prioritizing risk-based fixes," IBM said in the report.

It is estimated that cybercriminals have access to more than 78 thousand different exploits, which simplifies the use of old holes in software. In 2022, the number of attacks aimed at intercepting e-mail increased sharply: the intensity of such campaigns doubled compared with 2021. IBM says attackers use these tactics to deliver the Emotet, Qakbot and IcedID malware, which often leads to ransomware infections.

"The findings suggest that outdated exploits allow malware such as WannaCry and Conficker to continue to exist and spread. Moreover, the average time for a successful ransomware attack [in 2022] has decreased from two months to less than four days," the study notes.[5]

2019: WannaCry accounted for 35% of cyber attacks on industrial plants

WannaCry accounted for 35% of cyber attacks on industrial enterprises around the world in 2019. This was reported in a study by Kaspersky Lab, which was published in April 2020.

According to experts, ransomware continues to pose a significant threat to industrial automation systems. At the same time, WannaCry is still a serious threat, although almost three years have passed since its epidemic.

WannaCry continues to spread over the Internet and continues to pose a serious threat, including to industrial automation systems.

Among all users of Kaspersky Lab products attacked by ransomware Trojans in 2019, more than 23% were attacked by the WannaCry malware (listed in the antivirus database as Trojan-Ransom.Win32.Wanna).

The vulnerabilities discovered by specialists in 2019 were found in the software most frequently used in industrial automation, industrial control systems and the Internet of Things (IoT). Gaps were recorded in remote administration tools (34), SCADA (18), backup software (10), as well as in IoT products, smart building solutions, PLCs and other industrial components.

The published report claims that the percentage of ACS computers on which experts found malware was 43.1%.

In most cases, the attacked system did not have an installed MS17-010 security update, which allowed WannaCry to successfully exploit the vulnerability in the SMB v1 service. However, the malicious code was not launched because it was blocked by a Kaspersky Lab product.

The vast majority of ACS computers attacked by WannaCry ran Windows 7 and Windows Server 2008 R2. Extended support for these products was discontinued in January 2020. This causes particular concern, since updates for such OS are released only in emergency cases, the company noted.[6]

First place among all ransomware

Even a few years after the massive campaign using the WannaCry ransomware, which affected many users in more than 100 countries around the world, the malware still continues to infect devices, and in 2019 it ranked first among all ransomware. This became known on January 10, 2020.

According to a study by specialists from Precise Security, more than 23.5% of all ransomware attacks in 2019 were related to WannaCry, and spam and phishing emails remained the most common source of infection.

Among the factors leading to infection, experts indicate spam/phishing emails (67%), lack of cybersecurity skills (36%), unreliable passwords (30%). Only 16% of infections were carried out through malicious sites and advertising.

Like other ransomware, WannaCry encrypts files stored on the device and requires users to pay for the decryption key.

The number of ransomware attacks against government agencies, health care, power and education organizations continues to grow, researchers report. While simple ransomware locks devices in a straightforward way, more advanced malware such as WannaCry uses the cryptovirus ransomware method[7].

Presence on hundreds of thousands of computers worldwide

On December 26, 2018, it became known that 18 months after the large-scale epidemic of the WannaCry ransomware, which affected many users in more than 100 countries of the world, the malware is still present on hundreds of thousands of computers, according to data from Kryptos Logic.

According to Kryptos Logic, every week more than 17 million attempts to connect to the kill-switch domain are recorded, coming from more than 630 thousand unique IP addresses in 194 countries. China, Indonesia, Vietnam, India and Russia lead in the number of connection attempts. As one might expect, the number of attempts is higher on weekdays than at weekends.

The presence of ransomware on so many computers can turn into a serious problem - one large-scale network failure is enough to activate it, experts emphasize.

Earlier, Kryptos Logic introduced the free TellTale service, which allows organizations to monitor for WannaCry infection or other known threats[8].

Attack on TSMC

The world's largest chipmaker TSMC has lost $85 million due to the WannaCry virus. The company announced this in a financial report sent to the Taiwan Stock Exchange (TSE). Read more here.

Attack on Boeing

On March 28, 2018, Boeing was attacked using the infamous WannaCry ransomware. According to senior engineer Mike VanderWel, the ransomware hit Boeing systems in North Charleston, South Carolina, USA and began to spread rapidly.

"I heard that the 777 automated spar assembly tools could have gone down," [9] quoted the engineer as saying[10].

VanderWel also expressed concern that the malware may have infected aircraft testing equipment and "spread to aircraft software." Nevertheless, according to Linda Mills, vice president of Boeing, press reports of the incident are inaccurate and the danger is greatly exaggerated.

"Our cyber security center found a limited intrusion of malware affecting a small number of systems. All necessary measures were taken, and no problems with production processes or deliveries arose," Mills said.

Attack on LG Electronics

In August 2017, the malware attacked LG Electronics service centers and disabled their self-service kiosks. The company reported the incident to the Korean Internet and Security Agency (KISA), which managed to take control of the situation because the attack was at the initial stage[11].

According to a spokesman for LG Electronics to the Korea Herald, the ransomware's attempt to attack the company failed. The immediate shutdown of service center networks avoided data encryption and ransom demands. According to KISA, the kiosks were infected with WannaCry, however, how the malware hit the systems is unknown. Perhaps someone purposefully installed the program on devices. It is also possible that the attackers fraudulently forced one of the employees to download the malware.

Attacks on automakers

On June 21, 2017, Honda Motor announced the suspension of car production at one of its factories after an attack by the WannaCry ransomware virus on the computer systems of the Japanese manufacturer.

This is the Honda plant located in the city of Sayama (Saitama Prefecture, Japan, northwest of Tokyo). The Honda Accord sedan, the Honda Odyssey minivan and the Honda Step Wagon are produced there. The plant's daily output is about 1000 vehicles.

Honda shut down plant after WannaCry virus attack

As a Honda spokeswoman told Reuters, on June 18, 2017, the company discovered that the WannaCry malware had hit the company's networks in Japan, North America, Europe, China and other regions, despite measures taken in mid-May to ensure system security.

The production line management system at the Sayama plant was hit by the ransomware virus. The attackers demanded a reward for unlocking the data.

As a result, the plant was closed for a day; on June 20, 2017, normal work resumed. Other Honda production facilities functioned normally.

As a result of the spread of WannaCry, more than 200 thousand computers in 150 countries were locked. In addition to Honda, other automakers suffered from the virus, including Renault and Nissan Motor, which, because of the cyber attacks, were forced to temporarily freeze production at factories in Japan, Great Britain, France, Romania and India.

Although WannaCry attacked Windows computers, automakers had concerns that the virus could disrupt automotive electronics. Tal Ben-David, vice president of Karamba Security, which offers security software for networked and self-driving cars, believes that for machine security, companies should set reliable factory settings without the possibility of change.[12]

Infection of road cameras

In June 2017, the makers of the infamous WannaCry ransomware virus unwittingly helped Australian drivers avoid speeding fines, BBC News reported.[13]

Malware that blocked hundreds of thousands of Windows computers around the world in May hit more than five dozen traffic cameras, mostly located in central Melbourne, about a month after the global attack.

In Australia, police canceled 590 fines to drivers due to WannaCry virus

The infection of 55 cameras monitoring compliance with traffic rules on Australia's roads occurred during maintenance on June 6. The employee who carried out the maintenance connected an infected USB drive to the video surveillance system and inadvertently loaded the virus.

WannaCry in the video surveillance system was discovered after police officers noticed that the cameras were rebooting too often. According to Bleeping Computer, the reboots took place every few minutes, but despite this the cameras continued to work and record violations.[14]

As a result of the incident, the police of the Australian state of Victoria canceled 590 fines for speeding and passes at a red traffic light, although law enforcement officers assure that all fines were assigned correctly.

Acting Deputy Commissioner Ross Guenther explained that the public should be fully confident in the correctness of the system, which is why the police made such a decision.

Although the main wave of WannaCry attacks occurred in mid-May 2017, the ransomware continued to cause trouble for about two more months. Earlier, the American information security company KnowBe4 calculated that the damage from WannaCry in the first four days of its spread alone amounted to more than $1 billion, including losses from data loss, reduced productivity, business disruption, reputational harm and other factors.[15]

The first attack on medical equipment

WannaCry became the first ransomware virus to attack not only personal computers of medical institutions, but also medical equipment itself.

On May 17, 2017, Forbes published a screenshot of a Bayer Medrad device infected with WannaCry, the infamous ransomware virus that disabled more than 200,000 Windows computers in 150 countries.

Screenshot of a Bayer Medrad device infected with WannaCry virus, which is used in an MRI examination

Bayer Medrad equipment is used by radiologists to inject a contrast agent into the patient's body during magnetic resonance imaging, the publication explained. In which particular medical institution the picture was taken is not reported. It is only said that the photo was provided by a source in the US health care system, that is, one of the American hospitals.

A Bayer spokesman confirmed that the company was informed about two cases of equipment infection, but which models were affected is not specified.

"In both cases, the devices were restored to operation within 24 hours. When the computer network of a medical institution is compromised, Bayer equipment running Windows and connected to the network can also be infected," the spokesman said.

Usually it is the Windows computers used in medical institutions that suffer from malware; WannaCry in particular hit PCs in nearly five dozen hospitals in Great Britain. The Bayer Medrad incident is the first time that a medical device itself has become a victim of ransomware, Forbes emphasized.

WannaCry was able to penetrate the medical equipment, since it used a version of Windows Embedded as the operating system, which supports the vulnerable SMBv1 protocol, which became the starting point of infection.

On the same day, a number of the largest manufacturers of medical devices, such as Smiths Medical, Medtronic and Johnson & Johnson, distributed warnings about the threat of infection, but there was no information about incidents with their equipment.[16]

Kaspersky calls for the introduction of state certification of software for medical institutions

During the recent CeBIT Australia exhibition, Evgeny Kaspersky, head of the antivirus software manufacturer Kaspersky Lab, shared some thoughts on the WannaCry ransomware virus. Hundreds of thousands of users from 150 countries have suffered from the latter, writes ZDNet[17].

Considering that WannaCry hit the networks of medical institutions first of all, their protection is of paramount importance, the head of the antivirus company believes, and this requires government intervention. "The thought does not leave me that governments should pay more attention to regulating cyberspace, at least where critical health infrastructure is concerned," Eugene said.

In his opinion, certification of medical institutions should include certain requirements that guarantee the protection of valuable data. One of them is obtaining special permits certifying that a particular clinic undertakes to back up data on schedule and to apply OS updates on time. In addition, the state should draw up a list of mandatory systems and applications for use in the health sector (together with the specifications they require for a secure Internet connection).

Evgeny Kaspersky believes that equipment supplied by manufacturers of medical devices should also comply with the requirements of state bodies. "Manufacturers of medical equipment produce certified products that cannot be modified under the terms of the contract. In many cases, these requirements do not allow you to replace or update the software in such equipment. It is not surprising that Windows XP can remain unpatched for many years, if not forever," says the expert.

Distribution map and damage from WannaCry ransomware

American experts assessed the damage from the large-scale hacker attack that hit the computer systems of government agencies, large corporations and other institutions in 150 countries in early May 2017. This damage, KnowBe4's analysts are sure, amounted to $1 billion. According to their data, WannaCry hit between 200 thousand and 300 thousand computers in total.

"The estimated damage caused by WannaCry in the first four days exceeded $1 billion, given the large-scale downtime it caused at large organizations around the world," said KnowBe4 CEO Stu Sjouwerman. The overall damage assessment includes data loss, performance degradation, downtime, legal costs, reputational damage and other factors.
Data as of 18.05.2017

Distribution in Russia

Russia entered the top three countries in the spread of the virus

At the end of May 2017, Kryptos Logic, which develops cyber security solutions, published a study showing that Russia was among the top three countries with the most hacker attacks using the WannaCry ransomware virus.

Kryptos Logic's conclusions are based on the number of requests to the kill-switch domain, which prevents infection. In the period from May 12 to May 26, 2017, experts recorded about 14-16 million requests.

Chart showing countries with highest WannaCry virus spread in first two weeks, Kryptos Logic data

In the early days of the massive spread of WannaCry, antivirus companies reported that most (from 50% to 75%) of cyber attacks using this virus occurred in Russia. However, according to Kryptos Logic, China was the leader in this respect, with 6.2 million requests to the kill-switch domain recorded from it. The figure for the United States was 1.1 million, and for Russia 1 million.

The top ten countries with the highest WannaCry activity also included India (0.54 million), Taiwan (0.375 million), Mexico (0.3 million), Ukraine (0.238 million), the Philippines (0.231 million), Hong Kong (0.192 million) and Brazil (0.191 million).

Experts explain the fact that the most attempts to infect computers with the WannaCry virus were recorded in China by the slow penetration of the Windows 10 operating system: by the end of May 2017, most PCs in the country were still running Windows 7 or Windows XP.

According to Kaspersky Lab, more than 98% of WannaCry-affected computers run Windows 7. Kryptos Logic confirmed that the worm does indeed infect mainly devices running the "seven," since other operating systems (even the outdated Windows XP) are much less vulnerable to this virus and, when infection is attempted, either simply prevent the malware from installing or disable the computer by crashing to the "blue screen of death."[18]

Head of the Ministry of Communications: WannaCry did not hit Russian software

The WannaCry virus did not affect Russian software, but found weaknesses in foreign software, said Russian Minister of Communications and Mass Media Nikolai Nikiforov in the Vesti.Ekonomika program in May 2017.

He admitted that some state-owned enterprises had problems because of this virus. Therefore, information technologies operating in Russia should be "our technologies, Russian," Nikiforov emphasized.

"Moreover, we have scientific and technical potential. We are one of the few countries that, with some efforts, organizational, financial, technical, is able to create the entire stack of technologies that allow you to feel confident," the minister said.
"The virus did not affect domestic software, the virus affected foreign software, which we use en masse," he stressed.

Security Council of the Russian Federation: WannaCry did not cause serious damage to Russia

The Security Council of the Russian Federation assessed the damage that the WannaCry virus caused to the infrastructure of Russia. According to the Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov, the WannaCry virus did not cause serious damage to the facilities of Russia's critical information infrastructure.

These facilities include information systems in the defense industry, health care, transport, communications, credit and financial sector, power and others.

Khramov recalled that in order to reliably protect its own critical information infrastructure, in accordance with the decree of the President of the Russian Federation, a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation is being consistently created.

"Thanks to the mentioned state system, serious damage was avoided. The critical information infrastructure turned out to be ready to resist the large-scale spread of this virus," Oleg Khramov said.[19][20]

At the same time, the Deputy Secretary of the Security Council of the Russian Federation stressed that such threats to information security are becoming more sophisticated and large-scale.

Attack on the Ministry of Internal Affairs

On May 12, 2017, it became known about the WannaCry virus attack on computers of the Ministry of Internal Affairs (MIA) of Russia. 1% of the department's systems turned out to be infected.

As RIA Novosti reported, citing the official representative of the Ministry of Internal Affairs of the Russian Federation Irina Volk, the Department of Information Technology, Communications and Information Protection (DITSiZI) of the Ministry of Internal Affairs of Russia recorded a virus attack on the department's personal computers running the Windows operating system.

Russia's Interior Ministry says its servers were hacked on May 12
"Thanks to timely measures taken, about a thousand infected computers were blocked, which is less than 1%. At the moment, the virus is localized, technical work is underway to destroy it and update antivirus protection tools," Volk said on May 12, 2017.

She also noted that WannaCry could not infect the server resources of the Ministry of Internal Affairs, since they use other operating systems and servers based on Russian Elbrus processors. [21]

A number of personal computers of the department's employees were infected with WannaCry because employees violated the rules for using information systems. The infection was caused by attempts by Ministry of Internal Affairs employees to connect office computers to the Internet "through one or another mechanism." Only employees' personal computers turned out to be infected; the internal network of the Ministry of Internal Affairs is protected from external influences.

Attack on the "big three"

On May 12, 2017, MegaFon reported a hacker attack on its computers using a virus. The operator claims that it managed to avoid serious consequences thanks to measures taken in time.

"For some time, the work of call center operators was blocked, they could not turn on their computers, there were problems at retail points. Therefore, we were forced inside our network to partially disconnect entire networks so that the virus would not spread," Petr Lidov, director of public relations at the company, told RIA Novosti.

MegaFon repelled the attack thanks to the use of virtualization technologies (users' file resources are placed in a secure "cloud") and technological measures that limit the spread of the virus. An MTS spokesman told the TASS news agency that attacks on the operator's employees' computers were recorded at night. "We repelled them," he added.

VimpelCom also announced that it had successfully repelled the attack. The press service of Rostelecom reported that the company recorded the fact of the attack.

After the WannaCry attack, Megafon's subsidiary is looking for new Chief information officers

Megafon.Retail, the retail subsidiary of the mobile operator MegaFon, in May 2017 began searching for new managers and specialists for its IT division. The vacancies are posted by Megafon in the Headhunter.ru database[22].

In Moscow, a search is underway for candidates for the positions of "IT manager" and "information technology director" of Megafon.Retail. These vacancies were opened between May 17 and May 26, 2017. The specialists sought by the company should be responsible for the effective organization of IT, the uninterrupted operation of IT services and infrastructure, the implementation of federal IT projects, etc.

The publication "Роем.ру" links the opening of vacancies for IT managers of "Megafon.Retail" with the global attack of the ransomware virus WannaCry, which began on May 12, 2017.

Attack on Sberbank

Sberbank said that it had recorded attempts at a hacker attack on its infrastructure, but all of them were repelled. "Information security systems timely recorded attempts to penetrate the bank's infrastructure. The bank's network provides protection against such attacks. No viruses entered the system," Sberbank said in a statement to RBC. It also emphasizes that in connection with reports of virus attacks, the bank's services responsible for cybersecurity have been put on high alert.

Successors to WannaCry

EternalBlue exploit on Windows 10

RiskSense published a lengthy report in June 2017 on how the EternalBlue exploit could be made to work in a Windows 10 environment, where it did not previously function.

EternalBlue is one of the NSA exploits stolen from the Equation Group in 2016. In mid-April 2017, this exploit, along with several others, was distributed by The Shadow Brokers. Soon after, there was a global epidemic of the WannaCry ransomware, which used this exploit.[23]

In the published document, the researchers showed how they managed to bypass the Windows 10 protection mechanisms, in particular by devising a new way to bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Adylkuzz and Uiwix viruses

Proofpoint has discovered the Adylkuzz virus, which exploits the same vulnerability in Windows as WannaCry. The virus steals cryptocurrency and has already hit more than 200 thousand computers. At the same time, the hackers who created Adylkuzz have already earned about $43,000.[24]

The researchers note that Adylkuzz launched attacks before WannaCry, at least from May 2 and possibly from April 24. The virus did not attract as much attention because it is much harder to notice. The only "symptom" the victim may notice is a slowdown of the PC, as the virus consumes system resources.

At the same time, Adylkuzz protected the users it infected from WannaCry attacks, as it closed the gap in Windows it had used and did not allow another virus to take advantage of it.

In addition, after WannaCry, another ransomware appeared, Uiwix, which exploits the same widely publicized vulnerability in Windows. This was stated by specialists from Heimdal Security.

Uiwix, unlike numerous WannaCry imitators, really encrypts victims' files and poses a real threat. In addition, Uiwix has no kill-switch mechanism, so it is impossible to stop its spread by registering a specific domain.

This virus encrypts the victims' data and demands a ransom of 0.11943 bitcoin (about $215 at the exchange rate at the time).

Attempts to cash in on WannaCry from creators of other viruses

In June 2017, researchers from RiskIQ discovered hundreds of mobile applications posing as protection against the WannaCry ransomware that in fact turned out to be useless at best and malicious at worst. Such applications are part of a larger problem: fake mobile antiviruses.

Errors in WannaCry code

The WannaCry code was full of bugs and of very poor quality. The quality is so low that some victims can regain access to their original files even after they have been encrypted.

A WannaCry analysis by researchers at Kaspersky Lab, which specializes in security, found that most of the errors mean that files can be restored using publicly available software tools or even simple commands.[25][26]

In one case, an error in WannaCry's handling of read-only files means that it cannot encrypt such files at all. Instead, the ransomware creates encrypted copies of the victim's files. In this case, the original files remain untouched, but are marked as hidden. This means that the files are easy to recover by simply removing the "hidden" attribute.

This is not the only example of poor WannaCry coding. Once the ransomware is on the system, files that its developers do not consider important are moved to a temporary folder. These files contain the original data, which is not overwritten but only deleted from the disk. This means that they can be brought back using data recovery software. Unfortunately, if the files are in an "important" folder such as Documents or Desktop, WannaCry writes random data over the original files, in which case it is not possible to restore them.

However, the many errors in the code give hope to those affected, since the amateur nature of the ransomware provides ample opportunities for recovering at least some files.

"If you have been infected with the WannaCry ransomware, you are likely to be able to recover many files on your affected computer. We recommend that individuals and organizations use file recovery utilities on affected machines on their network, "said Anton Ivanov, a security researcher at Kaspersky Lab.

This is not the first time WannaCry has been characterized as some kind of amateur form of ransomware. And the fact that three weeks after the attack, only a minuscule share of infected victims paid a total of $120 thousand in bitcoins in the form of a ransom allows us to argue that the ransomware, although it caused a massive stir, failed to get a lot of money, which is the ultimate goal of ransomware.

WannaCry Removal Tool

Windows XP is one of the vulnerable operating systems affected by the WannaCry ransomware. Despite the release of updates that fix the vulnerability, a huge number of computers have become victims of the malware. Fortunately, French security researcher Adrien Guinet has developed a tool to recover from WannaCry without paying a ransom.

It is worth noting that the tool works only if the computer has not been restarted since the system was infected. If the system was restarted after WannaCry encrypted the files, Guinet's program will be useless.

The tool developed by the researcher looks for the decryption key in the computer's own memory and is able to recover the primes of the private RSA key that WannaCry used when encrypting the victim's files. As Guinet explained, his tool searches the memory of the wcry.exe process, which generates the private RSA key, for those prime numbers.

After the private key is encrypted, its unencrypted version is released from the memory of the infected computer with the CryptReleaseContext function. However, as the researcher explained, CryptDestroyKey and CryptReleaseContext only discard the handle pointing to the key, not the numbers themselves, so the private key can still be extracted from memory.

The program works only on Windows XP and has not been tested on other versions of the OS. You can download the tool from the GitHub repository.
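The prime-search idea behind Guinet's tool, shown here as an added Python example that is neither his code nor from the original page: the toy key, the memory "dump" and the offset are all constructed, and the only assumption is CryptoAPI's little-endian storage of the two primes.

```python
import random
from math import gcd

# Constructed toy key for the demonstration (NOT the real WannaCry RSA-2048 key):
# two known Mersenne primes stand in for the primes the tool hunts for.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q            # the modulus from the ransomware's embedded public key
E = 65537
PRIME_LEN = 8        # CryptoAPI stores p and q at equal width; 128 bytes for RSA-2048

def build_fake_dump(prime, prime_len=PRIME_LEN, size=4096, offset=1000):
    """Constructed stand-in for wcry.exe process memory: seeded random bytes with the
    little-endian prime still present, as CryptReleaseContext leaves it (assumed layout)."""
    rng = random.Random(0x57616E6E)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + prime_len] = prime.to_bytes(prime_len, "little")
    return bytes(buf)

def find_prime_in_dump(dump, n, prime_len=PRIME_LEN):
    """Slide a prime_len window over the dump. A window whose little-endian value is a
    non-trivial divisor of n must be p or q: the key handle is gone, the raw prime is not."""
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None

def rebuild_private_key(n, e, p):
    """Given one recovered prime, derive the other prime and the private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("candidate does not divide the modulus")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return d, p, q

def demo():
    """Round trip: encrypt a stand-in per-file key with the public key, recover the
    private key from the 'dump', and check that decryption gives the key back."""
    dump = build_fake_dump(P)
    off, prime = find_prime_in_dump(dump, N)
    d, p, q = rebuild_private_key(N, E, prime)
    file_key = 0x1234567890ABCDEF          # constructed; must be smaller than N
    ciphertext = pow(file_key, E, N)       # what the ransomware leaves behind
    return pow(ciphertext, d, N) == file_key

if __name__ == "__main__":
    print("recovered and decrypted:", demo())
```

Against a real process dump the window width would be 128 bytes and the modulus would be read from the public key the ransomware drops; the divisibility test is the same.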

How to protect your computer from infection?

  • Install all Microsoft Windows updates.
  • Ensure that all network nodes are protected by comprehensive antivirus software. We recommend heuristic-based technologies that allow you to detect new threats and provide protection against so-called zero-day attacks. This increases security if previously unknown malware enters the system.
  • Stop using Microsoft Windows operating systems that are not supported by the manufacturer. Before replacing legacy operating systems, use an update released by Microsoft for Windows XP, Windows 8, and Windows Server 2003.
  • Use services to access information about the latest threats.
  • If an infection is suspected, disconnect the infected workstations from the corporate network and contact your antivirus solution provider's technical support for further advice.

See also: Protection against targeted ransomware attacks.

See also

Notes

  1. The WannaCry ransomware epidemic: what happened and how to protect yourself
  2. WannaCry ransomware used in widespread attacks all over the world
  3. Adapted from gazeta.ru
  4. The United States officially accused the DPRK of WannaCry attacks
  5. IBM Report: Ransomware Persisted Despite Improved Detection in 2022
  6. About 35% of cyber attacks on industrial enterprises in 2019 fell on the WannaCry virus
  7. has become the most dangerous ransomware in 2019
  8. After 1.5 years, the WannaCry ransomware is still present on hundreds of thousands of computers
  9. CNet: Boeing a new victim of WannaCry, https://www.securitylab.ru/news/492346.php
  10. See note 9.
  11. The WannaCry ransomware is back to its old ways
  12. Honda halts Japan car plant after WannaCry virus hits computer network
  13. WannaCry helps speeding drivers dodge fines in Australia
  14. WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia
  15. Here’s one tally of the losses from WannaCry ransomware global attack
  16. Medical Devices Hit By Ransomware For The First Time In US Hospitals
  17. Kaspersky, calling for the introduction of state certification of software for medical institutions
  18. WannaCry: Two Weeks and 16 Million Averted Ransoms Later
  19. According to the materials of the Kommersant newspaper.
  20. See note 19.
  21. Interior Ministry computers subjected to cyber attack
  22. After the WannaCry attack, Megafon's subsidiary is looking for new Chief information officers
  23. Experts found out which OS will become a new victim of WannaCry.
  24. According to xakep.ru, TASS Information Agency of Russia, PLUSworld.ru
  25. Errors in WannaCry give its victims a chance to return their files, https://www.weekit.ru/security/article/detail.php?ID=195737
  26. See note 25.