“I want to cry”: the virus attacked the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, Russian Railways, Sberbank and Megafon. The Ministry of Internal Affairs, Megafon and hospitals: computers around the world are affected by a new encryption virus


  • 12 May 2017, 19:43 Computer systems of the Ministry of Internal Affairs and Megafon were subject to a virus attack

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed that departmental computers had been infected. According to him, this concerns departments in several regions.

Previously, information about a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, this is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user’s files, changes their extension and requires the user to buy a special decryptor for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different than previous versions.”

The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.

Varlamov’s website notes that information has also appeared about the infection of computers in public hospitals in several regions of the UK and about an attack on the Spanish telecommunications company Telefonica. In both cases, the virus also asks for payment.

The company noted that an update released in March already provided additional protection against such viruses.

"Users of our free antivirus and the updated version of Windows are protected. We are working with users to provide additional help," the company added.

Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus uses a Windows network vulnerability that Microsoft specialists closed back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to the press secretary of the Ministry of Internal Affairs, Irina Volk, the Ministry's Department of Information Technologies, Communications and Information Protection recorded a virus attack on the Ministry's computers running the Windows operating system.

“Thanks to the timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the server resources of the Ministry of Internal Affairs were not infected because they work on other operating systems.

"At the moment the virus has been localized, and technical work is being carried out to destroy it and update the antivirus protection tools," said the press secretary of the ministry.

More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.

At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. According to the exchange rate of $1,740 for one bitcoin at 22:00 Moscow time, this amount is $6,090.

Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

Three wallets received 20 transactions on May 12. Mostly, 0.16-0.17 bitcoins were transferred to them, which equals approximately $300. The hackers demanded payment of this amount in a pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

IT company Avast reported that the WanaCrypt0r 2.0 virus infected 75 thousand computers in 99 countries, according to the organization’s website.

Most of the infected computers are in Russia, Ukraine and Taiwan.

Thirteen hours ago, the blog of computer security specialist Brian Krebs carried an entry about bitcoin transfers to the hackers totaling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days, more than 200 thousand computers in 150 countries have already been infected with the WannaCry virus, Rob Wainwright, director of the European police agency Europol, said in an interview with the British TV channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. The latest estimates are that there are 200,000 victims in at least 150 countries, including businesses, including large corporations,” Wainwright said.

He suggested that the number of infected computers would likely increase significantly when people returned to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, Xinhua reports, citing data from the Computer Threat Assessment Center of Qihoo 360.

According to researchers, computers at more than 4,340 universities and other educational institutions were affected. Infections were also observed on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

“There was no significant damage for us, for our institutions - neither for banking, nor for the healthcare system, nor for others,” he said.

“As for the source of these threats, in my opinion, Microsoft management directly stated this, they said that the primary source of this virus is the intelligence services of the United States, Russia has absolutely nothing to do with it. It’s strange for me to hear something different under these conditions,” the president added.

Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”

Clones of the WannaCry virus have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes with reference to Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware virus, but by other hackers who are trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about clones of the virus. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab's estimates, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to the specialized website of Kaspersky Lab.

Company specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message indicates similarities between the two samples: they share common code. The tweet refers to a sample of the WannaCry encryptor dated February 2017 and a sample from the Lazarus group dated February 2015.

“The detective story is getting tighter and tighter and now the same code has been found in #WannaCry and in the Trojans from Lazarus,” -

Suddenly, a window appears on the screen of your Windows computer informing you that user files are encrypted, and they can only be decrypted by paying the hackers a ransom of $300. This must be done within three days, otherwise the price will double, and after a week the data will be deleted permanently. Or rather, they will physically remain on the disk, but it will be impossible to decrypt them. To demonstrate that the data can indeed be decrypted, a “free demo” is offered.

Example of a computer hacking message

What is encryption

You can encrypt any data on your computer. Since it all consists of files, that is, sequences of zeros and ones, you can write the same zeros and ones in a different sequence. Let's say we agree that instead of each sequence “11001100” we will write “00001111”; then later, seeing “00001111” in the encrypted file, we will know that it is actually “11001100”, and we can easily decrypt the data. The information about what is changed to what is called the encryption key, and, alas, in this case only the hackers have the key. It is individual for each victim and is sent only after payment for the “services”.

Is it possible to catch hackers?

In this case, the ransom must be paid using bitcoins, an electronic cryptocurrency. The essence of using Bitcoin, in a nutshell, is that payment data is transmitted through a chain of servers in such a way that each intermediate server does not know who the original sender and recipient of the payment are. Therefore, firstly, the final “beneficiary” is always completely anonymous, and secondly, the transfer of money cannot be challenged or canceled, that is, the hacker, receiving the ransom, does not risk anything. The ability to receive large amounts of money quickly and with impunity motivates hackers to find new ways to hack.

How to protect yourself from hacking

In general, ransomware has been around for ten years - as a rule, it used to take the form of “Trojan horses”. That is, the ransomware was installed by the user out of his own stupidity, for example, under the guise of a “crack” for hacking an expensive office suite or a set of new levels for a popular game, downloaded from somewhere unknown. Basic computer hygiene protects against such Trojans.

However, now we are talking about a virus attack (the Wanna Decrypt0r 2.0 virus) that exploits vulnerabilities in Windows operating systems and in the network file transfer protocol (SMB), due to which all computers within the local network are infected. Antiviruses are silent; their developers do not yet know what to do and are only studying the situation. So the only means of protection is regularly creating backup copies of important files and storing them on external hard drives disconnected from the Internet. You can also use less vulnerable operating systems - Linux or Mac OS.

“Today our specialists have added an update - detection and protection against a new malware known as Ransom: Win32.WannaCrypt. In March, we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and updated Windows versions are protected. We are working with users to provide additional assistance."

Kristina Davydova

Microsoft Russia press secretary

How to save files

If the files are already encrypted and there is no backup copy, then, unfortunately, you will have to pay. However, there is no guarantee that hackers will not encrypt them again.

The hack will not lead to any global cataclysms: without local accounting, acts or reports things are, of course, difficult, but trains run and MegaFon’s network works without failures. No one entrusts critical data to ordinary Windows-based office PCs, and the servers either have multi-stage protection against hacking (down to hardware protection at the router level) or are completely isolated from the Internet and from the local networks to which employee computers are connected. By the way, precisely in case of cyber attacks, important data of government agencies is stored on servers running special cryptographically hardened builds of Linux that have the appropriate certification, and the Ministry of Internal Affairs also runs these servers on Russian "Elbrus" processors, for whose architecture the attackers definitely do not have compiled virus code.

What will happen next

The more people suffer from the virus, the better, paradoxically: this will be a good lesson in cybersecurity and a reminder of the need for constant data backups. After all, data can not only be destroyed by hackers (in 1000 and 1 other ways), but also lost due to the physical loss of the medium on which it was stored, and then you will only have yourself to blame. You would be glad to pay both 300 and 600 dollars for the work of your whole life, but there will be no one to pay!

The alarming red and white screensaver appeared on thousands of computers across the planet in a matter of hours. An Internet virus called WannaCry (“I want to cry”) has encrypted millions of documents, photographs and archives. To regain access to their own files, users are asked to pay a ransom within three days: initially $300, then the amount increases. Moreover, payment is demanded in virtual currency, in bitcoins, so that the payment cannot be tracked.

About a hundred countries were attacked. The ransomware virus started in Europe. In Spain it hit the Telefonica company, Iberica bank, the gas company Gas Natural and the FedEx delivery service. WannaCry was later recorded in Singapore, Taiwan and China, after which it reached Australia and Latin America, as well as the Andhra Pradesh police in India.

In Russia, the virus tried to blackmail Megafon, VimpelCom, Sberbank and Russian Railways, and, among government agencies, the Ministry of Health, the Ministry of Emergency Situations and the Ministry of Internal Affairs. However, they say everywhere that the attacks were promptly tracked and repelled, and there were no data leaks.

"The virus has been localized, technical work is being carried out to destroy it and update anti-virus protection tools. It is worth noting that the leak of official information from the information resources of the Russian Ministry of Internal Affairs is completely excluded,” said Irina Volk, official representative of the Russian Ministry of Internal Affairs.

“The goals are very difficult to understand. I think they are not political goals, these are obvious scammers who were simply trying to make money from this business. That’s what they say, they demand money, this is a ransomware virus. We can assume that the goal is financial,” said Natalya Kasperskaya, president of the InfoWatch holding.

But who are these scammers? Versions about the nature of the virus are put forward depending on the degree of freshness of mind or inflammation of the brain. Who would doubt that someone would immediately start looking for Russian hackers. They say that Russia was actively attacked like no other. So these are Russians. Well, the saying “I’ll freeze my ears to spite my mother” is, of course, from our folklore.

The virus was first detected in February. And even the Air Force says that its roots come from the US National Security Agency, where methods for testing the resilience of Windows systems were developed, but the code ended up in the hands of the scammers. Russian experts also talk about American origin. They just say that the roots are not in the NSA, but in the US CIA.

“There are some details that show that the virus is most likely not Russian. Firstly, we know that its original is fake, it is from the CIA’s military tools, and secondly, that even those who updated it and launched it into work are, most likely, not Russians, because among the formats in which it works, there is not one of the most popular formats in our country - the 1C file. If these were real Russian hackers who would like to infect as many as possible, they would use 1C, of course,” says Igor Ashmanov, CEO of the company Ashmanov and Partners and a developer of artificial intelligence and information security systems.

So, maybe the roots of the virus may be American, but the hack was still done by Russian scammers?

“You have to understand that this virus was posted, its code was leaked by WikiLeaks two months ago. It was sterilized there, but the hackers who took it revived it, sprinkled it with living water and posted it somewhere, for example, on a download site or sent by mail. Perhaps it was just an attempt to check whether these nasty military viruses work,” noted Igor Ashmanov.

Meanwhile, the well-known Edward Snowden claims that the American intelligence services, more precisely the NSA, are themselves involved in this cyber attack. According to another version from the same Air Force, the attack could have been carried out by ideological opponents of President Trump. If so, then these are “wonderful people.” In the struggle for the triumph of philanthropy, social facilities were also hit. In Brazil, the blow fell on the social security system.

And in Britain, the blow fell on the NHS - the National Health Service. Operations have been stopped in many hospitals; only ambulances are operating. Even Prime Minister Theresa May made a special address.

It seems that the virus was indeed aimed at corporate users. Be that as it may, you should not open a suspicious email, and it is better to back up important documents, photos and videos to external media. And advice from experts: you need to update.

"The fact that the virus spread like wildfire shows that users apparently do not update very much. At the same time, many organizations were infected. And in organizations, as you know, updates are very often centralized. This means that the administrators of these organizations did not monitor updating and closing vulnerabilities. Or the process was structured this way somehow. We can only state that this hole was not closed, although the patch for it was already ready," noted Natalya Kasperskaya.

On Friday, May 12, the WanaCrypt0r 2.0 ransomware virus infected tens of thousands of computers around the world. First, it paralyzed the work of British hospitals and Spanish companies, and then reached Russia, attacking regional departments and. While experts are trying to assess the true scale of the disaster, they are finding out who may be behind the development of the malicious program.

The whole world is at his feet

It must have been a hot morning for the specialists at MalwareHunterTeam who track new viruses and vulnerabilities. At four o'clock in the morning they posted a panicked message that “a new malware, WanaCrypt0r 2.0, is spreading across the network with diabolical speed.”

And they were right more than ever - in just a couple of hours, the ransomware attacked dozens of countries. Starting from Spain and Portugal, where it paralyzed the work of the large telecom operator Telefonica and went through the gas company Gas Natural, the electricity grid operator Iberdrola and the Iberica bank, the malware spread to the internal networks of British hospitals; then it was detected in Singapore, Taiwan and China, after which it spread throughout the world, even reaching Australia and Latin America.

One of the specialists noted that tens of thousands of computers in 74 countries around the world were infected and this number continues to grow. Another emphasized that the world may have witnessed the biggest virus attack in history.

Screenshot: MalwareTech

In Russia, the first message about WanaCrypt0r appeared on the Pikabu portal - its author claimed that the ransomware had hit the Ministry of Internal Affairs network. The ministry first stated that they were carrying out some “technical work on the internal circuit,” but then admitted the fact of the attack, although the servers were infected with a virus.

Cases of infection in the regional departments of the Ministry of Internal Affairs and the Investigative Committee were also acknowledged by Lenta.ru’s source in law enforcement agencies. True, he did not specify whether the internal networks of the departments were affected. He also could not confirm rumors that some hackers spent more than an hour downloading information from the federal information registration system (FISM), where all the data of car owners and cars is entered, or whether these attackers are connected with the distribution of WanaCrypt0r.

The mobile operator MegaFon also became a victim of the ransomware. Company representative Peter Lidov-Petrovsky, in a conversation with Lenta.ru, explained that the company’s computers were subjected to mass infection, since they are interconnected by an internal network. As a result, technical support stopped working, because operators could not use computers and take calls, and problems arose with customer service in Megafon stores.

Pay, don't skimp

Cybersecurity experts unanimously claim that, at its core, WanaCrypt0r 2.0 is a very standard ransomware Trojan. Once on the victim’s computer, it encrypts all data on the hard drive and demands that $300 in bitcoins be sent to the attackers. Three days are given for reflection, after which the ransom amount is doubled, and after a week the files will remain encrypted forever.

Nevertheless, several experts note a well-designed and very “friendly” interface of the malware with support for dozens of languages, including English, Russian, Spanish, Chinese and even Romanian.

Another interesting feature is that the virus only infects Windows computers. Experts believe that users who have not installed the latest operating system updates are at maximum risk.

Many users noted that a few days before the virus encrypted all files on their computers, the system either restarted uncontrollably or required a computer reboot due to some critical error, carefully reminding users of the need to save all important work files.

Victims also reported that antiviruses are unable to detect WanaCrypt0r 2.0, that a full encryption cycle takes it about four hours, and that no third-party programs are visible in the process window. Some tried to format the hard drive or reinstall Windows, but after a while a message again appeared on the screen demanding to pay a ransom.

Experts remind that ransomware viruses usually hide in text files or PDF documents and are distributed by mail. The head of the cybercrime investigation company Group IB also thinks so. According to him, such malware most often spreads through emails, but many victims noted that they had not recently accessed their mail or opened dubious attachments.

Sachkov also suggested that the hackers were unlikely to have infected computers for political reasons. "This is an easy way of monetization, and it is often used by attackers for enrichment purposes,” the specialist concluded.

Who is behind the ransomware?

So far, experts do not know what kind of hacker group developed WanaCrypt0r 2.0 and carried out such a large-scale attack. The attackers clearly took advantage of the fact that many users did not install the latest Windows updates. This is clearly visible in the example of China, which was seriously affected by the virus - as you know, the inhabitants of the Celestial Empire have a special love for pirated operating systems that do not receive updates.

But something is known about the virus itself. The first complaints about WannaCry appeared back in February 2017, but were not widespread. The blog clarifies that WanaCrypt0r 2.0 is a new version of WannaCry that uses a vulnerability codenamed EternalBlue.

It is described in detail in the documents of the hacker group Shadowbrokers, which in mid-April made the tools of American staff publicly available. This means that the creators of the virus could also have gotten hold of the detailed description, which the American intelligence services painstakingly compiled for themselves.

A number of specialists

Malicious software is the name for all software products whose deliberate purpose is to cause damage to the end user.

Attackers keep coming up with new cunning ways of distributing malware, most of which is developed for the Android operating system. At the same time, you can “catch” a virus not only on some dubious site, but also by receiving a message with a link from a person you know (friend, relative, colleague).

One of the modifications of malware for smartphones and tablets based on the Android operating system, once on your mobile device, will first of all send out a link with a friendly message, “Check out the link!” or “My photo for you”, across your entire contact list. Anyone who follows the link will receive the virus on their smartphone.

But most often, criminals pass off Trojans as useful applications.

What is the threat of the virus?

A Trojan horse, once received, can not only send SMS to your friends, but also drain your account. Banking Trojans are among the most dangerous. All owners of gadgets using banking applications may suffer. Users of Android smartphones are most at risk - 98% of mobile banking Trojans are created for this operating system.

When you launch a banking application, the Trojan displays its own interface on top of the real mobile banking interface, and thus steals all the data that the user enters. The most advanced malware can spoof the interfaces of dozens of different mobile banks, payment systems and even messaging systems.

Another important stage in stealing money is the interception of SMS messages with one-time passwords for making payments and transfers. Therefore, Trojans usually need access rights to SMS, and this is why you should be especially careful with applications that request such rights.

Signs that your phone is infected

There are several signs that your phone is infected with malware:

  • Hidden sending of SMS to your contact list - friends, acquaintances and colleagues who have received dubious messages begin to contact you;
  • Rapid spending of money - funds are debited from your personal account faster than usual;
  • Unauthorized debits from a bank card;
  • Lack of SMS from the bank - although you have activated the “SMS-informing” service, you have stopped receiving SMS notifications about debits from your account;
  • The battery drains faster.

How to protect yourself?

  • Regularly check for security updates for your mobile device's operating system and install them in a timely manner;
  • Install anti-virus software on your smartphone or tablet; after installation, update it and scan your mobile device;
  • Use anti-virus software that provides online protection and update it regularly;
  • Download and run applications only from official stores - Play Store, App Store, Google Play and so on;
  • Be careful when granting permissions to applications - programs that ask for access rights to process SMS messages deserve particular suspicion;
  • Think before you click on a link. Stay vigilant: do not open links from letters, SMS or messages in social networks if you are not sure that the message came from a known sender and is safe;
  • If you receive a suspicious SMS with a link from your friend, call him to find out if he sent the message. If not, warn him that his smartphone or tablet is infected with a virus;
  • Be careful on public Wi-Fi networks, and when connecting to a network, make sure it is legitimate;
  • Use complex passwords;
  • In the Settings menu, under Wireless & Networks, click Data Usage: there you can see how much data each application uses and set a limit on data usage;
  • Enable “SMS notification” about debiting funds from your account - not all Trojans intercept SMS.

What to do if money is stolen?

The first thing to do is contact the bank as quickly as possible.






