“I want to cry”: the virus attacked the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, Russian Railways, Sberbank and Megafon. The Ministry of Internal Affairs, Megafon and hospitals: computers around the world are affected by a new encryption virus


Suddenly, a window appears on the screen of your Windows computer informing you that user files are encrypted, and they can only be decrypted by paying the hackers a ransom of $300. This must be done within three days, otherwise the price will double, and after a week the data will be deleted permanently. Or rather, they will physically remain on the disk, but it will be impossible to decrypt them. To demonstrate that the data can indeed be decrypted, a “free demo” is offered.

Example of a computer hacking message

What is encryption

You can encrypt any data on your computer. Since it all consists of files, that is, sequences of zeros and ones, you can write the same zeros and ones in a different sequence. Let's say we agree that instead of each sequence “11001100” we will write “00001111”; then later, seeing “00001111” in the encrypted file, we will know that it is actually “11001100”, and we can easily decrypt the data. The information about what is changed to what is called the encryption key, and, alas, in this case only the hackers have the key. It is individual for each victim and is sent only after payment for the “services”.

Is it possible to catch hackers?

In this case, the ransom must be paid using bitcoins, an electronic cryptocurrency. The essence of using Bitcoin, in a nutshell, is that payment data is transmitted through a chain of servers in such a way that each intermediate server does not know who the original sender and recipient of the payment are. Therefore, firstly, the final “beneficiary” is always completely anonymous, and secondly, the transfer of money cannot be challenged or canceled, that is, the hacker, receiving the ransom, does not risk anything. The ability to receive large amounts of money quickly and with impunity motivates hackers to find new ways to hack.

How to protect yourself from hacking

In general, ransomware has been around for ten years - as a rule, before it was “Trojan horses”. That is, the ransomware was installed by the user out of his own stupidity, for example, under the guise of a “crack” for hacking an expensive office suite or a set of new levels for a popular game, downloaded from somewhere unknown. Basic computer hygiene protects against such Trojans.

However, now we are talking about a virus attack (the Wanna Decrypt0r 2.0 virus), which exploits vulnerabilities in Windows operating systems and network file transfer protocols (SMB), causing all computers on the local network to become infected. Antiviruses are silent, their developers do not yet know what to do and are only studying the situation. So the only means of protection is regularly creating backup copies of important files and storing them on external hard drives disconnected from the Internet. You can also use less vulnerable operating systems - Linux or Mac OS.

“Today our specialists have added an update - detection and protection against a new malware known as Ransom: Win32.WannaCrypt. In March, we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and updated Windows versions are protected. We are working with users to provide additional assistance.”

Kristina Davydova

Microsoft Russia press secretary

How to save files

If the files are already encrypted and there is no backup copy, then, unfortunately, you will have to pay. However, there is no guarantee that hackers will not encrypt them again.

Hacking will not lead to any global cataclysms: without local accounting acts or reports, of course, it’s difficult, but trains run, and MegaFon’s network works without failures - no one trusts critical data to ordinary Windows-based office PCs, and the servers either have multi-stage protection against hacking (down to hardware at the router level), or are completely isolated from the Internet and from the local networks to which employee computers are connected. By the way, precisely in case of cyber attacks, important data of government agencies is stored on servers running special cryptographically strong builds of Linux that have the appropriate certification, and the Ministry of Internal Affairs also runs these servers on Russian “Elbrus” processors, for the architecture of which the attackers definitely do not have compiled virus code.

What will happen next

Paradoxically, the more people suffer from the virus, the better: this will be a good lesson in cybersecurity and a reminder of the need for regular data backups. After all, data can not only be destroyed by hackers (in 1000 and 1 other ways), but also lost due to the physical loss of the medium on which it was stored, and then you will only have yourself to blame. You will be glad to pay both 300 and 600 dollars for the work of your whole life, but there will be no one to pay!

A hacker attack has infected corporate computers around the world; attackers are extorting $300 in bitcoins from each device to unlock data. Reports of computer infections come from Russia, Great Britain, the USA, China, Spain, Italy, Vietnam, Taiwan and other countries. One of the cybersecurity experts from Avast wrote on Twitter that this is a very large-scale attack and at least 36,000 computers were attacked (an hour after the publication, their number increased to 57,000 and continues to grow) - all of them are infected with the WannaCrypt encryption application or its variations. Currently there is no information about who may be behind this attack, or whether it was centralized or carried out by different groups.

According to unconfirmed information, Russia suffered from the actions of hackers. Messages about this appeared on social networks, and Meduza also reports the attack, citing anonymous sources. In addition, the publication provides comments from other Russian companies: “Representatives of the Svyaznoy network told Meduza that they are “aware of the problem” and are “taking measures to prevent the virus from penetrating the company’s computers.” The VimpelCom company (Beeline brand) said that it “successfully repelled attempted attacks.” Gradually, more and more references to successful attacks on corporate computers in our country appear on social networks. Reports of hacking even talk about devices belonging to the Russian Ministry of Internal Affairs - this information is confirmed, however, the department talks about “planned work on the internal circuit.” Gazeta.ru also reports an attack on the Investigative Committee, but there has been no official confirmation yet.

It is already known that the actions of the cybercriminals led to the desired results. Experts note that the Bitcoin wallets specified in the ransom demand began to fill with money. There is no information yet on whether this leads to computers being unlocked. Do not forget that some ransomware works in such a way that even the creators of the malware do not have an “antidote” and cannot restore files on computers.

At the moment, there is no exact information about the list of companies that were attacked or whether the malicious software continues to spread. However, we can say with confidence that this attack will have very serious consequences. For example, in Britain, doctors almost simultaneously began to report technical failures in hospitals. They received messages about information being blocked on their computers and a ransom demand of $300 in exchange for restoring access. Having lost the ability to obtain information about patient records, previously written prescriptions and test results, doctors were forced to temporarily suspend admission of all visitors except those who need emergency care.

Update at 21:44

- Representatives of Megafon confirmed the attack and reported that they had to turn off part of the computer network because employees’ computers began to reboot suddenly, and after the reboot a window appeared demanding payment of $300, which did not allow them to continue working. “The attack was large-scale and affected most of the regions of Russia,” Megafon public relations director Petr Lidov commented to TASS. The operator has already restored the work of the call center, and in the next few hours plans to completely eliminate the problems that arose due to the cyber attack.

The computers of the Ministry of Internal Affairs were attacked by a ransomware virus, Ilya Sachkov, founder and head of Group IB, told RNS. The company has received a sample of the virus and is conducting research on it. The time needed to fully restore a system after such an attack depends on the amount of data that was encrypted by the virus. “On average, it may take several days to eliminate the consequences. But if the data was not reserved, then there is a possibility that you will actually have to pay a ransom,” Sachkov explained.

Information about the attack on the Investigative Committee has not been confirmed.

Malicious software is a name for all software products whose purpose is deliberately to cause damage to the end user.

Attackers keep coming up with new, cunning ways of distributing malware, most of which is developed for the Android operating system. At the same time, you can “catch” a virus not only on some dubious site, but also by receiving a message with a link from a person you know (friend, relative, colleague).

One of the modifications of malware for smartphones and tablets based on the Android operating system, once on your mobile device, will first of all send out a link with a friendly message, “Check out the link!” or “My photo for you”, across your entire contact list. Anyone who follows the link will receive the virus on their smartphone.

But most often, criminals pass off Trojans as useful applications.

What is the threat of the virus?

A Trojan horse, once received, can not only send SMS to your friends, but also drain your account. Banking Trojans are among the most dangerous. All owners of gadgets using banking applications may suffer. Users of Android smartphones are most at risk - 98% of mobile banking Trojans are created for this operating system.

When you launch a banking application, the Trojan displays its own interface on top of the real mobile banking interface and thus steals all the data that the user enters. The most advanced malware can spoof the interfaces of dozens of different mobile banks, payment systems and even messaging systems.

Another important stage in stealing money is intercepting SMS messages with one-time passwords for making payments and transfers. Therefore, Trojans usually need access rights to SMS, and this is why you should be especially careful with applications that request such rights.

Signs that your phone is infected

There are several signs that your phone is infected with malware:

  • Hidden sending of SMS to your contact list - friends, acquaintances and colleagues who have received dubious messages begin to contact you;
  • Money is spent quickly - funds from your personal account are debited faster than usual;
  • Unauthorized debits from a bank card;
  • Lack of SMS from the bank - having activated the “SMS-informing” service, you have stopped receiving SMS notifications about debiting funds from your account;
  • The battery drains faster.

How to protect yourself?

  • Regularly check for security updates to your mobile device's operating system and install them in a timely manner;
  • Install anti-virus software on your smartphone or tablet; after installation, update it and scan your mobile device;
  • Use anti-virus software that provides on-line protection and update it regularly;
  • Download and run applications only from official stores - Play Store, App Store, Google Play and so on;
  • Be careful when granting permissions to applications - programs that ask for access rights to process SMS messages deserve particular suspicion;
  • Think before you click on a link. Do not lose your vigilance; do not open links from letters, SMS or messages on social networks if you are not sure that the message came from a known sender and is safe;
  • If you receive a suspicious SMS with a link from your friend, call him to find out if he sent the message. If not, warn him that his smartphone or tablet is infected with a virus;
  • Be careful on public Wi-Fi networks, and when connecting to a network, make sure it is legitimate;
  • Use complex passwords;
  • In the Settings menu, under Wireless & Networks, click Data Usage: there you can see how much data each application uses and set a limit on data usage;
  • Enable “SMS notification” about debiting funds from your account - not all Trojans intercept SMS.

What to do if money is stolen?

The first thing to do is contact the bank as quickly as possible.

The alarming red and white screensaver appeared on thousands of computers across the planet in a matter of hours. An Internet virus called WannaCry (“I want to cry”) has encrypted millions of documents, photographs and archives. To regain access to their own files, users are asked to pay a ransom within three days: initially $300, then the amount increases. Moreover, payment is demanded in a virtual currency, bitcoins, so that the payment cannot be tracked.

About a hundred countries were attacked. The ransomware virus started in Europe. In Spain - Telefonica company, Iberica bank, gas company Gas Natural, FedEx delivery service. WannaCry was later recorded in Singapore, Taiwan and China, after which it reached Australia and Latin America, as well as the Andhra Pradesh police in India.

In Russia, the virus tried to blackmail Megafon, VimpelCom, Sberbank and Russian Railways, and from government agencies - the Ministry of Health, the Ministry of Emergency Situations and the Ministry of Internal Affairs. However, they say everywhere that attacks were promptly tracked and repelled, and there were no data leaks.

"The virus has been localized, we are carrying out engineering works for its destruction and renewal of funds antivirus protection. It is worth noting that the leak of proprietary information from information resources The Russian Ministry of Internal Affairs is completely excluded,” said Irina Volk, official representative of the Russian Ministry of Internal Affairs.

“The goals are very difficult to understand. I think they are not political goals, these are obvious scammers who were simply trying to make money from this business. That’s what they say, they demand money, this is a ransomware virus. We can assume that the goal is financial,” said said the president of the InfoWatch holding Natalya Kasperskaya.

But who are these scammers? Versions about the nature of the virus are put forward depending on the degree of freshness of mind or inflammation of the brain. Who would doubt that someone would immediately start looking for Russian hackers. They say that Russia was actively attacked like no other. So these are Russians. Well, the saying “I’ll freeze my ears to spite my mother” is, of course, from our folklore.

The virus was first detected in February. And even the Air Force says that its roots come from the American National Security Agency, where they developed methods for testing the resilience of Windows systems, but the codes actually got to the scammers. Russian experts also talk about American origin. They just say that the roots are not in the NSA, but in the US CIA.

“There are some details that show that the virus is most likely not Russian. Firstly, we know that its original is fake, it is from the CIA’s military tools, and secondly, that even those who updated it and launched it into work are most likely not Russians, because among the formats it works with, one of the most popular formats in our country is absent - the 1C file. If these were real Russian hackers who would like to infect as many as possible, they would have used 1C, of course,” says Igor Ashmanov, CEO of the “Ashmanov and Partners” company, a developer of artificial intelligence and information security systems.

So, the roots of the virus may be American, but the hack was still done by Russian scammers?

“You have to understand that this virus was posted, its code was leaked by WikiLeaks two months ago. It was sterilized there, but the hackers who took it revived it, sprinkled it with living water and posted it somewhere, for example, on a download site or sent by mail. Perhaps it was just an attempt to check whether these nasty military viruses work,” noted Igor Ashmanov.

Meanwhile, the well-known Edward Snowden claims that the American intelligence services, more precisely the NSA, are themselves involved in this cyber attack. According to another version from the same Air Force, the attack could have been carried out by ideological opponents of President Trump. If so, then these are “wonderful people.” In the struggle for the triumph of philanthropy, social facilities were also hit. In Brazil, the social security system was hit.

And in Britain, the blow fell on the NHS - the National Health Care System. Operations have been stopped in many hospitals; only the ambulance service is operating. Even Prime Minister Theresa May made a special address.

It seems that the virus was indeed aimed at corporate users. Be that as it may, you should not open a suspicious email, and it is better to back up important documents, photos and videos to external media. And advice from experts: you need to update.

"The fact that the virus spread like wildfire shows that users apparently do not update very much. At the same time, many organizations were infected. And in organizations, as you know, updates are very often centralized. This means that the administrators of these organizations did not monitor updating and closing vulnerabilities. Or the process was structured this way somehow. We can only state that this hole was not closed, although the patch for it was already ready," noted Natalya Kasperskaya.

On Friday, May 12, the WanaCrypt0r 2.0 ransomware virus infected tens of thousands of computers around the world. First, it paralyzed the work of British hospitals and Spanish companies, and then reached Russia, attacking regional departments and. While experts are trying to assess the true scale of the disaster, they are finding out who may be behind the development of the malicious program.

The whole world is at his feet

It must have been a hot morning for the specialists at MalwareHunterTeam who track new viruses and vulnerabilities. At four o'clock in the morning they posted a panicked message that “a new malware, WanaCrypt0r 2.0, is spreading across the network with diabolical speed.”

And they were more right than ever - in just a couple of hours, the ransomware attacked dozens of countries. Starting from Spain and Portugal, where it paralyzed the work of the large telecom operator Telefonica and went through the gas company Gas Natural, the electricity grid operator Iberdrola and the Iberica bank, the malware spread to the internal networks of British hospitals, then it was detected in Singapore, Taiwan and China, after which it spread throughout the world, even reaching Australia and Latin America.

One of the specialists noted that tens of thousands of computers in 74 countries around the world were infected and this number continues to grow. Another emphasized that the world may have witnessed the biggest virus attack in history.

Screenshot: MalwareTech

In Russia, the first message about WanaCrypt0r appeared on the Pikabu portal - its author claimed that the ransomware had hit the Ministry of Internal Affairs network. The ministry first stated that they were carrying out some “technical work on the internal circuit,” but then admitted the fact of the attack, although the servers were infected with a virus.

Cases of infection in the regional departments of the Ministry of Internal Affairs and the Investigative Committee were also acknowledged by Lenta.ru’s source in law enforcement agencies. True, he did not specify whether the internal networks of departments were affected. He also could not confirm rumors that some hackers downloaded information for more than an hour from the federal information registration system (FISM), where all the data of car owners and cars is entered, or whether these attackers are connected with the distribution of WanaCrypt0r.

The mobile operator Megafon also became a victim of the ransomware. Company representative Peter Lidov-Petrovsky, in a conversation with Lenta.ru, explained that the company’s computers were subjected to mass infection, since they are interconnected by an internal network. As a result, technical support stopped working, because operators could not use computers and take calls, and problems arose with customer service in Megafon stores.

Pay, don't skimp

Cybersecurity experts unanimously claim that, at its core, WanaCrypt0r 2.0 is a very standard ransomware Trojan. Once on the victim’s computer, it encrypts all data on the hard drive and demands that the attackers be sent $300 in bitcoins. Three days are given for reflection, after which the ransom amount is doubled, and after a week the files will remain encrypted forever.

Nevertheless, several experts note a well-designed and very “friendly” interface of the malware with support for dozens of languages, including English, Russian, Spanish, Chinese and even Romanian.

Another interesting feature is that the virus only infects Windows computers. Experts believe that users who have not installed the latest operating system updates are at maximum risk.

Many users noted that a few days before the virus encrypted all files on their computers, the system either restarted uncontrollably or required a computer reboot due to some critical error, carefully reminding users of the need to save all important work files.

Victims also reported that antiviruses are unable to detect WanaCrypt0r 2.0, that a full encryption cycle takes it about four hours, and that no third-party programs are visible in the process window while it runs. Some tried to format the hard drive or reinstall Windows, but after a while a message again appeared on the screen demanding payment of a ransom.

Experts remind that ransomware viruses usually hide in text files or PDF documents and are distributed by mail. The head of the cybercrime investigation company Group IB also thinks so. According to him, such malware most often spreads through emails, but many victims noted that they had not accessed mail lately and had not opened dubious attachments.

Sachkov also suggested that the hackers were unlikely to have infected computers for political reasons. “This is an easy way of monetization, and it is often used by attackers for enrichment purposes,” the specialist concluded.

Who is behind the ransomware?

So far, experts do not know what kind of hacker group developed WanaCrypt0r 2.0 and carried out such a large-scale attack. The attackers clearly took advantage of the fact that many users did not install the latest Windows updates. This is clearly visible in the example of China, which was seriously affected by the virus - as you know, the inhabitants of the Celestial Empire have a special love for pirated operating systems that do not receive updates.

But something is known about the virus itself. The first complaints about WannaCry appeared back in February 2017, but were not widespread. The blog clarifies that WanaCrypt0r 2.0 is a new version of WannaCry, using a vulnerability codenamed EternalBlue.

It is described in detail in the documents of the hacker group Shadowbrokers, which in mid-April made American staff tools openly available. This means that the creators of the virus could also have gotten hold of the detailed description that the American intelligence services painstakingly collected for themselves.

A number of specialists






