Virus attack ransomware. A ransomware virus attacked Russian media

Facebook

Viruses themselves as a computer threat do not surprise anyone today. But if previously they affected the system as a whole, causing disruptions in its performance, today, with the advent of such a variety as an encryptor virus, the actions of a penetrating threat affect more user data. It poses perhaps an even greater threat than executable applications destructive to Windows or spyware applets.

What is a ransomware virus?

The code itself, written in a self-copying virus, involves encrypting almost all user data with special cryptographic algorithms, without affecting the system files of the operating system.

At first, the logic of the virus’s impact was not entirely clear to many. Everything became clear only when the hackers who created such applets began demanding money to restore the original file structure. At the same time, the encrypted virus itself does not allow you to decrypt files due to its characteristics. To do this, you need a special decryptor, if you like, a code, a password or an algorithm required to restore the desired content.

The principle of penetration into the system and operation of the virus code

As a rule, it is quite difficult to “pick up” such crap on the Internet. The main source of spread of the “infection” is email at the level of programs installed on a specific computer terminal, such as Outlook, Thunderbird, The Bat, etc. Let us note right away: this does not apply to Internet mail servers, since they have a fairly high degree of protection, and access access to user data is possible only at the level

Another thing is an application on a computer terminal. This is where the field for the action of viruses is so wide that it is impossible to imagine. True, it’s also worth making a reservation here: in most cases, viruses target large companies from which they can “rip off” money for providing a decryption code. This is understandable, because not only on local computer terminals, but also on the servers of such companies, files can be stored, so to speak, in a single copy, which cannot be destroyed under any circumstances. And then decrypting files after a ransomware virus becomes quite problematic.

Of course, an ordinary user can be subject to such an attack, but in most cases this is unlikely if you follow the simplest recommendations for opening attachments with extensions of an unknown type. Even if an email client detects an attachment with a .jpg extension as a standard graphic file, it must first be checked as standard installed on the system.

If this is not done, when you open it by double-clicking (standard method), the activation of the code will start and the encryption process will begin, after which the same Breaking_Bad (encryptor virus) will not only be impossible to remove, but also the files will not be able to be restored after the threat is eliminated.

General consequences of penetration of all viruses of this type

As already mentioned, most viruses of this type enter the system through email. Well, let’s say a large organization receives a letter to a specific registered email with contents like “We have changed the contract, scanned copy is attached” or “You have been sent an invoice for shipping the goods (a copy there).” Naturally, the unsuspecting employee opens the file and...

All user files at the level of office documents, multimedia, specialized AutoCAD projects or any other archival data are instantly encrypted, and if the computer terminal is located on a local network, the virus can be transmitted further, encrypting data on other machines (this becomes noticeable immediately after “braking” of the system and freezing of programs or currently running applications).

At the end of the encryption process, the virus itself apparently sends a kind of report, after which the company may receive a message that such and such a threat has penetrated the system, and that only such and such an organization can decrypt it. This usually involves a virus. [email protected]. Next comes a requirement to pay for decryption services with an offer to send several files to the client’s email, which is most often fictitious.

Harm from exposure to code

If anyone has not yet understood: decrypting files after a ransomware virus is a rather labor-intensive process. Even if you don’t give in to the demands of the attackers and try to involve official government agencies in combating and preventing computer crimes, usually nothing good comes of it.

If you delete all files, produce and even copy the original data from removable media (of course, if there is such a copy), everything will still be encrypted again if the virus is activated. So you shouldn’t delude yourself too much, especially since when you insert the same flash drive into a USB port, the user won’t even notice how the virus will encrypt the data on it too. Then you won't have any problems.

Firstborn in the family

Now let's turn our attention to the first encryption virus. At the time of its appearance, no one had yet thought how to cure and decrypt files after being exposed to an executable code contained in an email attachment with a dating offer. Awareness of the scale of the disaster came only with time.

That virus had the romantic name “I Love You”. An unsuspecting user opened an attachment in an email message and received completely unplayable multimedia files (graphics, video and audio). Back then, however, such actions looked more destructive (harm to user media libraries), and no one demanded money for it.

The newest modifications

As we see, the evolution of technology has become quite a profitable business, especially considering that many managers of large organizations immediately run to pay for decryption efforts, without thinking at all that they could lose both money and information.

By the way, don’t look at all these “wrong” posts on the Internet, saying, “I paid/paid the required amount, they sent me a code, everything was restored.” Nonsense! All this is written by the developers of the virus themselves in order to attract potential, excuse me, “suckers.” But, by the standards of an ordinary user, the amounts to pay are quite serious: from hundreds to several thousand or tens of thousands of euros or dollars.

Now let's look at the newest types of viruses of this type, which were recorded relatively recently. All of them are practically similar and belong not only to the category of encryptors, but also to the group of so-called ransomware. In some cases, they act more correctly (like paycrypt), seemingly sending official business offers or messages that someone cares about the security of the user or organization. Such an encrypting virus simply misleads the user with its message. If he takes even the slightest action to pay, that’s it - the “divorce” will be complete.

XTBL virus

This relatively recent one can be classified as a classic version of ransomware. Typically, it enters the system through email messages containing file attachments, which is standard for Windows screensavers. The system and user think everything is fine and activate viewing or saving the attachment.

Unfortunately, this leads to sad consequences: the file names are converted into a set of characters, and .xtbl is added to the main extension, after which a message is sent to the desired email address about the possibility of decryption after paying the specified amount (usually 5 thousand rubles).

CBF virus

This type of virus also belongs to the classics of the genre. It appears on the system after opening email attachments, and then renames user files, adding an extension like .nochance or .perfect at the end.

Unfortunately, decrypting a ransomware virus of this type to analyze the contents of the code even at the stage of its appearance in the system is not possible, since after completing its actions it self-destructs. Even what many believe is a universal tool like RectorDecryptor does not help. Again, the user receives a letter demanding payment, for which two days are given.

Breaking_Bad virus

This type of threat works in the same way, but renames files in the standard version, adding .breaking_bad to the extension.

The situation is not limited to this. Unlike previous viruses, this one can create another extension - .Heisenberg, so it is not always possible to find all infected files. So Breaking_Bad (a ransomware virus) is a fairly serious threat. By the way, there are cases where even the Kaspersky Endpoint Security 10 license package misses this type of threat.

Virus [email protected]

Here is another, perhaps the most serious threat, which is mostly aimed at large commercial organizations. As a rule, some department receives a letter containing seemingly changes to the supply agreement, or even just an invoice. The attachment may contain a regular .jpg file (such as an image), but more often - an executable script.js (Java applet).

How to decrypt this type of encryption virus? Judging by the fact that some unknown RSA-1024 algorithm is used there, no way. Based on the name, you can assume that this is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.

Encryptor virus: how to disinfect and decrypt files using antivirus software

To date, no solutions have yet been found to decipher threats of this type. Even such masters in the field of antivirus protection as Kaspersky, Dr. Web and Eset cannot find the key to solving the problem when the system is infected with an encrypting virus. How to disinfect files? In most cases, it is suggested to send a request to the official website of the antivirus developer (by the way, only if the system has licensed software from this developer).

In this case, you need to attach several encrypted files, as well as their “healthy” originals, if any. In general, by and large, few people save copies of data, so the problem of their absence only aggravates an already unpleasant situation.

Possible ways to identify and eliminate the threat manually

Yes, scanning with conventional antivirus programs identifies threats and even removes them from the system. But what to do with the information?

Some try to use decryption programs like the already mentioned RectorDecryptor (RakhniDecryptor) utility. Let us note right away: this will not help. And in the case of the Breaking_Bad virus, it can only do harm. And that's why.

The fact is that people who create such viruses are trying to protect themselves and provide guidance to others. When using decryption utilities, the virus can react in such a way that the entire system crashes, with the complete destruction of all data stored on hard drives or logical partitions. This, so to speak, is an indicative lesson for the edification of all those who do not want to pay. We can only rely on official antivirus laboratories.

Cardinal methods

However, if things are really bad, you will have to sacrifice information. To completely get rid of the threat, you need to format the entire hard drive, including virtual partitions, and then install the operating system again.

Unfortunately, there is no other way out. Even up to a certain saved restore point will not help. The virus may disappear, but the files will remain encrypted.

Instead of an afterword

In conclusion, it is worth noting that the situation is this: a ransomware virus penetrates the system, does its dirty work and is not cured by any known methods. Anti-virus protection tools were not ready for this type of threat. It goes without saying that it is possible to detect a virus after exposure or remove it. But the encrypted information will remain unsightly. So I would like to hope that the best minds of antivirus software development companies will still find a solution, although, judging by the encryption algorithms, it will be very difficult to do. Just remember the Enigma encryption machine that the German Navy had during World War II. The best cryptographers could not solve the problem of an algorithm for decrypting messages until they got their hands on the device. This is how things are here too.

“Sorry to bother you, but... your files are encrypted. To get the decryption key, urgently transfer a certain amount of money to your wallet... Otherwise, your data will be destroyed forever. You have 3 hours, time has gone.” And it's not a joke. An encryption virus is a more than real threat.

Today we’ll talk about what the ransomware malware that has spread in recent years is, what to do if infected, how to cure your computer and whether it’s even possible, and how to protect yourself from them.

We encrypt everything!

A ransomware virus (encryptor, cryptor) is a special type of malicious ransomware whose activity consists of encrypting the user’s files and then demanding a ransom for the decryption tool. The ransom amounts start somewhere from $200 and reach tens and hundreds of thousands of green pieces of paper.

Several years ago, only Windows-based computers were attacked by this class of malware. Today, their range has expanded to seemingly well-protected Linux, Mac and Android. In addition, the variety of encryptors is constantly growing - new products appear one after another, which have something to surprise the world. Thus, it arose due to the “crossing” of a classic encryption Trojan and a network worm (a malicious program that spreads across networks without the active participation of users).

After WannaCry, no less sophisticated Petya and Bad Rabbit appeared. And since the “encryption business” brings good income to its owners, you can be sure that they are not the last.

More and more encryptors, especially those that have been released in the last 3-5 years, use strong cryptographic algorithms that cannot be cracked either by brute force or other existing means. The only way to recover data is to use the original key, which the attackers offer to buy. However, even transferring the required amount to them does not guarantee receipt of the key. Criminals are in no hurry to reveal their secrets and lose potential profits. And what is the point for them to keep their promises if they already have the money?

Paths of distribution of encrypting viruses

The main way malware gets onto the computers of private users and organizations is email, or more precisely, files and links attached to emails.

An example of such a letter intended for “corporate clients”:

“Repay your loan debt immediately.”
“The claim has been filed in court.”
“Pay the fine/fee/tax.”
“Additional charge of utility bills.”
“Oh, is that you in the photo?”
“Lena asked me to urgently give this to you,” etc.

Agree, only a knowledgeable user would treat such a letter with caution. Most people, without hesitation, will open the attachment and launch the malicious program themselves. By the way, despite the cries of the antivirus.

The following are also actively used to distribute ransomware:

Social networks (mailing from the accounts of friends and strangers).
Malicious and infected web resources.
Banner advertising.
Mailing via messengers from hacked accounts.
Vareznik sites and distributors of keygens and cracks.
Adult sites.
Application and content stores.

Encryption viruses are often carried by other malicious programs, in particular, advertising demonstrators and backdoor Trojans. The latter, using vulnerabilities in the system and software, help the criminal gain remote access to the infected device. The launch of the encryptor in such cases does not always coincide in time with potentially dangerous user actions. As long as the backdoor remains in the system, an attacker can penetrate the device at any time and initiate encryption.

To infect the computers of organizations (after all, more can be extracted from them than from home users), especially sophisticated methods are being developed. For example, the Petya Trojan penetrated devices through the update module of the MEDoc tax accounting program.

Encryptors with the functions of network worms, as already mentioned, spread across networks, including the Internet, through protocol vulnerabilities. And you can become infected with them without doing absolutely anything. Users of Windows operating systems that are rarely updated are at greatest risk because updates close known loopholes.

Some malware, such as WannaCry, exploit 0-day vulnerabilities, that is, those that system developers are not yet aware of. Unfortunately, it is impossible to fully resist infection in this way, but the likelihood that you will be among the victims does not even reach 1%. Why? Yes, because malware cannot infect all vulnerable machines at once. And while it is planning new victims, system developers manage to release a life-saving update.

How ransomware behaves on an infected computer

The encryption process, as a rule, begins unnoticed, and when its signs become obvious, it is too late to save the data: by that time, the malware has encrypted everything it can reach. Sometimes a user may notice that the extension of files in an open folder has changed.

The unreasonable appearance of a new and sometimes a second extension on files, after which they stop opening, absolutely indicates the consequences of an encryptor attack. By the way, it is usually possible to identify the malware by the extension that damaged objects receive.

An example of what the extensions of encrypted files can be:. xtbl, .kraken, .cesar, .da_vinci_code, .codercsu@gmail_com, .crypted000007, .no_more_ransom, .decoder GlobeImposter v2, .ukrain, .rn, etc.

There are a lot of options, and new ones will appear tomorrow, so there’s no point in listing everything. To determine the type of infection, it is enough to feed several extensions to the search engine.

Other symptoms that indirectly indicate the beginning of encryption:

Command line windows appear on the screen for a split second. Most often, this is a normal phenomenon when installing system and program updates, but it is better not to leave it unattended.
UAC requests to launch some program that you did not intend to open.
A sudden reboot of the computer followed by simulating the operation of the system disk check utility (other variations are possible). During the “verification”, the encryption process occurs.

After the malicious operation is successfully completed, a message appears on the screen with a ransom demand and various threats.

Ransomware encrypts a significant portion of user files: photos, music, videos, text documents, archives, mail, databases, files with program extensions, etc. However, they do not touch operating system objects, because attackers do not need the infected computer to stop work. Some viruses replace boot records of disks and partitions.

After encryption, all shadow copies and recovery points are typically deleted from the system.

How to cure a computer from ransomware

Removing malware from an infected system is easy—almost all antivirus programs can handle most of them without difficulty. But! It is naive to believe that getting rid of the culprit will solve the problem: whether you remove the virus or not, the files will still remain encrypted. In addition, in some cases this will complicate their subsequent decryption, if possible.

Correct procedure when starting encryption

Once you notice signs of encryption, Immediately turn off the computer's power by pressing and holding the buttonPower for 3-4 seconds. This will save at least some of the files.
Create a boot disk or flash drive with an antivirus program on another computer. For example, Kaspersky Rescue Disk 18, DrWeb LiveDisk ESET NOD32 LiveCD etc.
Boot the infected machine from this disk and scan the system. Remove any viruses found and keep them in quarantine (in case they are needed for decryption). Only after that you can boot your computer from your hard drive.
Try to recover encrypted files from shadow copies using system tools or using third-party .

What to do if the files are already encrypted

Don't lose hope. The websites of antivirus product developers contain free decryption utilities for various types of malware. In particular, utilities from Avast And Kaspersky Lab.
Having determined the encoder type, download the appropriate utility, definitely do it copies damaged files and try to decipher them. If successful, decipher the rest.

If the files are not decrypted

If none of the utilities help, it is likely that you have suffered from a virus for which there is no cure yet.

What can you do in this case:

If you use a paid antivirus product, contact its support team. Send several copies of the damaged files to the laboratory and wait for a response. If technically possible, they will help you.

By the way, Dr.Web is one of the few laboratories that helps not only its users, but all those affected. You can send a request to decrypt the file on this page.

If it turns out that the files are hopelessly damaged, but they are of great value to you, you can only hope and wait that a rescue remedy will someday be found. The best thing you can do is to leave the system and files as is, that is, completely shut down and not use the hard drive. Deleting malware files, reinstalling the operating system, and even updating it can deprive you and this chance, since when generating encryption/decryption keys, unique system identifiers and copies of the virus are often used.

Paying the ransom is not an option, since the likelihood that you will receive the key is close to zero. And there is no point in financing a criminal business.

How to protect yourself from this type of malware

I would not like to repeat advice that each of the readers has heard hundreds of times. Yes, installing a good antivirus, not clicking suspicious links and blablabla is important. However, as life has shown, a magic pill that will give you a 100% guarantee of security does not exist today.

The only effective method of protection against ransomware of this kind is data backup to other physical media, including cloud services. Backup, backup, backup...

Doctor Web specialists are studying a new ransomware Trojan Trojan.Encoder.12544, referred to in the media as Petya, Petya.A, ExPetya and WannaCry-2. Based on a preliminary analysis of the malware, Doctor Web provides recommendations on how to avoid infection, tells what to do if infection has already occurred, and reveals the technical details of the attack.

The ransomware worm that caused a lot of noise Trojan.Encoder.12544 poses a serious danger to personal computers running Microsoft Windows. Various sources call it a modification of the Trojan known as Petya ( Trojan.Ransom.369), But Trojan.Encoder.12544 has only some similarities with him. This malicious program penetrated the information systems of a number of government agencies, banks and commercial organizations, and also infected the PCs of users in several countries.

It is currently known that the Trojan infects computers using the same set of vulnerabilities that were previously used by attackers to infiltrate the computers of victims of the WannaCry Trojan. Mass distribution Trojan.Encoder.12544 started in the morning of June 27, 2017. When launched on the attacked computer, the Trojan searches for available PCs on the local network in several ways, after which it begins scanning ports 445 and 139 using the list of received IP addresses. Having detected machines on the network on which these ports are open, Trojan.Encoder.12544 tries to infect them using a well-known vulnerability in the SMB protocol (MS17-10).

In its body, the Trojan contains 4 compressed resources, 2 of which are 32- and 64-bit versions of the Mimikatz utility, designed to intercept passwords for open sessions in Windows. Depending on the bitness of the OS, it unpacks the corresponding version of the utility, saves it in a temporary folder, and then launches it. Using the Mimikatz utility, as well as two other methods Trojan.Encoder.12544 receives a list of local and domain users authorized on the infected computer. Then it looks for writable network folders, tries to open them using the received credentials and saves its copy there. To infect computers that he managed to gain access to, Trojan.Encoder.12544 uses the PsExec utility to control a remote computer (it is also stored in the Trojan’s resources) or a standard console utility to call Wmic.exe objects.

The encoder controls its restart using a file it saves in the C:\Windows\ folder. This file has a name that matches the Trojan's name without the extension. Since the worm sample currently being distributed by attackers is named perfc.dat, the file that prevents it from running again will be named C:\Windows\perfc. However, as soon as attackers change the original name of the Trojan, creating a file in the C:\Windows\ folder with the name perfc without an extension (as some antivirus companies advise) will no longer save the computer from infection. In addition, the Trojan checks for the presence of a file only if it has sufficient privileges in the operating system to do so.

After starting, the Trojan configures its privileges, loads its own copy into memory and transfers control to it. The encoder then overwrites its own disk file with junk data and deletes it. First of all Trojan.Encoder.12544 corrupts the VBR (Volume Boot Record) of drive C:, the first sector of the disk is filled with garbage data. The ransomware then copies the original Windows boot record to another part of the disk, having previously encrypted it using the XOR algorithm, and writes its own in its place. Next, it creates a task to restart the computer and begins to encrypt all files with the extensions .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, detected on local physical disks. .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx , .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, . pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.

The Trojan encrypts files only on fixed computer drives; data on each drive is encrypted in a separate stream. Encryption is carried out using AES-128-CBC algorithms; each disk has its own key (this is a distinctive feature of the Trojan that has not been noted by other researchers). This key is encrypted using the RSA-2048 algorithm (other researchers have reported using an 800-bit key) and is saved to the root folder of the encrypted drive in a file named README.TXT. Encrypted files do not receive an additional extension.

After completing the previously created task, the computer reboots and control is transferred to the Trojan boot record. It displays text on the screen of an infected computer that resembles a message from the standard CHDISK disk scanning utility.

Security measures

The regulator recommends that banks make sure that their system-wide and special software is updated, and antivirus software is installed and updated. FinCert also recommends segmenting the computer networks of financial institutions and checking the settings of firewalls - they should block connections to unregulated network addresses. It is also recommended to back up critical information systems and databases.

In addition, the regulator advises instructing bank employees to pay attention to suspicious email messages and not visit dubious sites.

A representative of the Central Bank told Vedomosti that from March to August 2017, the Central Bank had already warned banks about ransomware six times.

At the same time, banks were warned about the danger of the WannaCry ransomware virus back in April. On May 12, when it became known that hackers were attempting to attack a number of organizations around the world using the WannaCry virus, FinCERT targeted banks and then repeated its warning. The names of the affected banks were not disclosed in that message. It is known that the virus tried, however, according to the financial institution, hackers did not penetrate their systems.

From the Petya ransomware virus the Russian banking sector. “As a result of the attacks, isolated cases of infection were recorded,” FinCERT wrote. Among the well-known banks affected by the attack are "". The bank reported that no customer or transaction data was compromised.

Representatives of banks interviewed by Vedomosti note that the recommendations of the Central Bank are regular, and financial institutions implement them.

Potential cyber attack

Alexey Pavlov, an analyst at the Solar JSOC cyberthreat monitoring center, told the newspaper that over the past few days, organizations in various industries, including banks, have received warnings about the possible activity of ransomware, although the monitoring center has no information about the preparation of a new hacker attack.

There is no data about a new attack at Kaspersky Lab either, says Denis Gorchakov, head of the fraud research and analysis group. He suggests that the FinCERT letter is related to a warning about a threat in the energy sector: on the eve of August 9, they warned that a new cyber attack could be carried out in the near future.

In connection with the threat of a hacker attack, the energy company asked the directors of its branches to limit the access of corporate network users to the Internet in the period from August 4 to 14 and also to warn employees not to open attachments from unknown senders or click on unrelated links in email.

The Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere (FinCERT) is a structure of the Central Bank that deals with cybersecurity. Created in 2015 by decision of the Russian Security Council. Banks send information to the Central Bank about detected computer attacks (on card accounts, remote service systems, banking websites), after which specialists analyze this data, identify the causes of problems and send the results of the analysis to market participants and law enforcement agencies.

An encryption virus attacked Russian media, one of which was Interfax, the Russian company Group-IB said in a statement. Only part of the agency was affected, since its IT services managed to turn off part of the critical infrastructure. The virus has been assigned the identifier BadRabbit.

About the unprecedented virus attack on Interfax on its page in Facebook reported Deputy Director of the agency Yuri Pogorely. Interfax faced an unprecedented virus attack. Some of our services are not available to clients. Our engineers are restoring their functionality. My apologies. We are trying to get back to you as quickly as possible!” - he wrote.

The Central Bank warned banks about a possible cyber attack by a ransomware virus

Two previous viruses, WannaCry and Petya, have already tried to attack banks

According to Vedomosti’s observations, the agency’s mobile application and the service provided by Interfax for disclosing the reports of Russian companies on the website e-disclosure.ru do not work.

Infterfax divisions in the UK, Azerbaijan, Belarus and Ukraine and the Interfax-religion website continue to operate, Pogorely told Vedomosti. It is not yet clear why the damage did not affect other divisions; perhaps this is due to the topology of the Interfax network, where the servers are located geographically, and the operating system that is installed on them, he says.

Two Interfax employees confirmed to Vedomosti that the computers had been turned off. According to one of them, the visually blocked screen is similar to the result of the actions of the famous Petya virus. The virus that attacked Interfax warns that you should not try to decrypt files yourself, and demands to pay a ransom of 0.05 bitcoin ($283), for which it invites you to go to a special site on the Tor network. The virus assigned a personal identification code to the encrypted computer.

Not only Interfax

Two more Russian media outlets were affected by the ransomware virus, one of which was the St. Petersburg publication Fontanka, Group-IB clarifies.

Fontanka editor-in-chief Alexander Gorshkov told Vedomosti that Fontanka servers were attacked by attackers today at 3:20 p.m. “After this, the publication’s website was unavailable, and it is still unavailable. Our technical specialists are making every effort to restore the site. We have no doubt that these actions were committed by terrorist organizations,” he said.

Over the past weeks, criminals have been attacking the Fontanka editorial office, posting hundreds of false custom-made articles on the Internet mentioning journalists and editors of the publication. In addition, false information about the activities of the Fontanka publisher JSC Azhur-Media is being communicated to regulatory authorities, he says. “We have no doubt that these actions have a single customer and these are links in the same chain,” concluded Gorshkov.