The ransomware continues its depressing march across the Web, infecting computers and encrypting important data. How can you protect yourself and your Windows installation from it, and have any patches or tools been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. The damage from the attack is estimated at $1 billion. In two weeks the ransomware infected at least 300 thousand computers despite warnings and safety measures.

What is ransomware 2017? As a rule, you can "pick it up" on seemingly the most innocuous sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 system folder. From there the program immediately disables the antivirus and adds itself to "Autostart". After each reboot the ransomware is launched from the registry and starts its dirty deed. It then downloads further copies of programs like Ransom and Trojan; self-replication of the ransomware is also common. This process can be momentary, or it can take weeks, until the victim notices that something is wrong.

The cryptor is often disguised as an ordinary picture or text file, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, sometimes a .dll library. Most often the file has a completely harmless name, for example "document.doc" or "picture.jpg", where the visible extension has been typed in manually and the true file type is hidden.

After encryption is complete, instead of familiar files the user sees names and contents made up of "random" characters, and the extension changes to a hitherto unknown one: .NO_MORE_RANSOM, .xdata and others.

2017 Wanna Cry ransomware virus: how to protect yourself. I would like to point out right away that Wanna Cry is used here as a collective term for all ransomware viruses, since it is the one that has infected computers most often recently. So we will talk about protection from ransomware in general, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from the ransomware, which spreads via the EternalBlue exploit over the SMB protocol ports.

Protecting Windows from ransomware 2017 - basic rules:

  • Windows updates and a timely move to a licensed OS (note: the XP version is no longer updated)
  • updating antivirus databases and firewalls on demand
  • utmost care when downloading any files (cute "cats" can cost you all your data)
  • backing up important information to removable media.
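The SMB exposure named above (EternalBlue over the SMB ports) can be checked and closed from PowerShell; the following audit script is an added example, not code from the original article, and assumes Windows 8 / Server 2012 or later with an elevated session. Its update check only looks for any update installed on or after 14 March 2017 (the fix date the article cites further down), which is a heuristic, not proof that the SMB fix itself is present.

```powershell
# Added example, not from the original article: audit a Windows host for the
# SMB exposure that WannaCry/EternalBlue abused and, with -Fix, close it.
# Assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules)
# and an elevated PowerShell session.
param([switch]$Fix)

$report = [ordered]@{}

# 1. Legacy SMBv1 still enabled on the server side?
$report.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Enabled inbound firewall rules that allow TCP 445 (SMB).
$allow445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
        (($pf.LocalPort -contains '445') -or ($pf.LocalPort -contains 'Any'))
    }
$report.InboundAllow445 = @($allow445 | Select-Object -ExpandProperty DisplayName)

# 3. Newest installed update. Anything dated before 14 March 2017 (the fix date
#    the article cites) means the SMB patch cannot be present; a later date is
#    only a hint, not proof, that it is.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
$report.LatestUpdate = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))" } else { 'none' }
$report.UpdatedSince2017_03_14 = [bool]($latest -and $latest.InstalledOn -ge [datetime]'2017-03-14')

[pscustomobject]$report | Format-List

if ($Fix) {
    # Turn off SMBv1 (takes effect after reboot) and refuse unsolicited SMB on
    # untrusted (Public-profile) networks. This does not segment SMB inside a
    # trusted LAN, where the worm spread host to host; that needs network ACLs.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    Write-Host 'SMBv1 disabled and public-profile SMB block rule added; reboot to apply.'
}
```

Run it once without `-Fix` to see the report, and only add `-Fix` on hosts that do not need SMBv1 for legacy devices.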

Ransomware virus 2017: how to cure and decrypt files.

If you are hoping for antivirus software, you can forget about a decoder for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have so far found no solution to cure infected files. At the moment it is possible to remove the virus using an antivirus, but there are no algorithms yet to return everything to square one.

Some people try to use decoders like the RectorDecryptor utility, but it won't help: an algorithm for decrypting the new viruses has not yet been worked out. It is also completely unknown how the virus will behave if it is not removed after using such programs. Often this can result in the erasure of all files, as a lesson from the virus's authors to those who do not want to pay the cybercriminals.

At the moment, the most effective way to recover lost data is to contact the technical support of the vendor of the antivirus program you are using. To do this, send a letter or use the feedback form on the manufacturer's website. The attachment must include an encrypted file and, if there is one, a copy of the original. This will help the programmers to compose the algorithm. Unfortunately, for many, a virus attack comes as a complete surprise and no copies are found, which greatly complicates the situation.

Radical methods of curing Windows from the ransomware. Unfortunately, sometimes you have to resort to fully formatting the hard drive, which entails completely reinstalling the OS. Many people will think of a system restore, but this is not an option: even if a "rollback" gets rid of the virus, the files will still remain encrypted.

In short: to protect data from ransomware viruses, you can use an encrypted disk based on a crypto container, a copy of which is kept in cloud storage.

  • Analysis of cryptolockers showed that they only encrypt documents; the file container of an encrypted disk is of no interest to them.
  • The files inside such a crypto container are inaccessible to the virus while the disk is disconnected.
  • And since the encrypted disk is mounted only when it is necessary to work with files, there is a high probability that the cryptolocker will not have time to encrypt it, or will be detected before that moment.
  • Even if a cryptolocker encrypts files on such a disk, you can easily restore a backup of the crypto disk container from the cloud storage, which is automatically created every 3 days or more often.
  • Storing a copy of your disk container in the cloud is safe and easy. The data in the container is securely encrypted, which means that Google or Dropbox will not be able to look inside. Because a crypto container is a single file, by uploading it to the cloud you actually upload all the files and folders that are inside it.
  • A crypto container can be protected not only with a long password, but also with an electronic key such as a Rutoken token together with a very strong password.

Ransomware viruses such as the Locky, TeslaCrypt, CryptoLocker and WannaCry cryptolockers are designed to extort money from the owners of infected computers, which is why they are also called ransomware. After infecting a computer, the virus encrypts the files of all known programs (doc, pdf, jpg ...) and then extorts money for decrypting them. The injured party will most likely have to pay a couple hundred dollars to decrypt the files, as this is the only way to get the information back.

If the information is very valuable, the situation is hopeless, and it is complicated by the fact that the virus includes a countdown and is able to self-destruct, leaving you no opportunity to recover the data if you think for too long.

Benefits of Rohos Disk Encryption for protecting information from crypto-viruses:

  • Creates a crypto container for reliable protection of files and folders.
    The principle of on-the-fly encryption and the strong AES 256-bit encryption algorithm are used.
  • Integrates with Google Drive, Dropbox, Cloud Mail.ru and Yandex Disk.
    Rohos Disk allows these services to periodically scan the crypto container and upload only the changes to the encrypted data to the cloud, so the cloud stores several revisions of the crypto disk.
  • The Rohos Disk Browser utility allows you to work with a crypto disk so that other programs (including viruses) do not have access to this disk.

Crypto container Rohos Disk

Rohos Disk creates a crypto container and a drive letter for it in the system. You work with such a disk as usual, all data on it is automatically encrypted.

When the crypto disk is disabled, it is inaccessible to all programs, including ransomware viruses.

Integration with cloud storage

Rohos Disk allows you to place a crypto container in the cloud storage service folder and periodically start the process of synchronizing a crypto container.

Supported services: Google Drive, Dropbox, Cloud Mail.ru, Yandex Disk.

If the crypto disk was mounted when a virus infection occurred and the virus began to encrypt data on it, you can restore the image of the crypto container from the cloud. For information: Google Drive and Dropbox are able to track changes in files (revisions), store only the changed parts of the file and therefore allow you to restore one of the versions of the crypto container from the recent past (usually 30-60 days, depending on free space on Google Drive).

Rohos Disk Browser utility

Rohos Disk Browser allows you to open a crypto container in explorer mode without making the disk available at the driver level for the entire system.

The advantages of this approach:

  • Information from the disk is displayed only in Rohos Disk Browser
  • No other application can access the data from the disk.
  • A Rohos Disk Browser user can add a file or folder, open a file and perform other operations.

Complete data protection against malware:

  • The files are not available to other programs including Windows components.

Is there protection against ransomware today? No. As sad as it sounds, that is how it is. There is no real protection and, apparently, there will not be. But don't be upset: there are a number of simple rules, adherence to which will help reduce the risk of infecting your computer. Before I give the list of recommendations, I want to say in advance that in this article I am not advertising any antivirus, but simply describing my own experience, since this malware has been caught twice in our office. After these cases, we came up with a list of recommendations.

So, the first step is to make sure that you have an up-to-date antivirus with fresh databases on board. My colleagues and I conducted experiments with various products of antivirus companies, and based on the results obtained, I can safely say that the distribution kit from Kaspersky Lab showed the best result. We worked with Kaspersky Endpoint Security for Business Standard. The detection rate for the ransomware was over 40%. Therefore, feel free to install an antivirus; do not disdain such programs.

The second point is to prohibit the launch of programs from the %AppData% folder. Again, it is not certain that the ransomware runs from this folder, but as a preventive measure it justifies itself by reducing the number of possible attack vectors. The malware can also run from:

  • %TEMP%
  • %LOCALAPPDATA%
  • %USERPROFILE%
  • %WinDir%
  • %SystemRoot%

If it is possible to control these directories, be sure to do it.
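A local Software Restriction Policy that enforces the "no execution from user-writable folders" rule above, as an added example that is not part of the original article. It deliberately blocks only %AppData%, %TEMP% and %LOCALAPPDATA%: %WinDir% and %SystemRoot% hold Windows itself, and a blanket rule on %USERPROFILE% would stop legitimately user-installed applications. It assumes an elevated PowerShell session on a host whose local policy is not overridden by a domain GPO.

```powershell
# Added example, not from the original article: local Software Restriction
# Policy (SRP) "Disallowed" path rules for the user-writable folders that
# ransomware commonly launches from. Assumptions: elevated session, no domain
# GPO overriding local SRP, and the registry layout below, which mirrors what
# the Local Security Policy editor (secpol.msc) writes for such rules.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Only genuinely user-writable staging folders. %WinDir% / %SystemRoot% must
# stay allowed (Windows runs from there) and a blanket %USERPROFILE% rule would
# block user-installed software, so the article's wider list is narrowed here.
$blockedPaths = @('%AppData%', '%TEMP%', '%LOCALAPPDATA%')

New-Item -Path "$base\0\Paths" -Force | Out-Null                                   # level 0 = Disallowed
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -Type DWord   # everything else Unrestricted
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -Type DWord   # enforce for executables
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0       -Type DWord   # all users, admins included

foreach ($p in $blockedPaths) {
    # One rule per folder; secpol.msc names each rule key with a fresh GUID.
    $ruleKey = "$base\0\Paths\{$([guid]::NewGuid().ToString())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value "$p\*" -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0      -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value "Ransomware hardening: no execution from $p" `
        -PropertyType String -Force | Out-Null
}

Write-Host "SRP disallow rules written for: $($blockedPaths -join ', ')"
# SRP changes apply to newly started processes after a policy refresh.
gpupdate /force | Out-Null
```

Test on one workstation first: any legitimate installer or updater that runs from these folders will be blocked too and needs its own Unrestricted rule.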

The most important point, running like a red thread through the entire article, is that it is necessary and extremely important to make backups. While at home you can safely use a free cloud for data storage, not everyone has that opportunity at work. If you're a sysadmin, design and run a backup. If you are not part of the IT department, check with your system administrator whether backup copies of critical data exist. You can also duplicate them in the cloud. Fortunately, there are a lot of free options: Yandex Disk, Mail cloud, DropBox, Google Disk, etc.

It is practically impossible to protect oneself from ransomware by technical means. Therefore, the first line of defense in this case is the user himself. Only knowledge and care can help avoid infection. Most importantly, never click on links or open attachments in emails from senders you don't know. Otherwise, you risk losing your data with a high degree of probability.

Be very careful to check the sender's address in the letter, as well as the attachment. If you are expecting a letter with an attachment from a friend or business partner, when you receive it, make sure that it really is from the person you expect. It may take some time, but the time spent on verification can ultimately save you a day of data recovery.

If you have the slightest suspicion of a compromising letter, immediately contact your IT service. Believe me, they will only thank you for this.

Some types of ransomware use command servers on the Tor network. Before starting encryption, they download the virus body from these servers. The Tor network has a number of exit nodes onto the "big" Internet. There are public nodes, and there are hidden ones. As part of preventive measures, you can block known exit nodes on your router, if it allows it, in order to complicate the work of the virus as much as possible. A list of such addresses can be found on the Internet; there are currently about seven thousand of them.

Of course, everything described above gives no guarantee that you will not end up on the list of victims, but these recommendations will help reduce the risk of infection. Until real protection against ransomware has been developed, our main weapon is attentiveness and caution.

The new WannaCry ransomware (also known as WannaCry Decryptor, WannaCrypt, WCry and WanaCrypt0r 2.0) made itself known to the world on May 12, 2017, when files on computers in several healthcare institutions in the UK were encrypted. As soon became clear, companies in dozens of countries found themselves in a similar situation, and Russia, Ukraine, India and Taiwan suffered the most. According to Kaspersky Lab, on the first day of the attack alone the virus was detected in 74 countries.

Why is WannaCry dangerous? The virus encrypts files of different types (they get the extension .WCRY and become completely unreadable) and then demands a ransom of $600 for decryption. To speed up the money transfer, the user is intimidated with the warning that after three days the ransom amount will increase, and after seven days the files will not be decrypted at all.

Computers running Windows operating systems are at risk of being infected with the WannaCry ransomware. If you are using a licensed Windows version and regularly update the system, you need not worry that the virus will penetrate your system in this way.

Users of macOS, ChromeOS and Linux, as well as of the mobile operating systems iOS and Android, need not fear WannaCry attacks at all.

What if you are a victim of WannaCry?

The British National Crime Agency (NCA) recommends that small businesses that have fallen victim to ransomware and are concerned about the spread of the virus on the network take the following actions:

  • Isolate your computer, laptop or tablet from the corporate / internal network immediately. Disable Wi-Fi.
  • Change drivers.
  • Without connecting to Wi-Fi networks, connect your computer to the internet directly.
  • Update your operating system and all other software.
  • Update and run the antivirus program.
  • Reconnect to the network.
  • Monitor network traffic and / or run a virus scan to make sure the ransomware is gone.

Important!

Files encrypted by the WannaCry virus cannot be decrypted by anyone but the intruders. Therefore, do not waste time and money on "IT geniuses" who promise to rid you of this headache.

Is it worth paying money to cybercriminals?

The first questions asked by users faced with the new WannaCry ransomware virus are how to recover files and how to remove the virus. Not finding free and effective solutions, they face a choice: pay the extortionist or not? Since users often have something to lose (personal documents and photo archives are stored on the computer), the desire to solve the problem with money does arise.

But the NCA urges you not to pay. If you do decide to do so, keep in mind the following:

  • First, there is no guarantee that you will have access to your data.
  • Secondly, your computer can still remain infected with a virus even after payment.
  • Third, you will most likely just donate your money to cybercriminals.

How to protect yourself from WannaCry?

What actions to take to prevent virus infection is explained by Vyacheslav Belashov, head of the information security systems implementation department at SKB Kontur:

The peculiarity of the WannaCry virus is that it can penetrate the system without human intervention, unlike other ransomware viruses. Previously, the virus required the user to be inattentive: to click on a dubious link from an email that was not actually intended for him, or to download a malicious attachment. In the case of WannaCry, a vulnerability is exploited directly in the operating system itself. Therefore, the first and foremost at risk were Windows-based computers on which the updates of March 14, 2017 were not installed. One infected workstation on the local network is enough for the virus to spread to the others that have the vulnerability.

Users affected by the virus have one main question: how to decrypt their information? Unfortunately, so far there is no guaranteed solution, and none is foreseen. Even after paying the specified amount, the problem is not solved. In addition, the situation can be aggravated by the fact that a person, in the hope of recovering his data, risks using supposedly "free" decryptors, which in reality are also malicious files. Therefore, the main advice that can be given is to be careful and do everything possible to avoid such a situation.

What exactly can and should be done at the moment:

1. Install the latest updates.

This applies not only to operating systems, but also to anti-virus protection. Information on updating Windows can be found.

2. Make backup copies of important information.

3. Be careful when working with mail and the Internet.

Pay attention to incoming emails with questionable links and attachments. To work with the Internet, it is recommended to use plugins that allow you to get rid of unnecessary advertisements and links to potentially malicious sources.