
New virus ransomware protection. WannaCry: How to protect yourself from a ransomware virus

In short: to protect data from ransomware, you can keep it on an encrypted disk based on a crypto container, a copy of which is kept in cloud storage.

  • Analysis of cryptolockers showed that they encrypt only documents; the file container of an encrypted disk is of no interest to them.
  • The files inside such a crypto container are inaccessible to the virus while the disk is disconnected.
  • Since the encrypted disk is mounted only while you need to work with its files, there is a high probability that the cryptolocker will not have time to encrypt it, or will be detected before that moment.
  • Even if a cryptolocker encrypts files on such a disk, you can easily restore a backup of the disk's crypto container from cloud storage, which is generated automatically every 3 days or more.
  • Storing a copy of your disk container in the cloud is safe and easy. The data in the container is securely encrypted, so Google or Dropbox cannot look inside. Because a crypto container is a single file, uploading it to the cloud uploads all the files and folders inside it.
  • A crypto container can be protected not only with a long password but also with a Rutoken-type electronic key combined with a very strong password.

Ransomware viruses such as Locky, TeslaCrypt, CryptoLocker and the WannaCry cryptolocker are designed to extort money from the owners of infected computers, which is why they are also called ransomware. After infecting a computer, the virus encrypts files of all common types (doc, pdf, jpg ...) and then demands money to decrypt them. The victim will most likely have to pay a couple of hundred dollars to decrypt the files, since this is the only way to get the information back.

If the information is very valuable, the situation is hopeless, and it is complicated by the fact that the virus includes a countdown and is able to self-destruct, leaving you no opportunity to recover the data if you deliberate for too long.

Benefits of Rohos Disk Encryption to protect information from crypto-viruses:

  • Creates a crypto container for reliable protection of files and folders.
    On-the-fly encryption with the strong AES 256-bit algorithm is used.
  • Integrates with Google Drive, Dropbox, Cloud Mail.ru, Yandex Disk.
    Rohos Disk lets these services periodically scan the crypto container and upload only the changed parts of the encrypted data to the cloud, so the cloud stores several revisions of the crypto disk.
  • The Rohos Disk Browser utility allows you to work with a crypto disk so that other programs (including viruses) have no access to it.

Crypto container Rohos Disk

Rohos Disk creates a crypto container and a drive letter for it in the system. You work with such a disk as usual, all data on it is automatically encrypted.

When the crypto disk is disabled, it is inaccessible to all programs, including ransomware viruses.

Integration with cloud storage

Rohos Disk allows you to place a crypto container in the cloud storage service folder and periodically start the process of synchronizing a crypto container.

Supported services: Google Drive, Dropbox, Cloud Mail.ru, Yandex Disk.

If the crypto disk was enabled, a virus infection occurred and the virus began to encrypt data on the crypto disk, you can restore the image of the crypto container from the cloud. For reference: Google Drive and Dropbox track changes to files (revisions) and store only the changed parts of a file, so they allow you to restore one of the versions of the crypto container from the recent past (usually 30-60 days, depending on the free space on Google Drive) ...

Rohos Disk Browser utility

Rohos Disk Browser allows you to open a crypto container in explorer mode without making the disk available at the driver level for the entire system.

The advantages of this approach:

  • Information from the disk is displayed only in Rohos Disk Browser.
  • No other application can access the data on the disk.
  • The Rohos Disk Browser user can add files or folders, open files and perform other operations.

Complete data protection against malware:

  • The files are not available to other programs, including Windows components.

The new ransomware WannaCry (also known as WannaCry Decryptor, WannaCrypt, WCry and WanaCrypt0r 2.0) made itself known to the world on May 12, 2017, when files on computers at several healthcare facilities in the UK were encrypted. As it soon became clear, companies in dozens of countries found themselves in a similar situation, and Russia, Ukraine, India, Taiwan suffered the most. According to Kaspersky Lab, the virus was detected in 74 countries on the very first day of the attack.

Why is WannaCry dangerous? The virus encrypts files of various types (they receive the extension .WCRY and become completely unreadable) and then demands a ransom of $600 for decryption. To speed up the money transfer, the user is intimidated with the warning that after three days the ransom amount will increase, and after seven days the files will not be decrypted at all.

Computers running Windows operating systems are at risk of being infected with the WannaCry ransomware. If you use licensed versions of Windows and update the system regularly, you need not worry that the virus will enter your system this way.

MacOS, ChromeOS and Linux users, as well as iOS and Android mobile operating systems, shouldn't be afraid of WannaCry attacks at all.

What if you are a victim of WannaCry?

The British National Crime Agency (NCA) recommends that small businesses that have fallen victim to ransomware and are concerned about the spread of the virus on the network take the following actions:

  • Isolate your computer, laptop or tablet from the corporate / internal network immediately. Disable Wi-Fi.
  • Change drivers.
  • Without connecting to Wi-Fi networks, connect your computer to the internet directly.
  • Update operating system and all the rest of the software.
  • Update and run the antivirus program.
  • Reconnect to the network.
  • Monitor network traffic and / or run a virus scan to make sure the ransomware is gone.

Important!

Files encrypted by the WannaCry virus cannot be decrypted by anyone but intruders. Therefore, do not waste time and money on those "IT geniuses" who promise to save you from this headache.

Is it worth paying money to cybercriminals?

The first questions asked by users faced with the new WannaCry ransomware virus are how to recover files and how to remove the virus. Not finding free and effective solutions, they are faced with a choice: pay the extortionist or not? Since users often have something to lose (personal documents and photo archives are stored on the computer), the desire to solve the problem with money does arise.

But the NCA urges you not to pay. If you do decide to pay, keep in mind the following:

  • First, there is no guarantee that you will have access to your data.
  • Secondly, your computer can still remain infected with a virus even after payment.
  • Third, you will most likely just donate your money to cybercriminals.

How to protect yourself from WannaCry?

What actions to take to prevent infection with a virus, explains Vyacheslav Belashov, head of the information security systems implementation department at SKB Kontur:

The peculiarity of the WannaCry virus is that it can penetrate the system without human intervention, unlike other ransomware viruses. Previously, the virus required the user to be inattentive - to click on a dubious link from an email that was not actually intended for him, or to download a malicious attachment. In the case of WannaCry, a vulnerability is exploited directly in the operating system itself. Therefore, the first in the risk group were Windows-based computers that did not have the March 14, 2017 updates installed. One infected workstation in the local network is enough for the virus to spread to the others that have the vulnerability.

Users affected by the virus have one main question: how to decrypt their information? Unfortunately, there is no guaranteed solution so far, and one is hardly foreseeable. Even after paying the specified amount, the problem is not solved. In addition, the situation can be aggravated by the fact that a person, hoping to recover his data, risks using supposedly "free" decryptors, which in reality are also malicious files. Therefore, the main advice that can be given is to be careful and do everything possible to avoid such a situation.

What exactly can and should be done at the moment:

1. Install the latest updates.

This applies not only to operating systems but also to anti-virus protection. Information on updating Windows can be found.

2. Make backup copies of important information.

3. Be careful when working with mail and the Internet.

Pay attention to incoming emails with questionable links and attachments. When working on the Internet, it is recommended to use plugins that remove unnecessary advertisements and links to potentially malicious sources.

WannaCry continues its depressing march across the Web, infecting computers and encrypting important data. How to protect against ransomware and protect Windows from it, and have any patches or utilities been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. The damage from the virus attack totals $1 billion. In 2 weeks, the ransomware virus infected at least 300 thousand computers despite warnings and safety measures.

What is the 2017 ransomware? As a rule, you can "pick it up" on seemingly the most innocuous sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 system folder. From there, the program immediately disables the antivirus and adds itself to "Autostart". After each reboot, the ransomware is launched from the registry and begins its dirty work. The ransomware starts downloading similar copies of programs such as Ransom and Trojan. Self-replication of the ransomware is also common. This process can be instantaneous, or it can take weeks, until the victim notices that something is wrong.

The cryptor is often disguised as an ordinary picture or text file, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, or sometimes a .dll library. Most often the file has a completely harmless name, for example "document.doc" or "picture.jpg", where the visible extension is typed manually and the true file type is hidden.

After encryption is complete, instead of familiar files the user sees a set of "random" characters in the name and the contents, and the extension changes to a hitherto unknown one: .NO_MORE_RANSOM, .xdata and others.

2017 Wanna Cry ransomware virus: how to protect yourself. I would like to note right away that Wanna Cry is used here as a collective term for all ransomware and encryption viruses, since it has infected the most computers recently. So we will talk about protection from ransomware, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from the ransomware: EternalBlue via SMB protocol ports.

Protecting Windows from ransomware 2017 - basic rules:

  • Windows updates and a timely transition to a licensed OS (note: the XP version is no longer updated)
  • updating antivirus databases and firewalls on demand
  • utmost care when downloading any files (cute "cats" can cost you all your data)
  • backing up important information to removable media.

Ransomware virus 2017: how to cure and decrypt files.

If you are relying on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have so far found no solution to cure infected files. At the moment the virus can be removed with an antivirus, but there are no algorithms yet to return everything to the way it was.

Some people try decryptors such as the RectorDecryptor utility, but it will not help: an algorithm for decrypting the new viruses has not yet been developed. It is also completely unknown how the virus will behave if it is not removed before such programs are used. Often this can result in the erasure of all files, as a lesson from the virus authors to those who do not want to pay the cybercriminals.

At the moment, the most effective way to get the lost data back is to contact the technical support of the antivirus vendor whose software you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach an encrypted file and, if there is one, a copy of the original. This will help the programmers to work out the algorithm. Unfortunately, for many, a virus attack comes as a complete surprise and no copies are found, which greatly complicates the situation.

Radical methods of curing Windows of the ransomware. Unfortunately, sometimes you have to resort to fully formatting the hard drive, which entails a complete reinstallation of the OS. Many people would think of a system restore, but this is not an option: even if a "rollback" gets rid of the virus, the files will still remain encrypted.

The world of cybercrime is evolving from quantity to quality, with fewer new malicious programs but more sophistication. State intelligence services have joined the race in hacking technologies, which was confirmed by the largest incident of 2016-2017, the leak of cyber weapons from the NSA. It took hackers a matter of days to turn the publicly exposed tools of the special services to fraudulent purposes. High-profile information security incidents have drawn attention to the problem of data protection, and the global market for information security products continues to grow at a high rate.

At the moment, the growth of cybercrime in general is not as significant as it was in 2007-2010. "At that time, the number of malicious programs created really grew exponentially, hundreds and thousands of times higher than in previous years. In recent years we have reached a plateau, and the annual figures for the last three years have been stable," says Yuri Namestnikov, head of the Russian research center at Kaspersky Lab. "At the same time, several interesting processes are observed at once, which together give a feeling of a greater scope for hackers' actions," notes the CNews source.

Among the trends of 2016-2017, first of all, there has been a significant increase in the number of "state-sponsored" attacks aimed at espionage or critical damage to infrastructure. In the field of traditional cybercrime, the notable development is sophisticated targeted attacks against large companies and financial institutions, tailored to the unique IT landscape of a particular organization. In addition, ransomware that demands payment for decrypting data is very popular with cybercriminals. "In sum, these processes give a feeling of a greater scope for hackers' actions," comments Yuri Namestnikov.

NSA leak leads to epidemic

Of the events in the field of information security, the scandal over hackers' interference in the US elections attracted the most attention. The information security market is influenced not only by the economy but also by the geopolitical situation in the world, asserts Ilya Chetvertnev, Deputy Technical Director of Informzashita: "A striking example was the last US presidential election, which showed how hacking information systems can affect a country as a whole. Therefore, at present, the critical infrastructure of enterprises, targeted for industrial espionage, has been added to the classic targets of attacks."

In addition, in 2016 hackers from the Shadow Brokers group stole secret hacking tools from the computer networks of the American NSA (National Security Agency), with the source of the leak not established so far. Some of the tools were made publicly available, which led to dire consequences. In May 2017, an outbreak of the WannaCry worm broke out, spreading via the NSA's EternalBlue exploit, which exploits a previously unknown vulnerability in Windows. WannaCry encrypts data on the infected computer and demands a ransom in cryptocurrency. In total, hundreds of thousands of computers around the world were infected.

Lack of digital hygiene

According to Maxim Filippov, Business Development Director of Positive Technologies in Russia, after the publication of a new exploit it takes only 2-3 days before it is used by cybercriminals: "increasingly it is also modified by intruders, including for more effective covering up of traces."

"Attackers are shifting focus from application vulnerabilities to operating system vulnerabilities," says Security Code CTO Dmitry Zryachikh. "Information about these vulnerabilities is obtained by special services and then leaked to the free market. Moreover, the problem remains even after updates for the basic software are released: three months before the WannaCry outbreak, Microsoft released a patch that prevents infection, but despite this, WannaCry infected more than 500 thousand computers worldwide."

The problem is that many users ignore updates and do not install them on time. Alexey Grishin, Director of the Information Security Center at Jet Infosystems, notes the negative impact of the human factor: "Companies often forget about basic security, so-called digital hygiene: managing updates and vulnerabilities, antivirus protection, minimization of user rights, reasonable management of access rights, etc. In such conditions, even the latest security systems do not help."

In addition, modern companies do not always manage to properly organize the access rights of certain users. "Uncontrolled access by privileged users (both internal and external: contractors, support services, auditors, etc.) can lead to serious consequences. Customers have shared cases where their infrastructures practically slipped out of their control because of the omnipotence of contractors and the lack of proper organization of their work," says Oleg Shaburov, Head of the Cybersecurity Department at Softline Group.

Ransomware boom

WannaCry was not the only ransomware that became known in 2016-2017. Earlier, the malicious programs Petya and BadRabbit were widespread; they also encrypt data on a PC and demand a ransom in bitcoins for access to it. At the same time, attacks using BadRabbit were more targeted, affecting mainly computers at infrastructure facilities in Ukraine.

According to Kaspersky Lab, 32% of Russian companies were attacked by encryption programs over the past year, and in 37% of those cases significant amounts of data were encrypted. 31% of companies lost all their valuable data or were unable to restore access to a significant part of it. And 15% of the companies surveyed preferred to pay the ransom (although this does not guarantee the return of the files). "The main problem with ransomware today is that victims often agree to pay cybercriminals because they see no other way to regain access to their valuable data," comments Yury Namestnikov.

Investment in information security is growing

The last one and a half to two years have been rich in information security incidents, which contributed to the growth of investment in the protection of information systems. According to IDC, at the end of 2017 global revenue from the supply of information security products will increase by 8.2% to $81.7 billion. Similar figures are given by analysts at Gartner, who predict an increase of 7% to $86.4 billion by the end of the year. At the same time, the information security segment is developing faster than the IT market as a whole: according to Gartner, global IT spending will increase by only 2.4% by the end of 2017. The Russian market shows similar dynamics: according to the CNews Security rating, at the end of 2016 domestic information security supplies increased by 8% in dollar terms and by 18%.

The volume of the global information security market in 2016 and the forecast for 2017, in $ billion

On April 12, 2017, information appeared about the rapid spread around the world of a ransomware virus called WannaCry, which can be translated as "I want to cry". Users have questions about the Windows update against the WannaCry virus.

The virus on the computer screen looks like this:

The bad WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom of $300 or $600 to a Bitcoin wallet, supposedly to decrypt the computer. Computers in 150 countries of the world were infected, with Russia the most affected.

Megafon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organizations have come face to face with this virus. Among the victims are also ordinary Internet users.

Almost everyone is equal before the virus. The difference, perhaps, is that in companies the virus spreads across the entire local network within the organization and instantly infects as many computers as possible.

The WannaCry virus encrypts files on computers running Windows. Microsoft released the MS17-010 updates back in March 2017 for different Windows versions: XP, Vista, 7, 8, 10.

It turns out that those who have automatic Windows updates configured are outside the virus's risk zone, because they received the update in a timely manner and were able to avoid it. I don't presume to say that this is how it really is.
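As an added example (not from the original article), a PowerShell check a Windows administrator can run to see whether one of the MS17-010 updates named here is installed and whether SMBv1, the protocol EternalBlue targets, is still enabled. The KB numbers are the two the article mentions; Get-HotFix may not list later cumulative updates that superseded them, so a negative result should be confirmed in the Windows Update history.

```powershell
# Added example, not code from the original article.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or later,
# where Get-SmbServerConfiguration and Get-NetFirewallProfile exist.

# KB ids taken from the article; later cumulative updates supersede them.
$Ms17010Kbs = @('KB4012212', 'KB4012598')

# 1. Installed-update check. Get-HotFix reads the Win32_QuickFixEngineering
#    data, which lists many (not all) installed updates by KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("MS17-010 related update present: " +
                  ($installed.HotFixID -join ', '))
} else {
    Write-Warning ("None of " + ($Ms17010Kbs -join ', ') +
                   " found; check Windows Update history for a newer rollup.")
}

# 2. SMBv1 server status. EternalBlue abuses SMBv1, so a disabled SMBv1
#    server removes the attack surface even on an unpatched host.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1) {
    Write-Warning "SMBv1 server protocol is ENABLED. To disable it (if no legacy clients need it):"
    Write-Output  '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Output "SMBv1 server protocol is disabled."
}

# 3. Firewall profile state. A disabled profile leaves TCP 445 (SMB)
#    reachable from the network, which is how the worm spreads between hosts.
Get-NetFirewallProfile | Select-Object Name, Enabled
```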

Fig. 3. Message when installing update KB4012212

Update KB4012212 required a laptop reboot after installation, which I didn't really like, because I don't know how it could end, but what choice does the user have? However, the reboot went fine. This means that we live in peace until the next virus attack, and that there will be such attacks, alas, there is no reason to doubt.


In any case, it is important to have a place to recover the operating system and your files from.

Windows 8 update from WannaCry

For a laptop with licensed Windows 8, update KB 4012598 was installed, because