The ransomware is not confined to China or to universities. According to the National Network and Information Security Information Notification Center, tens of thousands of computers in more than 100 countries and regions have been infected.
The National Internet Emergency Center (CNCERT) issued an emergency announcement: the ransomware has penetrated and spread to end users, extorting bitcoin or other valuables and posing a serious threat. The center said it had begun monitoring the ransomware and the related network attacks, and advised users to install the security patches Microsoft has released for Windows promptly and to attend to the network perimeter, internal network segments, host assets and data backups.
A staff member of the Network Security Bureau of the Ministry of Public Security also said the bureau was aware of the matter and had launched an investigation; so far no report of this virus incident had been received. Netizens were advised to check their personal computers with network security tools and to strengthen their defenses to avoid losses from infection.
Student computer receives "ransom note"
At 6 p.m. on the 12th, CoCo Lee (a pseudonym), a junior at Nanchang University, turned on her computer to open a paper whose formatting her roommate had helped fix. She found the machine sluggish: saving was slow, and sometimes the screen went blank for half a minute.
"Then a ransom note suddenly appeared on the screen. You could choose Chinese, Korean, Japanese or English. The gist was that if you wanted to unlock your files, you had to pay the equivalent of $300 in bitcoin," CoCo Lee said. Most of her documents could no longer be opened, including her double-degree graduation thesis, her defense slides and some pictures with recorded information. Three students in her class ran into the same thing.
Zhang Hongli, a junior in the School of New Media, recalled connecting to the campus mobile network at 10 p.m. on the 12th to download a paper and finding that her computer had been infected.
"At that point the file extensions on the C drive had been changed. My first reaction was to copy the files that were still intact to an external hard disk. I didn't expect the backup disk to get infected too," she said. Installing a Microsoft patch did not help. "I hope to find a solution as soon as possible. There's really no way out except to reinstall the system."
The Beijing News learned that computers at Shandong University, Zhejiang University, Nanchang University, Ningbo University and many other universities have been hit. Documents on students' computers were locked, and the hacker left contact information stating that bitcoin must be paid to recover them.
A student at Huaiyin Institute of Technology said that while he was writing his graduation thesis a pop-up window suddenly appeared; afterwards the thesis and the papers he had downloaded from HowNet became unreadable. He tried to buy a repair service on Taobao, but the price was too high, so in the end he chose to rewrite the thesis.
More than 100 countries "infected"
Many netizens reported that gas stations in many parts of the country could not process online payments at the pump, so only cash was accepted.
Yesterday afternoon, several PetroChina staff said the group's network was undergoing emergency repairs because of a network failure; only cash and fuel cards could be used, and the fuel cards' top-up function was unavailable.
A staff member at PetroChina Liaoyang Petrochemical Company said that, according to a notice from the group, ransomware targeting the Windows operating system had appeared one after another on the night of the 12th, encrypting files and demanding ransom. The company's network and systems were currently suspended. Anyone finding a computer infected was to shut it down immediately and unplug the network cable; the network recovery time would be announced separately.
The virus attacks are not confined to China. The National Network and Information Security Information Notification Center issued a notice that a new "worm"-type ransomware broke out at 20:00 on the 12th and that tens of thousands of computers in more than 100 countries and regions had been infected.
Yesterday morning the Weibo account "Those Things in Britain" posted that, a little over an hour earlier, 16 hospitals in Britain had suffered a large-scale network attack: hospital intranets were breached, computers were locked, and phones could not get through. The hackers demanded a ransom of 300 bitcoins per hospital, failing which all information would be deleted. External contact with the 16 institutions was largely cut off, and internally they fell back on paper and pen under emergency plans. Britain's national cyber-security authority is investigating.
According to preliminary statistics Tencent's security department provided to the Beijing News, the "worm" has hit schools, hospitals, airports, banks, gas stations and other equipment in around a hundred countries, encrypting all files on the affected devices and causing heavy losses.
According to IT House, the infected areas are concentrated in China's central and southeastern coastal regions, continental Europe and the Great Lakes region of the United States, with China and continental Europe the most affected.
Explainer 1
The culprit is the "EternalBlue" exploit
Yesterday morning Zhou Hongyi, chairman of 360, posted on Weibo that the ransomware was spreading by means of the "EternalBlue" hacking tool leaked from the NSA. "EternalBlue" attacks Windows port 445 (file sharing) remotely: on a system without Microsoft's March patch, an attacker can execute arbitrary code and implant malware such as ransomware simply because the machine is connected to the Internet.
The National Internet Emergency Center (CNCERT) said it had detected the ransomware and the related attacks: on the 13th, between 9:30 and 12:00, about 11,000 IP addresses in China and abroad were attacked with "EternalBlue", and more than 9,300 IP addresses launched attack attempts.
The center announced that the ransomware penetrates and spreads to end users by exploiting the previously disclosed Windows SMB service vulnerability and extorts bitcoin or other valuables. Many domestic users, including universities, energy companies and other important information systems, have been attacked, posing a serious security threat to China's Internet.
According to Xinhua News Agency, no hacker group has claimed the attack. The industry's understanding, however, is that the exploit came from the arsenal of the US National Security Agency (NSA), which was leaked and exposed last month. The NSA has not responded; the computer emergency readiness team of the US Department of Homeland Security said it was closely following the incident, which has spread worldwide.
Explainer 2
Encrypting files to extort a high "ransom"
Tencent security experts pointed out that the incident is in fact a worm attack. Once the worm lands on a machine that can reach the public network, it uses its built-in "EternalBlue" attack code to automatically hunt for machines with port 445 open and penetrate them. Each vulnerable machine it finds is used both to spread the worm further and to deliver the ransomware, so that all files on the victim's machine end up encrypted.
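The fan-out pattern Tencent describes, one source probing many neighbours on TCP 445 in quick succession, is visible in an ordinary Windows Firewall log. The script below is an added example, not code from the article or from Tencent: it parses the firewall's pfirewall.log format (field order taken from the log's own "#Fields:" header) and flags any source that touches more than a threshold number of distinct hosts on an SMB port. The log lines it runs on are constructed for the demo; the host names, addresses and the `MinTargets` threshold are assumptions.

```powershell
# Added example (not from the article): spot WannaCry-style SMB fan-out in a
# Windows Firewall log (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
# Field order follows the log's "#Fields:" header. All lines are constructed.

function Get-ConstructedFirewallLog {
    $lines = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
    # 10.20.3.7 behaves like an infected host: 30 SYNs to 30 neighbours on 445 in one minute.
    foreach ($i in 1..30) {
        $lines += "2017-05-13 09:31:$('{0:d2}' -f ($i % 60)) DROP TCP 10.20.3.7 10.20.5.$i $(49000 + $i) 445 52 S 1 0 8192 - - - RECEIVE"
    }
    # A legitimate file-server client: many connections, but all to one server.
    foreach ($i in 1..12) {
        $lines += "2017-05-13 09:32:$('{0:d2}' -f $i) ALLOW TCP 10.20.4.11 10.20.1.5 $(52000 + $i) 445 52 S 1 0 8192 - - - RECEIVE"
    }
    # Unrelated traffic the parser must ignore (non-SMB port, non-TCP).
    $lines += '2017-05-13 09:33:01 ALLOW TCP 10.20.4.11 93.184.216.34 52100 443 52 S 1 0 8192 - - - SEND'
    $lines += '2017-05-13 09:33:02 DROP UDP 10.20.3.7 10.20.255.255 137 137 78 - - - - - - - RECEIVE'
    $lines
}

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinTargets = 10,            # distinct hosts a source must touch before it is flagged (assumed)
        [int[]]$SmbPorts = @(445, 139)
    )
    $smbHits = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }             # header or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP') { continue }
        if ($f[7] -notmatch '^\d+$') { continue }              # ICMP rows carry '-' for ports
        if ($SmbPorts -notcontains [int]$f[7]) { continue }
        [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Src = $f[4]; Dst = $f[5]; Port = [int]$f[7] }
    }
    $smbHits | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        if ($targets.Count -ge $MinTargets) {
            [pscustomobject]@{
                Source        = $_.Name
                DistinctHosts = $targets.Count
                Attempts      = $_.Count
                # DROP-only means the firewall held; any ALLOW means a probe reached the SMB service.
                Allowed       = @($_.Group | Where-Object Action -eq 'ALLOW').Count
                FirstSeen     = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                LastSeen      = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
            }
        }
    }
}

# Demo run on the constructed log: only 10.20.3.7 (30 distinct hosts) is reported;
# the file-server client with 12 connections to a single host is not.
Find-SmbScanners -Lines (Get-ConstructedFirewallLog) | Format-Table -AutoSize

# On a real host (logging of dropped and allowed packets must be enabled first):
# Find-SmbScanners -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Grouping on distinct destinations rather than on raw connection count is what separates a worm from a busy file-server client: the client in the sample makes a dozen connections but to one host, while the worm touches one host per attempt. Lower `MinTargets` on small subnets, and read the `Allowed` column before the `Attempts` column when triaging.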
Experts at 360 Security Guard pointed out that the "EternalBlue" ransomware consists mainly of the ONION and WNCRY families. Files on the victim's disks have their extensions changed to the corresponding suffixes, and pictures, documents, videos, archives and so on can no longer be opened normally; only by paying the ransom can they be decrypted and restored. The two families demand ransoms of 5 bitcoins (about 50,000 yuan) and $300 respectively.
According to 360's data, the ONION virus appeared in China first, with an average of about 200 attacks per hour and a nighttime peak of more than 1,000 per hour. The WNCRY ransomware is a new global attack launched on the 12th; it spread rapidly across China's campus networks, with about 4,000 attacks per hour at the evening peak.
An executive of a well-known Chinese bitcoin company cautioned that it is unclear whether an attacked computer can be unlocked after bitcoin is paid. At present many domestic bitcoin exchanges cannot withdraw bitcoin; anyone wanting to buy bitcoin to unlock a computer would need to pick an exchange that allows withdrawals, or suffer a second loss.
Explainer 3
Exposed ports make universities the "hardest-hit area"
According to the National Internet Emergency Center, the attack was carried out mainly via port 445, which more than 9 million IP hosts on the Internet expose (the port is open), over 3 million of them in mainland China.
The Network Information Security Working Group of the Education Informatization Branch of the China Higher Education Society issued a statement that, on preliminary investigation, this ransomware exploits an SMB vulnerability to spread over port 445; some schools had multiple systems infected, with a large amount of important information encrypted.
Zuo Xiaodong, vice president of the China Information Security Research Institute, said that because many worms have spread over port 445 in China, some operators block the port for individual subscribers. The education network has no such restriction, so a large number of machines expose the port and it became the hardest-hit area.
Fan Yuan, founder and president of Hangzhou Anheng Information Technology Co., Ltd., said that certain industry networks did not restrict port 445, so the attack became "effective" there, affecting many schools and a few medical institutions. "It can be prevented by installing the patch Microsoft released, but for users already attacked it remains a problem." He added that sporadic ransomware had been detected some time ago and most organizations may not have paid enough attention.
Tsinghua University "escaped" thanks to a block: on April 15th the school blocked TCP ports 139, 445 and 3389 to keep hosts on the campus network from being attacked. Yesterday it announced that the two recent large-scale global security incidents had caused no large-scale harm to its campus network or users.
Tips
Six steps to resist "ransomware"
The security working group proposed two preventive measures. Without upgrading the operating system (not recommended; a temporary mitigation only): enable Windows Firewall, go to its advanced settings, and disable the "File and Printer Sharing" rules under inbound rules. By upgrading the operating system (recommended): teachers and students should use automatic updates to bring Windows to the latest version.
For schools and other institutions, it recommends configuring the routing equipment at the border exit to block external connections to campus-network ports 135/137/139/445, and configuring the routing equipment on the campus core backbone to block connections to the same ports.
Tencent security experts pointed out that Microsoft has released patches for all mainstream systems, and advised users to apply them with Tencent PC Manager and to keep its protection turned on.
The National Internet Emergency Center advises users to install the security patches Microsoft has released for Windows promptly and to do the following:
1. Cut off external access to port 445 (and the associated ports 135, 137 and 139), and close unnecessary service ports on servers;
2. Strengthen access auditing for port 445 and similar ports on internal network segments, so that unauthorized activity or attacks in progress are discovered promptly;
3. Install operating system patches promptly;
4. Install antivirus software and keep it updated;
5. Do not casually open e-mails of unknown origin;
6. Regularly back up business systems and personal data to separate storage media.
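The host-side parts of the advice above (the working group's firewall mitigation, and CNCERT's steps 1 to 3) can be checked and applied from PowerShell. The script below is an added example, not code from the article, CNCERT or the working group. It assumes an elevated PowerShell on Windows 8.1/Server 2012 R2 or later with the NetSecurity and SmbShare modules; the KB numbers are the MS17-010 update packages for Windows 7/2008 R2, 8.1/2012 R2, 2012 and the out-of-band XP/2003 release (Windows 10 received the fix in cumulative updates, so check the OS build there rather than relying on Get-HotFix). The rule names are assumptions.

```powershell
# Added example (not from the article): apply the host-side steps from the advisory.
# Run elevated. Assumes Windows 8.1 / Server 2012 R2 or later.

# Step 3 (patch): is any MS17-010 package present? (Win10: verify the cumulative update / build instead.)
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
$present = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($present) { "MS17-010 installed: $($present.HotFixID -join ', ')" }
else          { Write-Warning 'No MS17-010 update found: install it before anything else' }

# The vulnerable protocol itself: report and disable SMBv1 on the server side.
$smb = Get-SmbServerConfiguration
"SMBv1 enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Working-group mitigation: firewall on for every profile and the
# "File and Printer Sharing" inbound rules disabled.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule

# Step 1: explicit block rules for the ports the advisory names.
# Block rules take precedence over allow rules in Windows Firewall, so these hold
# even if a sharing rule is re-enabled later. If LAN file sharing must stay,
# narrow -RemoteAddress to the untrusted ranges instead of Any.
$blocks = @(
    @{ Name = 'Block inbound SMB/RPC (TCP 135,139,445)'; Protocol = 'TCP'; Port = 135,139,445 },
    @{ Name = 'Block inbound NetBIOS (UDP 137,138)';     Protocol = 'UDP'; Port = 137,138 }
)
foreach ($b in $blocks) {
    if (-not (Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $b.Name -Direction Inbound -Action Block `
            -Protocol $b.Protocol -LocalPort $b.Port -RemoteAddress Any -Profile Any | Out-Null
    }
}

# Step 2 (audit): what is still listening on the SMB/RPC ports, and turn on
# firewall logging of both dropped and allowed packets so the log can be reviewed.
Get-NetTCPConnection -State Listen -LocalPort 445,139,135 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

Two caveats a practitioner will hit: disabling the "File and Printer Sharing" rules also breaks legitimate shares and printers on that host, which is why the working group labels it a stop-gap and the patch the real fix; and port 445 still shows as listening after the rules are added, because the firewall blocks reachability, not the service, so confirm from another machine with `Test-NetConnection -ComputerName <host> -Port 445` rather than from the host itself.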