How does the ransomware spread? What is the ransomware?
On May 12, a ransomware attack hit computers in many countries around the world, leaving many of them paralysed. Some readers may not know what this ransomware is, how it spreads, or how to deal with it, so let me introduce it.

Hospital employees said that windows popped up on their computer screens. The hacker's message said that the hospital's computers had been taken over and that a ransom had to be paid to prevent all files from being deleted.

The same attack spread rapidly, and Italy and Russia were attacked by ransomware one after another.

Who made ransomware? Who sent the blackmail virus?

The virus's distributor used EternalBlue, a Windows hacking tool designed by the National Security Agency (NSA) and stolen last year, to upgrade a ransomware in February 2017. Infected Windows users must pay a ransom in Bitcoin within 7 days, otherwise the computer's data is deleted completely and cannot be recovered. The ransomware demands the equivalent of $300 in Bitcoin within three days of infection, and the "ransom" doubles after three days. The NHS officially announced that the ransomware that attacked its systems is called WannaCry or Wanna Decryptor.

In China, campus networks have become the hardest-hit area for the ransomware.

In China, campus networks have become a place where the ransomware runs rampant. At around 8 pm on May 12, some domestic college students reported that their computers had been attacked by the virus and their files encrypted; the attacker said they had to pay Bitcoin to unlock them. At present, Hezhou College, Guilin University of Electronic Technology, Guilin Institute of Aerospace Industry, Dalian Maritime University and Shandong University are affected. With graduation season under way, Beichen reminded college students to back up their graduation theses in time, raise the security level of their computers and avoid losses.

According to analysis by the 360 Security Center, the campus-network ransomware was spread with the "EternalBlue" hacking weapon leaked from the NSA. "EternalBlue" can remotely attack Windows port 445 (file sharing). If the Microsoft patch from March of this year is not installed, no action by the user is needed: as long as the computer is switched on, EternalBlue can execute arbitrary code and implant malicious programs such as ransomware on it.

Why has the campus network become the hardest hit area?

Monitoring data on ransomware events in campus networks from 360 shows that the ONION ransomware was the first to appear in China, attacking about 200 times per hour on average and more than 1,000 times per hour at the night-time peak; the WNCRY ransomware was a new worldwide attack that began on the afternoon of May 12 and spread rapidly across China's campus networks, with about 4,000 attacks per hour at the evening peak.

Because many worms have spread through port 445 in China before, some operators have blocked port 445 for individual users. The education network has no such restriction, so it contains a large number of machines with port 445 exposed and has become the hardest-hit area for criminals using the NSA hacking weapons. During the graduation season at colleges and universities, the ransomware encrypted and tampered with some recent graduates' theses, directly affecting their graduation defences.

At present, the ransomware spread by "EternalBlue" consists mainly of the ONION and WNCRY families. Files on the victim machine's disks are renamed with the corresponding extension, and materials of all kinds, such as pictures, documents, videos and compressed archives, can no longer be opened normally. Only by paying the ransom can they be decrypted and restored.

How to deal with ransomware?

Microsoft released a patch in March of this year for the Windows vulnerabilities exploited by the NSA hacking weapons. Earlier, the 360 Security Center also launched the "NSA Arsenal Immunization Tool" (NSA Arsenal Immunization Tool: /nsa/nsatool.exe). The immunization tool can close the exploited port and prevent the computer from being implanted with malicious programs such as ransomware via the NSA exploits. Computer users are advised to use the 360 "NSA Arsenal Immunization Tool" for defence as soon as possible.
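The article's point that the education network is full of machines with port 445 still reachable suggests a simple audit a campus administrator can run against their own inventory. The following is an added example, not code from the article or from 360; the host list is constructed and the helper names are my own.

```python
"""Audit which of your own hosts still expose TCP 445 (SMB) on the network.

Added example for defenders: run it against an inventory of machines you
administer to find those that still need the March patch or a firewall
rule blocking port 445. The addresses below are constructed placeholders.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445  # the file-sharing port EternalBlue attacks, per the article


def port_reachable(host: str, port: int = SMB_PORT, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable or DNS failure
        return False


def find_exposed(hosts, port: int = SMB_PORT, timeout: float = 1.0,
                 workers: int = 32) -> dict:
    """Map each host to whether the port is reachable, probing in parallel."""
    hosts = list(hosts)  # materialise once; we iterate it twice below
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_reachable(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def report(exposure: dict) -> list:
    """Return the sorted list of hosts that still expose the port."""
    return sorted(host for host, is_open in exposure.items() if is_open)


if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses); replace with your own hosts.
    inventory = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    exposed = report(find_exposed(inventory))
    print("Hosts with TCP 445 reachable (patch or block them):", exposed)
```

Hosts that show up as reachable are the ones to patch first or to put behind a firewall rule, exactly the exposure the article says the education network failed to restrict.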

A Bitcoin black-market industry chain?

Security experts have found that the ONION ransomware also spreads together with a cryptocurrency miner (computation that generates virtual currency) and a remote-control Trojan, forming a Trojan "bundle" that combines mining, remote control, extortion and other malicious behaviour. It picks out high-performance servers for mining profit, while ordinary computers have their files encrypted for ransom, maximising the economic value squeezed from each compromised machine.

According to foreign media reports, the Bitcoin accounts linked to the ransomware have collected a great deal of money. Demanding payment in Bitcoin also highlights the characteristic that Bitcoin cannot be tracked by the regulatory authorities.