According to photos posted by users on social media, the ransomware locked the computer, displayed the message "Oops, your files have been encrypted!" and demanded bitcoin worth $300.
This is understood to be an extremely popular attack method in recent years: extortion that relies on a strong encryption algorithm.
Unlike previous attacks, this ransomware spreads as a worm, exploiting the MS17-010 vulnerability recently leaked from the National Security Agency (NSA), so a victim can be attacked without downloading, viewing or opening any files.
Computers in many universities in China have been invaded by viruses.
The China National Internet Emergency Center also said that the ransomware attack has affected domestic users (many case reports from universities have been received) and constitutes a serious threat.
From the evening of May 12, teachers and students at many universities in China found that the files and programs on their computers could not be opened; instead a dialog box popped up demanding a ransom, such as bitcoin, to restore them.
At present, more than a dozen colleges and universities such as Shandong University, Nanchang University, Guangxi Normal University, Dongbei University of Finance and Economics, and Zhongshan College of University of Electronic Science and Technology of China have issued virus attack notices to remind teachers and students to take precautions.
Some colleges and universities have reported that many institutions in China have recently been infected with the "onion" ransomware virus: the files on the disk are encrypted by the virus and given the .onion suffix, and the documents can only be decrypted by paying a high ransom, which has caused serious losses of study materials and personal data. According to the Cyber Security Bureau, this is a virus attack launched by criminals using the "EternalBlue" exploit leaked from the NSA hacking arsenal.
The computers attacked at home and abroad were all hit by the same virus.
In the documents leaked from the NSA, the exploit code that WannaCry uses to propagate is called "EternalBlue", so some media reports call this attack "EternalBlue".
However, this WanaCry2.0 series of attacks is actually a worm attack with the same power as Conficker. Once the worm has compromised a machine that users can reach from the public network, it uses its built-in EternalBlue attack code to automatically find machines on the intranet with port 445 open and penetrate them.
The China National Internet Emergency Center said that when a user's host system is compromised by the ransomware, important data files on the host, such as photos, pictures, documents, compressed archives, audio, video, executable programs and other files, are maliciously encrypted and their suffix is changed to ".WNCRY".
Why were domestic colleges and universities the "hardest hit" this time?
It is reported that the network that major universities usually access is an educational research network that serves education, scientific research and international academic exchanges. For academic purposes, most of this backbone network did not take precautions against port 445, which is one of the reasons why colleges and universities have become the hardest hit areas this time.
In addition, if the firewall on the user's computer is enabled, it will also block the computer from receiving data on port 445. In domestic colleges and universities, some students sometimes need to turn off the firewall in order to play LAN games, which is another reason why this incident spread so wildly on domestic campuses.
By contrast, the major network operators habitually block port 445 traffic in the ISP policy of the backbone network, which plays an important role in preventing the spread of worm-type viruses; in this incident, that practice indirectly reduced the risk brought by the vulnerability.
What if the computer is infected with ransomware?
According to a census by the Secretariat of the National Information Security Vulnerability Sharing Platform (CNVD) in China, there are more than 9 million IP hosts on the Internet with port 445 exposed (the port is open), and more than 3 million of them are in mainland China.
According to foreign media reports, a network security researcher claimed that he had found a way to stop the spread of the virus, but warned that it was only temporary.
The China National Internet Emergency Center said that the security industry has not yet been able to effectively break the malicious encryption used by the ransomware. Once a user's host is infiltrated by the ransomware, it can only be cleaned by reinstalling the operating system, and the user's important data files cannot be directly recovered.
Like previous ransomware attacks, this virus uses a high-strength encryption algorithm, so recovering files afterwards is very difficult, and the focus must be on prevention in advance.
Update in time
Windows has released a security patch.
When the MS17-010 vulnerability was first exposed in March, Microsoft had already provided security updates for systems such as Windows 7 and Windows 10. After this incident broke out, Microsoft also quickly released special patches for Windows XP and other systems it no longer officially supports.
It is best to install security software on the computer and keep the real-time monitoring function on, which can intercept the intrusion of Trojans and viruses.
Windows 7 users can open the Control Panel and go to Windows Firewall, then Advanced Settings, Inbound Rules, New Rule; select "Port", select "Specific local ports" under "Protocol and Ports", enter 445, click Next, choose "Block the connection", click Next through the remaining steps, and name the rule. This completes the closing of port 445.
Close port 445 (and other related ports such as 135, 137 and 139), and close unnecessary service ports on servers;
Strengthen access auditing of port 445 (and other related ports such as 135, 137 and 139) within the internal network area, so that unauthorized behaviour or potential attacks are discovered in time;
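The firewall steps and the port-closing and audit recommendations above, as an added PowerShell example that is not part of the original article. It uses the built-in netsh advfirewall commands (available on Windows 7 and later) to add the inbound block rules, and reads the Windows Firewall log format to find internal hosts that probe port 445 on many neighbours, which is how a worm like the one described behaves. The sample log lines are constructed for the example, and the function and rule names are the author's own.

```powershell
# Added example, not from the original article. Requires an elevated prompt.
$SmbPorts = 445, 135, 137, 139   # ports named in the article

function Block-SmbInbound {
    foreach ($port in $SmbPorts) {
        foreach ($proto in 'TCP', 'UDP') {
            $name = "Block inbound $proto $port (MS17-010 mitigation)"
            netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=$proto localport=$port | Out-Null
        }
    }
    # The rule is useless if the firewall itself is off (the LAN-game case above),
    # so force it on for every profile.
    netsh advfirewall set allprofiles state on | Out-Null
}

function Find-Smb445Scanners {
    # Flags any source that sent TCP connections to port 445 on $MinTargets or more
    # distinct hosts, based on lines in pfirewall.log (W3C format).
    param([string[]]$LogLines, [int]$MinTargets = 3)
    $targetsBySource = @{}
    foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        # fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        if (-not $targetsBySource.ContainsKey($f[4])) { $targetsBySource[$f[4]] = @{} }
        $targetsBySource[$f[4]][$f[5]] = $true
    }
    $targetsBySource.GetEnumerator() |
        Where-Object { $_.Value.Count -ge $MinTargets } |
        ForEach-Object { [pscustomobject]@{ Source = $_.Key; Targets = $_.Value.Count } }
}

# Constructed sample log lines (not real traffic). 10.1.2.3 sweeps three hosts on 445;
# 10.1.2.9 makes a single, normal-looking SMB connection and is not flagged.
$sample = @(
    '2017-05-13 09:12:01 DROP TCP 10.1.2.3 10.1.2.50 49152 445 52 S 0 0 0 - - - RECEIVE',
    '2017-05-13 09:12:01 DROP TCP 10.1.2.3 10.1.2.51 49153 445 52 S 0 0 0 - - - RECEIVE',
    '2017-05-13 09:12:02 DROP TCP 10.1.2.3 10.1.2.52 49154 445 52 S 0 0 0 - - - RECEIVE',
    '2017-05-13 09:12:05 ALLOW TCP 10.1.2.9 10.1.2.20 50001 445 0 - 0 0 0 - - - RECEIVE',
    '2017-05-13 09:12:06 ALLOW UDP 10.1.2.9 10.1.2.255 137 137 78 - - - - - - - RECEIVE'
)
Find-Smb445Scanners -LogLines $sample      # reports Source 10.1.2.3, Targets 3
```

To run against the real log, pass `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` as `-LogLines`; firewall logging of dropped and allowed connections must be enabled in the firewall profile settings first.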
Because Microsoft has stopped security updates for some operating systems, it is recommended to check Windows XP and Windows Server 2003 hosts (the MS17-010 update is no longer supported for them) and move them to an alternative operating system; and to do a good job of backing up information system business data and personal data.