“I want to cry”: the virus attacked the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, Russian Railways, Sberbank and Megafon
In addition to telecommunications companies, Russian law enforcement agencies - the Ministry of Internal Affairs and the Investigative Committee - became victims of hacker attacks, according to sources from RBC, as well as Gazeta.Ru and Mediazona.
RBC's source in the Ministry of Internal Affairs spoke about an attack on the department's internal networks. According to him, mainly the ministry's regional departments were attacked. He clarified that the virus affected computers in at least three regions of the European part of Russia. The source added that the attack should not affect the work of the Ministry. Another RBC source at the ministry said that hackers could have gained access to the Ministry's databases, but it is not known whether they managed to download information from there. The attack affected only those computers on which the operating system had not been updated for a long time, a source at the department said. The work of the ministry is not paralyzed, but it is greatly hampered.
In Germany, hackers attacked the services of Deutsche Bahn, the country's main railway operator. This was reported by the ZDF TV channel, citing the country's Ministry of Internal Affairs.
The US Department of Homeland Security offered partners technical support and assistance in the fight against the WannaCry ransomware.
What kind of virus?
According to a statement from Kaspersky Lab, the virus in question is the WannaCry ransomware. “As the analysis showed, the attack occurred through a known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, which the attackers used to launch an encryption program,” the company said.
“All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the ransomware used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (the System Watcher component must be enabled to detect this malware),” the company noted.
To reduce the risk of infection, Kaspersky Lab experts advise users to install the official Microsoft patch that closes the vulnerability used in the attack, and, to prevent such incidents, to use threat intelligence services so as to receive timely data on the most dangerous attacks and possible infections.
Microsoft also commented on the attack. “Today our experts added detection and protection against a new malware known as Ransom:Win32.WannaCrypt. In March we also introduced additional protection against this type of malware with a security update that prevents the malware from spreading across the network. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional help,” says a statement from a Microsoft representative in Russia received by RBC.
A representative of Solar Security told RBC that the company sees the attack and is currently examining a sample of the virus. “We are not ready to share details right now, but the malware was clearly written by professionals. It cannot yet be ruled out that it is something more dangerous than ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the source said. According to him, the damage from the virus is “enormous”: it has affected large organizations in 40 countries, but an accurate assessment is impossible yet, since the capabilities of the malware have not been fully studied and the attack is still unfolding.
Group-IB CEO Ilya Sachkov told RBC that ransomware like the one used in the current attack is a growing trend. In 2016, the number of such attacks increased more than a hundredfold compared to the previous year, he said.
Sachkov noted that, as a rule, infection in such cases occurs through email. Speaking about WannaCry, the expert noted that this ransomware has two features. “Firstly, it uses the ETERNALBLUE exploit, which was published by the Shadow Brokers hacker group. A patch closing this vulnerability for Windows Vista and later became available on March 9 as part of bulletin MS17-010. There will be no patch for older operating systems such as Windows XP and Windows Server 2003, since they are no longer supported,” he said.
“Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malware will spread there too, hence the avalanche-like nature of the infections,” Sachkov added.
Protection against such attacks, according to Sachkov, can be ensured by “sandbox” solutions, which are installed on the organization's network and scan all files sent to employees' email or downloaded from the Internet. In addition, the expert recalled, it is important to brief employees on the basics of “digital hygiene”: do not install programs from unverified sources, do not insert unknown flash drives into the computer, do not follow dubious links, update software on time and do not use operating systems that are no longer supported by the manufacturer.
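Sachkov's description of the worm sweeping networks for vulnerable hosts suggests a simple network-side check. Below is an added example, not code from any of the sources quoted here: it parses a constructed key=value connection log and flags any source that reaches many distinct hosts on TCP/445 within a short window, which is how a scanning worm looks to a firewall, while a client that repeatedly talks to one file server is left alone. The log format, the internal address range and the thresholds are assumptions.

```python
"""Flag hosts showing worm-style SMB fan-out: many distinct peers on TCP/445 in a short time."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed log format (constructed for this example, not any vendor's):
#   2017-05-12T14:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\w+$"
)
# Address space the defender treats as internal (an assumption for the sample).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_scanners(log_text, window=timedelta(seconds=60), min_targets=10):
    """Map each suspicious source to {"targets": n, "external": [...]}.

    A source is suspicious when it contacted at least min_targets distinct
    hosts on TCP/445 inside some span no longer than window. A client that
    hammers a single file server stays below the threshold; a worm sweeping
    a subnet does not. Non-internal targets are listed separately, since the
    text notes that WannaCry also scanned the Internet for victims.
    """
    events = defaultdict(list)  # src -> [(ts, dst)] for port-445 flows only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 445:
            events[rec[1]].append((rec[0], rec[2]))

    hits = {}
    for src, flows in events.items():
        flows.sort()
        best = 0
        for i, (t0, _) in enumerate(flows):  # sliding window anchored at each flow
            seen = {dst for ts, dst in flows[i:] if ts - t0 <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            external = sorted({dst for _, dst in flows if not is_internal(dst)})
            hits[src] = {"targets": best, "external": external}
    return hits


def constructed_log():
    """Sample traffic: one scanner, one busy-but-normal client, one light user."""
    t = datetime(2017, 5, 12, 14, 0, 0)
    fmt = "{} src={} dst={} dport=445 proto=tcp".format
    lines = []
    # 10.0.0.5 sweeps 12 internal hosts plus two Internet hosts in under 30 seconds
    sweep = ["10.0.0.%d" % n for n in range(20, 32)] + ["203.0.113.7", "198.51.100.9"]
    lines += [fmt((t + timedelta(seconds=2 * i)).isoformat(), "10.0.0.5", d) for i, d in enumerate(sweep)]
    # 10.0.0.9 opens 20 flows to the same file server: not a scan
    lines += [fmt((t + timedelta(seconds=i)).isoformat(), "10.0.0.9", "10.0.0.100") for i in range(20)]
    # 10.0.0.7 reaches three printers, five minutes apart: too slow to matter
    lines += [fmt((t + timedelta(minutes=5 * i)).isoformat(), "10.0.0.7", "10.0.0.%d" % (40 + i)) for i in range(3)]
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_LOG).items():
        print(src, info)
```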
Who's to blame
It is not yet clear who is behind the large-scale cyber attack. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack that occurred on May 12. WikiLeaks previously announced this possibility.
In turn, the Romanian authorities said that behind the attempted attack could be an organization “associated with the cybercrime group APT28/Fancy Bear,” which is traditionally classified as “Russian hackers.”
The Telegraph suggests that the Shadow Brokers group, linked to Russia, may be behind the attack. They link this to hackers' claims in April that they had stolen a "cyber weapon" from the US intelligence community, giving them access to all Windows computers.
12 May 2017, 19:43. Computer systems of the Ministry of Internal Affairs and Megafon were subject to a virus attack
The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.
Mediazona's source in the Ministry of Internal Affairs confirmed that departmental computers were infected. According to him, departments in several regions are affected.
Earlier, information about a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, this is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands that the user buy a special decryptor for bitcoins; otherwise the files will be deleted.
According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different from previous versions.”
The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.
Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.
Varlamov's website notes that reports have also appeared of infected computers in public hospitals in several regions of the UK and an attack on the Spanish telecommunications company Telefonica. In both cases, the virus also demands payment.
Microsoft noted that a March update had already provided additional protection against such viruses.
“Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance,” the company added.
Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus exploits a Windows network vulnerability that Microsoft specialists closed back in March.
The Ministry of Internal Affairs confirmed hacker attacks on its computers
The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.
According to Irina Volk, press secretary of the Ministry of Internal Affairs, the Ministry's Department of Information Technology, Communications and Information Protection recorded a virus attack on Ministry computers running the Windows operating system.
“Thanks to timely measures, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the Ministry's server resources were not infected because they run on other operating systems.
“At the moment the virus has been localized; technical work is under way to eliminate it and update the antivirus protection tools,” the ministry's press secretary said.
More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.
At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware, Meduza writes. At the rate of $1,740 per bitcoin at 10:00 p.m. Moscow time, this amount is $6,090.
Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.
The three wallets received 20 transactions on May 12. Mostly 0.16-0.17 bitcoins were transferred to them, which equals approximately $300, the amount the hackers demanded in a pop-up window on infected computers.
Avast counted 75 thousand attacks in 99 countries
IT company Avast reported on its website that the WanaCrypt0r 2.0 virus has infected 75 thousand computers in 99 countries.
Most of the infected computers are in Russia, Ukraine and Taiwan.
Thirteen hours ago, a post appeared on the blog of computer security specialist Brian Krebs recording bitcoin transfers to the hackers totaling 26 thousand US dollars.
Europol: 200 thousand computers in 150 countries were attacked by a virus
In three days, more than 200 thousand computers in 150 countries have been infected with the WannaCry virus, Europol Director Rob Wainwright said in an interview with the British TV channel ITV. His words are quoted by Sky News.
“The spread of the virus around the world is unprecedented. According to the latest estimates, we are talking about 200 thousand victims in at least 150 countries, and among these victims are enterprises, including large corporations,” Wainwright said.
He suggested that the number of infected computers would likely increase significantly when people returned to work on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.
In China, the virus attacked the computers of 29 thousand institutions
The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, the Xinhua agency reports, citing data from the Qihoo 360 computer threat assessment center.
According to the researchers, computers at more than 4,340 universities and other educational institutions were affected. Infections were also observed on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.
“There was no significant damage for us, for our institutions, neither for banking, nor for the healthcare system, nor for others,” Putin said.
“As for the source of these threats, in my opinion Microsoft's management stated it directly: they said that the primary source of this virus is the intelligence services of the United States. Russia has absolutely nothing to do with it. It is strange for me to hear anything different under these conditions,” the president added.
Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”
Clones of the WannaCry virus have appeared
Two modifications of the WannaCry virus have appeared, Vedomosti writes, citing Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware but by other hackers trying to take advantage of the situation.
The first modification began to spread on the morning of May 14; Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass the piece of code that was used to stop the first wave of infections, the company noted.
Bloomberg also writes about the virus clones. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.
According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.
The WannaCry virus could have been created by the North Korean hacker group Lazarus
The WannaCry ransomware could have been created by hackers from the North Korean group Lazarus, according to Kaspersky Lab's specialist website.
Company specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to similarities between two samples: they share common code. The tweet cites a WannaCry ransomware sample dated February 2017 and a Lazarus group sample dated February 2015.
“The detective story is getting tighter and tighter, and now the same code has been found in #WannaCry and in Trojans from Lazarus.”
MegaFon's director of public relations, Petr Lidov, told Kommersant that the company's office in the capital was subject to a hacker attack. “The computers crashed and a lock screen appeared on them asking for $300 to unlock,” he said. Then came reports that the same thing had happened to subscribers of the Telefonica and Vodafone operators in Spain.
According to Lidov, specialists had to shut down the networks at some stage to prevent the virus from spreading further. “A number of regions were affected; the rest had to be temporarily shut down as a precaution. This affected retail and customer support, because operators naturally use PCs to access databases. The call centers have been restored. Communications and personal accounts were not affected,” Lidov said.
As Boris Ryutin, a researcher at Digital Security, told Kommersant, MalwareHunterTeam experts and other independent researchers agree that this is malware of the ransomware type, that is, an extortion virus. “The danger of infection is that, depending on the implementation, the user's files may be irretrievably lost,” he clarified.
“We see the attack, and the virus is very complex; at the moment we are developing recommendations for countermeasures,” Solar Security told Kommersant. “The virus is very complex, and it cannot yet be ruled out that it is something more dangerous than simple ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the company added.
Microsoft representative Kristina Davydova told Kommersant that specialists have added detection and protection against a new malware known as Ransom:Win32.WannaCrypt. “In March we also introduced additional protection against malware of this nature with a security update that prevents the malware from spreading across the network,” she said.
Malicious software is the general name for all software whose purpose is to cause damage to the end user.
Attackers keep coming up with new, cunning ways of distributing malware, most of which is developed for the Android operating system. You can “catch” a virus not only on some dubious site, but also by receiving a message with a link from someone you know (a friend, relative or colleague).
One modification of malware for Android smartphones and tablets, once on your mobile device, first sends a link with a friendly message (“Check out the link!” or “My photo for you”) to your entire contact list. Anyone who follows the link receives the virus on their smartphone.
But most often, criminals pass off Trojans as useful applications.
What is the threat of the virus?
The resulting Trojan can not only send SMS to your friends but also drain your account. Banking Trojans are among the most dangerous: any gadget owner who uses banking applications may suffer. Users of Android smartphones are most at risk, since 98% of mobile banking Trojans are written for this operating system.
When you launch a banking application, the Trojan displays its own interface on top of the real mobile bank's interface and thus steals all the data the user enters. The most advanced malware can spoof the interfaces of dozens of different mobile banks, payment systems and even messaging systems.
Another important step in stealing money is intercepting the SMS messages that carry one-time passwords for payments and transfers. Trojans therefore usually need access to SMS, which is why you should be especially careful with applications that request such rights.
Signs that your phone is infected
There are several signs that your phone is infected with malware:
- Hidden sending of SMS to your contact list: friends, acquaintances and colleagues who have received dubious messages begin to contact you;
- Rapid spending of funds: money is debited from your personal account faster than usual;
- Unauthorized debits from a bank card;
- No SMS from the bank: although you have activated the “SMS informing” service, you have stopped receiving SMS notifications about debits from your account;
- The battery drains faster.
How to protect yourself?
- Regularly check for security updates for your mobile device's operating system and install them promptly;
- Install antivirus software on your smartphone or tablet; after installation, update it and scan your mobile device;
- Use anti-virus software that provides on-line protection and update it regularly;
- Download and run applications only from official stores (Play Store, App Store, Google Play and so on);
- Be careful when granting permissions to applications: programs that ask for access rights to process SMS messages should be treated with particular suspicion;
- Think before you click on a link. Be vigilant: do not open links from emails, SMS or social network messages unless you are sure that the message came from a known sender and is safe;
- If you receive a suspicious SMS with a link from your friend, call him to find out if he sent the message. If not, warn that his smartphone or tablet is infected with a virus;
- Be careful in public Wi-Fi networks, and when connecting to the network, make sure that it is legitimate;
- Use complex passwords;
- In the Settings menu, under Wireless & Networks, open Data Usage: there you can see how much data each application uses and set a data limit;
- Enable “SMS notification” of debits from your account, since not all Trojans intercept SMS.
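The overlay-plus-SMS pattern described above and the advice to distrust apps that request SMS permissions can be turned into a screening check. The following is an added example, not code from the article or any vendor: it reads an Android manifest, lists the real Android permissions that enable the behaviours described (overlaying a banking app, reading incoming one-time codes, messaging the contact list) and reports whether the overlay-and-SMS combination is present. The two manifests are constructed, and the verdict labels are the example's own.

```python
"""Screen an Android manifest for the permission pattern of a banking Trojan."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; each comment names the behaviour from the text it enables.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over another app (fake bank login screen)",
    "android.permission.RECEIVE_SMS": "see incoming one-time payment codes",
    "android.permission.READ_SMS": "read stored one-time payment codes",
    "android.permission.SEND_SMS": "spread via SMS to contacts / premium numbers",
    "android.permission.READ_CONTACTS": "harvest the contact list to spread via SMS",
}
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}


def assess(manifest_xml):
    """Return (verdict, findings).

    verdict is "overlay+sms", "sms", "overlay" or "none" (labels chosen for this
    example). The first is the combination the text describes: an overlay to
    phish credentials plus SMS access to capture the one-time code.
    findings lists each risky permission with the reason it matters.
    """
    perms = requested_permissions(manifest_xml)
    findings = [(p, RISKY[p]) for p in sorted(perms) if p in RISKY]
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    sms = bool(perms & SMS_READ)
    if overlay and sms:
        verdict = "overlay+sms"
    elif sms:
        verdict = "sms"
    elif overlay:
        verdict = "overlay"
    else:
        verdict = "none"
    return verdict, findings


# Constructed manifests; neither belongs to a real app.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("flashlight", TROJAN_MANIFEST), ("notes", BENIGN_MANIFEST)):
        verdict, findings = assess(manifest)
        print(name, verdict)
        for perm, why in findings:
            print("  ", perm, "->", why)
```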
What to do if money is stolen?
The first thing to do is contact the bank as quickly as possible.
Users from Moscow, Nizhny Novgorod, Penza, Saratov, Samara, Ryazan, Ufa and other Russian cities reported that they were unable to make calls because the network was unavailable.
At first, the company's official Twitter account posted advice to set the network type to “3G only” and reboot the phone; now a standard response is sent to all affected customers: “Currently there are massive communication difficulties. We are already fixing it. We apologize for the inconvenience caused.” The company added that it has no information on a specific time frame for fixing the problem.
Unsuccessful dialing
Megafon said that call completion in Moscow and several other cities had fallen by 30%, noting that calls are still possible via instant messengers. Unfortunately, this did not satisfy many of the company's clients, who cannot use instant messengers without Wi-Fi access.
As Megafon's press service reports on its Telegram channel, the cause of the failure was an accident involving one element of the network equipment.
In addition, one of the company’s offices also said that they had an accident, but the time frame for eliminating the consequences is still unknown. Employees who wish to receive compensation are asked to write a statement at the company office. When asked about the reasons for the failure, it is reported that a hacker attack cannot be ruled out.
Some time after the reports of Megafon's failures, information appeared in the media that other mobile operators, for example Beeline, had also encountered communication problems. In a conversation with Gazeta.Ru, the company's press secretary said that the network is operating normally without massive failures, and that the false report of problems with the operator's network stemmed from a technical support employee's reply about the operation of one of the company's base stations.
The press secretary also informed Gazeta.Ru about the stable operation: “The MTS network is operating as normal.”
In a telephone conversation with a correspondent, Lidov said that on the day of the attack many MegaFon office computers began to reboot and display a message demanding a ransom for decrypting data, and that not only Moscow but also other Russian cities suffered.
Fortunately, the spread of the attack was slowed, and literally a couple of hours later the entire Megafon call center was restored so that subscribers could reach the support service. A company representative emphasized that the WannaCry virus did not affect communication services in any way, and the personal data of the operator's clients remained safe.
In January 2017, Megafon users also complained about the unavailability of some services, such as Multifon and MegafonTV, as well as problems with the website. The company explained the failure as an accident at its data center caused by abnormal frosts in the region.
After some time, the services resumed normal operation. At the time, a representative of the mobile operator told Gazeta.Ru that order in the system is measured not by the absence of failures but by the ability to eliminate them quickly. “This was done by the company's specialists in the shortest possible time. And at night on a holiday,” added Dorokhina.