Is it possible to recover files after a virus? Ransomware Trojans

A virus is a type of malicious software that penetrates system memory areas, code of other programs, and boot sectors. It is capable of deleting important data from a hard drive, USB drive or memory card.

Most users do not know how to recover files after a virus attack. In this article, we want to tell you how to do it in a quick and easy way. We hope that this information will be useful to you. There are two main methods you can use to easily remove the virus and recover deleted data after a virus attack.

Delete the virus using the command prompt

1) Click the “Start” button. Enter CMD in the search bar. You will see the “Command Prompt” at the top of the pop-up window. Press Enter.

2) In the Command Prompt, type: "attrib -h -r -s /s /d drive_letter:\*.*" (substitute the letter of the affected drive for drive_letter). This clears the hidden, read-only and system attributes that the virus set on your files and folders, recursively.


After this step, Windows will begin restoring the virus-infected hard drive, memory card or USB drive. The process takes some time to complete.

To start Windows recovery, click the “Start” button. Type Restore in the search bar. In the next window click “Start System Restore” → “Next” and select the desired restore point.


Another way to reach it is "Control Panel" → "System" → "System Protection". A recovery preparation window will appear. The computer will then reboot and a message will appear saying "System Restore completed successfully." If that did not solve your problem, try rolling back to another restore point. That is all there is to say about the second method.

Magic Partition Recovery: Restoring Missing Files and Folders after a Virus Attack

For reliable recovery of files deleted by viruses, use Magic Partition Recovery. The program is based on direct low-level access to the disk. Therefore, it will bypass the virus blocking and read all your files.

Download and install the program, then analyze the disk, flash drive or memory card. After the analysis, the program displays the list of folders on the selected disk. Having selected the necessary folder on the left, you can view it in the right section.


Thus, the program provides the ability to view the contents of the disk in the same way as with the standard Windows Explorer. In addition to existing files, deleted files and folders will be displayed. They will be marked with a special red cross, making it much easier to recover deleted files.

If you have lost your files after a virus attack, Magic Partition Recovery will help you restore everything without much effort.

Recently, a new type of ransomware was discovered by the 360 Internet Security Center, targeting both businesses and individuals in many countries and regions. 360 issued a timely emergency alert on May 12, right after detection, to remind users of the risks ahead. This ransomware is spreading at high speed all over the world. According to preliminary statistics, within just a few hours of the outbreak tens of thousands of devices in 99 countries were infected, and this network worm is still trying to expand its reach.

Typically, a ransomware virus is malware whose explicit intent is extortion. It encrypts the victim's files using an asymmetric cryptographic algorithm, makes them inaccessible and demands a ransom for decrypting them. If the ransom is not paid, the files cannot be recovered. This new species is codenamed WanaCrypt0r. What makes it so destructive is that it uses the "EternalBlue" exploit that was stolen from the NSA. This also explains why WanaCrypt0r is able to spread around the world so quickly and inflict heavy losses in a very short time. Following the network worm outbreak on May 12, Core Security at 360's Internet Security Center conducted extensive monitoring and in-depth analysis. We can now release a suite of detection, data protection and recovery solutions against WanaCrypt0r.

The 360 Helios Team is an APT (Advanced Persistent Attack) research and analysis team within the Core Security department, mainly dedicated to APT attack investigation and threat incident response. Its security researchers carefully analyzed the virus engine to find the most efficient and accurate method for recovering encrypted files. Using this method, 360 became the first security vendor to release a data recovery tool, "360 Ransomware Infected File Recovery", to help its customers recover infected files quickly and completely. We hope this article will help you understand the tricks of this worm and contribute to a broader discussion of recovering encrypted files.

Chapter 2 Analysis of Basic Encryption Processes

This worm releases an encryption module into memory and loads it directly as a DLL. The DLL exports the TaskStart function, which is called to start the whole encryption process. The DLL resolves the file-system and encryption-related API functions dynamically to avoid static detection.

1. Initial stage

It first uses "SHGetFolderPathW" to get the paths to the desktop and documents folders. It then calls function "10004A40" to get the paths to other users' desktop and documents folders, and calls the EncryptFolder function to encrypt each folder separately.

It traverses all drives twice, from drive Z to C. The first pass covers all local drives (except CD-ROM drives). The second pass checks all removable drives and calls the EncryptFolder function to encrypt their files.

2. File traversal

The EncryptFolder function is a recursive function that can collect information about files by following the procedure below:

Paths or folders that are excluded during traversal:

One of the excluded folders has the interesting name "This folder protects against ransomware. Changing it will reduce protection." On inspection, it turns out to be the protected folder of a ransomware protection product.

While traversing files, the ransomware collects information about each file, such as its size, and then classifies files into different types according to their extension, following certain rules:

List of extension types 1:

List of extension types 2:


3. Priority encryption

To encrypt important files as quickly as possible, WanaCrypt0r has developed a complex priority queue:

Priority queue:

I. Encrypt type 2 files that also match extension list 1. If the file is smaller than 0x400 bytes, its encryption priority is lowered.
II. Encrypt type 3 files that also match extension list 2. If the file is smaller than 0x400 bytes, its encryption priority is lowered.
III. Encrypt the remaining files (those smaller than 0x400 bytes, and all others).

4. Encryption logic

The entire encryption process uses both RSA and AES. The RSA operations use Microsoft CryptoAPI, while the AES code is statically compiled into the DLL. The encryption process is shown in the figure below:

List of used keys:


File format after encryption:

Please note that during encryption, the ransomware randomly selects some files to encrypt with its built-in RSA public key, so that it can offer a few files the victim can decrypt for free.

The path to free files can be found in the "f.wnry" file.

5. Filling with random data

After encrypting a file, WanaCrypt0r overwrites files it deems important with random data until the file is completely destroyed, then moves them to a temporary directory for deletion. This makes it much harder for file recovery tools to recover the files, and at the same time speeds up the encryption process.

Files that are overwritten must meet all of the following conditions:

- Located in one of the specified directories (desktop, My Documents, user folder)

- File less than 200 MB

- The file extension is in the list of extension types 1

File filling logic:

- If the file is smaller than 0x400 bytes, it is overwritten with random data of the same length

- If the file is larger than 0x400 bytes, the last 0x400 bytes are overwritten with random data

- The file pointer is then moved to the start of the file, and the file is overwritten with random data in 0x40000-byte blocks to the end.

6. Deleting files

WanaCrypt0r first moves the original file to a temporary folder, creating a temporary file, and then deletes it in various ways.

While traversing a drive to encrypt files, it creates a temporary file named "$RECYCLE\<auto-increment>.WNCRYT" (e.g. "D:\$RECYCLE\1.WNCRYT") on the current drive. If the current drive is the system drive (C:), it uses the system temp directory instead.

Subsequently, the process launches taskdl.exe, which deletes the temporary files at a fixed interval.

Chapter 3 Data Recovery Capability

In analyzing its execution logic, we noticed that this worm overwrites files that meet the specified conditions with random data or with 0x55 in order to destroy the file structure and prevent recovery. But this operation is applied only to certain files, or files with certain extensions. This means that many files are never overwritten, which leaves room for file recovery.

During deletion, the worm moves the original files to the temporary-files folder by calling the MoveFileEx function. Eventually the temporary files are deleted in bulk. The original files may be altered during this process, but the data recovery software currently on the market is not aware of this, so quite a few files cannot be recovered successfully. Victims' need to recover their files is almost never met.

For other files, the worm simply executes a "move & delete" sequence. Since file deletion and file moving run as separate threads, the two compete with each other, which can cause the move to fail depending on the user's system environment. In that case the file is deleted directly at its current location, and there is a high probability that it can be restored.
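The overwrite rules from section 5, the temp-file naming from section 6 and the recovery reasoning in this chapter, turned into a triage script that tells an analyst which entries on a hit volume are still worth undeleting or carving. This is an added example, not 360's recovery tool; the extension list, the user-profile path check and the sample listing are constructed stand-ins, since the page's lists are images.

```python
"""Recovery triage for a volume hit by WanaCrypt0r, applying the overwrite and
deletion rules described above. Added example, not 360's recovery tool."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SMALL = 0x400                      # files below this size are overwritten whole
WIPE_LIMIT = 200 * 1024 * 1024     # only files under 200 MB are overwritten
BLOCK = 0x40000                    # block size for the overwrite from offset 0

# Assumed stand-in for "extension list 1" (the page's list is an image).
EXT_LIST_1 = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg"}

# Temp-file name used when moving originals: "$RECYCLE\<n>.WNCRYT"
# (the system temp directory is used instead on the system drive).
WNCRYT_NAME = re.compile(r"^\d+\.WNCRYT$", re.IGNORECASE)


def in_wipe_directory(path: PureWindowsPath) -> bool:
    """Desktop, My Documents, or anything under a user profile folder."""
    parts = [p.lower() for p in path.parts]
    if len(parts) > 2 and parts[1] == "users":
        return True
    return any(p in ("desktop", "documents", "my documents") for p in parts)


def overwrite_ranges(size: int) -> list:
    """(offset, length) regions the worm overwrites, in write order:
    small files whole; larger files the last 0x400 bytes first, then
    from the start in 0x40000-byte blocks to the end."""
    if size < SMALL:
        return [(0, size)]
    ranges = [(size - SMALL, SMALL)]
    ranges += [(off, min(BLOCK, size - off)) for off in range(0, size, BLOCK)]
    return ranges


def is_wiped(path: str, size: int) -> bool:
    """All three conditions must hold for the file to be overwritten."""
    p = PureWindowsPath(path)
    return (in_wipe_directory(p)
            and size < WIPE_LIMIT
            and p.suffix.lower() in EXT_LIST_1)


def is_wncryt_temp(path: str) -> bool:
    return bool(WNCRYT_NAME.match(PureWindowsPath(path).name))


@dataclass
class Verdict:
    path: str
    recoverable: str   # "unlikely" or "likely"
    reason: str


def triage(path: str, size: int) -> Verdict:
    if is_wncryt_temp(path):
        return Verdict(path, "likely",
                       "WNCRYT temp file: original moved, content not overwritten")
    if is_wiped(path, size):
        n = len(overwrite_ranges(size))
        return Verdict(path, "unlikely",
                       f"content overwritten in {n} write(s) before deletion")
    return Verdict(path, "likely",
                   "moved/deleted only; undelete or carving may succeed")


def triage_listing(entries) -> dict:
    """Map each (path, size) entry to its recoverability verdict."""
    return {path: triage(path, size).recoverable for path, size in entries}


# Constructed sample listing (path, size in bytes); not real forensic data.
SAMPLE = [
    (r"C:\Users\alice\Documents\budget.xlsx", 48_000),
    (r"C:\Users\alice\Desktop\note.txt", 300),
    (r"D:\archive\photos\img_001.jpg", 2_500_000),
    (r"D:\$RECYCLE\17.WNCRYT", 2_500_000),
    (r"C:\Users\alice\Videos\cam.avi", 700 * 1024 * 1024),
]

if __name__ == "__main__":
    for path, size in SAMPLE:
        v = triage(path, size)
        print(f"{v.recoverable:8} {v.path}  ({v.reason})")
```

Run it against a directory listing taken from an image of the affected volume; "likely" entries are the ones where the page's move-and-delete behaviour, rather than the overwrite, applied.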

https://360totalsecurity.com/s/ransomrecovery/

Using our recovery methods, a large percentage of encrypted files can be recovered intact. An updated version of the 360 file recovery tool has now been developed to help tens of thousands of victims mitigate their losses.

On May 14, 360 became the first security vendor to release a file recovery tool, which has saved many files from the ransomware. This new version goes a step further in exploiting logical flaws in WanaCrypt0r. It can remove the virus to prevent further infection. Using multiple algorithms, it can find hidden links between the free recoverable files and decrypted files for clients. This versatile recovery service reduces the damage from a ransomware attack and protects the security of user data.

Chapter 4 Conclusion

The massive outbreak and spread of the WannaCry worm exploits MS17-010, which makes it capable of self-replication and active spreading in addition to the functions of ordinary ransomware. Apart from the attack payload, the technical structure of the ransomware plays the most important role in the attacks. The ransomware encrypts the AES key with the asymmetric RSA-2048 algorithm; each file is then encrypted with a random AES-128 symmetric key. With existing computing power and methods, it is practically impossible to decrypt RSA-2048 and AES-128 without the public or private keys. However, the authors left bugs in the encryption process that increase the chance of recovery. If action is taken quickly enough, most of the data can be saved.

Also, since the ransom is paid in anonymous bitcoin, for which anyone can obtain an address without genuine identity verification, it is impossible to identify an attacker by address, let alone link different addresses belonging to the same owner. Therefore, given the use of an unbreakable encryption algorithm and anonymous bitcoin, it is highly likely that this kind of lucrative ransomware outbreak will continue for a long time. Everyone should be careful.

360 Helios Team

360 Helios Team is an APT (Advanced Persistent Attack) research team at Qihoo 360.

The team is dedicated to investigating APT attacks, responding to threat incidents, and investigating the industrial chains of the underground economy.

Since its inception in December 2014, the team has integrated 360's huge database and created fast reversal and correlation routines. To date, over 30 APT and underground economy groups have been identified.

360 Helios also provides threat assessment and threat response solutions for enterprises.


Petya Virus - Ransom Demand for Decryption

A few hours after the attack began, DATARC received the first request and we analyzed several affected servers. Main conclusion: yes, there is a non-zero probability of data recovery after a Petya attack; the virus often damages the file system but does not encrypt the data.

At the moment, the damage we analyzed can be divided into the following categories.

100% data recovery possible

The virus probably contains bugs: it does not always complete its algorithm, does not have time to encrypt data, and breaks the bootloader. We saw the following damage variants:

  1. Data not encrypted, MBR damaged
  2. Data not encrypted, MBR + NTFS bootloader damaged
  3. Data not encrypted, MBR + NTFS bootloader + MFT damaged; the disk is detected as RAW

Data recovery possible, with some loss

In cases where encryption does occur, some files may remain intact. We saw the following damage variants:

  1. Only the C: drive is encrypted; the other logical drives remain intact
  2. Not all files on the C: drive are encrypted
  3. Only the MFT record is encrypted; the file contents remain unchanged

Decryption for the old version doesn't work

The current version of Petya is (presumably) a continuation of the 2016 attack (see https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ and https://securelist.com/petya-the-two-in-one-trojan/74609/). For the old version, a decryption key guessing technique was created (see https://github.com/leo-stone/hack-petya). The 2017 virus has been changed and the old technique does not work.

For example, in the old version of the virus, the MBR was stored in sector 55 and was “encrypted” with XOR 0x37. In the new version, the MBR is stored in sector 34 and "encrypted" with XOR 0x07.

Encrypted MBR:

Decrypted MBR:

Petya virus - MBR after decryption
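The sector and XOR-key change just described, turned into a small recovery routine that locates the stashed original MBR in a disk image and decodes it. This is an added example, not DATARC's tooling; the sector/key pairs come from the text above, the MBR plausibility check and the test image are constructed here, and it should be run on a raw image or a copy of the first sectors, never on the live disk.

```python
"""Recover the original MBR that Petya stores XOR-obfuscated elsewhere on the
disk: sector 55 / key 0x37 for the 2016 version, sector 34 / key 0x07 for the
2017 version. Added example, not DATARC's tooling."""
SECTOR = 512
# variant name -> (LBA of the stashed MBR, single-byte XOR key), from the text
VARIANTS = {"petya-2016": (55, 0x37), "petya-2017": (34, 0x07)}


def read_sector(image: bytes, lba: int) -> bytes:
    chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(chunk) != SECTOR:
        raise ValueError(f"image too short for sector {lba}")
    return chunk


def xor_sector(sector: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both obfuscates and decodes."""
    return bytes(b ^ key for b in sector)


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check (assumed here): 0x55AA boot signature at offset 510
    and partition-entry status bytes that are 0x00 or 0x80 (bootable)."""
    if sector[510:512] != b"\x55\xaa":
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_mbr(image: bytes):
    """Try each known variant; return (variant, decoded MBR) or None."""
    for name, (lba, key) in VARIANTS.items():
        try:
            candidate = xor_sector(read_sector(image, lba), key)
        except ValueError:
            continue                     # image too short for this variant
        if looks_like_mbr(candidate):
            return name, candidate
    return None


def restore_mbr(image: bytes, mbr: bytes) -> bytes:
    """Return a copy of the image with sector 0 replaced by the recovered MBR."""
    return mbr + image[SECTOR:]


# --- constructed test data (not from a real infected disk) -------------------
def constructed_mbr() -> bytes:
    code = bytes((i * 7) & 0xFF for i in range(446))         # stand-in boot code
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_test_image(original_mbr: bytes, lba: int, key: int) -> bytes:
    """Sector 0 holds a fake infected loader; the XORed original sits at `lba`."""
    infected = b"\xfa" * 510 + b"\x55\xaa"
    gap = b"\x00" * (SECTOR * (lba - 1))
    return infected + gap + xor_sector(original_mbr, key)


if __name__ == "__main__":
    image = build_test_image(constructed_mbr(), 34, 0x07)
    result = recover_mbr(image)
    print("no known layout matched" if result is None
          else f"{result[0]}: MBR recovered, ends with {result[1][-2:].hex()}")
```

Note that the XORed copy never shows the 0x55AA signature (0x55 ^ 0x07 = 0x52), which is why a signature search over the raw image will not find the original; it only appears after decoding.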

What to do if your computer is infected

Read how to recover files deleted by a virus attack using built-in Windows tools or third-party programs, and how to recover files encrypted by a virus. Has your computer been attacked by a virus? Do you want to recover files deleted by malware? In this article, we will try to describe standard ways to fix such an unforeseen situation and various options for recovering deleted files.


Introduction

With the development of electronic technology and means of communication, the range and volume of information that users handle has expanded significantly, both in professional and industrial activities and in communication, games and entertainment.

Computing devices of various designs give users full control over incoming and outgoing data streams, process them instantly regardless of volume, and ensure secure storage.

Stationary personal computers and laptops, including any of their varied combinations (ultrabooks, netbooks, convertible laptops, nettops), tablets, smartphones and communicators, etc. fully meet the ever-growing needs of users when working with information, and meet the latest information standards.

The most popular electronic devices among users are personal computers and laptops. Their rich internal components (ultra-fast processors, highly functional motherboards, advanced memory modules, high-capacity storage devices, etc.) and modern high-performance software rightfully give them a leading position in the processing and storage of information worldwide.

In terms of the breadth of distribution and the number of devices used, smartphones and communicators are approaching them. Due to the high degree of mobility, miniature size, sufficiently high functionality, and an extensive set of available applications, smartphones strive to match and, if possible, replace computers and laptops when performing certain actions.

The development of the international computer network, the Internet, accelerated the distribution and use of a variety of computer devices for solving any problem without being tied to a specific device or workplace. Extensive databases and the remote use and processing of information significantly popularized computer devices and accelerated the transition to storing information in digital form.

With the widespread transition to the digital format of information, most types of user data (personal, social, public and business) are stored, processed, transferred and served by various computer devices. In this regard, the most important requirement for all devices is a mandatory high degree of data security and their protection from unauthorized actions of third parties.

One of the most common types of malicious impact on user data is virus attacks by malicious software.

The range of action and functionality of such programs is unusually wide, and thanks to the international information network "The Internet", the level of their distribution has reached a global scale.

Infection of a user's computer device with a virus can lead to undesirable consequences, the most common of which is the deletion of user files. How to recover files after exposure to virus programs will be discussed later in our article.


Most computer users have heard of, and many have directly encountered, the consequences of computer viruses: their effect on user files and on the overall performance of a personal computer. Intentionally deleting or damaging user files, blocking access to certain elements of the operating system or computer, selectively encrypting files and changing their structure, wiping or deleting the partition table, handing control of the personal computer to hackers, using the computer's resources for remote hacking or other malicious actions, identity theft, spamming, etc. are only some of the consequences of infecting a computer with a virus.

The program was designed to recover data from internal and external hard drives, as well as any other storage devices. It combines a set of advanced algorithms that analyze and search for deleted information for subsequent recovery, return data after system failures and various system errors, and read information from damaged, unreadable or non-working disks, providing access to lost or inaccessible files. The program supports the full range of file systems used in Windows and fixes errors in the logical structure of the hard drive to safely recover lost content.

A separate advantage of the program is the ability to recover information damaged, corrupted or blocked as a result of virus attacks. Thanks to a set of innovative algorithms, it is possible to recover files after any malicious viral impact that leads to the destruction of user data or lack of access to it.

Download the installation file of the program from the official website of the company "Hetman Software" and run it. A step-by-step software installation wizard, after configuring individual parameters, such as specifying the installation path or creating a shortcut on the desktop, will allow you to quickly and successfully install the program on the user's personal computer for further use.

After the installation is complete, open the installed program. The built-in tools of the program will perform an initial analysis of the system and display all data storage devices connected to a personal computer.


Select a hard disk partition or a complete physical drive by double-clicking its icon in the program window. The program launches the file recovery wizard, which prompts you to choose the type of analysis required. If files were lost due to a virus attack, choose the full analysis option to search for and restore all possible information on the selected disk by selecting the option "Full analysis (search for all possible information)". After selecting the analysis type, press the "Next" button to start the recovery process.


Depending on the internal volume of the drive, the degree of damage to information, the file system and a number of other additional parameters, the procedure for analyzing and searching for deleted files may take a different amount of time: from several minutes to several hours. A linear progress bar will notify users of the percentage of completion of the overall recovery process, and optionally display the estimated total completion time.


At the end of the recovery process, the full list of detected files and folders is presented in the program window, whose user interface closely resembles Windows Explorer for the convenience of end users. By clicking on a file, users can view its contents in the preview window. After selecting the necessary files and dragging them into the "Recovery List" window, press the "Restore" button, located on the ribbon of the main menu and shown as a lifebuoy, to save the marked data.


The File Recovery wizard prompts users to choose one of four ways to save the selected items: save to a hard disk or any other fixed or removable media, burn to an optical disc, create an ISO image of the recovered files, or upload the data via FTP. After specifying a few additional parameters, such as the path where the recovered files should be saved, users can save their data under the chosen conditions.


Now you can open the folder with the recovered files and check their full functionality.


Today, when the development of information technology is at a tremendous pace, almost every computer user knows about the danger of a virus infection, the importance of eliminating it and maintaining the system at the proper level of security. However, there are some nuances when it comes to cleaning the system from malicious infection.

When a virus hits the system, it begins to multiply and harm user data and the operating system as a whole, negatively affecting its performance. Therefore, the best solution would be to prevent the virus from entering the system and to use an antivirus program that has a powerful level of protection against malicious penetration of malware.

However, if the infection has already occurred, then the natural desire to immediately clean the operating system from the virus can have negative consequences. The antivirus program, while removing the virus, can also delete some useful files from the user's computer, in accordance with the algorithm used. And as a result, it can lead to additional damage and deletion of more files from the user's computer or irrecoverable loss of some data. Therefore, it is best to complete the data recovery process completely before starting the virus cleaning procedure.

Conclusion

The widespread use of computer devices, their ease of use and wide functionality give them a leading position in the processing and storage of all kinds of information. The high popularity of computer devices, together with the development of the Internet and the conversion of most types of data into digital format, significantly increases the risk of exposure to malicious programs aimed at damaging user data or stealing it for fraudulent purposes.

Viruses are developed every day, their numbers grow at an enormous pace, and they cause significant harm to users and their data. Using powerful, up-to-date antivirus software significantly reduces the risk of infecting computer devices, but because virus algorithms exploit such a wide range of system vulnerabilities, it cannot fully guarantee data security. As a result, users' information can be damaged or completely lost.

However, the operating system "Windows" has built-in tools for backing up and restoring system performance, which in most cases will help users recover lost data.

In some cases, the built-in Windows protection tools are not enough. Therefore, it is important to have professional file recovery software available that can recover user information lost due to virus infection and various other reasons.

Today, perhaps, only a person very far from the Internet has not heard about the mass infections of computers with the WannaCry ("I want to cry") ransomware Trojan that began on May 12, 2017. I would divide the reactions of those who have heard into two opposite categories: indifference and panic. What does this mean?

It means that fragmentary information does not give a complete picture of the situation, gives rise to speculation and leaves more questions than answers. Today's article is devoted to understanding what is really happening, whom and what it threatens, how to protect against infection and how to decrypt files corrupted by WannaCry.

Is the devil really that scary?

I don't understand what all the fuss around WannaCry is about. There are many viruses, new ones appear constantly. What's special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is not ordinary malware. The reason for its notoriety is the enormous amount of damage caused. According to Europol, it disrupted more than 200,000 Windows computers in 150 countries, and the damage suffered by their owners exceeded $1,000,000,000. And that is only in the first 4 days of spreading. Most of the victims are in Russia and Ukraine.

I know that viruses get onto PCs through adult sites. I don't visit such resources, so I'm not in danger.

Viruses? That's no problem for me. When viruses appear on my computer, I run the *** utility and after half an hour everything is fine. And if that doesn't help, I reinstall Windows.

Not all viruses are alike. WannaCry is a ransomware Trojan and a network worm capable of spreading over local networks and the Internet from one computer to another without human intervention.

Most malicious programs, including ransomware, start working only after the user "swallows the bait", that is, clicks a link, opens a file, etc. You don't have to do anything to get infected with WannaCry!

Once on a Windows computer, the malware encrypts the bulk of the user's files in a short time, after which it displays a message demanding a ransom of $300-600, to be transferred to the specified wallet within 3 days. If the victim is late, it threatens to make decryption impossible after 7 days.


At the same time, the malware looks for loopholes to penetrate other computers, and if it finds it, it infects the entire local network. This means that backup copies of files stored on neighboring machines also become unusable.

Removing a virus from your computer does not decrypt files! Reinstalling the operating system is the same. On the contrary, if infected with ransomware, both of these actions can make it impossible for you to recover files even if you have a valid key.

So yes, the devil is quite scary.

How WannaCry spreads

You're lying. The virus can get onto my computer only if I download it myself. And I'm alert.

Many malicious programs can infect computers (and mobile devices, by the way) through vulnerabilities: errors in the code of operating system components and programs that give attackers the opportunity to use a remote machine for their own purposes. WannaCry, in particular, spreads through a 0-day vulnerability in the SMB protocol (zero-day vulnerabilities are flaws that had not yet been fixed at the time malware began exploiting them).

That is, to infect a computer with an encryption worm, two conditions are sufficient:

  • A connection to a network containing other infected machines (the Internet).
  • The presence of the above loophole in the system.

Where did this infection come from? Are these the tricks of Russian hackers?

According to some reports (I am not responsible for their reliability), the US National Security Agency was the first to discover the flaw in the SMB network protocol, which is used for legitimate remote access to files and printers in Windows. Instead of reporting it to Microsoft so the bug could be fixed, the NSA decided to use it itself and developed an exploit for it (a program that exploits the vulnerability).


Visualization of WannaCry propagation dynamics on intel.malwaretech.com

Subsequently, this exploit (codenamed EternalBlue), which served the NSA for some time to infiltrate computers without their owners' knowledge, was stolen by hackers and formed the basis of the WannaCry ransomware. That is, thanks to the not entirely legal and ethical actions of the US government, the virus writers learned about the vulnerability.

I disabled Windows updates. Who needs them when everything works without them?

The reason for such a rapid and large-scale spread of the epidemic was the absence, at that time, of a "patch", a Windows update that could close the WannaCry loophole. After all, it took time to develop it.

Today such a patch exists. Users who update the system automatically received it in the first hours after release. And those who believe that updates are unnecessary are still at risk of infection.

Who is at risk of a WannaCry attack and how to defend against it

As far as I know, more than 90% of the computers infected with WannaCry ran Windows 7. I have Windows 10, which means nothing threatens me.

All operating systems that use the SMB v1 network protocol are at risk of WannaCry infection. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v 1511
  • Windows 10 v 1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Users of systems on which the critical security update MS17-010 has not been installed are at risk of picking up the malware over the network (the update is available for free download from technet.microsoft.com). Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported OSes can be downloaded from support.microsoft.com, which also describes how to check whether the rescue update is installed.

If you don't know the OS version on your computer, press the Win + R key combination and run the winver command.


To strengthen protection, or if it is impossible to update the system right now, Microsoft provides instructions for temporarily disabling the SMB version 1 protocol. Optionally, you can also block TCP port 445, which SMB uses, in the firewall.

I have the best antivirus in the world, ***; with it I can do anything and I'm not afraid of anything.

WannaCry can spread not only by the above-described self-propagation, but also in the usual ways - via social networks, email, infected and phishing web resources, etc. And there are such cases. If you download and run the malicious program manually, then neither antivirus nor patches that close vulnerabilities will save you from infection.

How does the virus work, what does it encrypt

Yes, let him encrypt what he wants. My friend is a programmer, he will decipher everything for me. As a last resort, we find the key by brute force.

Well, it will encrypt a couple of files, so what? It won't stop me from working on my computer.

Unfortunately, he will not decrypt them, because there is no way to break the RSA-2048 encryption that WannaCry uses, and none will appear in the foreseeable future. And it will not encrypt a couple of files, but almost everything.

I will not give a detailed description of how the malware operates; anyone interested can read its analysis, for example, in the blog of Microsoft expert Matt Suiche. I will only mention the most significant points.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, these include documents, photos, video and audio, archives, mail, and files created in various programs ... The malware tries to reach every directory on the system.

Encrypted files get a double extension with the suffix .WNCRY, for example "Document1.doc.WNCRY".


After encryption, the virus copies into each folder an executable file, ostensibly a decryptor to be used after the ransom is paid, as well as a text document with a message to the user.

Next, it tries to wipe out the shadow copies and Windows restore points. If UAC is enabled on the system, the user must confirm this operation; if you deny the request, there is a chance to restore data from those copies.
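A triage script for a host suspected of infection, built on the two facts just stated (the .WNCRY double extension and the attempt to wipe shadow copies and restore points), as an added example that is not from the original article. It assumes an elevated PowerShell; the set of drives to inspect ($Roots) is constructed from the local file-system drives.

```powershell
# Added example (not from the original article): triage a suspected WannaCry host.
# Reports how many files carry the .WNCRY suffix, which original types and folders
# were hit, the time window of the encryption, and whether shadow copies / restore
# points survived. Assumption: elevated PowerShell; $Roots built from local drives.

$Roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }

# 1. Encrypted files: the suffix is appended, e.g. Document1.doc.WNCRY, so the
#    original extension is the extension of the BaseName.
$encrypted = @(foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue
})
"Encrypted files found: $($encrypted.Count)"

if ($encrypted.Count -gt 0) {
    "Top original file types hit:"
    $encrypted |
        Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
        Format-Table -AutoSize

    "Top directories hit:"
    $encrypted |
        Group-Object DirectoryName |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
        Format-Table -AutoSize

    # Earliest and latest write times bracket the encryption run, useful for the timeline
    $times = $encrypted.LastWriteTime | Sort-Object
    "Encryption window: $($times[0]) .. $($times[-1])"
}

# 2. Did shadow copies and restore points survive the wipe attempt? If the user
#    refused the UAC prompt they are the cheapest recovery source.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($shadows.Count)"
$shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize

# Get-ComputerRestorePoint exists on client editions of Windows only
if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
    $rp = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    "Restore points present: $($rp.Count)"
    $rp | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
}
```

Run it before rebooting and before any cleanup: the file counts and the encryption window go into the incident record, and a non-zero shadow-copy count tells you that restoring previous versions is still an option.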

WannaCry transmits the encryption keys of the affected system to command centers located in the Tor network, and then deletes them from the computer. To find other vulnerable machines, it scans the local network and arbitrary IP ranges on the Internet, and once it finds one, it infects every host it can reach.

Today, analysts know several modifications of WannaCry with different distribution mechanisms, and in the near future, we should expect new ones to appear.

What to do if WannaCry has already infected your computer

I can see the files change extensions. What's happening? How do you stop this?

Encryption is not instantaneous, although it does not take very long. If you notice it before the ransom message appears on the screen, you can save some of the files by immediately cutting the computer's power. Not by shutting down the system, but by pulling out the plug!

If you boot Windows in normal mode, encryption will continue, so it is important to prevent that. The next start of the computer must be either in safe mode, in which the virus is not active, or from other bootable media.

My files are encrypted! The virus demands a ransom for them! What to do, how to decrypt?

Decryption of files after WannaCry is possible only if there is a secret key, which the attackers promise to provide as soon as the victim transfers them the ransom amount. However, such promises are almost never fulfilled: why should malware distributors bother if they already got what they wanted?

In some cases, the problem can be solved without a ransom. To date, two WannaCry decryptors have been developed: WannaKey (by Adrien Guinet) and WanaKiwi (by Benjamin Delpy). The first works only in Windows XP, and the second, built on the basis of the first, in Windows XP, Vista and 7 x86, as well as in the server systems 2003, 2008 and 2008 R2 x86.

Both decryptors work by searching for the secret keys in the memory of the encryption process. This means that only those who have not yet restarted their computer have a chance to decrypt, and only if not too much time has passed since encryption (so that the memory has not been overwritten by another process).

So, if you are a user of Windows XP to 7 x86, the first thing to do after the ransom message appears is to disconnect the computer from the local network and the Internet and run the WanaKiwi decryptor, downloaded on another device. Do not perform any other actions on the computer before the key has been extracted!

You can read a description of how the WanaKiwi decryptor works in another post on Matt Suiche's blog.

After decrypting the files, run an antivirus to remove the malware and install a patch that closes its distribution paths.

Today almost all antivirus programs recognize WannaCry, except those that are not updated, so almost any will do.


How to live with this from now on

The self-propelled epidemic took the world by surprise. For all kinds of security services it turned out to be as unexpected as the onset of winter on December 1 is for public utilities. The reason is carelessness and hoping for the best. The consequences are irreparable loss of data and financial losses. And for the creators of malware, an incentive to continue in the same spirit.

According to analysts, WannaCry has paid its distributors very good dividends, which means that attacks like this will be repeated. And those who got away unscathed this time will not necessarily get away next time, unless, of course, they take care of it in advance.

So, to make sure you never have to cry over encrypted files:

  • Do not refuse to install updates for the operating system and applications. This will protect you from 99% of the threats that spread through unpatched vulnerabilities.
  • Keep on.
  • Create backup copies of important files and store them on another physical medium, or better, on several. In corporate networks it is optimal to use distributed storage systems; home users can adopt free cloud services such as Yandex Disk, Google Drive, OneDrive, MEGAsync, etc. Do not keep these applications running when you are not using them.
  • Choose reliable operating systems. Windows XP is not one.
  • Install a comprehensive antivirus of the Internet Security class and additional protection against ransomware, for example Kaspersky Endpoint Security, or equivalents from other vendors.
  • Improve your knowledge of how to counter ransomware Trojans. For example, the antivirus vendor Dr.Web has prepared training courses for users and administrators of various systems. A lot of useful and, importantly, reliable information is contained in the blogs of other AV vendors.
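The backup habit from the list above, turned into a small script that writes dated, hash-verified copies of chosen folders to a second physical disk and rotates old sets, as an added example that is not from the original article. $Sources and $Target are placeholders for your own folders and your backup drive; robocopy ships with Windows.

```powershell
# Added example (not from the original article): versioned backup to a second disk.
# Assumptions: $Sources and $Target are placeholders; robocopy is present (it is on
# every supported Windows). Each run creates a new timestamped set, so a file that
# ransomware later encrypts in place does not overwrite the good copy.

$Sources = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")  # placeholders
$Target  = 'E:\Backups'                                                   # placeholder: external disk
$Keep    = 5                                                              # number of sets to retain

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $Target $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($src in $Sources) {
    $name = Split-Path $src -Leaf
    # /E copies subfolders (including empty ones), /R:1 /W:1 keeps retries short,
    # /XF *.WNCRY leaves already-encrypted files out so a hit machine does not
    # pollute the backup set, /NP /NFL /NDL keeps the log readable.
    robocopy $src (Join-Path $dest $name) /E /R:1 /W:1 /XF *.WNCRY /NP /NFL /NDL /LOG+:"$dest\backup.log"
    # robocopy exit codes 0..7 are success variants; 8 and above signal errors
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (code $LASTEXITCODE)" }
}

# Hash manifest: lets a later restore verify the copies are intact and untouched
Get-ChildItem -Path $dest -Recurse -File |
    Where-Object { $_.Name -notin 'backup.log', 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

# Simple rotation: timestamped folder names sort chronologically, keep the newest $Keep
Get-ChildItem -Path $Target -Directory | Sort-Object Name -Descending |
    Select-Object -Skip $Keep | Remove-Item -Recurse -Force

"Backup set written to $dest"
```

Detach the drive once the run finishes: a backup disk that stays connected is just one more volume for the next ransomware to encrypt, which is the same reason the list above says not to leave cloud-sync clients running when you are not using them.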

And most importantly: even if you have been hit, do not transfer money to the cybercriminals for decryption. The probability that you will be deceived is 99%. Moreover, if no one pays, the extortion business will become pointless; otherwise the spread of such infections will only grow.