What causes ransomware viruses?

What is the root cause of the global outbreak of ransomware?

Criminals want to make money

What is ransomware?

First of all, this time the virus only locks all your files through encryption; it will not steal your things.

Secondly, please read the following about this virus:

This time, the global outbreak of ransomware exploits a vulnerability in Windows systems and spreads through port 445.

In other words, if you have an unpatched Windows system with port 445 open, you have a very high chance of being infected as long as you are connected to the Internet.

1. If you have a Mac system, a Linux system, or an updated Win10 system (Win10 was patched for this vulnerability as early as March this year), don't worry, you won't get hit.

2. If you are using another system, but yours is a home machine and port 445 has been closed and the system updated, don't worry, you won't get hit.

3. If you are using another system and have not turned off port 445 and have not applied system update patches, there is a high chance that you will be infected.
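The three conditions above (OS version, patch state, port 445 exposure) can be checked on a single Windows host with the script below. This is an added example, not code from the original post; it is read-only, and the KB numbers it looks for are an assumption to verify against Microsoft's MS17-010 bulletin for the exact build.

```powershell
# Added example: assess a Windows host against the post's three conditions.
# Assumption: the KB list below covers the MS17-010 updates for these OS families;
# later monthly rollups supersede them, so treat "absent" as "verify", not "unpatched".

$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Host "OS: $($os.Caption) build $build"

# Windows 10 / Server 2016 (build 10240+) keeps updating unless group policy stops it.
if ($build -ge 10240) {
    Write-Host "Windows 10 or later: confirm cumulative updates are current."
}

# MS17-010 hotfix check for the older families (security-only and monthly-rollup IDs).
$ms17010 = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
             'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
             'KB4012214', 'KB4012217',   # Server 2012
             'KB4012598')                # XP / Vista / Server 2003 / 2008
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 patch present: $($installed.HotFixID -join ', ')"
} elseif ($build -lt 10240) {
    Write-Warning "No MS17-010 hotfix found; verify patch state before anything else."
}

# Is SMBv1 (the dialect the exploit targets) still enabled on the server side?
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) { Write-Warning "SMBv1 is enabled." }

# Is anything listening on TCP/445, and is inbound 445 blocked by the host firewall?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 445 -and $_.Protocol -eq 'TCP' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
if ($listening -and -not $blockRule) {
    Write-Warning "TCP/445 is listening and not blocked inbound: exposed wherever the host is reachable."
}

# The two mitigations the post recommends (run deliberately, as Administrator):
# New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```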

When did the ransomware virus occur in my country

Try Tencent Computer Manager's anti-virus protection. Starting from version 4.5, a world-leading local anti-virus engine is introduced to greatly improve Trojan detection ability. After you install Computer Manager, the dual-engine mode is turned on by default. You can decide whether to upgrade the dual engine when you are scanning for viruses. If you like, you can easily experience the powerful dual-engine Trojan detection and removal capabilities.

You can find the relevant operations in the dual-engine area below the main interface of Computer Manager's Trojan Killer. You can freely turn the dual engine on or off, and you can also manually check for virus database updates.

Why you are infected with ransomware

Once the ransomware file enters the local machine, it will automatically run and delete the ransomware sample to avoid detection and analysis. Next, the ransomware uses the local Internet connection to reach the hacker's C&C server, uploads local information, downloads the encrypted private key and public key, and uses them to encrypt the files. It is almost impossible for anyone other than the virus developer himself to decrypt them. After the encryption is completed, the wallpaper is modified, and a ransom note file is generated in an obvious location such as the desktop to guide the user to pay the ransom. Moreover, variants appear very quickly and are immune to conventional anti-virus software. The attack samples are mainly exe, js, wsf, vbe and other types, which is a great challenge to security products that conventionally rely on signature detection.

In order to prevent users from being infected with this type of virus, we can start from two aspects: security technology and security management:

1. Do not open emails from strangers or unknown sources, and prevent email attachments attacks;

2. Try not to click on the office macro running prompt to avoid virus infection from office components;

3. Download the required software from regular sources (official websites); do not double-click to open .js, .vbs and other such suffix files;

4. Upgrade Sangfor NGAF to the latest anti-virus and other security signature libraries;

5. Update the anti-virus software to the latest virus database to prevent attacks by existing virus samples;

6. Regularly back up important data and files in the computer off-site, so that they can be restored in case of a virus.
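The behaviour described in this answer (a burst of files rewritten to one new extension, then a ransom note dropped on the desktop) is what a host-side heuristic can key on. Below is an added example, not code from the original post: it runs over constructed file-event records standing in for Sysmon or file-audit data; the process name, extension, thresholds and note-name pattern are all assumptions to tune for your own estate.

```powershell
# Added example: heuristic detection of the mass-encrypt-then-note pattern.
# $events is constructed sample data (not real logs); 'cryptor.exe' and '.locked'
# are placeholders, not indicators from the post.
$events = @(
  @{ Time='2017-05-12T10:00:05'; Proc='WINWORD.EXE'; Op='Rename'; Path='C:\Users\a\Documents\~tmp.docx' },
  @{ Time='2017-05-12T10:02:00'; Proc='cryptor.exe'; Op='Rename'; Path='C:\Users\a\Documents\q1.xlsx.locked' },
  @{ Time='2017-05-12T10:02:01'; Proc='cryptor.exe'; Op='Rename'; Path='C:\Users\a\Documents\q2.xlsx.locked' },
  @{ Time='2017-05-12T10:02:01'; Proc='cryptor.exe'; Op='Rename'; Path='C:\Users\a\Pictures\holiday.jpg.locked' },
  @{ Time='2017-05-12T10:02:02'; Proc='cryptor.exe'; Op='Rename'; Path='C:\Users\a\Documents\thesis.docx.locked' },
  @{ Time='2017-05-12T10:02:03'; Proc='cryptor.exe'; Op='Rename'; Path='C:\Users\a\Documents\notes.txt.locked' },
  @{ Time='2017-05-12T10:02:09'; Proc='cryptor.exe'; Op='Create'; Path='C:\Users\a\Desktop\HOW_TO_DECRYPT.txt' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-RansomwareBehaviour {
  param([object[]]$Events, [int]$MinFiles = 5, [int]$WindowSeconds = 60)
  $alerts = @()

  # Burst rule: one process renames at least $MinFiles files to the same new
  # extension inside a $WindowSeconds sliding window.
  $renames = $Events | Where-Object Op -eq 'Rename' |
    Select-Object *, @{ n = 'Ext'; e = { [IO.Path]::GetExtension($_.Path) } }
  foreach ($g in $renames | Group-Object Proc, Ext) {
    $times = @($g.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
    for ($i = 0; $i + $MinFiles - 1 -lt $times.Count; $i++) {
      if (($times[$i + $MinFiles - 1] - $times[$i]).TotalSeconds -le $WindowSeconds) {
        $alerts += "mass-rename: $($g.Name) ($($g.Count) files)"
        break
      }
    }
  }

  # Note rule: a newly created text/html file on the desktop with a telltale name.
  $notePattern = '\\Desktop\\[^\\]*(decrypt|ransom|readme)[^\\]*\.(txt|html?)$'
  foreach ($e in $Events | Where-Object { $_.Op -eq 'Create' -and $_.Path -match $notePattern }) {
    $alerts += "ransom-note: $($e.Proc) wrote $($e.Path)"
  }
  $alerts
}

# On the sample above this reports one mass-rename alert for cryptor.exe/.locked
# and one ransom-note alert; WINWORD.EXE's single rename is below threshold.
Find-RansomwareBehaviour -Events $events
```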

The global outbreak of ransomware viruses, how to prevent and deal with ransomware viruses

Beware of PI, this virus is too weak, there is no need at all. Just format the entire DEF disk for him.

Who created the ransomware?

The ransomware is said to have been leaked from the NSA (U.S. National Security Agency). Last year, hackers obtained multiple hacking tools from the NSA, covering multiple vulnerabilities in the Windows system, including Eternal Blue. The ransomware virus uses this vulnerability to attack.

At present, this hacker organization is relatively mysterious, and its head is clearly the "Shadow Broker".

How to deal with the terrible "ransomware virus"

It is recommended that the poster download and install Tencent Computer Manager to perform anti-virus.

Restart the computer and press F8 to enter safe mode - open Tencent Computer Manager - Antivirus - Full Scan - Stubborn Trojans - In-depth Scan - Just restart the computer.

Tencent Computer Manager is the first professional anti-virus software in China to adopt the "4+1" core anti-virus engine.

It uses Tencent's self-developed second-generation anti-virus engine "Eagle Eye".

It takes up fewer resources and, based on CPU virtual execution technology, can eradicate stubborn viruses, greatly improving in-depth detection and removal capabilities.

Who created the ransomware virus, and who invented it?

I believe you have read a lot of articles these days. In short, this worm ransomware attacks users by targeting a vulnerability in Windows, applies high-strength encryption to documents, pictures, etc. on the computer, and demands a ransom paid in Bitcoin from the user; otherwise the files are "revoked" after seven days, and the data cannot be recovered even if the ransom is paid. The encryption method is very complex, and each computer has a different encryption serial number. With current technical means, it is almost "impossible" to decrypt.

In today’s world of global network interconnection, the victims are of course not limited to China.

According to statistics from the 360 Threat Intelligence Center, since the outbreak on the 12th, more than 100,000 organizations and institutions in nearly 100 countries around the world have been compromised, including 1,600 American organizations, 11,200 Russian organizations, and more than 29,000 infected IPs in China. In Spain, the network systems of many companies, including telecommunications giant Telefonica, power company Iberdrola, and energy supplier Gas Natural, were paralyzed; Portugal Telecom, U.S. transportation giant FedEx, a local government in Sweden, and Russia's second largest mobile operator Megafon were all exposed as being under attack. According to Europol, this attack has affected 150 countries and regions. As the virus version is updated and iterated, the specific number may increase.

So, here comes the question: Who did this?!

Black Hand

No answer.

In the words of Zheng Wenbin, head of the 360 core security team, tracing the source of ransomware has always been a difficult problem. The FBI once offered a reward of US$3 million to find the author of a ransomware virus, but to no avail. To date, no country in the world has managed to identify the author of the ransomware virus. However, judging from the method of extortion, after the computer is infected, extortion prompts in fifteen languages including Chinese appear, and the entire payment is carried out through Bitcoin and anonymous networks that are extremely difficult to trace. It is very likely the organized behavior of the black industry chain.

Ransomware is a new virus model that only began to appear in 2013. Since 2016, this virus has entered an outbreak period. Up to now, more than 100 ransomware viruses have profited from this behavioral model. For example, last year, a variant of the CryptoWall virus family received a ransom of 2.3 billion. In recent years, different types of ransomware viruses have appeared on Apple computers, Android and iPhone phones.

Although the perpetrator has not yet been found, the tools he used clearly point to an agency—NSA (National Security Agency), the National Security Agency of the United States. This agency, also known as the National Secret Service, is affiliated with the U.S. Department of Defense and is the largest intelligence department among the U.S. government agencies. It is responsible for collecting and analyzing foreign and domestic communications data. The "Eternal Blue" used by hackers is a cyber weapon developed by the NSA to target the Microsoft MS17-010 vulnerability.

Here's the thing: The NSA itself holds a large number of developed cyber weapons, but in June 2013, more than a dozen weapons including "Eternal Blue" were stolen by the hacker organization "Shadow Brokers" (ShadowBrokers).

In March this year, Microsoft released a patch for this vulnerability. However, firstly, some users did not have the habit of patching in time, and secondly, there are still many users around the world using Windows XP and other lower versions whose update service has stopped, so patches cannot be obtained, thus causing widespread spread around the world. Coupled with the constant scanning characteristic of "worms", it is easy to carry out repeated infections without interruption on the international Internet and on the intranets of campuses, enterprises, and government agencies.

Another question arises: Why did the NSA know about Microsoft's vulnerabilities and create specialized cyber weapons, and then some of these weapons fell into the hands of hackers?

NSA

To be honest, as one of the operating systems, Windows is composed of hundreds of millions of lines of code. It is impossible for one person to have the final say on the logical relationships between them, so loopholes appear and are difficult to eliminate. And Windows is the most commonly used operating system in the world, so it is "normal" for hackers to study vulnerabilities and exploit them for profit.

But as the National Security Agency of the United States, it only focuses on the vulnerabilities of this system, and it also specializes in weapons. What's the point?

In fact, Microsoft itself did not know that the vulnerability existed before the hacker group exposed it. In other words, only the NSA knew that the vulnerability existed, and only they know how long they have known about it. According to network security experts on Xiake Island, it is very likely that the NSA has known about this vulnerability for a long time... could it be the cause of the ransomware virus?

These two are not related, right?

What enlightenment can the ransomware virus WannaCry bring to us?

The recent ransomware virus WannaCry has swept the world with a fierce momentum, and many institutions and enterprises have been seriously affected.

Problems related to many companies or institutions have also been exposed in China. Even PetroChina has had more than 20,000 gas stations attacked.

Why is this ransomware virus WannaCry able to cause trouble all over the world so brazenly? Who should be responsible for this?

It all starts with the National Security Agency (NSA) of the United States. Initially, the NSA developed a hacking toolkit, "Eternal Blue", in the name of national security needs. The role of this hacking toolkit is to assist the NSA in its own work.

"Eternal Blue" contains multiple Windows vulnerability exploitation tools. As long as a Windows server has one of the ports 139, 445, etc. open, it may be hacked. This can help the NSA obtain useful information when necessary.

But the terrible thing is that this NSA hacker toolkit was stolen one day... A toolkit that fell into the hands of hackers will naturally not be used for charity, but for blackmail and profit.

Since the NSA has not reported the relevant vulnerabilities to Microsoft, it was not until March this year that Microsoft began to push relevant security patches to all versions of Windows on all platforms, but it was too late.

The virus has spread like a worm on the Internet through port 445, and new variants have emerged, which has infected more than 200,000 PCs in more than 150 countries.

In the infected PC, important file data will be directly encrypted and the original files will be deleted. The ransomware will ask the PC owner for a fixed amount of Bitcoin as reward, otherwise these encrypted files will no longer be able to be opened. (Even if the most powerful computer on earth is used to decrypt it, it would take tens of thousands of years).

Reflections from individual users: Smart people will suffer if they play too much

Before the large-scale outbreak of the WannaCry ransomware virus, Microsoft had already pushed relevant security patches in March this year, and even Windows XP and Windows Server 2003, which have long since ended their life cycles, have received updates, so why are so many users still being attacked?

The reason is very simple. In fact, these PCs have already turned off automatic system updates, and often turn a blind eye to system update prompts. The hardest hit area for this ransomware virus is Windows 7, which is also the system most used by those who consider themselves "computer masters". Windows 10 is the least affected system, because Win10 system updates cannot be turned off through conventional methods and can only be turned off through group policy, which means that most Win10 users have always maintained automatic updates.

In the eyes of many people, as long as you maintain good Internet habits and computer usage, you can ensure the security of your computer from being intruded. Updating the system is a "conspiracy of operating system manufacturers."

But what people don’t know is that real hackers have hundreds of ways to make your computer a plaything in their hands, and the caution of ordinary users is completely meaningless.

There is another voice that is the mainstream on the Internet, and that is "I, a small commoner, have something worthy of being hacked by others?" But the fact is that you never know where the bottom line of hackers is. Although this time WannaCry did not attack computers in home network environments, computer users who were used to letting it go in company offices were still hit. If someone's work report is encrypted and blackmailed, the boss should not blame others.

No one is absolutely safe, and no one will definitely be missed. It was just a fluke in the past. Don't think that using group policy to turn off Win10 automatic updates is awesome. You should just update honestly.

Reflection of the enterprise: Sooner or later something will happen if employees prepare their own systems

Secondly, at the enterprise level, enterprises and institutions, including the *** department, are undoubtedly the hardest hit areas for the ransomware virus this time. The main reason is that the system version is outdated, security management is negligent, or pirated systems are even in use.

Due to various reasons, many enterprises’ internal operating system versions have not kept pace and are still using versions with low security performance or even those that have ended their life cycle (such as Windows XP). Since this type of system has lost Microsoft's security updates, it is the easiest line of defense for all viruses to break through. Various security vulnerabilities have opened the door to new viruses.

However, this time Microsoft did push relevant security patches for decommissioned operating systems such as Windows XP and Windows Server 2003, yet they still fell victim to the attack. This is how the entire enterprise or institution internally...