Ransomware virus will infect the phone ransomware virus secret switch decryption strategy
Regarding the WannaCry ransomware worm that has drawn so much attention recently, the reporter put readers' questions to Antiy, an Internet security vendor focused on threat detection and defense technology, hoping to clear up part of the mystery for ordinary Internet users.

Image: the window that pops up on a computer after it is attacked by the ransomware. Source: Tencent Anti-Virus Labs

1. Can you avoid getting infected by simply shutting down your computer?

Shutting down avoids infection for the moment, but sooner or later the computer will have to be used again, so it is recommended to install the patch as soon as possible, enable the firewall and close port 445.

2. Is the banking system infected?

Cases of ATMs being infected have been discovered, and many devices inside banks run Windows; without proper protection they are at risk of being infected by the "WannaCry" ransomware.

3. Is it possible to get infected while browsing over a wireless connection rather than a cable?

There is no guarantee that the wireless network operator has blocked the relevant ports, or that other nodes behind the same wireless router have not already been infected. Therefore, regardless of how you access the Internet, you should always patch security holes and harden your security policy.

4. Is it safer to use my phone as a hotspot for my computer?

If a phone is used as a hotspot, the phone acts as the external gateway and the computer receives an internal IP address that cannot be directly scanned by external infected nodes. However, exposing the phone in this way can introduce other security risks.

5. Are home networks at risk? Is it only for businesses and educational networks, etc.?

From the spreading strategy of the virus analyzed so far, there is no clear targeting: as long as your terminal can be scanned by a node already infected by the virus, you can be infected.

6. Have any users reported infected phones?

As of 3 pm on May 13, Antiy had not observed any mobile version of this virus family.

7. Can the ransomware worm spread from USB flash drives?

Based on the analysis so far, we think the accurate statement is this: while the ransomware worm runs, it may copy the program module that displays the extortion message ("@WanaDecryptor@.exe") to a USB flash drive inserted in the computer at the time, but this program does not lead to secondary spread.

Cybersecurity companies such as 360, Antiy and Kingsoft are all working overtime today.

A virus called "WannaCry" began a worldwide outbreak. Ninety-nine countries suffered attacks, and more than 100,000 attacks were observed within 24 hours. The hardest-hit areas in China were campus systems, healthcare systems, the energy industry and public security office systems.

Some domestic netizens have already felt the impact of WannaCry firsthand.

Some people queued for more than an hour at a police station in Beijing only to be told that the system had been paralyzed by the attack; someone at a gas station found the self-service payment system offline, with Alipay, WeChat Pay and other online payments unusable, and no cash on hand. The campus networks of Zhejiang University of Media and Communications, China Jiliang University and many other domestic universities were also attacked.

Several security companies have said that this virus can be prevented but not decrypted. Only 360 has announced a first-aid decryption program that can partially recover encrypted files, with a certain probability of success.

Perhaps for this reason, the virus's author behaved very brazenly. He left a smug ransom note for victims, demanding payment within 3 days, doubling the price after 3 days, and declaring the encrypted data unrecoverable after a week.

Most companies do not seem to have given him what he wants yet. One of the bitcoin collection accounts left by the hacker currently shows 30 completed transactions totalling 4.62 bitcoins. At the current bitcoin price, that comes to about 47,500 yuan. However, there is a clear trend of payments accelerating, with eight new transactions in the hour after 9:30 pm on May 13. Some industry sources believe that the peak of ransom payments has not yet arrived, and that the size of the ransom will increase significantly from the 14th onwards.

According to leaked bargaining emails between the hacker and an attacked company, the hacker is also well aware of China's current political events and has quite some "political awareness".

In this WannaCry attack, two groups of people are safer. The first is Mac users, since the attack targets Windows systems. The second is the majority of individual Windows users, excluding those who access the network through a LAN such as a campus network.

As for why intranets were hit hardest, most security companies blame port 445. The situation in China is that network operators have blocked port 445 for most individual users, but a great many such ports remain open inside large LANs and corporate intranets.

So what is port 445? Its main function is to support file sharing: the shared folders and shared printers you see on corporate intranets and campus networks are port 445 at work. But it also exposes a great risk: after a successful intrusion, a hacker can use it to access your shared files, encrypt them, and format your hard disk.

Building on this, the security big data firm MicroStep Online gave a more detailed explanation. After analyzing the sample, they found that the current sample contains a secret switch (a "kill switch"), and checking it is the first step of the attack.

After the WannaCry sample is launched on the user's computer, the first thing it does is request the following domain name: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

If the request fails, file encryption is carried out; if the request succeeds, encryption is abandoned and the sample exits directly. They also remind users not to block access to the above domain on firewalls, IPS and other devices.

On May 12, this switch domain was taken over by security agencies. Even so, a large number of computers were still encrypted afterwards. The reason given by MicroStep Online is that these machines had no access to the Internet, so WannaCry's request for the switch domain failed and the encryption behaviour was triggered.

In addition, WannaCry has worm functionality, which easily causes a chain reaction inside an intranet. If the intranet has no Internet access, the loss of one machine is likely to lead to every machine being compromised.

An engineer from Marvel Team, a 360 cloud security team, explained that the secret switch can be understood as a control valve set by the hacker, one of his locks. Had the domain not been taken over, shutting it down would have triggered an even bigger bloodbath, since every user's request would then fail.
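The two behaviours described above (the kill-switch request that must succeed for encryption to be abandoned, and worm-style scanning of port 445 on neighbouring machines) both leave traces in ordinary egress-proxy and firewall logs. The following Python script is an added example for defenders, not code from the article or from any of the vendors it quotes. It parses a small set of constructed log lines in an assumed "timestamp src dst dport proto action host" layout, flags hosts whose request for the switch domain was denied (on the article's reasoning, encryption then proceeds), and flags hosts that contacted an unusually large number of distinct peers on 445/tcp. The log format, the field order and the scan threshold are assumptions.

```python
"""Triage constructed firewall/proxy log lines for the two WannaCry behaviours
the article describes: the kill-switch domain request and 445/tcp scanning."""
from collections import defaultdict

# Kill-switch domain quoted in the article.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = 445
SCAN_THRESHOLD = 5  # assumed: distinct 445/tcp targets from one host before we call it scanning

# Constructed sample log, not real telemetry. Assumed layout:
#   timestamp src dst dport proto action host   ("-" when no hostname is known)
SAMPLE_LOG = """\
2017-05-13T09:00:01 10.0.5.17 203.0.113.9 80 tcp DENY www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T09:00:05 10.0.5.17 10.0.5.2 445 tcp ALLOW -
2017-05-13T09:00:05 10.0.5.17 10.0.5.3 445 tcp ALLOW -
2017-05-13T09:00:06 10.0.5.17 10.0.5.4 445 tcp ALLOW -
2017-05-13T09:00:06 10.0.5.17 10.0.5.5 445 tcp ALLOW -
2017-05-13T09:00:07 10.0.5.17 10.0.5.6 445 tcp DENY -
2017-05-13T09:00:07 10.0.5.17 10.0.5.7 445 tcp ALLOW -
2017-05-13T09:02:11 10.0.5.40 203.0.113.9 80 tcp ALLOW www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T09:03:00 10.0.5.41 10.0.5.9 445 tcp ALLOW -
2017-05-13T09:03:30 10.0.5.42 93.184.216.34 443 tcp ALLOW www.example.com
"""


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, dport, proto, action, host = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "action": action.upper(), "host": host.lower()}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def kill_switch_requests(records):
    """Map each source host to the action of its first kill-switch request."""
    seen = {}
    for r in records:
        if r["host"] == KILL_SWITCH_DOMAIN and r["src"] not in seen:
            seen[r["src"]] = r["action"]
    return seen


def smb_scanners(records, threshold=SCAN_THRESHOLD):
    """Hosts that tried to reach >= threshold distinct peers on 445/tcp.
    Denied attempts count too: the attempt itself is the scanning signal."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == SMB_PORT and r["proto"] == "tcp":
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def triage(text):
    """Return {src_host: finding} for every host worth isolating or checking."""
    records = parse_log(text)
    findings = {}
    for src, action in kill_switch_requests(records).items():
        if action == "DENY":
            # Per the article: request failed, so encryption would proceed.
            findings[src] = ("kill-switch request blocked: encryption likely "
                             "proceeded, isolate host and check files")
        else:
            # Request succeeded, so the sample should have exited, but the
            # host still ran it: find how it got there.
            findings[src] = ("kill-switch reached: sample should have exited, "
                             "but host executed it, trace the source")
    for src, n in smb_scanners(records).items():
        note = f"{n} distinct hosts contacted on 445/tcp: worm-style scanning"
        findings[src] = findings[src] + "; " + note if src in findings else note
    return findings


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_LOG).items()):
        print(host, "->", finding)
```

On the constructed sample, 10.0.5.17 is reported for both a blocked kill-switch request and scanning six peers on 445/tcp, 10.0.5.40 is reported because it executed the sample even though the request succeeded, and 10.0.5.41 (a single ordinary file-share connection) is not reported. In a real deployment the same two checks would run over the proxy and internal firewall logs that already exist, which is also the quickest way to confirm that the switch domain has not been accidentally blocked.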

He revealed that 360's security department worked through the night and released the first file recovery tool for this ransom worm; the link is /recovery/RansomRecovery.exe . It is a first-aid program that can restore a certain percentage of files, and the probability of success is affected by several factors such as the number of files.

Warren Buffett said just a week ago at the Berkshire Hathaway shareholders' meeting: "I am pessimistic about weapons of mass destruction, but I think the likelihood of a nuclear war is lower than that of a biochemical weapon or a cyber attack."

Unfortunately, he hit the nail on the head. Perhaps one day the scene in Fast and Furious 8, where self-driving vehicles are attacked en masse, will become reality.