What is known about the hacker attack on Russia. MegaFon subscribers were left without service: what will happen next

Users from Moscow, Nizhny Novgorod, Penza, Saratov, Samara, Ryazan, Ufa and other Russian cities reported that they were unable to make calls: the network was unavailable.

At first, the company's official Twitter account advised users to set the network type to "3G only" and restart the phone; now all affected customers are sent a standard answer: "There are currently widespread difficulties with communication. We are already fixing them. We apologize for any inconvenience caused". The company added that it has no data on a specific deadline for fixing the problem.

Unsuccessful dialing

MegaFon stated that the call success rate in Moscow and several other cities had decreased by 30%, noting that calls were still possible via messengers. Unfortunately, this did not satisfy many of the company's customers, who cannot use messengers without access to Wi-Fi.

According to the MegaFon press service in its Telegram channel, the failure was caused by an accident on one of the elements of network equipment.

In addition, one of the company's offices also said that there had been an accident, but that the deadline for eliminating the consequences was still unknown. Employees suggest that those wishing to receive compensation write a statement at the company's office. Asked about the causes of the failure, they report that a hacker attack is not excluded.

Some time after the reports of MegaFon's failures, information appeared in the media that other mobile operators, such as Beeline, had also encountered communication problems. In a conversation with "Gazeta.Ru", a spokesman for the company stated that the network was operating normally without mass failures, and that the spread of the false report about problems on the operator's network was connected with a technical support employee's answer about the operation of one of the company's base stations.

A press secretary also informed "Gazeta.Ru" of stable operation: "The MTS network is operating normally."

In a telephone conversation with a correspondent of "Vesti", he said that on the day of the attack many MegaFon office computers began to reboot and display a message demanding a ransom for decrypting data, and that not only Moscow but also other Russian cities were affected.

Fortunately, the spread of the attack was slowed, and within literally a couple of hours the work of the entire MegaFon call center was restored, so that subscribers could contact the support service. The company representative stressed that the WannaCry virus did not affect communication services, and that the personal data of the operator's customers remained safe.

In January 2017, MegaFon users also complained about the unavailability of some services, "Multiple" and "MegaFTV", as well as problems with the website. The company explained the failure by an accident at the data center caused by abnormal frosts in the region.

After some time, the services returned to normal operation. At the time, a representative of the mobile operator told "Gazeta.Ru" that order in a system is measured not by the presence of failures but by the ability to eliminate them quickly. "This was done by the company's specialists as soon as possible. And at night on a holiday," Dorokhina added.

Suddenly, a window appears stating that the user's files are encrypted and can be decrypted only by paying a ransom of 300 dollars. This must be done within three days, otherwise the price will double, and after a week the data will be removed permanently. More precisely, physically it will remain on the disk, but it will be impossible to decrypt. To demonstrate that the data really can be decrypted, the user is offered a "free demo version".

Example message about hacking a computer

What is encryption

Any data on a computer can be encrypted. Since all of it consists of files, that is, sequences of zeros and ones, the same zeros and ones can be written in a different sequence. Say we agree that instead of each sequence "11001100" we will write "00001111"; then, on seeing "00001111" in the encrypted file, we will know that it is in fact "11001100", and we can easily decrypt the data. The information about what is replaced with what is called the cipher key, and, alas, in this case only the hackers have the key. It is individual for every victim and is sent only after payment for the "services".

Can the hackers be caught

In this case, the ransom has to be paid in bitcoins, an electronic cryptocurrency. The essence of using bitcoins, in brief, is that the payment data is transmitted over a chain of servers in such a way that each intermediate server does not know who the original sender and the recipient of the payment are. Therefore, firstly, the final "beneficiary" is always completely anonymous, and secondly, the transfer of money cannot be challenged or canceled; that is, a hacker receiving a ransom risks nothing. The possibility of receiving large amounts of money quickly and with impunity strongly motivates hackers to search for new hacking methods.

How to protect yourself from hacking

In general, ransomware has existed for about ten years; as a rule, it used to be "Trojan horses". That is, the user installed the encryption program himself through his own foolishness, for example under the guise of a "crack" for an expensive office suite or a set of new levels for a popular game, downloaded from who knows where. Elementary computer hygiene protects against such Trojans.

Now, however, we are talking about a virus attack (the WANNA DECRYPT0R 2.0 virus) that uses a vulnerability in Windows operating systems and in the network file transfer protocol (SMB), because of which all computers on the local network become infected. Antiviruses are silent; their developers do not yet know what to do and are only studying the situation. So the only way to protect yourself is to regularly create backup copies of important files and store them on external hard disks disconnected from the network. You can also use less vulnerable operating systems: Linux or Mac OS.

"Today, our experts added an update: detection of and protection against new malware known as Ransom: Win32.wannacrypt. In March, we also added a security update that provides additional protection against a potential attack. Users of our free antivirus and the updated version of Windows are protected. We are working with users to provide additional help."

Kristina Davydova

Microsoft Russia spokesperson

How to save files

If the files are already encrypted and there is no backup, then, alas, you will have to pay. At the same time, there is no guarantee that the hackers will not encrypt them again.

The hack will not lead to any global cataclysm: without local accounting records or reports things are, of course, hard, but the trains run and the MegaFon network works without failures. Nobody trusts critically important data to ordinary office PCs running Windows, and servers either have multistage protection against hacking (down to hardware protection at the router level) or are completely isolated from the Internet and from the local networks to which employees' computers are connected. By the way, precisely in case of cyberattacks, important data of state structures is stored on servers running special cryptographically resistant Linux builds with appropriate certification, and in the Ministry of Internal Affairs these servers also run on Russian "Elbrus" processors, for whose architecture the attackers definitely have no compiled virus code.

What will happen next

Paradoxical as it may be, the more people suffer from the virus, the better: it will be a good lesson in cybersecurity and a reminder of the need for constant data backups. After all, data can not only be destroyed by hackers (and in 1,001 other ways), but also lost through the physical loss of the medium on which it was stored, and then there is only yourself to blame. You would gladly pay both 300 and 600 dollars for the work of your whole life, but there will be no one to pay!

  • 12 May 2017, 19:43 Computer systems of the Ministry of Internal Affairs and MegaFon have been hit by a virus attack

A virus has struck the internal computer system of the Ministry of Internal Affairs of Russia, "Varlamov.ru" reports, citing several sources familiar with the situation.

A "Mediazona" source in the Ministry of Internal Affairs confirmed that departmental computers had been infected. According to him, this concerns directorates in several regions.

Earlier, information about a possible virus infection appeared on the "Pikabu" website and the Kaspersky forum. According to some users, the virus in question is WCry (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands that a special decryptor be bought for bitcoins; otherwise, the files will be deleted.

According to users on the Kaspersky Forum, the virus first appeared in February 2017, but "was updated and now looks different than previous versions."

The Kaspersky press service could not promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers are infected in Russia, Ukraine and Taiwan.

Varlamov's site notes that information has also appeared about the infection of computers in public hospitals in several regions of Great Britain and about an attack on the Spanish telecommunications company Telefonica. In both cases, the virus also asks for payment.

The company noted that in March, additional protection against such viruses was already presented in the update.

"Users of our free antivirus and the updated version of Windows are protected. We are working with users to provide additional assistance," the company added.

Earlier, Kaspersky Lab told "Mediazona" that the WannaCrypt virus uses a Windows network vulnerability that Microsoft specialists closed in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to the ministry's press secretary Irina Volk, the ministry's Department of Information Technologies, Communications and Information Protection recorded a virus attack on the ministry's computers running the Windows operating system.

"Thanks to timely measures, about a thousand infected computers were blocked, which is less than 1%," said Volk, adding that the ministry's server resources were not infected because they run other operating systems.

"At present the virus is localized; technical work is being carried out to destroy it and to update the anti-virus protection tools," said the ministry's press secretary.

More than six thousand dollars transferred to the Bitcoin wallets of the hackers who distributed the WannaCry virus

At least 3.5 bitcoins have been transferred to the distributors of the WannaCry virus, writes "Meduza". At the rate of 1,740 dollars per bitcoin as of 22:00 Moscow time, this amounts to 6,090 dollars.

"Meduza" reached this conclusion based on the transaction history of the Bitcoin wallets to which the virus demanded that money be transferred. The wallet addresses were published in a Kaspersky Lab report.

Twenty transactions were made to the three wallets on May 12. Mostly, 0.16-0.17 bitcoin was transferred in each, which equals approximately 300 dollars. This is the sum the hackers demanded in the pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported that the WanaCrypt0r 2.0 virus had infected 75 thousand computers in 99 countries, according to the organization's website.

Mainly, computers in Russia, Ukraine and Taiwan were infected.

13 hours ago, a post appeared on the blog of computer security specialist Brian Krebs about the transfer of bitcoins to the hackers totaling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries have been hit by the virus attack

In three days, more than 200 thousand computers in 150 states have been infected with the WannaCry virus, Europol director Rob Wainwright said in an interview with the British TV channel ITV. His words are quoted by Sky News.

"The spread of the virus around the world is unprecedented. According to the latest estimates, we are talking about 200 thousand victims in at least 150 countries, and among these victims are enterprises, including large corporations," said Wainwright.

He suggested that the number of infected computers would most likely grow significantly when people return to work at their computers on Monday. At the same time, Wainwright noted that so far people had transferred "amazingly little" money to the distributors of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, the "Xinhua" agency reports, citing data from the Qihoo 360 computer threat assessment center.

According to the researchers, computers were attacked in more than 4,340 universities and other educational institutions. Infections were also noted on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

"There was no significant damage for us, for our institutions: neither for banking, nor for the health system, nor for others," he said.

"As for the source of these threats, in my opinion, Microsoft's management stated this directly: they said that the primary source of this virus is the United States special services, and Russia has nothing to do with it at all. It is strange for me to hear anything else under these conditions," the president added.

Putin also called on to discuss the problem of cybersecurity "at a serious political level" with other countries. He stressed that it is necessary to "develop a system of protection against such manifestations."

Clones of the WannaCry virus have appeared

Two modifications of the WannaCry virus have appeared, writes "Vedomosti", citing Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware virus but by other hackers who are trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab found three infected computers in Russia and Brazil. The second clone learned to bypass the piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about clones of the virus. Matt Suiche, founder of Comae Technologies, a company engaged in cybersecurity, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to a report on Kaspersky Lab's specialized site.

The company's specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to a similarity between two samples, which share common code: a WannaCry cryptor sample from February 2017 and a Lazarus group sample from February 2015.

"The detective story is getting ever more twisted, and now one and the same code has been found in #WannaCry and in the Trojans from Lazarus."

In addition to telecommunication companies, the victims of the hacker attacks, according to sources of RBC as well as of "Gazeta.Ru" and "Mediazona", included Russia's security agencies: the Ministry of Internal Affairs and the Investigative Committee.

An RBC source in the Ministry of Internal Affairs spoke about an attack on the department's internal networks. According to him, it was mainly the ministry's regional directorates that were attacked. He clarified that the virus struck computers in at least three regions of the European part of Russia. The source added that this attack should not affect the work of the Ministry of Internal Affairs. Another RBC source in the ministry said that the hackers could have gained access to the ministry's databases, but it is not known whether they managed to download information from there. The attack on the Ministry of Internal Affairs affected only those computers whose operating system had not been updated for a long time, the source in the department said. The ministry's work is not paralyzed by the hackers, but is seriously hampered.

In Germany, hackers attacked the services of Deutsche Bahn, the country's main railway operator. This was reported by the TV channel ZDF, citing the country's Ministry of Internal Affairs.

The US Department of Homeland Security offered partners technical support and assistance in the fight against the WannaCry "ransomware program".

What kind of virus?

According to a Kaspersky Lab report, the virus in question is the WannaCry encryptor. "As the analysis showed, the attack took place through a well-known network vulnerability, Microsoft Security Bulletin MS17-010. Then a rootkit was installed on the infected system, and using it the attackers launched the encryption program," the company said.

"All Kaspersky Lab solutions detect this rootkit as mem: trojan.win64.equationdrug.gen. Our solutions also detect the encryption programs that were used in this attack with the following verdicts: Trojan-Ransom.win32.scatter.uf, Trojan-ransom.win32.fury.fr, PDM: Trojan.win32.Genic (to detect this malware, the System Watcher component must be enabled)," the company noted.

To reduce the risk of infection, Kaspersky Lab specialists advise users to install the official patch from Microsoft, which closes the vulnerability used in the attack, and, to prevent such incidents, to use threat information services in order to obtain data on the most dangerous attacks and possible infections.

Microsoft also commented on the hacker attack. "Today, our specialists added detection of and protection against new malware known as Ransom: Win32.wannacrypt. In March, we also introduced additional protection against malware of a similar nature along with a security update that prevents the spread of malware over the network. Users of our free antivirus and the updated version of Windows are protected. We are working with users to provide additional assistance," says a statement from the Microsoft representative in Russia received by RBC.

A Solar Security representative told RBC that the company sees the attack and is currently examining a sample of the virus. "We are not ready to share details now, but the malware was clearly written by professionals. So far, it cannot be ruled out that it is something more dangerous than an encryptor. It is already obvious that the speed of its spread is unprecedentedly high," the source said. According to him, the damage from the virus is "huge": it has affected large organizations in 40 countries around the world, but it is not yet possible to give an accurate assessment, since the capabilities of the malware have not yet been fully studied and the attack is still developing.

Group-IB CEO Ilya Sachkov told RBC that encryption programs similar to the one used in the current attack are a growing trend. In 2016, the number of such attacks increased more than a hundredfold compared with the previous year, he clarified.

Sachkov noted that, as a rule, a device is infected in this case through email. Speaking of WannaCry, the expert noted that this encryptor program has two features. "First, it uses the EternalBlue exploit, which was published in open access by the Shadow Brokers hackers. A patch closing this vulnerability for Windows Vista and later became available on March 9 as part of the MS17-010 bulletin. At the same time, there will be no patch for old operating systems like Windows XP and Windows Server 2003, as they are out of support," he said.

"Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malicious software will spread in it too, hence the avalanche-like character of the infection," added Sachkov.

Protection against such attacks, according to Sachkov, can be provided by "sandbox" class solutions, which are installed in the organization's network and check all files arriving in employees' mail or downloaded by them from the Internet. In addition, the expert recalled, it is important to hold explanatory conversations with employees about the basics of "digital hygiene": not installing programs from unverified sources, not inserting unknown flash drives into the computer and not following dubious links, as well as updating software on time and not using operating systems that are not supported by the manufacturer.
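As an added illustration (not part of the original article or of any vendor's product), the sketch below shows how a defender could spot the scanning behaviour Sachkov describes: one host opening SMB (TCP port 445) connections to many distinct addresses in a short time. The flow-record format, the addresses, the 60-second window and the threshold of 20 are constructed assumptions.

```python
"""Flag hosts whose outbound TCP/445 fan-out looks like worm-style SMB scanning."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records, one per line: 'timestamp src_ip dst_ip dst_port'."""
    base = datetime(2017, 5, 12, 14, 0, 0)
    lines = ["this line is malformed and must be skipped"]
    # Workstation that keeps talking to the same two file servers (normal SMB use).
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.5.10 10.0.1.{1 + i % 2} 445")
    # Host sweeping its own subnet and external addresses on port 445.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        dst = f"10.0.5.{100 + i}" if i % 2 == 0 else f"198.51.100.{i}"
        lines.append(f"{ts.isoformat()} 10.0.5.23 {dst} 445")
    # Busy web client: many destinations, but not SMB.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.5.11 203.0.113.{i} 443")
    return lines


def parse_flow(line):
    """Return (timestamp, src, dst, port), or None if the line is malformed."""
    try:
        ts, src, dst, port = line.split()
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None


def smb_fanout_alerts(lines, window=timedelta(seconds=60), threshold=20, port=445):
    """Map each source IP to its peak count of distinct destinations contacted
    on `port` within any sliding `window`, keeping only peaks >= threshold."""
    flows = sorted(f for f in map(parse_flow, lines) if f is not None)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    peak = defaultdict(int)
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(build_sample_flows()).items():
        print(f"{src}: {n} distinct SMB destinations within 60 s")
```

Counting distinct destinations rather than connections keeps a workstation that repeatedly uses the same file servers below the threshold.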

Who is guilty

Who is behind the large-scale cyberattack is not yet clear. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack that happened on May 12. WikiLeaks had earlier stated that this was possible.

In turn, the authorities of Romania said that the organization "APT28 / Fancy Bear", which is traditionally counted among "Russian hackers", may be behind the attempted attack.

The Telegraph suggests that the Shadow Brokers group, associated with Russia, may be behind the attack. The paper links this to statements the hackers made in April that they had allegedly stolen a "cyber weapon" of the US intelligence community that gives them access to all computers running Windows.