How many computers have been infected by ransomware in China

On the 12th, many colleges and universities across China suffered a ransomware attack over the network. Files on the affected computers were locked, and a pop-up window demanded payment of $300 (about 2,000 yuan) worth of bitcoin to unlock the computer.

The ransomware virus is not limited to our country or to universities. According to the National Network and Information Security Information Notification Center, tens of thousands of computers in more than 100 countries and regions have been infected.

The National Internet Emergency Response Center (NIERC) issued an emergency announcement that the ransomware virus penetrates and spreads to end-users and extorts bitcoin or other valuables, posing a serious attack threat. It has begun monitoring ransomware and related network attack activity, and recommends that users install the security patches Microsoft has already released for Windows, while also attending to network boundary protection, internal network zoning, host asset management and data backup.

A staff member of the Ministry of Public Security's Internet Security Bureau also said it was aware of the matter and had begun an investigation. No reports of the virus incident had yet been received, and netizens are advised to use network security tools to check their personal computers and to take precautions to avoid losses from infection.

Student computers received a "ransom note"

At 6:00 pm on the 12th, Li Min (a pseudonym), a junior at Nanchang University, turned on the computer to fix the formatting of a roommate's paper and found the network extremely laggy: saving was very slow, and at one point the screen went white for half a minute.

"Then the computer screen suddenly displayed a ransom letter. You could choose Chinese, Korean, Japanese, English and so on; roughly, it said that to unlock the files you need to pay the equivalent of 300 U.S. dollars in bitcoin." Li Min said that most of the files could not be opened, including a dual-degree thesis, the defense PPT and some pictures containing recorded information. Three students in the class were in a similar situation.

Zhang Hongli, a junior at the school's New Communication School, recalled that she logged on to the school's mobile network at 10 p.m. on the 12th to download her thesis and found her computer infected.

"At that time, the file extensions on the C drive had all been changed. My first reaction was to copy the files that were still intact onto a hard drive; I did not expect the backup hard drive to get infected too." She said that installing the Microsoft patches would not help: "I hope to find a solution as soon as possible; otherwise there is really no way but to reinstall the system."

The Beijing News reporter learned that computers at Shandong University, Zhejiang University, Nanchang University, Ningbo University and other colleges and universities were hit. Students' documents were locked, and the hacker left contact information, saying that bitcoin must be paid to restore the documents.

A student at the Huaiyin Institute of Technology said that while he was writing his thesis, a pop-up window suddenly appeared on the computer, after which the thesis and the documents he had downloaded became unreadable. He tried to buy repair services on Taobao, but eventually chose to rewrite his thesis because the price of repair was too high.

Hundreds of countries have been "infected"

Many netizens said that gas stations in many parts of the country were unable to accept online payment for gasoline and could only take cash.

Yesterday afternoon, several PetroChina staff said the group had suffered a network failure that was being repaired; only cash and gas cards could be used, and the gas cards' top-up function was unavailable.

A staff member of PetroChina's Liaoyang Petrochemical Branch disclosed that the branch had received a group notification: starting on the evening of the 12th, computers running the Windows operating system were hit one after another by the ransomware virus, which encrypted files and demanded a ransom. At present, the company's network and system services are suspended; if a computer is found to be infected with the virus, it should be shut down immediately and its network cable unplugged. The time of the company's network resumption will be announced later.

Virus attacks are not limited to our country. The National Network and Information Security Information Notification Center issued a circular: at 20:00 on the 12th, a new "worm" ransomware virus broke out, and tens of thousands of computers in more than 100 countries and regions have been infected.

The Weibo account "Britain those things" posted more than an hour ago that 16 hospitals in the United Kingdom had been hit by a wide-ranging cyberattack: the hospitals' intranets were compromised, computers were locked, and the telephones could not be reached. The hackers demanded a ransom of 300 bitcoins per hospital, otherwise all information would be deleted. The 16 organizations had largely lost external contact and had fallen back internally to pen and paper for emergency operations. Britain's national cybersecurity department is investigating.

Tencent's security department provided data to the Beijing News; preliminary statistics show that the "worm" has affected devices at schools, hospitals, airports, banks, gas stations and elsewhere in around a hundred countries, encrypting all the documents on these devices and causing heavy losses.

According to IT news, the infected areas are currently concentrated mainly in central China and China's southeastern coastal areas, mainland Europe and the Great Lakes region of the United States, with China and mainland Europe the most seriously infected.

Reveal 1

The culprit is the "Eternal Blue" virus

Yesterday morning, 360 chairman Zhou Hongyi posted on Weibo that the ransomware is built on the "Eternal Blue" hacking weapon leaked from the NSA. "Eternal Blue" can remotely attack Windows port 445 (file sharing); if the March Microsoft patch is not installed on the system, then as long as the computer is on the Internet, "Eternal Blue" can execute arbitrary code on it and implant the ransomware virus.

The National Internet Emergency Response Center (NIERC) has begun to monitor ransomware and related cyberattacks. From 9:30 a.m. to 12:00 p.m. on the 13th, about 1,011,000 IP addresses inside and outside the country were hit by Eternal Blue attacks, and more than 9,300 IP addresses initiated attack attempts.

The Emergency Response Center issued a briefing stating that the ransomware uses the previously disclosed Windows SMB service vulnerability as its attack method to penetrate and spread to end-users and extort bitcoin or other valuables. A number of domestic users, including universities, energy companies and other important information systems, were attacked, posing a serious security threat to China's Internet.

According to Xinhua News Agency, no hacker organization has yet claimed the attack. But the consensus in the industry is that the virus originated from the U.S. National Security Agency's arsenal of cyber weapons. Last month, the NSA suffered a leak that exposed the arsenal it had developed. The NSA has yet to respond, and the U.S. Department of Homeland Security's Computer Emergency Response Team says it is closely monitoring the hacking attack, which has global reach.

Reveal 2

Encrypting computer files for ransom

Tencent security experts pointed out that the incident was actually a worm attack. Once the worm lands on a user's machine that can reach the public network, it uses the built-in "Eternal Blue" attack code to automatically look for machines with port 445 open and attempts to penetrate them. Once a vulnerable machine is found, it not only continues to spread the worm but also delivers the ransomware, resulting in all documents on the user's machine being encrypted.

360 security experts pointed out that the "Eternal Blue" ransomware comes in two families, ONION and WNCRY. Files on the victim machine's disk are renamed with the corresponding suffix, so pictures, documents, videos, compressed archives and so on cannot be opened normally, and only paying the ransom allows decryption and recovery. The ransom amounts of the two families are 5 bitcoins (about RMB 50,000 yuan) and 300 U.S. dollars respectively.

Data provided by 360 shows that the ONION virus appeared in the country first, with an average of about 200 attacks per hour and a night-time peak of more than 1,000 per hour; the WNCRY ransomware virus is a new global attack that appeared on the 12th and spread rapidly on China's campus networks, with a night-time peak of about 4,000 attacks per hour.

An executive of a well-known domestic bitcoin company warned that it is not yet clear whether an attacked computer can be unlocked after paying bitcoin. At present, many domestic bitcoin exchanges cannot withdraw bitcoins; anyone who wants to buy bitcoin to unlock a computer needs to choose an exchange that allows withdrawals, or they will suffer secondary losses.

Reveal 3

Exposed ports make universities the "hardest hit"

According to the National Internet Emergency Response Center notice, the attack is mainly based on port 445; more than 9 million host IPs on the Internet expose this port (port open), of which more than 3 million are in mainland China.

The Network Information Security Working Group of the Education Informatization Branch of the Chinese Society of Higher Education issued a statement that, according to a preliminary investigation, this ransomware virus exploits the SMB vulnerability to propagate and spread via port 445; some schools have a high number of infected machines, and a large amount of important information has been encrypted.

Zuo Xiaodong, vice president of the China Institute for Information Security Research, said that worms have spread in China via port 445 many times, so some operators block the port for individual users. However, there is no such restriction on education networks, where a large number of machines expose this port, making them the hardest hit by attacks.

Fan Yuan, founder and president of Hangzhou ACE Information Technology Co., Ltd., said the attack became "effective" because port 445 was not restricted on certain industry-specific networks, affecting many schools and a small number of medical institutions. "It can be prevented by installing the patch released by Microsoft, but for users who have already been attacked, the solution is still difficult." According to him, sporadic ransomware had been detected some time ago, but most units may not have paid enough attention.

Tsinghua University "took shelter" behind its blocking measures. On April 15, the school blocked TCP ports 139, 445 and 3389 to prevent attacks on internal hosts of the campus network. Yesterday, the university issued a notice saying that the two recent large-scale global cyber-security outbreaks had not harmed the campus network or its users on a large scale.

Tips

6 steps to protect against ransomware

The Security Working Group has proposed two preventive measures. For those who have not upgraded their operating system (not recommended, but a temporary mitigation): enable the Windows Firewall through the "Windows Firewall" settings in Windows.

For schools and other organizations, it is recommended to block external network connections to ports 135/137/139/445 of the campus network on the border egress switching and routing equipment, and at the same time block connections to these ports on the core backbone switching and routing equipment of the campus network.

Security experts from Tencent pointed out that Microsoft has released patches for all mainstream systems, and suggested that users use the PC Manager ("computer housekeeper") tool to install the patches and turn on its protection.

The National Internet Emergency Response Center suggests that users promptly install the security patches that have been released for Windows, and at the same time do the following:

1. Close external network access to port 445 (and the associated ports 135, 137 and 139), and shut down unnecessary ports of the above services on servers;

2. Audit access to port 445 and the other ports in the internal network area, in order to detect unauthorized behavior or potential attacks in a timely manner;

3. Update operating system patches in a timely manner;

4. Install antivirus software and keep it up to date;

5. Do not readily open e-mails from unknown sources;

6. Regularly back up the important business data and personal data of information systems on different storage media.
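The worm behaviour described under "Reveal 2" (one infected host probing many neighbours on port 445) and step 2 above (auditing internal access to 445 and the associated ports) can be checked against connection logs. The following is an added example, not code from the article or from any of the organizations it quotes; the log format, the campus address range 10.20.0.0/16 and the fan-out threshold of 5 targets per 5 minutes are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {135, 137, 139, 445}  # ports the CERT notice says to close and audit
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal address range
FANOUT_THRESHOLD = 5  # assumed tuning value: distinct SMB targets per source
WINDOW = timedelta(minutes=5)

# Constructed sample log, one connection per line: "date time src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2017-05-12 20:01:03 10.20.5.17 10.20.5.18 445
2017-05-12 20:01:04 10.20.5.17 10.20.5.19 445
2017-05-12 20:01:04 10.20.5.17 10.20.5.20 445
2017-05-12 20:01:05 10.20.5.17 10.20.5.21 445
2017-05-12 20:01:06 10.20.5.17 10.20.6.1 445
2017-05-12 20:02:10 10.20.7.3 10.20.7.9 445
2017-05-12 20:03:00 203.0.113.8 10.20.9.4 445
"""

def parse_log(text):
    # Each line becomes a (timestamp, src, dst, port) tuple.
    events = []
    for line in text.splitlines():
        date, clock, src, dst, port = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, dst, int(port)))
    return events

def fanout_sources(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Sources that reached >= threshold distinct hosts on SMB ports within one window."""
    # One machine touching many neighbours on 445 in a short time is the propagation pattern
    # described above; ordinary file-share use touches only a handful of servers.
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so a window can be started at each hit
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged

def externally_reached_smb(events, nets=CAMPUS_NETS):
    """Internal hosts that accepted SMB-port connections from outside the campus ranges."""
    internal = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return {dst for _, src, dst, port in events
            if port in SMB_PORTS and internal(dst) and not internal(src)}
```

Hosts returned by `externally_reached_smb` are the ones whose port 445 is still reachable from outside and should be covered by the border blocking in step 1; hosts in `fanout_sources` are candidates for immediate isolation.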