
WannaCry ransomware virus: what to do? How to decrypt files after WannaCry. Wanna Cry virus description and treatment

As reported by Russian media, the work of departments of the Ministry of Internal Affairs in several regions of Russia has been disrupted due to a ransomware that has infected many computers and threatens to destroy all data. In addition, the communications operator Megafon was attacked.

We are talking about the WCry ransomware Trojan (WannaCry or WannaCryptor). It encrypts the information on the computer and demands a ransom of $300 or $600 in Bitcoin for decryption.

@[email protected], encrypted files, extension WNCRY. A utility and decryption instructions are required.

WannaCry encrypts files and documents with the following extensions by adding .WCRY to the end of the file name:

.lay6, .sqlite3, .sqlitedb, .accdb, .java, .class, .mpeg, .djvu, .tiff, .backup, .vmdk, .sldm, .sldx, .potm, .potx, .ppam, .ppsx, .ppsm, .pptm, .xltm, .xltx, .xlsb, .xlsm, .dotx, .dotm, .docm, .docb, .jpeg, .onetoc2, .vsdx, .pptx, .xlsx, .docx

WannaCry attack around the world

Attacks were recorded in more than 100 countries. Russia, Ukraine and India are experiencing the greatest problems. Reports of virus infection are coming from the UK, USA, China, Spain, and Italy. It is noted that the hacker attack affected hospitals and telecommunications companies around the world. An interactive map of the spread of the WannaCrypt threat is available on the Internet.

How does infection occur?

As users say, the virus gets onto their computers without any action on their part and spreads uncontrollably across networks. On the Kaspersky Lab forum they point out that even an enabled antivirus does not guarantee security.

It is reported that the WannaCry ransomware (Wana Decryptor) attacks through the vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit is then installed on the infected system, and the attackers use it to launch the encryption program. All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen.

The infection supposedly occurred a few days earlier, but the virus only manifested itself after it had encrypted all the files on the computer.

How to remove WanaDecryptor

You will be able to remove the threat using an antivirus; most antivirus programs already detect it. Common detection names:

  • Avast: Win32:WanaCry-A
  • AVG: Ransom_r.CFY
  • Avira: TR/FileCoder.ibtft
  • BitDefender: Trojan.Ransom.WannaCryptor.A
  • DrWeb: Trojan.Encoder.11432
  • ESET-NOD32: Win32/Filecoder.WannaCryptor.D
  • Kaspersky: Trojan-Ransom.Win32.Wanna.d
  • Malwarebytes: Ransom.WanaCrypt0r
  • Microsoft: Ransom:Win32/WannaCrypt
  • Panda: Trj/RansomCrypt.F
  • Symantec: Trojan.Gen.2, Ransom.Wannacry

If you have already launched the threat on your computer and your files have been encrypted, decrypting the files is almost impossible, since exploiting the vulnerability launches a network encryptor. However, several options for decryption tools are already available:

Note: If your files have been encrypted, you have no backup, and the existing decryption tools did not help, it is recommended to save the encrypted files before cleaning the threat from your computer. They will be useful if a decryption tool that works for you is created in the future.

Microsoft: Install Windows updates

Microsoft said that users with the company's free antivirus and Windows System Update enabled will be protected from WannaCryptor attacks.

Updates dated March 14 fix the system vulnerability through which the ransomware Trojan is distributed. Today detection was added to the Microsoft Security Essentials/Windows Defender antivirus databases to protect against a new malware known as Ransom:Win32.WannaCrypt.

  • Make sure your antivirus is enabled and has the latest updates installed.
  • Install a free antivirus if your computer does not have any protection.
  • Install the latest system updates using Windows Update:
    • For Windows 7, 8.1: from the Start menu, open Control Panel > Windows Update and click Search for Updates.
    • For Windows 10: go to Settings > Update & Security and click "Check for updates".
  • If you install updates manually, install the official Microsoft patch MS17-010, which addresses the SMB server vulnerability used in the WanaDecryptor ransomware attack.
  • If your antivirus has ransomware protection, turn it on. We also have a separate section on our website, Ransomware Protection, where you can download free tools.
  • Perform an anti-virus scan of your system.

Experts note that the easiest way to protect yourself from an attack is to close port 445.

  • Type sc stop lanmanserver and press Enter
  • For Windows 10, enter sc config lanmanserver start=disabled; for other Windows versions, enter sc config lanmanserver start= disabled; then press Enter
  • Restart your computer
  • At the command prompt, enter netstat -n -a | findstr "LISTENING" | findstr ":445" to make sure the port is disabled. If the command prints nothing, the port is not listening.
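
The verification step above, as an added example that is not part of the original article: the findstr ":445" filter is a substring match, so it also prints listeners on ports such as 4450, while the parser below matches the local port exactly. The netstat output is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -n -a` output (not captured from a real host).
SAMPLE_OPEN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

# The same constructed host after the Server service is disabled:
# both TCP listeners on port 445 are gone, everything else is unchanged.
SAMPLE_CLOSED = "\n".join(
    line for line in SAMPLE_OPEN.splitlines()
    if not re.search(r":445\s.*LISTENING", line)
)

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def _port(endpoint):
    """Port of '0.0.0.0:445' or '[::]:445'; None for '*:*'."""
    _host, _sep, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def findstr_pipeline(netstat_output):
    """What the page's command prints: substring matches, like findstr."""
    return [
        line.strip()
        for line in netstat_output.splitlines()
        if "LISTENING" in line and ":445" in line
    ]


def smb_listeners(netstat_output, port=445):
    """Local endpoints in LISTENING state on exactly `port` over TCP."""
    found = []
    for line in netstat_output.splitlines():
        match = _ROW.match(line)
        if not match:
            continue  # title, column header and blank lines
        proto, local, _foreign, state = match.groups()
        if proto.upper() != "TCP" or (state or "").upper() != "LISTENING":
            continue  # outbound SMB sessions and UDP rows are not listeners
        if _port(local) == port:
            found.append(local)
    return found


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_OPEN), ("after", SAMPLE_CLOSED)):
        print(label, "findstr lines:", len(findstr_pipeline(text)),
              "exact listeners:", smb_listeners(text))
```

On the "after" sample the substring filter still prints the 4450 row, while the exact match reports no listener on 445.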

If necessary, open the port back:

  • Run Command Prompt (cmd.exe) as administrator
  • For Windows 10, enter sc config lanmanserver start=auto; for other versions of Windows, enter sc config lanmanserver start= auto; then press Enter
  • Restart your computer
Note: Port 445 is used by Windows for file sharing. Closing this port does not prevent the PC from connecting to other remote resources, but other PCs will not be able to connect to the system.

Today, perhaps, only people very far from the Internet are unaware of the mass infections of computers with the WannaCry (“I want to cry”) encryption Trojan that began on May 12, 2017. And I would divide the reaction of those who know into 2 opposite categories: indifference and panic. What does this mean?

Fragmentary information does not give a complete picture of the situation; it gives rise to speculation and leaves more questions than answers. Today's article is devoted to what is really happening, whom it threatens and with what, how to protect yourself from infection, and how to decrypt files damaged by WannaCry.

Is the “devil” really that scary?

I don't understand what all the fuss is about WannaCry? There are many viruses, new ones appear constantly. What's special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is no ordinary piece of malware. The reason for its notoriety is the gigantic amount of damage it caused. According to Europol, it disrupted the work of more than 200,000 computers running Windows in 150 countries around the world, and the damage suffered by their owners amounted to more than $1,000,000,000. And this is only in the first 4 days of distribution. Most of the victims are in Russia and Ukraine.

I know that viruses enter PCs through adult websites. I don’t visit such resources, so I’m not in danger.

Virus? I have a problem too. When viruses appear on my computer, I run the *** utility and after half an hour everything is fine. And if it doesn’t help, I reinstall Windows.

One virus is not like another. WannaCry is a ransomware Trojan and a network worm that can spread through local networks and the Internet from one computer to another without human intervention.

Most malware, including ransomware, starts working only after the user “swallows the bait,” that is, clicks on a link, opens a file, etc. But to get infected with WannaCry, you don't need to do anything at all!

Once on a Windows computer, the malware encrypts the bulk of user files in a short time, after which it displays a message demanding a ransom of $300-600, which must be transferred to the specified wallet within 3 days. In case of delay, it threatens to make decryption of the files impossible in 7 days.


At the same time, the malware looks for loopholes to penetrate other computers, and if it finds them, it infects the entire local network. This means that backup copies of files stored on neighboring machines also become unusable.

Removing the virus from a computer does not decrypt files! Neither does reinstalling the operating system. On the contrary, after a ransomware infection, both of these actions may deprive you of the ability to recover files even if you have a valid key.

So yes, the “devil” is quite scary.

How WannaCry spreads

You're lying. A virus can only get onto my computer if I download it myself. And I'm vigilant.

Many malware programs can infect computers (and mobile devices, by the way, too) through vulnerabilities - errors in the code of operating system components and programs that open up the opportunity for cyber-attackers to use a remote machine for their own purposes. WannaCry, in particular, spreads through a 0-day vulnerability in the SMB protocol (zero-day vulnerabilities are errors that were not fixed at the time they were exploited by malware/spyware).

That is, to infect a computer with a ransomware worm, two conditions are sufficient:

  • A connection to a network where there are other infected machines (the Internet).
  • The presence of the above-described loophole in the system.

Where did this infection even come from? Is this the work of Russian hackers?

According to some reports (I am not responsible for the authenticity), the US National Security Agency was the first to discover a flaw in the SMB network protocol, which is used for legal remote access to files and printers in Windows. Instead of reporting it to Microsoft so that they could fix the error, the NSA decided to use it themselves and developed an exploit for this (a program that exploits the vulnerability).


Visualization of the dynamics of WannaCry distribution on the website intel.malwaretech.com

Subsequently, this exploit (codenamed EternalBlue), which for some time served the NSA to penetrate computers without the knowledge of the owners, was stolen by hackers and formed the basis for the creation of the WannaCry ransomware. That is, thanks to the not entirely legal and ethical actions of the US government agency, virus writers learned about the vulnerability.

I disabled installation of Windows updates. What are they needed for when everything works without them?

The reason for such a rapid and widespread spread of the epidemic was the absence at that time of a “patch” - a Windows update that could close the Wanna Cry loophole. After all, it took time to develop it.

Today such a patch exists. Users who update the system automatically received it within the first hours of release. And those who believe that updates are not needed are still at risk of infection.

Who is at risk from the WannaCry attack and how to protect against it

As far as I know, more than 90% of the computers infected with WannaCry were running Windows 7. I have “ten”, which means I’m not in danger.

All operating systems that use the SMB v1 network protocol are at risk. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v1511
  • Windows 10 v1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Today, the users at risk are those whose systems do not have the critical security update MS17-010 (available for free download from technet.microsoft.com). Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported operating systems can be downloaded from support.microsoft.com. That page also describes ways to check whether the life-saving update is present.

If you don't know the OS version on your computer, press the Win+R key combination and run the winver command.


To enhance security, and if it is not possible to update the system now, Microsoft provides instructions for temporarily disabling SMB protocol version 1. Additionally, but not necessarily, you can close TCP port 445, which serves SMB, through the firewall.

I have the best antivirus in the world ***, with it I can do anything and I’m not afraid of anything.

The spread of WannaCry can occur not only by the self-propelled method described above, but also in the usual ways - through social media, email, infected and phishing web resources, etc. And there are such cases. If you download and run malware manually, then neither an antivirus nor patches that close vulnerabilities will save you from infection.

How the virus works, what it encrypts

Yes, let him encrypt what he wants. I have a friend who is a programmer, he will decipher everything for me. As a last resort, we will find the key using brute force.

Well, it encrypts a couple of files, so what? This will not prevent me from working on the computer.

Unfortunately, your friend will not decrypt anything: there are no ways to crack the RSA-2048 encryption algorithm that Wanna Cry uses, and none will appear in the foreseeable future. And it will encrypt not just a couple of files, but almost everything.

I won’t give a detailed description of how the malware works; anyone interested can read its analysis, for example, on the blog of Microsoft expert Matt Suiche. I will note only the most significant moments.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, there are documents, photos, video-audio, archives, mail, and files created in various programs... The malware tries to reach every directory in the system.

Encrypted objects receive a double extension ending in WNCRY, for example, "Document1.doc.WNCRY".
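
An added example, not code from the original article: a read-only inventory of files carrying the suffixes this page names (.WNCRY, .WCRY, .Wcrypt), which recovers the original name from the double extension and records a SHA-256 so that a saved copy of the encrypted files can be verified later. The function names and the manifest layout are assumptions made for this example.

```python
import csv
import hashlib
import os
from collections import Counter

# Suffixes this page reports WannaCry variants appending to encrypted files.
ENCRYPTED_SUFFIXES = (".wncry", ".wcry", ".wcrypt")
MANIFEST_FIELDS = ["path", "original_name", "size", "sha256"]


def original_name(filename):
    """Return the pre-encryption name, or None if the file is not marked.

    'Document1.doc.WNCRY' -> 'Document1.doc'. Matching ignores case because
    the page spells the suffix both as .WNCRY and as .wncry.
    """
    lower = filename.lower()
    for suffix in ENCRYPTED_SUFFIXES:
        if lower.endswith(suffix) and len(filename) > len(suffix):
            return filename[: -len(suffix)]
    return None


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Walk `root` without modifying it and record every marked file."""
    records, unreadable = [], []
    by_type = Counter()  # original extension -> number of encrypted files
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            orig = original_name(name)
            if orig is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                record = {
                    "path": path,
                    "original_name": orig,
                    "size": os.path.getsize(path),
                    "sha256": sha256_of(path),
                }
            except OSError:
                unreadable.append(path)  # locked or permission denied
                continue
            records.append(record)
            by_type[os.path.splitext(orig)[1].lower()] += 1
    return {"records": records, "by_type": by_type, "unreadable": unreadable}


def write_manifest(records, csv_path):
    """Save the inventory next to the preserved copy of the encrypted files."""
    with open(csv_path, "w", newline="", encoding="utf-8") as handle:
        writer = csv.DictWriter(handle, fieldnames=MANIFEST_FIELDS)
        writer.writeheader()
        writer.writerows(records)
    return len(records)


if __name__ == "__main__":
    import sys

    result = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("encrypted files:", len(result["records"]))
    for ext, count in result["by_type"].most_common():
        print(f"  {ext or '(no extension)'}: {count}")
    if len(sys.argv) > 2:
        write_manifest(result["records"], sys.argv[2])
```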


After encryption, the virus copies into each folder an executable file, @[email protected] (supposedly for decryption after the ransom is paid), and a text document, @[email protected], with a message for the user.

Next, it tries to destroy shadow copies and Windows restore points. If UAC is enabled on the system, the user must confirm this operation. If you reject the request, there is still a chance to restore data from the copies.

WannaCry transmits the encryption keys of the affected system to command centers located on the Tor network, after which it deletes them from the computer. To search for other vulnerable machines, it scans the local network and arbitrary IP ranges on the Internet, and once found, penetrates everything it can reach.

Today, analysts know of several modifications of WannaCry with different distribution mechanisms, and we should expect new ones to appear in the near future.

What to do if WannaCry has already infected your computer

I see files changing extensions. What's happening? How to stop this?

Encryption is not a one-time process, although it does not take too long. If you managed to notice it before the ransomware message appears on your screen, you can save some of the files by immediately turning off the computer’s power. Not by shutting down the system, but by unplugging the plug from the socket!

When Windows boots in normal mode, encryption will continue, so it is important to prevent it. The next start of the computer must occur either in safe mode, in which viruses are not active, or from another bootable media.

My files are encrypted! The virus demands a ransom for them! What to do, how to decrypt?

Decrypting files after WannaCry is only possible if you have a secret key, which the attackers promise to provide as soon as the victim transfers the ransom amount to them. However, such promises are almost never fulfilled: why should malware distributors bother if they already got what they wanted?

In some cases, the problem can be solved without ransom. To date, 2 WannaCry decryptors have been developed: WannaKey (by Adrien Guinet) and WanaKiwi (by Benjamin Delpy). The first one works only in Windows XP, and the second one, created on the basis of the first one, works in Windows XP, Vista and 7 x86, as well as in the server systems 2003, 2008 and 2008R2 x86.

The operating algorithm of both decryptors is based on searching for secret keys in the memory of the encryptor process. This means that only those who have not restarted the computer have a chance of decryption, and only if not too much time has passed since encryption (the memory has not been overwritten by another process).

So if you are a user of Windows XP-7 x86, the first thing to do after the ransom message appears is to disconnect the computer from the local network and the Internet and run the WanaKiwi decryptor downloaded on another device. Until the key has been extracted, do not perform any other actions on the computer!

You can read a description of how the WanaKiwi decryptor works in another blog post by Matt Suiche.

After decrypting the files, run an antivirus to remove the malware and install a patch that closes its distribution paths.

Today, WannaCry is recognized by almost all antivirus programs, with the exception of those that are not updated, so almost any will do.


How to go on living after this

This self-propelled epidemic took the world by surprise. For all kinds of security services, it turned out to be as unexpected as the onset of winter on December 1 for utility workers. The reason is carelessness and randomness. The consequences are irreparable loss of data and damages. And for the creators of the malware, this is an incentive to continue in the same spirit.

According to analysts, WannaCry brought very good dividends to its distributors, which means that attacks like this will be repeated. And those who were spared this time will not necessarily be spared next time. Unless, of course, you take care of it in advance.

So, so that you don't ever have to cry over encrypted files:

  • Do not refuse to install operating system and application updates. This will protect you from 99% of threats that spread through unpatched vulnerabilities.
  • Keep it on.
  • Create backup copies of important files and store them on another physical medium, or better yet, on several. In corporate networks, it is optimal to use distributed data storage; home users can use free cloud services like Yandex Drive, Google Drive, OneDrive, MEGASync, etc. Do not keep these applications running when you are not using them.
  • Choose reliable operating systems. Windows XP is not one of them.
  • Install a comprehensive antivirus of the Internet Security class and additional protection against ransomware, such as Kaspersky Endpoint Security, or analogs from other developers.
  • Increase your level of literacy in countering ransomware Trojans. For example, the antivirus vendor Dr.Web has prepared training courses for users and administrators of various systems. A lot of useful and, importantly, reliable information is contained in the blogs of other A/V developers.

And most importantly: even if you have suffered, do not transfer money to the attackers for decryption. The probability that you will be deceived is 99%. Moreover, if no one pays, the extortion business will become meaningless. Otherwise, the spread of such an infection will only grow.

In this article, you will learn about what to do if your computer is attacked by the Wanna Cry virus, as well as what actions to take to avoid losing your files on your hard drive.

Wcrypt virus is ransomware that locks all files on infected computers or networks and demands a ransom in exchange for a data recovery solution.

The first versions of this virus appeared in February 2017, and now it has various names such as WannaCry, Wcry, Wncry, WannaCryptor, WannaCrypt0r, WanaCrypt0r 2.0, Wana Decrypt0r, Wana Decrypt0r 2.0 or even DarkoderCrypt0r.

Once this dangerous program sneaks into a computer system, it encrypts all the data stored on it in a matter of seconds. During this procedure, the virus may add .Wcrypt file extensions to affected files.

Other versions of this virus are known to add .wcry or .wncry file extensions. The purpose of this encryption procedure is to render the victim's data useless and demand a ransom. The victim can easily ignore the ransom demand if they have a backup of their data.

However, in most cases, computer users forget to create these copies of data in a timely manner. In this case, the only way to recover the encrypted files is to pay the cyber criminals, but we strongly recommend that you do not do this.

Remember that scammers usually have no interest in interacting with the victim after receiving the ransom as money is all they are looking for. Instead, we suggest removing the ransomware using anti-malware tools such as Reimage or Plumbytes according to the Wcrypt removal guide we have provided below.

After encrypting all the files of the target system, the virus changes the desktop wallpaper to a black image with some text that says that the data stored on the computer has been encrypted.

The image, similar to those of the latest versions of Cryptolocker, explains how to recover the @WanaDecryptor.exe file if an antivirus program has placed it in quarantine. The malware then shows the victim a message that says: “Oh, your files were encrypted!” It provides a Bitcoin wallet address, the ransom price (from $300) and instructions for buying Bitcoin. The virus only accepts ransom in Bitcoin cryptocurrency.

However, the victim must pay it within three days of infection. The virus also promises to delete all encrypted files if the victim does not pay within a week. Therefore, we suggest you remove Wcrypt as soon as possible so that it does not damage the files on your computer or laptop.

How does the Wcrypt virus spread?

Wcrypt, which is also known as WannaCry ransomware, shocked the virtual community on May 12, 2017. On this day, a massive cyber attack was carried out against Microsoft Windows users. The attackers used the EternalBlue exploit to infect computer systems and capture all of the victim's files.

Additionally, the malware itself works as a worm that searches for connected computers and replicates to them. Although at the moment it appears that the ransomware is no longer targeting new victims (since a security researcher accidentally stopped the cyber attack), experts report that it is too early to rejoice.

Malware authors may be hiding another way to spread the virus, so computer users should take all possible measures to protect their computers from such a cyber attack. We usually recommend installing software to protect your PC from malware and regularly updating all programs on it.

It is worth noting that we, like everyone else, recommend creating a copy of your valuable data and transferring it to an external storage device.

How to remove Wcrypt virus? What should I do if Wcrypt appears on my computer?

For the reasons mentioned above, you need to remove the Wcrypt virus as soon as possible. It is not safe to keep the virus on the system, as it can quickly replicate to other computers or portable devices if someone connects them to a compromised PC.

The safest way to complete Wcrypt removal is to perform a full system scan using antivirus software. To run it, you must first prepare your computer. Follow these instructions to completely remove the virus.

Method 1: Uninstall WCrypt in Safe Mode with Networking

  • Step 1: Restart your computer in Safe Mode with Networking.

Windows 7/Vista/XP

  1. Click Start > Turn off > Restart > OK.
  2. When the screen appears, start tapping F8.
  3. Select Safe Mode with Networking from the list.

Windows 10/Windows 8

  1. Hold Shift and press "Reboot".
  2. Now select "Troubleshooting" > "Additional options" > "Startup Settings" and press .
  3. Select "Turn on safe mode with loading network drivers" in the "Boot Options" window.
  • Step 2: Remove WCrypt

Log in to your infected account and launch your browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan and remove malicious files.

If WCrypt blocks Safe Mode with Networking, try a different method.

Method 2: Uninstall WCrypt using System Restore

  • Step 1: Restart your computer in Safe Mode with Command Prompt.

Windows 7/Vista/XP

  1. Click Start > Shutdown > Reboot > OK.
  2. When your computer becomes active, start pressing F8 repeatedly until you see the "Advanced boot options" window.
  3. Select "Safe Mode with Command Line Support" from the list.

Windows 10/Windows 8

  1. Press the power button on the Windows login screen. Now press and hold Shift, which is on your keyboard, and press "Reboot".
  2. Now select "Troubleshooting" > "Advanced options" > "Startup Settings" and press .
  3. Once your computer is active, select "Enable Safe Mode with Command Line Support" in the "Boot Options" window.


  1. When the command prompt window appears, type cd restore and press Enter.
  2. Now enter rstrui.exe and press Enter again.
  3. When a new window appears, click "Next" and select a restore point prior to the WCrypt infiltration. After that click "Next".
  4. Now click "Yes" to continue the process.
  5. After that, click on the "Ready" button to start System Restore.

  • After restoring your system to a previous date, boot and scan your computer with Reimage and ensure that WCrypt removal is successful.

We hope that this article helped you solve the problem with the WCrypt virus!


May 2017 will go down in the annals of history as a dark day for the information security service. On this day, the world learned that a secure virtual world can be fragile and vulnerable. A ransomware virus called Wanna decryptor or wannacry has captured more than 150 thousand computers around the world. Cases of infection have been recorded in more than a hundred countries. Of course, the global infection has been stopped, but the damage is in the millions. Waves of ransomware are still affecting some individual machines, but the plague has so far been contained and stopped.

WannaCry – what is it and how to protect yourself from it

Wanna decryptor belongs to a group of viruses that encrypt data on a computer and extort money from the owner. Typically, the ransom for your data ranges from $300 to $600. Within a day, the virus managed to infect a municipal network of hospitals in the UK, a large television network in Europe, and even part of the computers of the Russian Ministry of Internal Affairs. It was stopped thanks to a lucky coincidence: someone registered a verification domain that its creators had built into the virus code to stop the spread manually.

The virus infects a computer in the same ways as most other malware. E-mail, social network profiles and ordinary web surfing all give the virus the opportunity to penetrate your system and encrypt all your data, but it can also penetrate without any explicit action on your part, through a system vulnerability and an open port.

WannaCry penetrates through port 445, using a vulnerability in the Windows operating system, which was recently closed by released updates. So if this port is closed on your machine or you recently updated Windows from the official site, then you don’t have to worry about infection.

The virus works according to the following scheme: instead of data in your files, you get incomprehensible squiggles in Martian language, and to get a normal computer again, you will have to pay the attackers. Those who unleashed this plague on ordinary people's computers use bitcoins for payment, so it will not be possible to identify the owners of the evil Trojan. If you do not pay within 24 hours, the ransom amount increases.

The new version of the Trojan translates as “I want to cry” and the loss of data may bring some users to tears. So it is better to take preventive measures and prevent infection.

The ransomware exploits a vulnerability in the Windows system, which Microsoft has already fixed. You just need to update your operating system with security bulletin MS17-010 dated March 14, 2017.

By the way, only those users who have a licensed operating system can update. If you are not one of these people, then simply download the update package and install it manually. You just need to download from trusted resources so as not to catch an infection instead of prevention.

Of course, protection can be of the highest level, but a lot depends on the user himself. Remember not to open suspicious links that come to you by email or on your social profile.

How to cure Wanna decryptor virus

Those whose computers have already been infected should prepare for a long treatment process.

The virus runs on the user's computer and creates several programs. One of them begins to encrypt data, the other provides communication with the extortionists. A message appears on your monitor, explaining that you have become a victim of a virus and offering to quickly transfer money. At the same time, you cannot open a single file, and the extensions consist of incomprehensible letters.

The first action that the user tries to take is data recovery using the services built into Windows. But when you run the command, either nothing will happen, or your efforts will be in vain - getting rid of Wanna Decryptor is not so easy.

On May 12, several companies and departments in different countries of the world, including Russia, were exposed to a ransomware virus. Information security specialists identified the virus WanaCrypt0r 2.0 (aka WCry and WannaCry), which encrypts certain types of files and changes their extensions to .WNCRY.

Computers infected with WannaCry are locked with a message window stating that the user has 3 days to pay the ransom (usually the equivalent of $300 in Bitcoin), after which the price will be doubled. If you do not pay the money within 7 days, the files will supposedly be impossible to recover.

WannaCry only targets Windows-based computers. It exploits a vulnerability that was patched by Microsoft in March. Those devices that did not have the latest security patch installed were attacked. Computers of ordinary users, as a rule, are updated promptly, but in large organizations dedicated specialists are responsible for updating systems, and they are often suspicious of updates and postpone their installation.

WannaCry belongs to the category of ransomware viruses; it is an encryptor that, in the background, unbeknownst to the user, encrypts important files and programs and changes their extensions, and then demands money for decryption. The lock window shows a countdown to when files will be permanently locked or deleted. The virus can get onto a computer by a remote attack through an operating system vulnerability that is known to hackers and has not been closed. The virus code is automatically activated on the infected machine and contacts the central server, receiving instructions on what information to display. Sometimes it is enough for hackers to infect just one computer, and it spreads the virus across the local network to other machines.

According to The Intercept, WannaCry is based on leaked tools that were used by the US National Security Agency. Probably, to inject the virus onto computers, hackers used a vulnerability in Windows that was previously known only to American intelligence agencies.

The WannaCry virus is dangerous because it can recover even after formatting the hard drive, that is, it probably writes its code in an area hidden from the user.

An early version of this virus was called WeCry, it appeared in February 2017 and extorted 0.1 Bitcoin ($177 at current exchange rates). WanaCrypt0r is an improved version of this malware, in which attackers can specify any amount and increase it over time. The developers of the virus are unknown and it is not certain that they are behind the attacks. They may well sell the malware to anyone who wants it, receiving a one-time payment.

It is known that the organizers of the attack on May 12 received a total of at least 3.5 bitcoins, that is, a little more than 6 thousand dollars, from two dozen victims. It is unknown whether users were able to unlock their computers and return encrypted files. Most often, victims of hackers who pay a ransom do receive a key or a file decryption tool, but sometimes they receive nothing in return.

On May 12, Microsoft released a security patch to detect and neutralize the Ransom:Win32/Wannacrypt virus. It can be installed via Windows Update. To protect your computer from WannaCry, you need to install all Windows updates and make sure that the built-in Windows antivirus, Defender, is enabled. In addition, it would be a good idea to copy all valuable data to the cloud. Even if the files are encrypted on your computer, you can still recover them from cloud storage or its recycle bin, where deleted files go.