2025-04-06 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)06/01 Report--
WannaCry ransomware (EternalBlue)
A few days ago "EternalBlue" swept the world, and 90 countries have been hit; the domestic education network is the hardest hit. While computers running relatively old versions of Windows were broadly attacked, many machines running Linux derivatives and Macs escaped. Many netizens expressed their relief online and praised the security of Linux or Apple. In fact, it is not that these operating systems are technically more secure than Windows; they simply were not the target.
Overview of the ransomware incident
Since May 12, the ransomware has broken out around the world.
The first to be hit was the United Kingdom. As many as 25 hospitals and medical organizations across the UK were attacked across a wide range of networks. Hospital networks were compromised, computers were locked, and phones could not get through. The attackers ask each hospital for a ransom of 300 bitcoins (nearly 4 million yuan). If it is not paid within 3 days, the ransom is doubled, and if it is not paid within 7 days, all data is deleted.
Since then the affected area has kept expanding, and a large number of colleges and universities in China have also been infected. The computer files of many teachers and students have been encrypted by the virus and can only be recovered by paying a ransom. Shandong University, one of the 985 colleges and universities, did not escape.
At present, the main ransomware families in circulation are ONION and WNCRY. After infection, the disk files of the victim machine are renamed with the corresponding suffix; pictures, documents, videos, archives and other material can no longer be opened and can only be decrypted and restored by paying a ransom. For these two ransomware families, the ransom is five bitcoins and $300, equivalent to more than 50,000 yuan and more than 2,000 yuan, respectively.
The incident traces back to a clash between two top organizations:
the NSA's strongest group, the Equation Group, and the Shadow Brokers, a top organization that specializes in selling blockbuster information.
Event Timeline
1. In August 2016, a group calling itself the Shadow Brokers claimed to have stolen a large number of classified documents and published some of them on the Internet. The Equation Group is said to be an organization of the National Security Agency (NSA) with extremely high technical skills.
The published part of the documents includes a number of hacking tools. In addition, the Shadow Brokers retained some documents and intended to sell them to the highest bidder in a public auction. The Shadow Brokers asked a price of 1 million bitcoins (worth nearly $500 million). The retained tools were never sold.
2. On April 8, 2017, Beijing time, the Shadow Brokers released the decompression password for the retained part, which was uploaded to GitHub for download.
3. On the evening of April 14, 2017, Beijing time, after the previous public decompression password, the Shadow Brokers released on Twitter some of the files retained from the second wave. The release includes 23 new tools. These attack tools are named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EternalBLUE, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar and so on.
What followed is that EternalBLUE (EternalBlue) was used for ransomware.
So it comes down to this:
The Shadow Brokers released a number of NSA tools, and EternalBlue, which targets port 445, is just one of them. These tools were picked up and used, which led to the outbreak of the virus.
How does the ransomware work?
1. WannaCry process flow
2. WannaCry attack mechanism
The ransomware spreads through the NSA-leaked "EternalBlue" weapon. EternalBlue can remotely attack Windows port 445 (file sharing). If the system has not installed the Microsoft patch from March this year, EternalBlue can execute arbitrary code on the computer without any user action and plant malicious programs such as the ransomware.
The disk files of the victim machine are renamed with the corresponding suffix; pictures, documents, videos, archives and other material can no longer be opened and can only be decrypted and restored by paying a ransom.
Why are most of the victims of the virus in colleges and universities, hospitals and other institutions?
As mentioned earlier, the virus attacks through port 445. Because worms spreading through port 445 have appeared many times in China, some operators have blocked port 445 for individual users. The education network does not have this restriction, and a large number of machines on it are exposed with port 445 open, so it became the hardest-hit area for criminals using the NSA attack weapons.
How to recover after infection?
I'm sorry, there's almost no solution at the moment.
Beyond the high ransom, some netizens said that even after paying the ransom, the files could not be unlocked.
How to prevent the ransomware?
1. Back up important files
The virus uses file encryption as its means of extortion; if important files have been backed up, users have nothing to fear.
2. Update patches
Microsoft has released a new system patch to help users guard against this widespread virus, and even the abandoned Windows XP has received an update, which itself shows how serious the impact of this incident is.
3. Shut down the network port (emergency)
3.1 Press Win + R, type "cmd" and start a command line window. Note that users of Windows 8 and above need to press Win + X and select "Command Prompt (Admin)". Then run the netstat -an command and check whether port 445 appears among the open ports.
3.2 If port 445 appears in the output, shut it down by entering the following commands in turn:
net stop rdr
net stop srv
net stop netbt
4. Domain name setting (emergency)
Security personnel found that the virus tries to visit the URL www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before the extortion begins; once the virus cannot access the URL, it starts the ransom behaviour. The good news is that the domain name has now been registered, so the spread of the virus is expected to stop.
For well-known reasons, it is suggested that you modify the hosts file and point this URL to a target address that can be accessed stably in China. Of course, this method stops working within minutes of a variant changing the domain it checks, so the first two methods are recommended.
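The following is an added example (not the article's own code) that audits the three conditions the emergency steps above rely on from one elevated PowerShell session: whether TCP 445 is listening (step 3.1), which of the drivers stopped in step 3.2 are running, and whether the kill-switch domain from step 4 resolves or is already overridden in the hosts file. It assumes Windows 8 / Server 2012 or newer for Get-NetTCPConnection and Resolve-DnsName; it only reports unless -StopSmb is passed.

```powershell
# Added example (not from the article): read-only audit of SMB exposure and the
# kill-switch domain, with an opt-in switch that runs the article's "net stop"
# commands. Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer.
param([switch]$StopSmb)

# Kill-switch domain quoted in the article (step 4) and the hosts file path.
$KillSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$HostsFile  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Step 3.1: same question as "netstat -an" -- is anything listening on TCP 445?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    Write-Warning "TCP 445 is listening on $addrs (SMB is exposed on this host)."
} else {
    Write-Host 'TCP 445 is not listening.'
}

# Step 3.2: the three names the article stops are kernel drivers, so query them
# with sc.exe (Get-Service does not list drivers) and keep the running ones.
$running = foreach ($drv in 'rdr', 'srv', 'netbt') {
    if ((& sc.exe query $drv) -match 'RUNNING') { $drv }
}
$summary = if ($running) { $running -join ', ' } else { 'none' }
Write-Host "Running SMB-related drivers: $summary"

# Step 4: does the kill-switch domain resolve from here, and does the hosts
# file already carry an override for it?
$dns = Resolve-DnsName -Name $KillSwitch -Type A -ErrorAction SilentlyContinue
if ($dns) {
    Write-Host "$KillSwitch resolves to $($dns.IPAddress -join ', ')."
} else {
    Write-Warning "$KillSwitch does not resolve; the worm's check would fail here."
}
if (Select-String -Path $HostsFile -Pattern ([regex]::Escape($KillSwitch)) -Quiet) {
    Write-Host "The hosts file already has an entry for $KillSwitch."
}

# Opt-in: apply step 3.2 exactly as the article gives it (requires admin rights).
if ($StopSmb -and $running) {
    foreach ($drv in $running) { & net stop $drv }
}
```

Run it first without -StopSmb to see the current state; stopping the drivers also disables file and printer sharing on the machine until they are restarted.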
What are the implications of this incident?
1. Information security is an eternal topic that keeps evolving: as the saying goes, as virtue rises a foot, vice rises ten, and the contest between attackers and defenders only deepens.
2. Thanks are due to the three major operators, which blocked port 445 for individual users as soon as the vulnerability was leaked (March); otherwise the damage would not have been limited to college users.
3. For some people, it really is necessary to migrate to other operating systems such as Linux, even if only to protect their data.
4. On the future road of IT learning, security is an indispensable module. Although Linux has not been affected this time, there are bound to be more and more incidents in the future, and security will become more and more important.
If you want to know more, you can read the other articles "Reverse Analysis of the Parent Master Program of the WannaCry Ransomware" and "Tencent Security Team Deeply Analyzes the WannaCry Worm".