The largest attack in history. The Ministry of Internal Affairs, MegaFon and thousands of other companies were hacked. MegaFon was subject to a hacker attack. What to do if money was stolen

The alarming red and white screensaver appeared on thousands of computers across the planet in a matter of hours. An Internet virus called WannaCry (“I want to cry”) has encrypted millions of documents, photographs and archives. To regain access to their own files, users are asked to pay a ransom within three days: initially $300, then the amount increases. Moreover, the attackers require payment in a virtual currency, bitcoins, so that the payment cannot be tracked.

About a hundred countries were attacked. The ransomware virus started in Europe. In Spain it hit the Telefonica company, Iberica bank, the gas company Gas Natural and the FedEx delivery service. WannaCry was later recorded in Singapore, Taiwan and China, after which it reached Australia and Latin America, as well as the Andhra Pradesh police in India.

In Russia, the virus tried to blackmail Megafon, VimpelCom, Sberbank and Russian Railways and, among government agencies, the Ministry of Health, the Ministry of Emergency Situations and the Ministry of Internal Affairs. However, all of them say that the attacks were promptly tracked and repelled, and that there were no data leaks.

“The virus has been localized, we are carrying out technical work to destroy it and update anti-virus protection tools. It is worth noting that the leak of proprietary information from the information resources of the Russian Ministry of Internal Affairs is completely excluded,” said Irina Volk, official representative of the Russian Ministry of Internal Affairs.

“The goals are very difficult to understand. I think they are not political goals, these are obvious scammers who were simply trying to make money from this business. That’s what they say, they demand money, this is a ransomware virus. We can assume that the goal is financial,” said the President of the InfoWatch holding, Natalya Kasperskaya.

But who are these scammers? Versions about the nature of the virus are put forward depending on the degree of freshness of mind or inflammation of the brain. Who would doubt that someone would immediately start looking for Russian hackers. They say that Russia was actively attacked like no other. So these are Russians. Well, the saying “I’ll freeze my ears to spite my mother” is, of course, from our folklore.

The virus was first detected in February. And even the Air Force says that its roots come from the American National Security Agency, where methods for testing the stability of Windows systems were developed, but the code ended up in the hands of scammers. Russian experts also talk about an American origin. They just say that the roots are not in the NSA, but in the US CIA.

“There are some details that show that the virus is most likely not Russian. Firstly, we know that its original is fake, it is from the CIA’s military tools, and secondly, that even those who updated it and launched it into work are most likely not Russians, because among the formats in which it works, there is no one of the most popular formats in our country - the 1C file. If these were real Russian hackers who would like to infect as many as possible, they would use 1C, of course,” says Igor Ashmanov, general director of Ashmanov and Partners, a developer of artificial intelligence and information security systems.

So the roots of the virus may be American, but was the hack still done by Russian scammers?

“You have to understand that this virus was posted, its code was leaked by WikiLeaks two months ago. It was sterilized there, but the hackers who took it revived it, sprinkled it with living water and posted it somewhere, for example, on a download site, or sent it by mail. Perhaps it was just an attempt to check whether these nasty military viruses work,” noted Igor Ashmanov.

Meanwhile, the well-known Edward Snowden claims that the American intelligence services, more precisely the NSA, are themselves involved in this cyber attack. According to another version from the same Air Force, the attack could have been carried out by ideological opponents of President Trump. If so, then these are “wonderful people.” In the struggle for the triumph of philanthropy, social facilities were also hit. In Brazil, the blow fell on the social security system.

And in Britain, the blow fell on the NHS - the National Health Care System. Operations have been stopped in many hospitals; only the ambulance service is working. Even Prime Minister Theresa May made a special address.

It seems that the virus was indeed aimed at corporate users. Be that as it may, you should not open a suspicious email, and it is better to back up important documents, photos and videos to external media. And advice from experts: you need to update.

“The fact that the virus spread like wildfire shows that users apparently do not update very much. At the same time, many organizations were infected. And in organizations, as you know, updates are very often centralized. This means that the administrators of these organizations did not monitor updating and closing vulnerabilities. Or somehow the process was structured this way. We can only state that this hole was not closed, although the patch for it was already ready,” noted Natalya Kasperskaya.

MegaFon's director of public relations, Petr Lidov, told Kommersant that the company's capital office was subject to a hacker attack. “The computers crashed and a lock screen appeared on them asking for $300 to unlock,” he said. Then information came that the same thing happened to subscribers of Telefonica and Vodafone operators in Spain.

According to Petr Lidov, specialists had to turn off the networks at some stage to prevent the virus from spreading further. “A number of regions were affected; the rest had to be temporarily shut down as a precaution. This affected retail and customer support services, because operators naturally use PCs to access databases. Call centers have been fixed. This had no effect on communication or personal accounts,” said Mr. Lidov.

As Boris Ryutin, a researcher from Digital Security, told Kommersant, MalwareHunterTeam experts and other independent researchers agree that this is a malicious program of the ransomware type, that is, a ransomware virus. “The danger of infection is that, depending on the implementation, the user’s files may be irretrievably lost,” he clarified.

“We see an attack, and the virus is very complex,” Solar Security told Kommersant. “At the moment we are developing recommendations for countermeasures.” “The virus is very complex, and it cannot yet be ruled out that it is something more dangerous than a simple ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the company added.

Microsoft representative Kristina Davydova told Kommersant that specialists have added detection and protection against a new malware known as Ransom:Win32.WannaCrypt. "In March, we also introduced additional protection against malware of this nature along with a security update that prevents malware from spreading across the network," she said.

Malicious software is the name for all software products whose deliberate purpose is to cause damage to the end user.

Attackers are coming up with new and cunning ways to distribute malware, most of which is developed for the Android operating system. At the same time, you can “catch” a virus not only on some dubious site, but also by receiving a message with a link from a person you know (friend, relative, colleague).

One of the modifications of malware for smartphones and tablets based on the Android operating system, once on your mobile device, will first of all send out a link with a friendly message such as “Check out the link!” or “My photo for you” across your entire contact list. Anyone who follows the link will receive the virus on their smartphone.

But most often, criminals pass off Trojans as useful applications.

What is the threat of the virus?

The resulting Trojan program can not only send SMS to your friends, but also drain your account. Banking Trojans are among the most dangerous. All owners of gadgets using banking applications may suffer. Users of Android smartphones are most at risk - 98% of mobile banking Trojans are created for this operating system.

When you launch a banking application, the Trojan displays its own interface on top of the real mobile banking interface and thus steals all the data that the user enters. The most advanced malware can spoof the interfaces of dozens of different mobile banks, payment systems and even messaging systems.

Another important step when stealing money is intercepting SMS with one-time passwords for making payments and transfers. Therefore, Trojans usually need access rights to SMS, and this is why you should be especially careful with applications that request such rights.
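The two capabilities described above (a fake screen drawn over the banking app, plus access to incoming SMS) both show up as declared permissions, so they can be checked before an app is trusted. The following is an added example, not part of the original article: it assumes the app's `AndroidManifest.xml` has already been decoded to text XML, and the three sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard Android permission names.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = "android.permission.SEND_SMS"
CONTACTS = "android.permission.READ_CONTACTS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get("{%s}name" % ANDROID_NS)
            if name:
                perms.add(name.strip())
    return perms


def assess(manifest_xml):
    """Map declared permissions to the behaviours the article describes.

    Legitimate apps (for example SMS clients) request some of these too,
    so the verdict is a prompt for manual review, not proof of malware.
    """
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_INTERCEPT:
        findings.append("can read incoming SMS (one-time passwords)")
    if OVERLAY in perms:
        findings.append("can draw over other apps (fake banking screen)")
    if SMS_SEND in perms and CONTACTS in perms:
        findings.append("can text your contact list (link spreading)")
    if perms & SMS_INTERCEPT and OVERLAY in perms:
        verdict = "high"    # overlay plus SMS interception together
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}


def _manifest(package, permissions):
    """Build a constructed sample manifest (illustrative package names)."""
    lines = ['  <uses-permission android:name="%s"/>' % p for p in permissions]
    return ('<manifest xmlns:android="%s" package="%s">\n%s\n</manifest>'
            % (ANDROID_NS, package, "\n".join(lines)))


# Constructed samples, not taken from real applications.
FLASHLIGHT = _manifest("com.example.flashlight", [
    "android.permission.INTERNET", "android.permission.RECEIVE_SMS", OVERLAY])
GREETINGS = _manifest("com.example.greetings", [SMS_SEND, CONTACTS])
CALCULATOR = _manifest("com.example.calculator", ["android.permission.VIBRATE"])

if __name__ == "__main__":
    for label, xml in (("flashlight", FLASHLIGHT), ("greetings", GREETINGS),
                       ("calculator", CALCULATOR)):
        print(label, assess(xml))
```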

Signs that your phone is infected

There are several signs that your phone is infected with malware:

  • Hidden SMS sending to your contact list - friends, acquaintances and colleagues who have received dubious messages begin to contact you;
  • Rapid spending of funds - money is debited from the Personal Account faster than usual;
  • Unauthorized debits from a bank card;
  • Lack of SMS from the bank - although you activated the “SMS-informing” service, you have stopped receiving SMS notifications about debiting funds from your account;
  • The battery drains faster.

How to protect yourself?

  • Regularly check for security updates to your mobile device's operating system and install them in a timely manner;
  • Install anti-virus software on your smartphone or tablet; after installation, update it and scan your mobile device;
  • Use anti-virus software that provides on-line protection and update it regularly;
  • Download and run applications only from official stores - Play Store, App Store, Google Play and so on;
  • Be careful when granting permissions to applications - programs that ask for access rights to process SMS messages should be treated especially suspiciously;
  • Think before you click on a link. Stay vigilant: do not open links from letters, SMS or messages in social networks if you are not sure that the message came from a known addressee and is safe;
  • If you receive a suspicious SMS with a link from your friend, call him to find out if he sent the message. If not, warn that his smartphone or tablet is infected with a virus;
  • Be careful in public Wi-Fi networks, and when connecting to the network, make sure that it is legitimate;
  • Use complex passwords;
  • In the Settings menu, click Data Usage under Wireless & Networks (wireless communication); there you can see how much data each application uses and set a limit for working with data;
  • Enable “SMS notification” about debiting funds from your account - not all Trojans intercept SMS.

What to do if money is stolen?

The first thing to do is contact the bank as quickly as possible.

12 May 2017, 19:43. Computer systems of the Ministry of Internal Affairs and Megafon were subject to a virus attack

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed the fact of infection of departmental computers. According to him, we are talking about departments in several regions.

Previously, information about a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, this is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user’s files, changes their extension and requires you to buy a special decryptor for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different than previous versions.”

The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.

Varlamov’s website notes that information also appeared about the infection of computers in public hospitals in several regions of the UK and an attack on the Spanish telecommunications company Telefonica. In both cases, the virus also asks for payment.

The company noted that in March the update already included additional protection from such viruses.

“Users of our free antivirus and the updated version of Windows are protected. We are working with users to provide additional assistance,” the company added.

Previously, Kaspersky Lab told Mediazona that the WannaCry virus exploits a Windows network vulnerability that was closed by Microsoft back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to the press secretary of the Ministry of Internal Affairs, Irina Volk, the ministry's Department of Information Technology, Communications and Information Protection recorded a virus attack on the computers of the Ministry of Internal Affairs running the Windows operating system.

“Thanks to timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the server resources of the Ministry of Internal Affairs were not infected because they work on other operating systems.

“At the present moment the virus has been localized, technical work is being carried out to destroy it and update anti-virus protection tools,” said the ministry’s press secretary.

More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.

At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. According to the exchange rate of $1,740 for one bitcoin at 22:00 Moscow time, this amount is $6,090.

Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

Three wallets carried out 20 transactions on May 12. Basically, 0.16-0.17 bitcoins were transferred to them, which equals approximately $300. The hackers demanded to pay this amount in a pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

IT company Avast reported that the WanaCrypt0r 2.0 virus infected 75 thousand computers in 99 countries, according to the organization’s website.

Mostly computers are infected in Russia, Ukraine and Taiwan.

13 hours ago, the blog of computer security specialist Brian Krebs carried a record of bitcoin transfers to the hackers totaling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days, more than 200 thousand computers in 150 countries have already been infected by the WannaCry virus, Rob Wainwright, director of the European policing agency Europol, said in an interview with the British TV channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. The latest estimates are that there are 200,000 victims in at least 150 countries, including businesses, including large corporations,” Wainwright said.

He suggested that the number of infected computers would likely increase significantly when people returned to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers is in the hundreds of thousands, the Xinhua agency reports, citing data from the Computer Threat Assessment Center of Qihoo 360.

According to researchers, computers at more than 4,340 universities and other educational institutions were attacked. Infections were also observed on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

“There was no significant damage for us, for our institutions - neither for banking, nor for the healthcare system, nor for others,” he said.

“As for the source of these threats, in my opinion, Microsoft management directly stated this, they said that the primary source of this virus is the intelligence services of the United States, Russia has absolutely nothing to do with it. It’s strange for me to hear something different under these conditions,” the president added.

Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”

Clones of the WannaCry virus have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes with reference to Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware virus, but by other hackers who are trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about clones of the virus. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab's estimates, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to the specialized website of Kaspersky Lab.

Company specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message indicates similarities between the two samples - they have common code. The tweet provides a cryptographic sample of WannaCry dated February 2017 and a sample from the Lazarus group dated February 2015.

“The detective story is getting tighter and tighter and now the same code has been found in #WannaCry and in the Trojans from Lazarus,” —

Users from Moscow, Nizhny Novgorod, Penza, Saratov, Samara, Ryazan, Ufa and other Russian cities stated that it was impossible to make a call - the network was unavailable.

First, the company’s official Twitter posted advice to set the network type to “3G only” and reboot the phone, and now a standard response is sent to all affected customers: “Currently, there are massive communication difficulties. We are already fixing it. We apologize for the inconvenience caused." The company added that it does not have data on a specific time frame for fixing the problem.

Unsuccessful dialing

Megafon said that the success of dialing in Moscow and several other cities decreased by 30%, noting that calls are still possible using instant messengers. Unfortunately, this did not satisfy many of the company's clients, who cannot use instant messengers without access to Wi-Fi.

As the press service of Megafon reports on its Telegram channel, the cause of the failure was an accident on one of the elements of network equipment.

In addition, one of the company’s offices also said that they had an accident, but the time frame for eliminating the consequences is still unknown. Employees who wish to receive compensation are asked to write a statement at the company office. When asked about the reasons for the failure, it is reported that a hacker attack cannot be ruled out.

Some time after reports of Megafon failures, information appeared in the media that other mobile operators, such as Beeline, also encountered communication problems. In a conversation with Gazeta.Ru, the company's press secretary said that the network is operating normally without massive failures, and that the spread of a false message about problems with the operator's network is connected with a technical support employee's response about the operation of one of the company's base stations.

The press secretary also informed Gazeta.Ru about stable operation: “The MTS network is operating as normal.”

In a telephone conversation with a correspondent, Lidov said that on the day of the attack, many Megafon office computers began to reboot and display a message demanding a ransom for decrypting data, and that not only Moscow but also other Russian cities were affected.

Fortunately, the spread of the attack was slowed down, and literally a couple of hours later, the entire Megafon call center was restored so that subscribers could communicate with the support service. A company representative emphasized that the WannaCry virus did not affect communication services in any way, and the personal data of the operator’s clients remained safe.

In January 2017, Megafon users also complained about the unavailability of some services - Multifon, MegafonTV, as well as problems with the site. The company explained the failure as an accident in the data center (DPC), caused by abnormal frosts in the region.

After some time, the services started working normally. Then a representative of the mobile operator told Gazeta.Ru that order in the system is measured not by the presence of failures, but by the ability to quickly eliminate them. “This was done by the company’s specialists as soon as possible. And at night on a holiday,” added Dorokhina.