
What is the principle of ransomware virus attack

In recent days, many people have been attacked by a ransomware called WannaCry (also called WannaDecryptor), a worm-like ransomware that locks and encrypts many types of files on a computer. When the user tries to open them, a window pops up demanding Bitcoin. The ransom amount is 300-600 US dollars. Some users have not had their files decrypted even after paying the ransom, which has caused panic. Moreover, there is already a variant and upgraded version of the ransomware virus. So what is the principle behind a ransomware attack? Here the editor introduces the principle of the Bitcoin virus.

1. Principle of the 5.12 ransomware virus

The WannaCry ransomware virus is spread by criminals using the dangerous "EternalBlue" vulnerability leaked from the NSA (US National Security Agency). The ransomware mainly attacks Windows devices that have not been updated to the latest version, such as XP, Vista, Win7, Win8, etc.

The malware scans TCP port 445 (Server Message Block, SMB) on the computer, spreads in a worm-like manner, attacks the host and encrypts files stored on it, and then demands a ransom paid in Bitcoin. The extortion amount ranges from $300 to $600.

When the user's host is invaded by the ransomware, a ransom dialog box pops up, stating the purpose of the ransom and demanding Bitcoin from the user. For important files on the user's host, such as photos, pictures, documents, compressed archives, audio, video, executable programs, and almost all other types of files, the suffix of each encrypted file is uniformly changed to ".WNCRY". At present, the security industry has not been able to effectively break the ransomware's malicious encryption. Once a user's host is penetrated by the ransomware, the ransomware behavior can only be removed by reinstalling the operating system, but the user's important data files cannot be directly restored.

WannaCry mainly exploits vulnerabilities in Microsoft's Windows system to gain the ability to spread automatically, and it can infect all computers on the same network within a few hours. After the ransomware is executed remotely through the vulnerability, a compressed package is released from its resource section. This package is decrypted and unpacked in memory with the password WNcry@2ol7. The files it contains include the exe that displays the ransom dialog, the bmp used as the desktop background image, the ransom texts in various languages, and two exe files that assist in the attack. These files are written to the local directory and set to hidden. (Note: "Eternal Blue" is the name of the exploit tool leaked from the NSA, not the name of the virus. "Eternal Blue" refers to the dangerous vulnerability "EternalBlue" leaked from the NSA, which was exploited by the WannaCry ransomware. Of course, other viruses may also spread through the "Eternal Blue" vulnerability, so the system must be patched.)

On May 12, 2017, the WannaCry worm broke out around the world through the MS17-010 vulnerability and infected a large number of computers. After the worm infects a computer, it implants a ransomware virus into it, causing a large number of files on the computer to be encrypted. After the victim's computer is locked by the hacker, the virus displays a demand for a sizeable payment. The WannaCry hidden switch (kill switch) domain name was accidentally discovered by a British researcher on the evening of May 13, 2017, and, unexpectedly, registering it curbed the further large-scale spread of the virus. When researchers analyzed the WannaCrypt ransomware, they found that it did not perform any "deep processing" of the original file before removing it, but simply deleted it. This seems to be a relatively low-level mistake. This time, 360 took advantage of the blackmailer's "misstep" and achieved partial file recovery.

On May 14, 2017, monitoring found that the WannaCry ransomware virus had a variant: WannaCry 2.0. The difference from the previous version is that this variant removes the kill switch, so the spread of the variant cannot be stopped by registering a domain name. This variant may spread faster. Internet users are advised to upgrade and install the relevant Windows operating system patches as soon as possible. If a machine is infected with the virus, disconnect it from the Internet immediately to avoid further spreading the infection.

2. Types of files targeted by ransomware attacks

Commonly used Office files (extensions .ppt, .doc, .docx, .xlsx, .sxi)

Less common office file formats used in certain countries (.sxw, .odt, .hwp)

Compressed documents and media files (.zip, .rar, .tar, .mp4, .mkv)

E-mail and mail databases (.eml, .msg, .ost, .pst, .deb)

Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd)

Source code and project files used by developers (.php, .java, .cpp, .pas, .asm)

Keys and Certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes)

Files used by graphic designers, artists, and photographers (.vsd, .odg, .raw, .nef, .svg, .psd)

Virtual machine files (.vmx, .vmdk, .vdi)
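A small triage script, added here as an example and not part of the original article, that walks a directory tree for files carrying the ".WNCRY" suffix described in section 1 and groups them by the original file-type families listed above, so a responder can quickly see which categories of data were hit. The sample directory it builds is constructed for the example; the family names and the helper functions are assumptions of this example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File-type families the article lists as ransomware targets (extensions as given there).
TARGET_FAMILIES = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi", ".sxw", ".odt", ".hwp"},
    "archive_media": {".zip", ".rar", ".tar", ".mp4", ".mkv"},
    "mail": {".eml", ".msg", ".ost", ".pst", ".deb"},
    "database": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys_certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "vm": {".vmx", ".vmdk", ".vdi"},
}
ENCRYPTED_SUFFIX = ".WNCRY"  # suffix WannaCry appends to every encrypted file


def classify(original_ext):
    """Map the extension the file had before encryption to one of the families above."""
    for family, exts in TARGET_FAMILIES.items():
        if original_ext.lower() in exts:
            return family
    return "other"


def triage(root):
    """Walk root and return (encrypted file count, Counter by family, sorted paths)."""
    by_family = Counter()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.upper().endswith(ENCRYPTED_SUFFIX):
                continue
            original = Path(name[: -len(ENCRYPTED_SUFFIX)])  # strip ".WNCRY"
            by_family[classify(original.suffix)] += 1
            hits.append(os.path.join(dirpath, name))
    return len(hits), by_family, sorted(hits)


def build_sample_tree():
    """Constructed sample: plaintext files next to renamed .WNCRY files (no real malware)."""
    root = tempfile.mkdtemp(prefix="wncry_triage_")
    for rel in ["docs/report.docx.WNCRY", "docs/notes.txt", "db/app.mdb.WNCRY",
                "keys/server.pem.WNCRY", "vm/disk.vmdk.WNCRY", "misc/readme.WNCRY"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    total, families, paths = triage(build_sample_tree())
    print(f"{total} encrypted files; by family: {dict(families)}")
```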

3. How to deal with ransomware viruses

How to prevent Windows ransomware viruses? Download patches to prevent infection with ONION and WNCRY ransomware

How to prevent being infected by ransomware when booting? 360 boot-up guide to prevent ransomware

How to quickly close ports 135, 137, 138, 139, 445 in Win7 to prevent Bitcoin ransomware

How to recover data through DiskGenius after a computer is infected with a ransomware virus

Windows devices that have not been patched in time are extremely vulnerable to ransomware attacks, so to keep your computer from being infected, everyone must carry out the necessary updates and preventive work.