Ransomware raging across colleges and universities: Students turn off the firewall to play games

Recently, computer systems in nearly 100 countries and regions around the world have been attacked by a virus called WannaCry, and victims were asked to pay Bitcoin to unlock them.

On May 12, Avast, a security software manufacturer, said it had observed more than 57000 infection cases of the virus in 99 countries. According to a report by China News Agency on May 14, security agencies have not yet been able to break the ransomware's encryption, so users can only take preventive measures. After a computer is infected, the ransomware itself can be removed by reinstalling the operating system, but the user's important data files cannot be recovered directly.

On May 13, China’s National Internet Emergency Center issued a notice saying that the ransomware exploits the previously disclosed Windows SMB service vulnerability (Microsoft security bulletin MS17-010) to infiltrate and spread among end users, and extorts Bitcoin or other payment from them.

According to Zheng Wenbin, chief security engineer of the Chinese network security company 360, the main targets in China are users on the education network. This ransomware exploits a vulnerability reachable through port 445 of Microsoft’s Windows operating system. Some domestic network operators had previously blocked this port, but the education network had not imposed such limits. Microsoft had already released the relevant patch, but computers that have not been updated remain exposed to attack.

Security experts concluded that the global Bitcoin ransomware outbreak was driven by the Windows SMB/RDP remote command execution vulnerability exposed in the leak of NSA tools. Using this vulnerability, attackers can remotely attack port 445 (file sharing) on Windows. If the Microsoft patch from March of this year is not installed, no user action is required: as long as the computer is connected to the network, attackers can execute arbitrary code on it and implant malicious programs such as ransomware.

Considering the risk of the SMB/RDP remote command execution vulnerability in Windows, many cloud service providers at home and abroad blocked port 445 in April. However, a large number of personal computers and machines in IDC physical data centers around the world still have port 445 exposed, which gives attackers an opening.

Security experts concluded that the ransomware spread rapidly across campus networks and had a great impact mainly because most school networks are a single large flat LAN, with different services not separated into security zones. For example, the student management system and the educational administration system can be reached from any connected device.

At the same time, the IP addresses assigned to laboratories, multimedia classrooms, and other machines are mostly public IP addresses. If the school has not set up access restrictions, all of these machines are directly exposed to the outside.

The anti-virus laboratory of an Internet company pointed out that the network most universities connect through is an education and scientific research network serving education, research and international academic exchange. Because this backbone network exists for academic purposes, most of its users take no precautions against port 445, which is one reason colleges and universities became the hardest-hit areas.

China News Service also reported that if a user’s computer has its firewall enabled, the firewall will stop the computer from accepting connections on port 445. However, in Chinese colleges and universities, some students turn off the firewall in order to play LAN games, which is another reason the incident spread so widely on Chinese campuses.
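As an added illustration (not part of the original report, and not a tool from any of the organisations it quotes), the following PowerShell session shows how an administrator can verify and close the port 445 exposure described above on a single Windows host: confirm the firewall is enabled on every profile, add an explicit inbound block for TCP 445, disable SMBv1, and check for the MS17-010 update. The rule name is a constructed value; the NetSecurity and SmbShare cmdlets used here require Windows 8 / Server 2012 or later, and the KB numbers listed are the Windows 7 SP1 / Server 2008 R2 entries from the MS17-010 bulletin, so other Windows versions need their own KB numbers.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt.
# Goal: make sure this host cannot be reached on TCP 445 and is patched for MS17-010.

# 1. Firewall state per profile. A profile showing Enabled = False is exactly the
#    "turned off to play LAN games" condition the report describes.
Get-NetFirewallProfile | Select-Object Name, Enabled

# 2. Re-enable all three profiles. Enabling only one is not enough, because the
#    active NIC may be classified under a different profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. Explicit inbound block for TCP 445, applied to every profile, so the SMB
#    listener stays unreachable even if a permissive "File and Printer Sharing"
#    rule is also present. The display name below is a constructed value.
$ruleName = 'Block inbound TCP 445 (SMB) - WannaCry mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any
}

# 4. Turn off SMBv1 on the server side; MS17-010 addresses flaws in that protocol
#    version and modern clients do not need it. -Force suppresses the prompt.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Patch check. KB4012212 (security-only) and KB4012215 (monthly rollup) are the
#    March 2017 MS17-010 updates for Windows 7 SP1 / Server 2008 R2; adjust the
#    list for other Windows versions according to the bulletin.
$ms17010 = @('KB4012212', 'KB4012215')
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 }
if ($installed) {
    Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 update found in the KB list for this host; install it."
}

# 6. Verification: SMB1 should report False, the block rule should cover port 445,
#    and any local 445 listener is now shielded by the firewall.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State
```

The host-level block is a stopgap for machines that cannot be patched immediately; on a campus network the same control belongs at the network edge and between security zones, which is the segmentation the experts quoted above say was missing.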

According to China News Service, since the evening of May 12, teachers and students from many colleges and universities in China have found that files and programs in their computers cannot be opened one after another. Instead, a dialog box pops up asking for ransom such as bitcoin to be paid before recovery. The reporter noticed that more than a dozen colleges and universities including Shandong University, Nanchang University, Guangxi Normal University, Northeast University of Finance and Economics, and Zhongshan University of Electronic Science and Technology issued notices of virus attacks, reminding teachers and students to pay attention to prevention.

According to Xinhua News Agency, Zheng Wenbin told reporters that after a computer is infected by this ransomware, the files on it are encrypted and locked, and only after paying the ransom demanded by the attackers can the files be decrypted and recovered. The ransom reportedly runs as high as 5 bitcoins, currently worth more than 50000 yuan.

Zheng Wenbin said that the malware spreading this time consisted mainly of two families, named ONION and WINCRY. Monitoring showed that the former appeared in China first, while the latter appeared on the afternoon of the 12th and spread rapidly across campus networks.
