Revealed: 9 truths you need to know about the WannaCry ransomware

【Global Science reporters Xinyue, Tao Zongyao】 By now almost everyone has heard of "WannaCrypt" (WannaCry, spread through "Eternal Blue"). Since its sudden outbreak on May 12 the virus has reached at least 150 countries and infected over 100,000 machines worldwide, disrupting government, medical, education, infrastructure and other systems. Victims include the British health system, the express delivery company FedEx, the Russian telecom operator Megafon, many university campus networks in China, and many energy companies and government institutions. After a device is infected with WannaCrypt, the files on its disk, including documents, pictures, videos and archives, are renamed with a new suffix and can no longer be opened. To recover the encrypted data the victim is told to pay a ransom of 5 Bitcoin or 300 US dollars (approximately 50,000 and more than 2,000 yuan respectively). The blackmailers also claim that if the ransom is not paid within a week, the encrypted files will be deleted permanently. So what are the hidden truths behind a ransomware outbreak with such a large impact? Huorong Security answers the nine most common questions below.

1. How can ordinary (non-expert) users defend against this ransomware?

A: Users need not worry too much. Installing Huorong Security Software protects against this ransomware and its emerging variants. At the same time, upgrade the operating system and install the patches (see question 4 for details). At noon on May 13 Huorong Security Software completed an emergency upgrade; download the software from the official Huorong website and upgrade to the latest version to defend against and remove the virus. The Huorong team is tracking new virus variants day and night and will release an upgrade as soon as a new variant appears. Huorong products upgrade automatically by default, so no settings are required. Users on an isolated intranet should download the latest Huorong installer on an external-network machine and then install it on the intranet computers.

2. Which users are vulnerable to infection? Why are government agencies and universities the hardest-hit areas?

A: We have found that the virus spreads through the file-sharing port. Besides attacking intranet IP addresses it also attacks the public network, but only computers that are directly exposed on the public network and lack the corresponding operating system patch can be hit from outside. Individual users who connect through a dial-up router will therefore not be attacked directly from the public network. Likewise, if a corporate network reaches the public network through a single routed exit, the computers inside it will not be attacked directly from the public network, although it cannot be ruled out that future variants of the virus will spread in more ways. Many campus networks and other networks, however, have computers connected directly to the public network, and their internal network resembles one large local area network. Once a computer exposed on the public network is compromised, the whole LAN may be infected. According to data from the Huorong Threat Intelligence System, relatively few individual Internet users have been infected.

3. Can infected users recover their encrypted, locked files?

A: Conclusion: this is very difficult, almost impossible. Even if you pay the ransom you may not receive the decryption key. Compared with previous ransomware, WannaCry has a fatal flaw: the virus author cannot clearly determine which victim has paid, so it is difficult to hand out the matching decryption key (each computer has its own key; there is no universal key). Please do not pay the ransom (Bitcoin) lightly; as noted, even after a payment the author cannot tell who paid and which key to give them. Various "decryption methods" are circulating online, and some people even claim that the author had a change of heart and published the decryption key. These are all rumours. Like the vast majority of ransomware, this one cannot be cracked; do not trust any claim that it can, or you will be deceived. Some security companies have released "decryption tools", but these are really file repair tools: they can recover some deleted files to a limited extent, but still cannot decrypt locked files.

4. Which systems does the ransomware attack?

A: The impact of this outbreak is indeed very large, rare in recent years. The virus spreads through the serious "Eternal Blue" vulnerability from the NSA leak, and almost any unpatched Windows system can be attacked. Microsoft released the MS17-010 security update in March of this year. The following systems are protected against the virus if automatic update is enabled or the corresponding patch is installed: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016. Windows 10 users are the most secure: automatic update is turned on by default in this system and cannot be turned off, so it is not affected by the virus. In addition, because of the huge impact of this incident, Microsoft has once again provided an emergency security patch for Windows XP, Windows 8 and Windows Server 2003, which are no longer in maintenance.

5. Apart from Windows computers, will mobile phones, tablets, Macs and other terminals be attacked?

A: No. The virus only attacks computers running Windows. Terminals such as mobile phones will not be attacked, and systems such as Unix, Linux and Android are not affected. Please do not panic or believe rumours; the picture circulating below, for example, is an obvious Photoshop fake.

6. What are the symptoms of infection by this ransomware?

A: The most obvious symptom after infection is that the desktop background has been changed, many files have been locked by encryption, and the virus pops up a ransom window. Files with the following suffixes are locked by the virus's encryption:

.doc;.docx;.xls;.xlsx;.ppt;.pptx;.pst;.ost;.msg;.eml;.vsd;.vsdx;.txt;.csv;.rtf;.123;.wks;.wk1;.pdf;.dwg;.onetoc2;.snt;.jpeg;.jpg;.docb;.docm;.dot;.dotm;.dotx;.xlsm;.xlsb;.xlw;.xlt;.xlm;.xlc;.xltx;.xltm;.pptm;.pot;.pps;.ppsm;.ppsx;.ppam;.potx;.potm;.edb;.hwp;.602;.sxi;.sti;.sldx;.sldm;.vdi;.vmdk;.vmx;.gpg;.aes;.ARC;.PAQ;.bz2;.tbk;.bak;.tar;.tgz;.gz;.7z;.rar;.zip;.backup;.iso;.vcd;.bmp;.png;.gif;.raw;.cgm;.tif;.tiff;.nef;.psd;.ai;.svg;.djvu;.m4u;.m3u;.mid;.wma;.flv;.3g2;.mkv;.3gp;.mp4;.mov;.avi;.asf;.mpeg;.vob;.mpg;.wmv;.fla;.swf;.wav;.mp3;.sh;.class;.jar;.java;.rb;.asp;.php;.jsp;.brd;.sch;.dch;.dip;.pl;.vb;.vbs;.ps1;.bat;.cmd;.js;.asm;.h;.pas;.cpp;.c;.cs;.suo;.sln;.ldf;.mdf;.ibd;.myi;.myd;.frm;.odb;.dbf;.db;.mdb;.accdb;.sql;.sqlitedb;.sqlite3;.asc;.lay6;.lay;.mml;.sxm;.otg;.odg;.uop;.std;.sxd;.otp;.odp;.wb2;.slk;.dif;.stc;.sxc;.ots;.ods;.3dm;.max;.3ds;.uot;.stw;.sxw;.ott;.odt;.pem;.p12;.csr;.crt;.key;.pfx;.der

7. What is the relationship between "Eternal Blue" and the ransomware virus?

A: "Eternal Blue" refers to the dangerous "EternalBlue" exploit leaked from the NSA. The WannaCry ransomware uses this vulnerability to spread, and other viruses may also spread through the "Eternal Blue" hole, so patching the system is a must.

8. I have heard that a British man accidentally stopped the continued spread of the Bitcoin ransomware attack sweeping the global network and "saved the world". Is that true?

A: The body of the WannaCry ransomware contains a piece of code that checks whether a certain "http://" URL can be accessed; if it can, the virus does not continue to spread. This is the virus's "magic switch" (kill switch). A foreign security researcher (the "British brother") registered this URL immediately after discovering the code, which effectively halted the spread. However, this only stopped the spread: computers that were already infected were still attacked and their files locked by encryption. Moreover, this piece of code in the virus body is not encrypted, so any new virus maker can modify or delete it, and a new variant with the "magic switch" removed may appear in future.

9. If I use a genuine operating system with automatic updates turned on, do I still need to use an online immunization tool?

A: If automatic update is enabled on Vista (and later) systems, there is no need to use any immunization tool or to manually close the relevant ports. For Windows XP, Windows Server 2003 and Windows 8, once the patch that Microsoft released urgently is installed, immunization tools and manual port closing are likewise no longer needed.
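The two behaviours described in questions 2 and 8 (worm-style connections to the file-sharing port, and a request to the kill-switch URL) are what a defender would look for in network logs. The following triage script is an added example, not code from the article or from Huorong; the log line format, the sample addresses and the kill-switch host name are constructed assumptions, and the file-sharing port is assumed to be SMB on TCP 445.

```python
# Added example (not from the article or Huorong): flag hosts that sweep the
# SMB "shared port" across many neighbours (question 2) and hosts that asked
# for the kill-switch URL (question 8). Log format and domain are constructed.
from collections import defaultdict

SMB_PORT = 445                          # assumption: the "shared port" is SMB/TCP 445
SCAN_THRESHOLD = 20                     # distinct SMB targets per source before flagging
KILL_SWITCH_HOST = "kill-switch.example"  # placeholder, NOT the real sinkhole domain

def parse_line(line):
    """Parse one constructed log line: '<ts> <proto> <src> <dst> <dport> [<host>]'."""
    fields = line.split()
    if len(fields) < 5:
        return None                     # malformed line: skip it, do not abort the run
    rec = {"ts": fields[0], "proto": fields[1], "src": fields[2],
           "dst": fields[3], "dport": int(fields[4])}
    rec["host"] = fields[5] if len(fields) > 5 else ""
    return rec

def find_smb_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return {src: distinct_targets} for sources reaching >= threshold distinct
    hosts on the SMB port. That fan-out is worm behaviour, not a user opening
    a few shares, and a patched but exposed host would still show it if infected."""
    targets = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "tcp" and rec["dport"] == SMB_PORT:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def find_kill_switch_contacts(lines):
    """Return the sources that requested the kill-switch host. A reachable kill
    switch stops further spreading, but the request itself shows the worm code
    ran on that machine, so the host still needs to be isolated and checked."""
    return {rec["src"] for rec in filter(None, map(parse_line, lines))
            if rec["proto"] == "http" and rec["host"] == KILL_SWITCH_HOST}

def sample_log():
    """Constructed sample: 10.0.5.7 sweeps 25 neighbours on 445 and then asks
    for the kill-switch URL; 10.0.5.20 merely opens three shares."""
    lines = [f"2017-05-12T10:01:{i:02d} tcp 10.0.5.7 10.0.5.{100 + i} 445"
             for i in range(25)]
    lines += [f"2017-05-12T10:03:0{i} tcp 10.0.5.20 10.0.5.{200 + i} 445"
              for i in range(3)]
    lines.append("2017-05-12T10:02:00 http 10.0.5.7 203.0.113.9 80 " + KILL_SWITCH_HOST)
    lines.append("garbage line")         # exercises the malformed-line path
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("SMB scanning hosts:", find_smb_scanners(log))
    print("kill-switch contacts:", find_kill_switch_contacts(log))
```

On real data, feed the script your firewall or proxy export (after adapting parse_line to its columns) and treat any host in either result as infected until checked, since the article notes the kill switch does not undo an infection that has already occurred.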