The first actions of a regular user.
Near-simultaneous reports of large-scale outages in many countries could cause panic and a sense of insecurity among ordinary network users.
The victims of the ransomware were mostly servers of large organizations from which the attackers intended to steal money. Ordinary users were not immune to exposure either, although protecting yourself from the virus is easy.
The virus is a new version of WannaCry (WNCRY) and is called Wana Decrypt0r 2.0. There are several ways a computer can become infected. The malware can arrive via email, or the user may download it unintentionally: for example, by downloading pirated content from torrents, opening a fake update window, or downloading bogus installation files.
The main vector, however, is email. The victim becomes infected by opening a malicious attachment. Most often these are files with .js and .exe extensions, as well as documents with malicious macros (for example, Microsoft Word files).
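As an added illustration of this vector (example code, not part of the original article): a mail-gateway triage check that flags the attachment types named above. It assumes that zip-based Office files keep macros in a vbaProject.bin part, treats the UTF-16 "VBA" marker for legacy .doc/.xls files as a heuristic, and uses only constructed sample inputs.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions the article names as the usual carriers; real gateways extend this set.
DIRECT_EXEC = {".js", ".exe"}
# OOXML (zip-based) Office formats; a macro project is stored as a vbaProject.bin part.
OFFICE_ZIP = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Legacy OLE formats: directory entry names are UTF-16LE, so the "VBA" storage shows up as this.
LEGACY_OFFICE = {".doc", ".xls"}
VBA_MARKER = "VBA".encode("utf-16-le")

@dataclass
class Verdict:
    filename: str
    risky: bool
    reason: str

def office_has_macro(data: bytes) -> bool:
    """True if a zip-based Office document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment; only the last extension counts (invoice.pdf.exe is .exe)."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in DIRECT_EXEC:
        return Verdict(filename, True, f"directly executable attachment ({ext})")
    if ext in OFFICE_ZIP and office_has_macro(data):
        return Verdict(filename, True, "Office document carries a VBA macro project")
    if ext in LEGACY_OFFICE and VBA_MARKER in data:
        return Verdict(filename, True, "legacy Office document appears to contain VBA storage (heuristic)")
    return Verdict(filename, False, "no executable content detected")

def build_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip-based Office document, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

Calling `triage_attachment("invoice.pdf.exe", b"MZ")` or `triage_attachment("report.docm", build_docm(True))` yields a risky verdict, while a plain `.docx` without a macro part does not.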
What the virus does
Once inside the system, the Trojan scans the disks, encrypts the files and appends the WNCRY extension to all of them, so the data is no longer accessible without the decryption key. Access is blocked to images, documents and music as well as to system files.
There is a risk that, after creating the encrypted copies, the virus will delete the originals. Even if the antivirus blocks the application after the fact, the files are already encrypted, and although the program itself can no longer run, a message about the blocked files is placed on the desktop in place of the wallpaper.
Each victim of the ransomware sees an offer to decrypt a few files for free and to pay for restoring access to everything else. The victim is invited to purchase bitcoins and send the specified amount to the wallet. However, there is no guarantee that paying the ransom will unlock the device.
The WNCRY threat does not affect macOS users, but owners of Windows computers should be concerned: specifically Windows Vista, 7, 8, 8.1 and 10, as well as Windows Server 2008/2012/2016.
In March 2017, Microsoft reported closing the vulnerability through which computers were infected on May 12. Most likely, the program spread indiscriminately and reached only those who had not updated in time. Patch MS17-010, which closes the vulnerability, can be downloaded from the Microsoft website.
After installation, restart the computer. According to Microsoft, users of the Windows Defender antivirus are protected from the virus automatically. If you use third-party antivirus software such as Kaspersky or Symantec, it is also worth installing the latest version.
In the antivirus, enable the System Monitoring component. Then scan the system: if a malicious attack is detected (MEM:Trojan.Win64.EquationDrug.gen), reboot the system again and make sure that patch MS17-010 is installed.
If you did not manage to secure your computer in advance, take the following steps to remove Wncry.
1. Boot into Safe Mode with Networking. In Windows 7, this can be done by pressing the F8 key while the system is rebooting. Instructions for this step also exist for other versions, including Windows 8 and Windows 10.
2. You can remove unwanted applications manually through “Uninstall a program”. However, to avoid mistakes and accidental damage to the system, it is better to use anti-malware programs such as SpyHunter Anti-Malware Tool, Malwarebytes Anti-Malware or STOPZilla.
The final step for a regular user is to restore the encrypted files, which should be done only after Wncry has been removed. Otherwise, you risk damaging system files and the registry.
To restore files, you can use decryptors, as well as the Shadow Explorer utility (which recovers shadow copies of files, that is, their state before encryption) or Stellar Phoenix Windows Data Recovery. For residents of the former USSR there is R.saver, a solution from Russian-speaking developers that is free for non-commercial use.
These methods do not guarantee complete file recovery.