What is the NSA EternalBlue ransomware worm? How to fix the system vulnerability exploited by the ransomware attack
4hw.org: Recently, the global outbreak of ransomware has attracted wide attention. It has been called the "great plague" of computers, and it is frightening. As we all know, computer viruses are made by people. Who made this global ransomware? Who should be held responsible for it?
Nowadays, the commercial operation of Internet hackers has matured, and huge, dirty trades go on behind it. Ransomware is one of them. Driven by profit, the volume of hacker trading worldwide is a frightening 100 million yuan every day!
Meanwhile, the hospitals attacked in Britain have been thrown into chaos. According to the British Mirror and other reports, all IT systems, telephone systems and patient management systems of the 40 hospitals affected by the virus are currently suspended. This means all systems are offline and the hospitals cannot answer calls at all. Emergency patients waiting for treatment are being transferred elsewhere as arranged by doctors, and at least one hospital has been forced to close.
More than 45,000 attacks have taken place, mainly in Russia, and at least 10 ransoms of around $300 each have been paid into bitcoin accounts provided by the hackers, the report said.
According to analysis by the 360 Security Center, this campus-network ransomware is spread using the leaked NSA hacking tool "EternalBlue". EternalBlue can remotely attack port 445 (file sharing) on Windows. If the system has not installed the Microsoft patch from March this year, no user action is required: as long as the system is powered on and online, criminals can implant ransomware, remote-control Trojans, cryptocurrency miners and other malicious programs on computers and servers.
Because many worms have spread through port 445 in China before, some operators have blocked port 445 for individual users. However, there is no such restriction on the education network, where a large number of machines have port 445 exposed, so it has become a disaster area for criminals using the NSA hacking tools.
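As an added example, not from the article or from 360, here is a PowerShell check-and-harden script for a single Windows host that applies the two fixes the article points at: confirm the March 2017 update (MS17-010) is installed, and close port 445 (plus disable SMBv1, the protocol EternalBlue abuses). The KB list is assumed from the MS17-010 bulletin for the OS builds of the time; later cumulative updates supersede them, so a missing KB on an up-to-date Windows 10 host is not by itself proof of exposure.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# on Windows 8 / Server 2012 or later (needs the NetSecurity, NetTCPIP and SmbShare modules).

# KB numbers assumed from the MS17-010 bulletin (March 2017), one per OS build.
# Superseding cumulative updates will not show these IDs, so treat "missing" as
# "check Windows Update history", not as a confirmed vulnerable host.
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
                'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
                'KB4012214', 'KB4012217',   # Server 2012
                'KB4012598',                # XP / Vista / Server 2003 / 2008
                'KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 1507 / 1511 / 1607

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found. Install the March 2017 security update before leaving this host online."
}

# Show whether the SMB server is listening on 445 at all (the exposure the article describes).
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Block inbound TCP 445 on every firewall profile. Idempotent: skip if the rule already exists.
$ruleName = 'Block inbound SMB 445 (MS17-010 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
}

# EternalBlue targets SMBv1; turn the protocol off on the server side.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Blocking 445 also breaks legitimate file and printer sharing to this host, so on file servers apply the rule only to the profiles facing untrusted networks and rely on the patch plus SMBv1 removal for the rest.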
360's monitoring data on the campus-network ransomware shows that the most common one in China is the Onion virus, which attacks about 200 times an hour on average and reaches 1,000 times an hour at the night peak; the WNCRY ransomware is a new global attack that began on the afternoon of May 12 and spread rapidly across China's campus networks, attacking about 4,000 times an hour at the night peak.
So far, the developers behind it have not been identified, and the attack is still ongoing.
How does ransomware spread?
This type of virus is highly targeted and is mainly spread by email.
Once the ransomware file is opened by the user, it connects to the hacker's C&C server, uploads local information and downloads the public and private encryption keys. It then writes the keys into the registry, traverses the Office documents, pictures and other files on all local disks, and tampers with and encrypts these files; after encryption completes, a ransom note is generated in a prominent location such as the desktop to guide the user to pay the ransom.
Once the ransomware file enters the local machine, it runs automatically and deletes its own sample to evade detection and analysis. Next, it uses the machine's Internet access to connect to the hacker's C&C server, uploads local information, downloads the private and public keys, and encrypts the files with them. Apart from the virus developers themselves, it is almost impossible for anyone else to decrypt them. After encryption, the wallpaper is changed and ransom notes are generated in prominent places such as the desktop to guide users to pay the ransom. New variants appear very quickly, which evades conventional antivirus software. The attack samples are mainly EXE, JS, WSF, VBE and other file types, a great challenge for security products that rely on signature detection.
Ransomware usually attacks anyone, but some of it targets enterprise users (such as xtbl, wallet), and some targets all users.