Ransomware Day: Massive Infection with Wanna Decrypt0r
More than 60,000 computers were attacked and infected with a virus-extortionist Wana Decrypt0r. Wana Decrypt0r authors use the ETERNALBLUE exploit created by the NSA specialists for a vulnerability in SMBv1 (MS17-010) to deliver malicious code to Windows systems. The virus encrypts all files on the computer and requires a ransom of $ 300 in bitcoins. The payment is given three days, then the amount is doubled.
The group of experts on cyber security MalwareHunterTeam claims that the most affected servers in Russia and Taiwan suffered as a result of the attack. Other countries also came under attack:
- Great Britain;
- Spain;
- Italy;
- Germany;
- Portugal;
- Turkey;
- Ukraine;
- Kazakhstan;
- Indonesia;
- Vietnam;
- Japan;
- Philippines;
Microsoft closed this vulnerability in March. But, apparently, not all had time to update their systems. You can see the real-time infection report here:
Protective measures
As a means of protection, it is recommended to update the Windows system urgently (if you did not do it for some reason), use the firewall detection and blocking tools, etc.
For example, you can do this with the following commands:
netsh advfirewall firewall add rule <span class="hljs-attr">dir=in</span> <span class="hljs-attr">action=block</span> <span class="hljs-attr">protocol=TCP</span> <span class="hljs-attr">localport=135</span> <span class="hljs-attr">name="Block_TCP-135"
netsh advfirewall firewall add rule <span class="hljs-attr">dir=in</span> <span class="hljs-attr">action=block</span> <span class="hljs-attr">protocol=TCP</span> <span class="hljs-attr">localport=445</span> <span class="hljs-attr">name="Block_TCP-445"