Cybersecurity experts have warned of a new wave of attacks by the WannaCry virus, which has already infected computers in 150 countries. According to them, more than 300 new versions of the virus have been registered, and the number is growing.
Experts at the audit and consulting company PwC have documented more than 300 new strains of the WannaCry virus, which on May 12 attacked about 200 thousand computers around the world. As Roman Chaplygin, head of the Russian practice of information security services, told RBC, their number is growing with each passing hour, so a new wave of attacks is expected in the near future.
According to him, yesterday, May 14, 300 installation files containing the malicious software were discovered, and their number is growing. They are based on three main principles and are essentially copies of the original WannaCry. The first principle is that the virus contains a “switch” that allows the infection to be neutralized. Viruses of the second type have no such function, but they also have no distribution mechanism and cannot reproduce themselves. The third type does not contain the “switch” and spreads at high speed, but performs no malicious actions. “Most likely, this was done by mistake, and today there may be a new virus strain that will be resistant to the existing security solutions while carrying out a malicious payload,” said Chaplygin.
In addition, the expert says, there are new strains of the virus whose aim is not just to encrypt a user’s files but to steal them. According to PwC, many cybersecurity laboratories are working to develop a tool for decrypting data that was encrypted by the ransomware virus.
“It is important to note that the logic of the virus is changing. The lull does not mean the end of the attack, and it is not entirely clear what the consequences will be. Companies must be vigilant and continue to protect their systems,” the expert warned.
Earlier, a British cybersecurity expert managed to block the spread of the virus. He registered the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, which was contained in the code of the virus. After the domain became available on the Internet, the virus began to receive a response from it and stopped spreading (this was built into its algorithm).
However, as reported by the publication Motherboard, the creators of WannaCry rewrote the code of the malware, and the virus is once again able to infect computers. The peak of infections was expected on Monday, May 15, with the beginning of the work week, the portal warned.
Group-IB also reported the appearance of WannaCry modifications. According to the company, someone uploaded a new version of the virus, without the blocking capability, to VirusTotal, a service that analyzes suspicious files and links for a variety of Trojans and malware. That is, the spread of the virus cannot be stopped in the same way the original WannaCry was. According to Group-IB, the virus was not uploaded by the authors of the original virus.
“Yes, there is a new version, but it is too early to say that there have been infections. Maybe someone simply created a new version for fun, not for infection, and immediately uploaded it to this global database,” said the Group-IB representative. However, cybercriminals will need little time to modify Wanna Cryptor and start an attack, and for now there is only a “temporary respite,” he warned.
In addition, Group-IB experts noted that large companies are under threat first of all: “the more computers in a local network, the more hosts can be infected.” For an ordinary user, by contrast, the virus is activated only if the user runs it manually or accesses the Internet through a provider's local network.
Reports of the global virus attack, which targeted computers running the Windows operating system in more than 150 countries, appeared on Friday, May 12. The virus encrypts files on infected computers and demands a payment of $300 or $600 in bitcoins for access to them. Otherwise, the virus threatens to delete the files within three days. A user has launched a page where one can track how much money has already been transferred to the fraudsters. At the time of this writing, the hackers had received more than $50 thousand.
Putin denied the “Russian trace”
Earlier, the Romanian authorities suggested that the global attack could have been carried out by an organization “associated with the cybercrime group APT28/Fancy Bear,” which is traditionally counted among the “Russian hackers.” The Telegraph, in turn, suggested that the group Shadow Brokers, which is associated with Russia, could be behind the attack. The publication linked this to statements the hackers made in April, in which they claimed to have stolen “cyber weapons” of the U.S. intelligence community that give access to all Windows computers.
However, on Monday, May 15, Russian President Vladimir Putin denied Russian involvement in the massive cyber attack. He referred to the statement of the head of Microsoft, Brad Smith, according to which a share of responsibility for global cyber attacks lies with, among others, the CIA and the NSA: they collected data about vulnerabilities, which was subsequently stolen. “As for the source of these threats, in my opinion, the Microsoft management stated it expressly: it said that the primary source of this virus is the special services of the United States. Russia is completely innocent. I am surprised to hear anything else in these circumstances,” Putin said, commenting on the cyber attacks.