Yesterday a ransomware attack broke out in the United Kingdom, Italy, Russia and other countries around the world, and a large number of colleges and universities in China were also infected: the computer files of many teachers and students were encrypted by the virus and can only be restored by paying a ransom. According to the emergency announcement from 360 Security Guard, criminals are using the hacking weapons leaked from the NSA to attack Windows vulnerabilities, and ransomware such as ONION and WNCRY is spreading rapidly across campus networks. Computer users are advised to use the 360 "NSA arsenal immune tool" to protect themselves as soon as possible.
Figure: The ransomware infection carried by NSA hacking weapons
According to the analysis of the 360 Security Center, the ransomware on the education network was spread by the "Eternal Blue" hacking weapon leaked from the NSA. "Eternal Blue" remotely attacks Windows port 445 (file sharing). If the Microsoft patch released in March this year is not installed, no user action is required: as long as the computer is connected to the network, "Eternal Blue" can execute arbitrary code on it and implant malicious programs such as ransomware.
Because worms spreading through port 445 have been so common in China, some ISPs already block port 445 for individual users. The education network has no such restriction, and a large number of its machines expose port 445, so it has become the hardest-hit area for criminals using the NSA hacking weapons. During the graduation season at colleges and universities, the ransomware has left some graduating students' theses encrypted and tampered with, directly affecting their thesis defenses.
At present, the ransomware spread by "Eternal Blue" is dominated by ONION and WNCRY. The disk files of the victim machine are renamed with the corresponding suffixes, and pictures, documents, videos, compressed archives and so on can no longer be opened normally; only paying the ransom decrypts and recovers them. The two families demand 5 bitcoins and 300 US dollars respectively, equivalent to about 50,000 yuan and 2,000 yuan.
360 monitoring data on ransomware events on the education network shows that the ONION virus appeared in China first, with an average of 200 attacks per hour and a peak of more than 1,000 per hour at night. The WNCRY ransomware appeared on the afternoon of May 12, attacked globally and spread rapidly across campus networks in China, reaching about 4,000 attacks per hour at the night-time peak.
Security experts have also found that the ONION ransomware is being distributed together with a cryptocurrency miner and a remote-control Trojan, forming a Trojan "bundle" that combines mining, remote control and extortion. On high-performance servers it mines for profit, while on ordinary computers it encrypts files and extorts money, maximizing the economic value of each victim machine.
Microsoft released a patch in March this year for the Windows vulnerabilities exploited by the NSA hacking weapons. The 360 Security Center has also launched the "NSA arsenal immune tool", which checks with one click whether a computer is vulnerable to the NSA hacking weapons; for XP, 2003 and other systems that no longer receive updates, the immune tool can close the exploited port and prevent the NSA hacking weapons from implanting malicious programs such as ransomware.
Figure: NSA arsenal immunization tool
How to confirm whether you are infected: first unplug the network cable, then power on the computer; confirm that 360 is running normally and that office software works normally, and only then plug the network cable back in.
If the computer is not infected, download the NSA arsenal immune tool to patch and harden the system, and download Document Guard to back up your documents.
Download the NSA arsenal immune tool:
Download Document Guardian:
If you confirm that the computer is infected, do not plug in the network cable or a USB flash drive. Follow the steps below:
1. Close TCP and UDP ports 135 and 445 on the computer (tutorial):
2. Install the anti-ransomware protection tool and Document Guard, and try to recover the encrypted files.
PS: The anti-ransomware protection tool only works before the virus gets in. Back up important documents, do not visit suspicious websites, and do not open suspicious messages or files.
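The two places above where the article talks about port 445 exposure and about closing ports 135 and 445 can be carried out on a modern Windows host with the built-in firewall cmdlets. The script below is an added example, not part of the 360 announcement and not the 360 tool itself: it reports whether anything is listening on TCP 135/445, creates inbound block rules for TCP and UDP on both ports, and turns off the legacy SMBv1 server that "Eternal Blue" drives over port 445. It assumes an elevated (Administrator) PowerShell session on Windows 8.1 / Server 2012 R2 or later, and the rule names are my own choice; the cmdlets it uses do not exist on XP or 2003, which is why the article points those systems at the immune tool instead.

```powershell
# Added example (not the 360 tool): harden a Windows host against the SMB vector
# described in the article. Run as Administrator, ideally while the network cable
# is still unplugged as the article's procedure requires.

$Ports = 135, 445

# --- 1. Exposure check: is anything listening on TCP 135/445 right now? ---
foreach ($p in $Ports) {
    $listen = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        Write-Host "TCP port $p is LISTENING (exposed if reachable from the network)"
    } else {
        Write-Host "TCP port $p is not listening"
    }
}

# --- 2. Block inbound TCP and UDP on 135 and 445 across all firewall profiles ---
foreach ($p in $Ports) {
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block-Inbound-$proto-$p"   # constructed rule name, not a Windows default
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort $p -Action Block -Profile Any -Enabled True | Out-Null
            Write-Host "Created firewall rule $name"
        } else {
            Write-Host "Firewall rule $name already exists"
        }
    }
}

# --- 3. Disable the SMBv1 server, the protocol the exploit speaks over port 445 ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server disabled (a reboot may be needed for full effect)"
} else {
    Write-Host "SMBv1 server already disabled"
}

# --- 4. Verify: show the rules just created and the current SMBv1 setting ---
Get-NetFirewallRule -DisplayName 'Block-Inbound-*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
(Get-SmbServerConfiguration).EnableSMB1Protocol
```

Blocking port 445 also stops legitimate Windows file and printer sharing to this machine, so treat the firewall rules as a stopgap; the actual fix the article refers to is installing Microsoft's March patch, after which the rules can be reviewed. The script is idempotent: running it a second time reports the existing rules rather than creating duplicates.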