Since May 12, 2017, the network sharing protocol based on windows has been discovered in the network at home and abroad Carry on the attack to spread the worm malicious code, this is the lawless elements through the transformation before the leakage of NSA hacker force The network attack event initiated by the "eternal blue" attack program in the library. At present, the worms can scan windows machines with open 445 file sharing port, and no user is required How to operate, as long as you turn on the Internet, criminals can implant blackmail programs in computers and servers, and Program control Trojan horse, virtual currency mining machine and other malicious programs. At present, this worm is widely spread in the education network and Intranet without strict access control on port 445 Broadcast, showing the trend of outbreak, infected system A system that can be blackmailed for high amounts of money and cannot pay ransom on time Data will be destroyed, causing serious losses. The worm attack event has caused very serious practical harm The intranet of similar scale has also faced such threats. three hundred and sixty security The monitoring and response center will also keep an eye on the progress of the event and update it for you as soon as possible The event information.
Previously on the night of April 14, 2017, Beijing time, a large number of new NSA related network attackers And the document is shadowed Brokers organization, which includes multiple windows system services (SMB, RDP, IIS).
Global computer blackmail virus attacks on campus networks of Chinese Universities
It home on May 13, 2017
In addition to China, at least 19 NHS owned medical institutions in England and Scotland, including hospitals and general practitioner clinics, have been attacked.
Latest progress: according to the BBC, computer network virus attacks have spread to 74 countries, including the United States, the United Kingdom, China, Russia, Spain, Italy, etc.
According to the report of it home on May 12, many small partners of it home have contributed that at about 20:00 this evening, some college students in China reported that their computers were attacked by viruses and their documents were encrypted. The attacker claimed to pay bitcoin to unlock.
It is reported that the virus is national, suspected to spread through the campus network, very fast. At present, Hezhou University, Guilin University of Electronic Science and technology, Guilin Institute of aerospace industry and universities in Guangxi and other regions are affected.
In addition, some netizens reported that Dalian Maritime University and Shandong University were also attacked by the virus.
The it home requests the schoolchildren of each district, please back up the important documents as soon as possible to avoid being blackmailed, especially the fresh graduates, the thesis must be backed up well!
From the current situation, the virus seems to be spreading, it home will continue to pay attention to it.
In addition, many public hospitals in the UK are suspected to have been attacked by the same virus.
[extended reading] several public hospitals in the UK are under cyber attack and hackers extort money
According to British media reports, on May 12, Britain's national health service system suffered a large-scale network attack, computer systems in several public hospitals almost simultaneously collapsed, and telephone lines were cut off, resulting in many emergency patients being forced to transfer.
According to the daily mail, at least 19 NHS owned medical institutions in England and Scotland, including hospitals and general practitioners' clinics, have been cyber attacked.
Hospital staff said they had pop-up windows on their computer screens. Hackers sent messages that the hospital's computers had been controlled and a ransom had to be paid to prevent all files from being deleted.
A message circulated on the Internet said that hackers demanded a ransom of $300 for each computer being manipulated and paid in the form of virtual currency bitcoin. The pop-up page also has a countdown clock that shows the deadline for next Friday.
According to the report, at least 10 ransoms worth about $300 each have been sent to the bitcoin account provided by hackers.
A similar cyber attack occurred in Los Angeles last year, when hackers received a total ransom of 13140, according to the FBI.
On prevention of onion blackmail Software Emergency notification of virus attack
Campus network users:
Recently, onion blackmail software infection has occurred in many colleges and universities in China. Disk files will be encrypted with. Onion suffix by virus. Only by paying a high ransom can the files be decrypted and recovered, causing serious losses to learning materials and personal data.
According to the network security agency, this is a virus attack initiated by criminals using the "eternal blue" leaked from NSA hacker weapon library“ The "eternal blue" will scan windows machines with open 445 file sharing ports. As long as you turn on the Internet, criminals can plant blackmail software, remote control Trojan horses, virtual currency diggers and other malicious programs into computers and servers without any user operation.
Due to the previous outbreaks of worms using port 445 in China, operators have blocked port 445 for individual users. However, education network does not have such restrictions, and there are still a large number of machines exposing port 445. According to the statistics of relevant institutions, at present, more than 5000 machines are attacked by NSA's "eternal blue" hacker weapon every day, and the education network is the hardest hit area!
Here we remind teachers and students:
At present, Microsoft has released patch ms17-010 to fix the system vulnerability of "eternal blue" attack. Please install this patch for your computer as soon as possible; For XP, 2003 and other machines that Microsoft no longer provide security updates, it is recommended to use 360 "NSA weapon library immune tool" to detect whether there are vulnerabilities in the system, and close the ports affected by the vulnerabilities, so as to avoid being infringed by blackmail software and other viruses. Download address: http://dl.360safe.com/nsa/nsatool.exe
Methods of infection prevention:
① Control panel → windows firewall → advanced settings → inbound rule → new rule → port → TCP → enter "135445" below → block connection → create a new rule and select UDP
② Apply the latest official patch https://technet.microsoft.com/zh-cn/library/security/MS17-010
③ XP Win2003 or below https://dl.360safe.com/nsa/nsatool.exe （ 360 detection and repair tool)
Tip: after the official patch is completed, you can download the 360 test in the article to see if the repair is complete.
Blogger reminds: Microsoft official released a patch in March, 360 patch may cause the computer system can not start normally. Campus network, office, printing room, company and other public network, equipment use should be cautious. The blogger didn't make a patch and used the restore wizard to backup the important data on the cloud disk or mobile hard disk. Close ports 445, 135, 137, 138 and 139, and close network sharing. This blackmail outbreak is caused by the lack of security construction and awareness of enterprises and universities on the intranet, which has nothing to do with the information security industry. It has been blackmailed to restart the system and patch it. The local tyrant can also pay for it, but it doesn't have to be solved for you. (it's important to get into the habit of backing up your data!)