Antiy Responses to Ransomware WannaCry FAQ 1

Antiy Responses to Ransomware WannaCry FAQ  1

(Antiy CERT)

This morning (May 13), Antiy released the report named as “Antiy takes emergency response to the global outbreak of ransomware WannaCry ”. Many customers have questions related to this event, so we put the high-frequency ones together into FAQ1. We will continue to follow up the users’ questions.

1.Our current operator is XXX, is there any problem?

After the outbreak of Sasser and Blaster etc., some domestic operators have blocked port 445 and agreement family 135 ~ 139 for a long period, which aims to block the spread of worms. But at the same time, the information system users and maintainers cannot be their own security completely pinned on the operator’s security policy. As long as the relevant vulnerabilities exist, there are serious security risks. Therefore, vulnerability fixation and security policy reinforcement must be done as soon as possible.

2.  Will we be infected if accessing Internet with a wireless router?

We can not ensure that the wireless network operators must shield the relevant port, nor can guarantee the use of unified wireless routing of other nodes had not been infected. So no matter what kind of access to the Internet, users must patch security vulnerabilities and reinforce security policy first.

3. Is it safer that computers use the hotspot of mobile phones?

Because the phone is an external gateway, the computer will obtain an internal IP when using the hotspot of mobiles. Therefore, the computer will not be directly infected by the external infection nodes. However, it will bring in other security risks once the mobile devices are exposed.

4. Is home network safe? Is it only for business and education networks?

Based on the current analysis of the virus spreading policy, there is no clear orientation, that is, your terminals will be infected as long as they are detected by the infected nodes.

5. Can we still be infected even off line?

Before the relevant configuration reinforcement and patch upgrade, the computers should be off line. What you should first is to disconnect the other nodes, download Antiy immune and detecting tools and Microsoft corresponding patch by an online node firewall which enables the firewall. Then copying what you have downloaded to the offline system, connecting the Internet after disposal upgrade and restart.

6. Are there users reporting their phones infected? Does the PC user reflect the discrepancies found between the ransom displays and our report?

As of May 13, 2017, at 3 pm, Antiy has not monitored the mobile version of the family. But it is still possible to infected by other types of malicious code. In addition, if there are discrepancies showing out, you may be infected by other ransomware family.

If the mobile phone users encounter abnormalities, you can contact us through the following ways: Antiy Official Accounts, technical support email, Antiy MicroBlog, and emergency calls etc.

7. How to access Internet again when the computer is locked according to your XP security solution?

First of all, we apologize for the inconvenience to you. In this emergency case, Antiy can only provide a fast temporary solution.

What mentioned in the XP solution are only to open the firewall and stop three services, you can recover to form state to solve the above problem. Do as follows to reopen them: start Win+R command, type and execute in order.

net start rdr

net start srv

net start netbt

And then reboot the system.

Please visit this URL for free tools http://www.antiy.com/tools.html.

8. Can the computer avoid being infected by simply shutting it down?

You can avoid being infected, but the computer is used sooner or later. So it is recommended that you update the patch as soon as possible, turn on the firewall and turn off the port445.

9. Some users reflect that they cannot download patch via the URL.

There may be a large number of users to download the patch from Microsoft, but with a download failure. You can update the system patch to automatically upgrade. New version of Antiy immune tools will be packaged with the patch.

10. Is it necessary to close Port 10, 135,137,138,139?

If these ports are not needed, it is better to close. And the vulnerability leaked by Shadow Broker is exploited this time, and the other vulnerabilities may also be exploited by attackers. Far better to open the firewall in the system, and start the “Block all package commingin” mode. At present, we do not know what kind of exploit tools that superpower network arsenal hold, and whether these tools have been flowed into the black production. Therefore, all unused ports and services are suggested to close, which is the IT administrator’s job but also a good habit of individual users.

11. Am I secure after the patch updated?

Patch can only solve the corresponding vulnerabilities and there will be new vulnerabilities occur every month. Thus, it is suggested to use Antiy’s IEP or other host protection products with ransom protection, open Windows Firewall and close the unused port.

12. After Win10 is patched, is it necessary to manually close the port?

No, it is not at present, but please refer to our answers in above two questions.

13. When I am infected, are all the files not available? Can you decrypt? How to recover?

WannaCry uses the PKI algorithm for encryption, and the specific password protocol and the principle of key distribution mechanism are still in analysis. Basing on the existing information, it is not possible to decrypt. Some software (such as Office) may cache multiple versions during the editing, so there is the possibility of using data recovery software to recover a small amount of data.

14. How to protect Mac system?

The current malware will not infect the Mac system, but the Mac system is not absolutely safe. Any host system needs to use security products, upgrades timely, and optimizes security strategy.

15. I am a certain user of one website, I would like to know whether the website has also been infected. Am I will be infected through downloading data from it?

It has not yet been found that the virus has the property to replace relevant website files (but there have been similar viruses in the past, such as VBS.Haptime.A@mm). You should first do security scanning, and then download data from the Internet with the host protection software real-time monitoring. Please do not run any suspicious procedures easily.

16. Can you show me how does it spread? For example, are the computers that open the 445 port without ms17-010 patch in the LAN will be automatically infected? Or there must be a computer infected first, and then horizontally spread? Someone online said that the virus does not need to click manually.

The infected nodes send overflow data to the 445 port of random IP address. It can make other computers infected as long as connecting to the corresponding vulnerabilities in the system, no matter in the Intranet or outer network. Thus, if one computer is infected, the others will be quickly infected. This virus can spread and infect automatically without click.

17. Someone names it as Wanacry?

Antiy uses the original string WannaCry in the virus to name it. There may be naming differences for naming length limit or other reasons.

18. Who is the attacker?

There is no possible answer here and it is still undergoing analysis.