On the evening of May 12, networks around the world were attacked by a ransomware called WannaCry. The virus locked users' files and demanded payment in Bitcoin to restore access. By 17:00 on May 14, over 20 million users in more than 100 countries had been attacked, putting numerous organizations and enterprises out of normal operation. It is said that some elements of WannaCry come from the tools leaked from the NSA.
By May 15, WannaCrypt had attacked more than 100,000 enterprises and public organizations in over 100 countries, including 1,600 American organizations and 11,200 Russian ones. In China, the infected organizations and institutions cover almost every area and field, including universities and colleges, railway stations, self-service terminals, postal services, gas stations, hospitals and government service terminals, and the number of infected computers is still growing.
Quick response to recover customers' lost data
As China's leading digital-forensics and cyber-security company, Meiya Pico launched its first response team to deal with the event: 1) it posted protection guidance against the virus via its official channel, its public WeChat account; 2) its computer forensics research team worked around the clock on the features of the virus, and on the afternoon of the day after the attack (May 14) reached a remarkable breakthrough, finding out how the virus works: it reads a file into memory, encrypts it there, saves the encrypted file to the hard disk drive and deletes the source file. In other words, the source files are not encrypted in place but deleted by the ransomware; the encrypted file is a separate copy.
Based on these research results, Meiya Pico released new versions of two products, Recovery Master and Forensics Master, which support data recovery on infected computers and are able to recover most or even all data in specific circumstances. Both are now available for global users to download in Chinese and English versions. A small tool will also be released to the public to help users recover data.
SafeDog, a subsidiary of Meiya Pico dedicated to providing security services for enterprise servers and cloud servers, promptly released a warning and preliminary solutions when the incident broke out. It soon synchronized the Windows Server 2003 patch for EternalBlue to help large institutions in China defend against WannaCrypt. It is known that SafeDog had already issued a warning and released a version able to defend against WannaCrypt after the NSA leak last month. Related products were also comprehensively updated after the WannaCrypt incident. It is said that, until now, all servers protected by SafeDog are safe from this attack.
Meiya Pico racing against time to work out solutions
1、Raising the alarm
On the afternoon of May 13, Meiya Pico released via its official channel an article, "Several Pieces of Guidance to Prevent Ransom after the Ransomware Cyber-attack", telling victims to isolate their computers from the network to contain the virus, and advising users of uninfected computers to take measures to prevent being attacked.
Tips for protection
1. Use the system's firewall.
2. Close ports 445, 135, 137, 138 and 139.
3. Turn on automatic system updates.
4. Patch by hand.
5. Patch address: https://technet.microsoft.com/zh-cn/library/security/MS17-010;
patch address for Windows XP and Windows Server 2003, which are out of support: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?from=groupmessage&isappinstalled=0 (By 8:00 on May 15, the article had been read by over 100,000 people, which played an important role in preventing more users from being attacked.)
6. Use the EternalBlue fix tool to patch the flaw; the password of the zip file is www.meiyapico.com.
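The following script is an added example that applies tips 1 to 3 on a Windows 8 / Server 2012 or later host; it is not Meiya Pico's tool or the EternalBlue fix tool mentioned above. It assumes the NetSecurity PowerShell module is present and an elevated session. The rule names, the `$Ms17010Kb` list (to be filled in from the MS17-010 bulletin linked above, since the KB number differs per Windows version) and the report format are choices made here, not from the article.

```powershell
# Added example: apply the protection tips (firewall on, SMB/NetBIOS/RPC ports
# blocked, automatic updates on) and report whether the MS17-010 patch is present.
#Requires -RunAsAdministrator
param(
    # KB identifiers for MS17-010 on this OS, copied from the bulletin (placeholder list).
    [string[]]$Ms17010Kb = @()
)

$Ports = 135, 137, 138, 139, 445   # ports the guidance says to close

# Tip 1: make sure the built-in firewall is enabled for every network profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Tip 2: add explicit inbound block rules for the listed ports, TCP and UDP.
foreach ($proto in 'TCP', 'UDP') {
    $name = "WannaCry-Block-Inbound-$proto"          # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
    }
}

# Tip 3: make sure the Windows Update service is set to start automatically and is running.
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv

# Verification: show the block rules and any service still listening on the closed ports.
Get-NetFirewallRule -DisplayName 'WannaCry-Block-Inbound-*' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
$stillListening = Get-NetTCPConnection -State Listen | Where-Object LocalPort -in $Ports
if ($stillListening) {
    Write-Warning "Services still listen on closed ports (blocked by the firewall, not stopped):"
    $stillListening | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
}

# Patch check: compare installed hotfixes against the KB list supplied for this OS.
if ($Ms17010Kb.Count -eq 0) {
    Write-Warning "No MS17-010 KB numbers supplied; look them up for this OS and re-run."
} else {
    $installed = Get-HotFix | Where-Object HotFixID -in $Ms17010Kb
    if ($installed) { "MS17-010 patch present: $($installed.HotFixID -join ', ')" }
    else            { Write-Warning "MS17-010 patch NOT found; patch by hand (tips 4 and 5)." }
}
```

Blocking the ports at the firewall stops inbound connections but does not stop the SMB service itself, which is why the script reports what is still listening; the patch remains the real fix, and the block rules are a stopgap until it is applied.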
2、Research breakthrough after the virus outbreak
After the outbreak, the Meiya Pico computer forensics team worked day and night to race against time. On the evening of May 14, the team found out how the attack works and wrote two guides on data recovery. Free data recovery software for global users was immediately released via Meiya Pico's official channel, its public WeChat account. The article was viewed by over 150,000 people. Meanwhile, online technical service kept working 24 hours a day to provide support and assistance to our customers.
3、Keeping a close eye on its trend
Meiya Pico is going to release more tools to help users protect themselves from the attack, and will keep a close eye on the latest developments so as to supply effective, coordinated solutions.
Technical breakthrough details
1. Research on the WannaCry encryption process
The Meiya Pico computer forensics team used a virtual machine to simulate a system being infected: create a new virtual machine and copy several test documents and the virus sample into it.
Then run the virus sample. The team observed that, in the directory of the test files, new files appeared whose names are the original file names with a .WNCRY suffix. The Desktop registry key may also get a modified sub-key for the wallpaper, which is later changed to the !WannaCryptor!.bmp image.
Over time, the original files in the system are deleted, leaving only the encrypted files and the screen telling you to pay the ransom. Files infected by WannaCry are encrypted with a combination of AES and RSA, which is very difficult to brute-force.
At this point the principle of operation of the virus was clear: read the source file into memory, complete the encryption there, write the result to the hard disk, delete the source file and keep the encrypted file. Note: the original files are not encrypted in place but deleted by the attackers; the file left on disk is the encrypted copy made in memory.
2. Testing data recovery methods on infected computers
After learning how the virus works, the team tested and successfully implemented two ways to save the data.
2.1. Recovery through the file system's deleted-file recovery principle
The WannaCry virus deletes the original files through the normal file deletion process, so recovery can be attempted the way deleted files are normally recovered from the file system. This is also the approach some domestic security companies currently provide. The limitation of this approach is that the original file's data must not have been overwritten by new data; if many file reads and writes have happened since, recovery may fail. This method is therefore not reliable.
2.2. Recovery from volume shadow copy data
When the data cannot be recovered in the regular way, another method can still be tried: the Volume Shadow Copy Service. Volume shadow copy is a file backup service enabled by default in Windows. It was introduced in Windows XP / 2003 and enhanced in Windows Server 2003 / Vista. In all versions of Windows 7/8/8.1/10 it is enabled by default, and historical versions of files are saved under certain conditions.
According to reports on the Internet, after running, the WannaCry virus encrypts specific types of files and also removes the volume shadow copy data from the system.
However, in our researchers' actual testing, on some versions (mainly 64-bit) the shadow copies were not wiped out.
If the infected computer still has volume shadow copy data, the relevant data can be "recovered" by reading and exporting the historical versions of the files in a certain way. If the computer made its default backup at boot the day before it was infected, 100% data recovery is quite likely.
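The script below is an added example of the shadow copy method described in 2.1 and 2.2; it is not Meiya Pico's Forensics Master or Recovery Master. It assumes an isolated Windows 7 or later host whose shadow copies survived, that the .WNCRY file name is the original name plus the suffix (as observed in section 1), and that recovered files are written to a separate drive. The paths `E:\Recovered` and `C:\ShadowMount` and the report layout are chosen for this example. It exposes the newest shadow copy through a read-only directory symlink, which is the standard way to browse a snapshot's contents, and copies out every original whose encrypted twin is found.

```powershell
# Added example: recover originals of *.WNCRY files from the newest surviving
# volume shadow copy. The snapshot itself is never modified.
#Requires -RunAsAdministrator
param(
    [string]$Volume      = 'C:\',           # infected volume
    [string]$SearchRoot  = 'C:\Users',      # where to look for encrypted files
    [string]$Destination = 'E:\Recovered',  # separate drive for recovered files (constructed path)
    [string]$MountPoint  = 'C:\ShadowMount' # symlink used to browse the snapshot
)

# 1. Enumerate shadow copies of the volume (the same set `vssadmin list shadows` prints).
$volId   = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume.TrimEnd('\')).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object VolumeName -eq $volId |
           Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning "No shadow copies survive for $Volume; try deleted-file recovery instead."; return }
$latest = $shadows[0]
"Using shadow copy from $($latest.InstallDate): $($latest.DeviceObject)"

# 2. Expose the snapshot via a directory symlink to its device object
#    (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN). The trailing backslash is required.
if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint }
cmd /c mklink /d $MountPoint "$($latest.DeviceObject)\" | Out-Null

# 3. For each encrypted file, derive the original path and look it up in the snapshot.
$report = foreach ($enc in Get-ChildItem -Path $SearchRoot -Recurse -Filter '*.WNCRY' -File -ErrorAction SilentlyContinue) {
    $origPath = $enc.FullName -replace '\.WNCRY$', ''     # strip the ransomware suffix
    $rel      = $origPath.Substring($Volume.Length)        # path relative to the volume root
    $inShadow = Join-Path $MountPoint $rel
    $found    = Test-Path -LiteralPath $inShadow
    if ($found) {
        $target = Join-Path $Destination $rel
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $inShadow -Destination $target -Force
    }
    [pscustomobject]@{ Encrypted = $enc.FullName; Original = $origPath; RecoveredFromShadow = $found }
}

# 4. Summarize, then remove the symlink (the shadow copy is left in place).
$report | Format-Table -AutoSize
$recovered = @($report | Where-Object RecoveredFromShadow).Count
"{0} encrypted files found, {1} originals recovered to {2}" -f @($report).Count, $recovered, $Destination
cmd /c rmdir $MountPoint
```

Files absent from the snapshot (created or changed after it was taken) are reported but not recovered; for those, only the deleted-file recovery of 2.1 remains, which is why the script should run before any further writes to the infected volume.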
3. WannaCry data recovery operation
To make the operation easier for users, and based on the results of the research and tests, Meiya Pico's technical researchers added a special function to a special edition of the company's forensics products, "Forensics Master" and "Recovery Master", which supports one-click analysis of a computer infected by WannaCry and carries out both data recovery methods. (A special note before operation: if a computer is infected with the virus, disconnect it from the network immediately to avoid further spread of the infection. We suggest performing the recovery in a read-only environment.)
Before recovery, create an image file of the infected hard drive, or simply remove the infected hard drive and connect it through a write blocker to another, uninfected computer, and install Forensics Master on that computer.