
What should I do if my server is infected with the Bitcoin ransomware virus? Attached is a ransomware solution

PHPz (original), 2017-05-16 11:21:40

Congratulations: if you are looking at this screen, you have hit the jackpot. It means your server has been hit by the so-called "Bitcoin ransomware" and every web file on it has been encrypted. The note usually demands 3 Bitcoin for decryption; at the time of writing one Bitcoin is roughly 10,000 yuan, so that is more than 30,000 yuan. The screen looks like this:

[Screenshot: the ransom note displayed on the infected server]

The latest report from the National Network and Information Security Information Reporting Center:

Monitoring has found that a variant of the WannaCry ransomware, which has broken out worldwide, has appeared: WannaCry 2.0.

Unlike the earlier version, this variant removes the kill switch, so its spread can no longer be stopped by registering a domain name; it may spread faster.

Internet users are asked to install the relevant Windows patches as soon as possible. If a machine is already infected, disconnect it from the network immediately to prevent further spread.

Previous notification:

The National Network and Information Security Information Reporting Center earlier issued an emergency notification: at about 20:00 on 12 May 2017 a new worm-type ransomware broke out. Tens of thousands of computers in more than 100 countries and regions have been infected, including some users of Windows systems in China.

Computer users are asked to install the patch as soon as possible; it is available at https://technet.microsoft.com/zh-cn/library/security/MS17-010.aspx.

There is no official patch for Windows 2003 and XP. Users of those systems can enable the Windows Firewall, open "Advanced Settings" and disable "File and Printer Sharing", or use a personal firewall to close port 445 together with the other high-risk ports 135, 137, 138 and 139.

If a machine is already infected, disconnect it from the network immediately to prevent further spread.


Analysis: The threat of ransomware is far from gone

Cyber security experts point out that the large-scale ransomware attack broke out at about 8 pm Beijing time on Friday the 12th, and the network nodes of many domestic institutions and enterprises were shut down over the weekend, so bringing them back up on Monday the 15th will be a real security test. Many important systems sit on intranets that cannot reach the kill-switch domain mentioned above and may not be able to install security patches promptly, so they still face considerable risk.

The experts recommend disconnecting before powering on, that is, unplug the network cable first and then boot the machine; this largely avoids infection. Once the machine is up, apply the security patches, or install one of the defensive tools the security vendors have released for this outbreak, before reconnecting to the network.

Once this ransomware has got in, almost every kind of file on the host (photos, pictures, documents, audio, video) is encrypted and the extension of each encrypted file is changed to .WNCRY. A ransom dialog then pops up on the desktop demanding several hundred dollars' worth of Bitcoin be sent to the attacker's wallet, with the amount increasing over time.

Han Zhihui, a PhD engineer at the National Internet Emergency Center, said that the security industry has so far not been able to break the ransomware's encryption. Once a host has been compromised, the ransomware can only be removed with a dedicated removal tool or by reinstalling the operating system, and the user's important data files cannot be fully recovered.

What should I do if the server is infected by the Bitcoin ransomware virus?

Suggested solutions:

Beyond the notification center's recommendations, we have put together a temporary mitigation and walk through it step by step: how to configure the machine so that it does not get infected by the ransomware.

Temporary solution:

Turn on the system firewall.

In the firewall's advanced settings, block inbound connections to port 445 (this will break any service that relies on port 445, such as file and printer sharing).

Turn on automatic system updates, check for updates and install them. (Microsoft also released an out-of-band MS17-010 update, KB4012598, for Windows XP and Server 2003 shortly after the outbreak; install it on those systems.)

360 has released a "Bitcoin ransomware" immunity tool; download address: http://dl.360safe.com/nsa/nsatool.exe
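The temporary measures above, as an added PowerShell script (example code, not from the original article or from 360): it enables the firewall, blocks the SMB/NetBIOS ports the notification lists, disables the SMBv1 server, and checks whether an MS17-010 update is installed. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later; the rule names are this example's own, and the KB list is taken from the bulletin but should be checked against it for your exact build.

```powershell
# Added example (not from the original article): harden a Windows host against the
# SMBv1 / MS17-010 vector. Run as Administrator. Assumes Windows 8 / Server 2012 or
# later for the NetSecurity and SmbShare cmdlets; the netsh line covers older hosts.

# 1. Make sure the firewall is on for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 2. Block inbound SMB, NetBIOS and the RPC endpoint mapper on every profile.
#    As the article warns, this breaks file and printer sharing to this host.
$blocks = @(
    @{ Name = 'Block inbound TCP 445 (SMB)';         Protocol = 'TCP'; Port = 445 },
    @{ Name = 'Block inbound TCP 139 (NetBIOS)';     Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block inbound TCP 135 (RPC mapper)';  Protocol = 'TCP'; Port = 135 },
    @{ Name = 'Block inbound UDP 137-138 (NetBIOS)'; Protocol = 'UDP'; Port = '137-138' }
)
foreach ($b in $blocks) {
    if (-not (Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $b.Name -Direction Inbound -Action Block `
            -Protocol $b.Protocol -LocalPort $b.Port -Profile Any | Out-Null
    }
}
# Equivalent on Vista / 2008 / 7 hosts without the NetSecurity module:
# netsh advfirewall firewall add rule name="Block inbound TCP 445" dir=in action=block protocol=TCP localport=445

# 3. Turn off the SMBv1 server itself; the firewall rule is only a stopgap.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 4. Is one of the MS17-010 updates installed? KB numbers from the bulletin for
#    XP/2003/Vista/2008/8, 7/2008 R2, 8.1/2012 R2 and 2012; on Windows 10 later
#    cumulative updates supersede the original IDs, so an empty result there is not
#    proof of a missing patch.
$ms17010   = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217'
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    'MS17-010 present: ' + (($installed.HotFixID | Sort-Object -Unique) -join ', ')
} else {
    'No MS17-010 update found. Install it before reconnecting this host: ' +
    'https://technet.microsoft.com/library/security/MS17-010.aspx'
}

# 5. Confirm what is still listening on 445 after the change.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it while the machine is still unplugged, then reconnect only once the MS17-010 check passes. Blocking the ports stops the worm from reaching the host; only the patch or disabling SMBv1 removes the vulnerable code.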

Steps to restore data:

1: Remove the virus first

If you use free anti-virus software, 360 Security Guard 11 is recommended; at present it can detect and remove the encrypting virus, as shown in the figure.

[Screenshot: 360 Security Guard 11 detecting the encrypting virus]

Note: if the ransom note gives two contact mailboxes at india.com or aol.com (the "wallet" variant), the scan will find a file named payload_xxxx.exe.

2: Change the weak RDP (Remote Desktop) password that was in use before the infection; that weak credential is how the intruder got in, so a new strong password is the first thing to fix.
(Some people ask whether QWEasd!@# is really not strong enough. All I can say is that your boss pays you too little; a keyboard-walk password like that is no different from leaving the door open for the hackers.)

3: Recover the data
A: For XTBL-encrypted files, use Kaspersky's free decryptor: http://media.kaspersky.com/utilities/VirusUtilities/RU/rannohdecryptor.zip?_ga=1.69588624.1814211149.1453294100 (tested and working; back up the files before trying it so nothing is damaged).
B: wallet is a variant of XTBL. There is currently no decryptor for wallet-encrypted data; the only option is to pay the hackers in Bitcoin (their usual quote is 3 Bitcoin, about 30,000 RMB in total). If you do not urgently need the data, wait patiently for Kaspersky to release a decryptor. The more urgent the data, the more carefully you must weigh the risks; have professional, experienced people handle it.

Recovery case snapshot: a server with more than 700,000 files encrypted, each renamed with the suffix fly_goods@aol.com.wallet. The private key was bought and more than 600,000 files had been recovered after 4 hours 20 minutes; recovering all 700,000 takes about 5 hours, rebuilding the server environment at least a day, and getting everything back to normal an estimated 1 to 2 days. A word to the hackers: you even encrypt the .exe applications.

[Screenshot: file recovery in progress on the .wallet-encrypted server]

C: Better servers generally have a disk snapshot feature. Restore a snapshot from before the infection to minimise the loss, then enable the personal firewall and close port 445 and the other high-risk ports 135, 137, 138 and 139, install the necessary anti-virus software and apply the latest patches before putting the server back on the network.
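The RDP hardening from step 2 above, as an added PowerShell script (example code, not from the original article): it summarises failed logon events by source address to show who has been guessing passwords, turns on Network Level Authentication, sets an account-lockout policy, prompts for a new Administrator password and restricts port 3389 to an admin subnet. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later (for Set-LocalUser); the account name Administrator and the admin subnet 10.0.0.0/24 are assumptions to adjust.

```powershell
# Added example (not from the original article): RDP hardening after a .wallet infection.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016+.
# The account name 'Administrator' and the admin subnet 10.0.0.0/24 are assumptions.

# 1. Who has been guessing passwords? Failed logons (event 4625) from the last 24 hours,
#    grouped by source address. LogonType 10 = RemoteInteractive (RDP); NLA pre-auth
#    failures are logged as type 3 (network).
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
$failed | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Count,
    @{ n = 'Source'; e = { $_.Name } },
    @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Require Network Level Authentication: the client must authenticate before a session exists.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1

# 3. Lock the account after repeated failures so a QWEasd!@#-style dictionary
#    does not get unlimited tries (5 failures, 30-minute lockout and window).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Replace the weak password. Read it securely rather than leaving it in the command history.
$newPassword = Read-Host -Prompt 'New password for Administrator (long and random)' -AsSecureString
Set-LocalUser -Name 'Administrator' -Password $newPassword

# 5. Do not leave 3389 open to the whole Internet: allow RDP only from the admin subnet
#    and disable the built-in any-source rules. Run this from a session that will survive it.
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress '10.0.0.0/24' -Action Allow | Out-Null
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Run it from the console or from an address inside the admin subnet: the last two lines replace the built-in any-source RDP allow rules and will cut off a remote session coming from anywhere else. The 4625 summary is worth keeping from before the cleanup; a single source with thousands of failures against Administrator is the usual signature of the brute force that precedes this family's infections.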

