This manual is not intended for technical specialists, therefore:

1. definitions of some terms are simplified;
2. technical details are not considered;
3. system protection methods (installing updates, configuring security systems, etc.) are not considered.

The instruction was written by me to help system administrators who want to train company employees who are far from the IT sphere (accounting, personnel, salespeople, etc.), in the basics of cyber hygiene.

Glossary

Software(hereinafter - software) - a program or set of programs used to control a computer.

Encryption is the transformation of data into a form that is unreadable without an encryption key.

Encryption key is secret information used when encrypting/decrypting files.

Decoder- a program that implements the decryption algorithm.

Algorithm- a set of instructions describing the procedure for the performer to achieve some result.

mail attachment- a file attached to an email.

Extension(file name extension) is a sequence of characters added to the file name and used to identify the file type (for example, *.doc, *.jpg). According to the type of files, a certain program will be used to open them. For example, if the file extension is *.doc, then MS Word will be launched to open it, if it is *.jpg, then the image viewer will be launched, etc.

Link(or more precisely, a hyperlink) is a part of a document web page that refers to another element (command, text, title, note, image) in the document itself or to another object (file, directory, application) located on a local disk or in computer network.

Text file is a computer file containing text data.

Archiving- this is compression, that is, reducing the size of the file.

Backup copy— a file or a group of files created as a result of information backup.

Backup- the process of creating a copy of data on a medium (hard disk, floppy disk, etc.) designed to restore data to its original or new storage location in case of damage or destruction.

Domain(domain name) - a name that makes it possible to access Internet sites and network resources located on them (websites, e-mail servers, other services) in a form convenient for a person. For example, instead of 172.217.18.131, enter google.com.ua, where ua, com, google are domains of different levels.

What is a ransomware virus?

ransomware virus(hereinafter referred to as ransomware) is malicious software that encrypts user files and demands a ransom for decryption. The most commonly encrypted file types are MS Office documents and spreadsheets ( docx, xlsx), Images ( jpeg, png, tif), video files ( avi, mpeg, mkv etc.), documents in the format pdf etc., as well as database files - 1C ( 1CD, dbf), Accent ( mdf). System files and programs are usually unencrypted to keep Windows running and give the user a chance to contact ransomware. In rare cases, the entire disk is encrypted; in this case, Windows cannot be loaded.

What is the danger of such viruses?

In the vast majority of cases, decryption on your own is IMPOSSIBLE, because. extremely complex encryption algorithms are used. In very rare cases, files can be decrypted if an infection with an already known type of virus has occurred, for which antivirus manufacturers have released a decryptor, but even in this case, information recovery is not 100% guaranteed. Sometimes a virus has a flaw in its code, and decryption becomes impossible in principle, even by the author of the malware.

In the vast majority of cases, after encoding, the encryptor deletes the original files using special algorithms, which excludes the possibility of recovery.

Another dangerous feature of viruses of this kind is that quite often they are “invisible” to antiviruses, because The algorithms used for encryption are also used in many legal programs (for example, client-bank), which is why many encryptors are not perceived by antiviruses as malware.

Ways of infection.

Most often, infection occurs through email attachments. The user receives an e-mail from an addressee known to him or disguised as an organization (tax office, bank). The letter may contain a request to conduct an accounting reconciliation, confirm the payment of an invoice, an offer to familiarize yourself with a credit debt in a bank, or something similar. That is, the information will be such that it will certainly interest or frighten the user and encourage them to open the email attachment with the virus. Most often, it will look like an archive containing a *.js, *.scr, *.exe, *.hta, *.vbs, *.cmd, *.bat file. After launching such a file, immediately or after some time, the process of encrypting files on the PC begins. Also, an infected file can be sent to the user in one of the programs for instant messaging (Skype, Viber, etc.).

Less often, infection occurs after installing hacked software or after clicking on an infected link on a website or in the body of an email.

It should be borne in mind that very often, after infecting one PC on the network, a virus can spread to other machines using vulnerabilities in Windows and/or installed programs.

Signs of infection.

1. Very often, after launching the file attached to the letter, there is a high activity of the hard disk, the processor is loaded up to 100%, i.e. The computer starts to slow down a lot.
2. Some time after the virus is launched, the PC suddenly restarts (in most cases).
3. After the reboot, a text file opens, which reports that the user's files are encrypted and indicates contacts for communication (e-mail). Sometimes, instead of opening the file, the desktop wallpaper is replaced with ransom text.
4. Most of the user's files (documents, photos, databases) end up with a different extension (for example, *.breaking_bad, *.better_call_soul, *.vault, *.neutrino, *.xtbl, etc.) or are completely renamed, and do not open any program, even if you change the extension. Sometimes the entire hard drive is encrypted. In this case, Windows does not boot at all, and the ransom message is shown almost immediately after turning on the PC.
5. Sometimes all user files are placed in one password-protected archive. This happens if an attacker penetrates the PC and archives and deletes files manually. That is, when a malicious file is launched from an email attachment, the user's files are not automatically encrypted, but software is installed that allows an attacker to secretly connect to a PC via the Internet.

Ransom text example

What to do if the infection has already occurred?

1. If the encryption process started in your presence (the PC is very “slow”; a text file with a message about encryption was opened; files began to disappear, and their encrypted copies began to appear instead), you should IMMEDIATELY turn off the power to the computer by unplugging the power cord or holding it for 5 seconds. power button. Perhaps this will save some of the information. DO NOT RESTART PC! OFF ONLY!
2. If encryption has already taken place, in no case should you try to cure the infection yourself, or delete or rename encrypted files or files created by the ransomware.

In both cases, you should immediately report the incident to the system administrator.

IMPORTANT!!!

Do not try to independently negotiate with the attacker through the contacts provided by him! At best, this is useless; at worst, it can increase the amount of the ransom for decryption.

How to prevent infection or minimize its consequences?

1. Do not open suspicious emails, especially those with attachments (see below for how to recognize such emails).
2. Do not click on suspicious links on websites and in emails you receive.
3. Do not download or install programs from untrusted sources (websites with hacked software, torrent trackers).
4. Always back up important files. The best option would be to store backups on another medium that is not connected to the PC (flash drive, external drive, DVD drive), or in the cloud (for example, Yandex.Disk). Often, the virus also encrypts archive files (zip, rar, 7z), so storing backups on the same PC where the original files are stored is pointless.

How to recognize a malicious email?

1. The subject and content of the letter are not related to your professional activities. For example, an office manager received a letter about a tax audit, an invoice, or a resume.

2. The letter contains information that is not related to our country, region or area of ​​activity of our company. For example, a requirement to repay a debt in a bank registered in the Russian Federation.

3. Often a malicious email is designed as an alleged response to some of your emails. At the beginning of the subject of such a letter, there is a combination of "Re:". For example, "Re: Invoice", although you know for sure that you did not send letters to this address.

4. The letter allegedly came from a well-known company, but the address of the sender of the letter contains meaningless sequences of letters, words, numbers, extraneous domains that have nothing to do with the official addresses of the company mentioned in the text of the letter.

5. The "To" field contains an unknown name (not your mailbox), a set of incoherent characters, or a duplicate name of the sender's mailbox.

6. In the text of the letter, under various pretexts, the recipient is asked to provide or confirm any personal or proprietary information, download a file or follow a link, while reporting on the urgency or any sanctions in case of failure to follow the instructions specified in the letter.

7. The archive attached to the letter contains *.js, *.scr, *.exe, *.hta, *.vbs, *.cmd, *.bat, *.iso files. It is also very common to mask a malicious extension. For example, in the file name "Accounts receivable.doc.js", *.doc is a false extension that does not carry any functionality, and *.js is the real extension of the virus file.

8. If the letter came from a well-known sender, but the style of the letter and literacy are very different, this is also a reason to be wary. As well as uncharacteristic content - for example, a client received a request to pay a bill. In this case, it is better to contact the sender via another communication channel (phone, Skype), since it is likely that his PC was hacked or infected with a virus.

An example of a malicious email

The new ransomware malware WannaCry (also known as WannaCry Decryptor, WannaCrypt, WCry and WanaCrypt0r 2.0) made itself known to the world on May 12, 2017, when files on computers in several healthcare institutions in the UK were encrypted. As it soon became clear, companies in dozens of countries found themselves in a similar situation, and Russia, Ukraine, India, and Taiwan suffered the most. According to Kaspersky Lab, on the first day of the attack alone, the virus was detected in 74 countries.

Why is WannaCry dangerous? The virus encrypts various types of files (given the .WCRY extension, the files become completely unreadable) and then demands a ransom of $600 for decryption. To speed up the money transfer procedure, the user is intimidated by the fact that in three days the ransom amount will increase, and after seven days, the files will not be able to be decrypted at all.

The threat of infection with the WannaCry ransomware virus affects computers based on Windows operating systems. If you use licensed versions of Windows and regularly update your system, then you don’t have to worry that a virus will enter your system in this way.

Users of MacOS, ChromeOS and Linux, as well as iOS and Android mobile operating systems, should not be afraid of WannaCry attacks at all.

What to do if you become a victim of WannaCry?

The UK National Crime Agency (NCA) recommends that small businesses that are victims of ransomware and are concerned about the spread of the virus online take the following actions:

• Isolate your computer, laptop, or tablet from the corporate/internal network immediately. Turn off Wi-Fi.
• Change drivers.
• Without connecting to a Wi-Fi network, directly connect your computer to the Internet.
• Update your operating system and all other software.
• Update and run your antivirus.
• Reconnect to the network.
• Monitor network traffic and/or run a virus scan to make sure the ransomware is gone.

Important!

Files encrypted by the WannaCry virus cannot be decrypted by anyone except intruders. Therefore, do not waste time and money on those "IT geniuses" who promise to save you from this headache.

Is it worth paying money to attackers?

The first questions asked by users who have encountered the new WannaCry ransomware virus are: how to recover files and how to remove a virus. Not finding free and effective solutions, they are faced with a choice - to pay money to the extortionist or not? Since users often have something to lose (personal documents and photo archives are stored on the computer), the desire to solve the problem with the help of money really arises.

But the NCA urges notpay money. If you still decide to do this, then keep in mind the following:

• First, there is no guarantee that you will get access to your data.
• Secondly, your computer may still be infected with a virus even after payment.
• Thirdly, you will most likely just give your money to cybercriminals.

How to protect yourself from WannaCry?

What actions to take to prevent infection with the virus, explains Vyacheslav Belashov, head of the department for the implementation of information security systems at SKB Kontur:

The peculiarity of the WannaCry virus is that it can penetrate the system without human intervention, unlike other ransomware viruses. Previously, for the virus to work, it was required that the user was inattentive - he followed a dubious link from an email that was not really intended for him, or downloaded a malicious attachment. In the case of WannaCry, a vulnerability is exploited that exists directly in the operating system itself. Therefore, Windows-based computers that did not install the March 14, 2017 updates were the first to be at risk. One infected workstation from the local network is enough for the virus to spread to the others with the existing vulnerability.

Users affected by the virus have one main question - how to decrypt their information? Unfortunately, there is no guaranteed solution yet, and it is unlikely to be foreseen. Even after paying the specified amount, the problem is not solved. In addition, the situation may be aggravated by the fact that a person, in the hope of recovering his data, risks using supposedly “free” decryptors, which in reality are also malicious files. Therefore, the main advice that can be given is to be careful and do everything possible to avoid such a situation.

What exactly can and should be done at the moment:

1. Install the latest updates.

This applies not only to operating systems, but also to anti-virus protection tools. Information on updating Windows can be found.

2. Make backup copies of important information.

3. Be careful when working with mail and the Internet.

Pay attention to incoming emails with questionable links and attachments. To work with the Internet, it is recommended to use plugins that allow you to get rid of unnecessary advertising and links to potentially malicious sources.

Modern technologies allow hackers to constantly improve the ways of fraud in relation to ordinary users. As a rule, virus software that penetrates a computer is used for these purposes. Encryption viruses are considered especially dangerous. The threat lies in the fact that the virus spreads very quickly, encrypting files (the user simply cannot open any document). And if it is quite simple, then it is much more difficult to decrypt the data.

What to do if a virus has encrypted files on your computer

Everyone can be attacked by a ransomware, even users who have powerful antivirus software are not insured. File encryptor trojans are represented by different code, which may be beyond the power of the antivirus. Hackers even manage to attack in this way large companies that have not taken care of the necessary protection of their information. So, having “picked up” a ransomware program online, you need to take a number of measures.

The main signs of infection are the slow operation of the computer and the change in the names of documents (you can see it on the desktop).

1. Restart your computer to stop encryption. When enabled, do not confirm the launch of unknown programs.
2. Run the antivirus if it has not been attacked by ransomware.
3. In some cases, shadow copies will help restore information. To find them, open the "Properties" of the encrypted document. This method works with the encrypted data of the Vault extension, which has information on the portal.
4. Download the latest anti-crypto virus utility. The most effective ones are offered by Kaspersky Lab.

Encryption viruses in 2016: examples

When fighting any virus attack, it is important to understand that the code changes very often, supplemented by new antivirus protection. Of course, protection programs need some time until the developer updates the databases. We have selected the most dangerous encryption viruses of recent times.

Ishtar ransomware

Ishtar is a ransomware that extorts money from the user. The virus was noticed in the autumn of 2016, infecting a huge number of computers of users from Russia and a number of other countries. It is distributed using email distribution, which contains attached documents (installers, documents, etc.). Data infected with the Ishtar ransomware gets the prefix "ISHTAR" in the name. The process creates a test document that indicates where to go to get the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus software companies need time to decipher all the code. Now you can only isolate important information (if they are of particular importance) on a separate medium, waiting for the release of a utility capable of decrypting documents. It is recommended to reinstall the operating system.

Neitrino

The Neitrino ransomware appeared on the Internet in 2015. By the principle of attack, it is similar to other viruses of this category. Changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decipher - far from all representatives of antivirus companies undertake this, referring to a very complex code. Restoring a shadow copy may help some users. To do this, right-click on the encrypted document, go to "Properties", tab "Previous Versions", click "Restore". It will not be superfluous to use the free utility from Kaspersky Lab.

Wallet or .wallet.

The Wallet encryption virus appeared at the end of 2016. During the infection process, it changes the name of the data to "Name..wallet" or similar. Like most ransomware viruses, it enters the system through email attachments sent by hackers. Since the threat appeared quite recently, antivirus programs do not notice it. After encryption, it creates a document in which the fraudster specifies the mail for communication. Currently, anti-virus software developers are working on decrypting the code of the ransomware virus. [email protected] Attacked users can only wait. If the data is important, it is recommended to save it to an external drive by cleaning the system.

Enigma

The Enigma encryption virus started infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model, which is found in most ransomware today. The virus penetrates the computer using a script that the user himself runs by opening files from a suspicious email. There is still no universal remedy for dealing with the Enigma cipher. Users who have a license for an antivirus can ask for help on the official website of the developer. A small "loophole" was also found - Windows UAC. If the user clicks "No" in the window that appears during the virus infection, they can later restore information using shadow copies.

Granite

The new ransomware virus Granit appeared on the Web in the fall of 2016. Infection occurs according to the following scenario: the user launches an installer that infects and encrypts all data on the PC and connected drives. Fighting the virus is difficult. To remove it, you can use special utilities from Kaspersky, but the code has not yet been decrypted. Restoring previous versions of the data may help. In addition, a specialist who has extensive experience can decrypt, but the service is expensive.

Tyson

Was seen recently. It is an extension of the already well-known no_more_ransom ransomware, which you can learn about on our website. Gets to personal computers from e-mail. Many corporate PCs have been attacked. The virus creates a text document with instructions to unlock, offering to pay a "ransom". The Tyson ransomware has recently appeared, so there is no unlock key yet. The only way to restore information is to return previous versions if they have not been deleted by a virus. You can, of course, take a risk by transferring money to the account indicated by the attackers, but there is no guarantee that you will receive a password.

Spora

In early 2017, a number of users fell victim to the new Spora ransomware. According to the principle of operation, it does not differ much from its counterparts, but boasts a more professional performance: instructions for obtaining a password are better written, the website looks prettier. Created Spora ransomware in C language, uses a combination of RSA and AES to encrypt victim data. As a rule, the computers on which the 1C accounting program is actively used were attacked. The virus, hiding under the guise of a simple invoice in .pdf format, forces company employees to launch it. No cure has been found yet.

1C.Drop.1

This encryption virus for 1C appeared in the summer of 2016, disrupting the work of many accounting departments. It was developed specifically for computers that use 1C software. Getting through a file in an email to a PC, it prompts the owner to update the program. Whichever button the user presses, the virus will start encrypting files. Dr.Web specialists are working on decryption tools, but so far no solution has been found. This is due to the complex code, which can be in several modifications. The only protection against 1C.Drop.1 is the vigilance of users and the regular archiving of important documents.

da_vinci_code

A new ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors by improved code and strong encryption mode. da_vinci_code infects a computer thanks to an executable application (usually attached to an e-mail), which the user independently launches. The da Vinci coder (da vinci code) copies the body to the system directory and registry, ensuring that it starts automatically when Windows is turned on. Each victim's computer is assigned a unique ID (helps to get the password). It is almost impossible to decrypt the data. You can pay money to attackers, but no one guarantees that you will receive the password.

[email protected] / [email protected]

Two email addresses that often accompanied ransomware in 2016. They serve to connect the victim with the attacker. Addresses were attached to a variety of types of viruses: da_vinci_code, no_more_ransom, and so on. It is highly not recommended to contact, as well as transfer money to scammers. Users in most cases remain without passwords. Thus, showing that attackers ransomware works, generating income.

Breaking Bad

Appeared at the beginning of 2015, but actively spread only a year later. The principle of infection is identical to other ransomware: installation of a file from an email, data encryption. Conventional antiviruses usually do not notice the Breaking Bad virus. Some code cannot bypass Windows UAC, so the user is still able to restore previous versions of documents. The decoder has not yet been presented by any company developing anti-virus software.

XTBL

A very common ransomware that caused trouble for many users. Once on a PC, the virus changes the file extension to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Some strains of the XTBL virus cannot destroy system restore files, allowing important documents to be recovered. The virus itself can be removed by many programs, but it is very difficult to decrypt documents. If you own a licensed antivirus, use technical support by attaching samples of infected data.

Kukaracha

The Kukaracha cipher was spotted in December 2016. A virus with an interesting name hides user files using the RSA-2048 algorithm, which is highly resistant. Kaspersky Anti-Virus identified it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that other documents are not infected. However, infected ones are almost impossible to decrypt today (a very powerful algorithm).

How ransomware works

There are a huge number of ransomware, but they all work on a similar principle.

1. Access to a personal computer. As a rule, thanks to the attached file to the e-mail. The installation is initiated by the user himself by opening the document.
2. File infection. Almost all types of files are encrypted (depending on the virus). A text document is created that contains contacts for communication with intruders.
3. Everything. The user cannot access any document.

Remedies from popular laboratories

The widespread use of ransomware, which is recognized as the most dangerous threat to user data, has become an impetus for many antivirus labs. Every popular company provides its users with programs that help them fight ransomware. In addition, many of them help with the decryption of documents protected by the system.

Kaspersky and encryption viruses

One of the most famous anti-virus laboratories in Russia and the world today offers the most effective means to combat ransomware viruses. The first obstacle for the ransomware virus will be Kaspersky Endpoint Security 10 with the latest updates. The anti-virus simply will not allow the threat to enter the computer (however, new versions may not be stopped). To decrypt information, the developer presents several free utilities at once: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help to find the virus and pick up the password.

Dr. Web and ransomware

This lab recommends using their anti-virus program, whose main feature is file backup. The storage with copies of documents is also protected from unauthorized access by intruders. The owners of the licensed product Dr. Web, the function of contacting technical support for help is available. True, even experienced specialists cannot always resist this type of threat.

ESET Nod 32 and ransomware

This company did not stand aside either, providing its users with good protection against viruses entering the computer. In addition, the laboratory has recently released a free utility with up-to-date databases - Eset Crysis Decryptor. The developers claim that it will help in the fight against even the newest ransomware.

It continues its oppressive march on the Web, infecting computers and encrypting important data. How to protect yourself from ransomware, protect Windows from ransomware - are patches, patches released to decrypt and cure files?

New ransomware virus 2017 Wanna Cry continues to infect corporate and private PCs. At $1 billion in damage from virus attack. In 2 weeks, the ransomware virus infected at least 300 thousand computers despite warnings and security measures.

What is ransomware 2017- as a rule, you can "pick up", it would seem, on the most harmless sites, for example, banking servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 system folder. From there, the program immediately disables the antivirus and goes to "Autorun"". After each reboot, the encryption program starts in the registry starting his dirty work. The ransomware starts downloading similar copies of programs like Ransom and Trojan. It also often happens ransomware self-replication. This process can be momentary, or it can take weeks - until the victim notices something was wrong.

The ransomware often disguises itself as ordinary pictures, text files, but the essence is always the same - this is an executable file with the extension .exe, .drv, .xvd; sometimes - libraries.dll. Most often, the file has a completely harmless name, for example " document. doc", or " picture.jpg”, where the extension is written manually, and the true file type is hidden.

After the encryption is completed, the user sees instead of familiar files a set of "random" characters in the name and inside, and the extension changes to a hitherto unknown - .NO_MORE_RANSOM, .xdata other.

2017 Wanna Cry ransomware virus – how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all ransomware and ransomware viruses, as it has recently infected computers most often. So, let's talk about Protect yourself from Ransom Ware ransomware, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware. – EternalBlue via SMB port protocol.

Windows ransomware protection 2017 - basic rules:

• Windows update, timely transition to a licensed OS (Note: XP version is not updated)
• updating anti-virus databases and firewalls on demand
• utmost care when downloading any files (cute "cats" can result in the loss of all data)
• backing up important information to removable media.

Ransomware virus 2017: how to cure and decrypt files.

Relying on anti-virus software, you can forget about the decryptor for a while. In laboratories Kaspersky, Dr. Web, Avast! and other antiviruses no solution found for curing infected files. At the moment, it is possible to remove the virus using an antivirus, but there are no algorithms to return everything “to normal” yet.

Some try to use decryptors like the RectorDecryptor utility but this won't help: algorithm for decrypting new viruses has not yet been compiled. It is also absolutely unknown how the virus will behave if it is not removed after the use of such programs. Often this can result in the erasure of all files - as a warning to those who do not want to pay the attackers, the authors of the virus.

At the moment, the most effective way to recover lost data is to contact those. support from the vendor of the antivirus program you are using. To do this, send a letter, or use the feedback form on the manufacturer's website. Be sure to add the encrypted file to the attachment and, if any, a copy of the original. This will help programmers in drawing up the algorithm. Unfortunately, for many, a virus attack comes as a complete surprise, and copies are not found, which complicates the situation at times.

Cardiac methods of treating Windows from ransomware. Unfortunately, sometimes you have to resort to full formatting of the hard drive, which entails a complete change of the OS. Many will think of restoring the system, but this is not an option - even there is a “rollback” that will allow you to get rid of the virus, then the files will still remain encrypted.

On April 12, 2017, information appeared about the rapid spread of an encryption virus called WannaCry around the world, which can be translated as “I want to cry.” Users have questions about updating Windows from the WannaCry virus.

A virus on a computer screen looks like this:

The bad WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom of $300 or $600 to the Bitcoin wallet to supposedly decrypt the computer. Computers in 150 countries of the world were infected, the most affected is Russia.

MegaFon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other companies came face to face with this virus. Among the victims are ordinary Internet users.

Almost everyone is equal in front of the virus. The difference, perhaps, is that in companies the virus spreads throughout the local network within the organization and instantly infects the maximum possible number of computers.

The WannaCry virus encrypts files on computers running Windows. Back in March 2017, Microsoft released MS17-010 updates for various versions of Windows XP, Vista, 7, 8, 10.

It turns out that those who have automatic Windows updates configured are out of the risk zone for the virus, because they received the update in a timely manner and were able to avoid it. I'm not going to claim that this is actually the case.

Rice. 3. Message when installing update KB4012212

After installation, the KB4012212 update required a restart of the laptop, which I didn’t really like, because it’s not known how this could end, but where should the user go? However, the reboot went well. This means that we live in peace until the next virus attack, and, alas, there is no doubt that such attacks will take place.

In any case, it is important to have a place to restore the operating system and your files from.

Windows 8 update from WannaCry

For a laptop with licensed Windows 8, update KB 4012598 was installed, because