Virtual racketeering: can money stolen by a virus be recovered?

The ransomware WannaCryptor has extracted tens of thousands of dollars from users worldwide. RBC looked into whether victims of virus attacks can get their money back and how to protect yourself from such losses in the future.

Last week thousands of computers worldwide were infected with the new virus WannaCryptor (popularly called WannaCry, "want to cry"). It hit the servers of a number of companies and government agencies, as well as the operating systems of individuals. According to the social website Reddit, as of 16 May 2017 the creators of WannaCryptor had received almost $67 thousand from their victims.

As the experts surveyed by RBC note, WannaCryptor belongs to the class of encryptor viruses (ransomware). It does not steal money itself; it creates the conditions under which the victim pays (or does not pay) the attacker. "The virus encrypts files on the user's computer and then extorts money for their decryption," says Sergey Nikitin, deputy head of the computer forensics and malicious code research laboratory at Group-IB. "Usually people buy bitcoins and transfer them to the recipient; after that it is impossible to determine who receives the money."

Ransomware

According to Vyacheslav Medvedev, leading analyst in the development department at Doctor Web, these malicious programs are as a rule launched by the users themselves (from flash drives, or via links in e-mails and on websites). Exploiting the fact that you run with administrative rights and do not restrict the ability to install new software, these programs encrypt files on the local computer and on the network. "Pseudo-encryptors are also known: they simulate encryption, or encrypt or delete data with no possibility of decryption," says Medvedev. "Therefore paying is not recommended."

Representatives of antivirus vendors point out that their virus laboratories can decrypt files. "However, one must understand that recovery is possible only in some cases," warns Vitaly Zemsky, head of sales support at ESET Russia. "If the files were processed with complex encryption algorithms (WannaCryptor uses a hybrid RSA+AES scheme), then decryption is with high probability impossible." Anton Kardanov, head of information security at AT Consulting, adds that the deleted original files can also be recovered in some cases with the free utility Recuva.
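To show why the experts call decryption "with high probability impossible", here is an added example of the hybrid RSA+AES pattern in Go. It is not code from the article or from any vendor quoted in it, and it only works on bytes in memory. Each "file" gets a fresh random AES-256 key, the file is encrypted with AES-GCM, the AES key is wrapped with the attacker's RSA public key using OAEP, and the plaintext AES key is then discarded. The key pair, the sample file contents and the names Envelope, Seal and Open are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what a hybrid RSA+AES scheme leaves behind in place of a file:
// the ciphertext, the AES-GCM nonce and the per-file AES key wrapped with the
// attacker's RSA public key. No plaintext key is written anywhere on the victim's side.
type Envelope struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext, authentication tag included
}

// Seal encrypts data under a fresh random AES-256 key and wraps that key with pub.
// Only the holder of the matching private key can unwrap it afterwards.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // AES-256 key, unique per file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey goes out of scope here; it survives only inside wrapped.
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal. It needs the RSA private key to recover the per-file AES key;
// with any other key the OAEP unwrap fails and nothing about the file is learned.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Assumed attacker key pair. In a real incident only the public key ever reaches
	// the victim's machine; the private key stays with the attacker.
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	original := []byte("quarterly report: constructed sample file content") // constructed sample

	env, err := Seal(&attackerKey.PublicKey, original)
	if err != nil {
		panic(err)
	}
	recovered, err := Open(attackerKey, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip with the attacker's private key ok: %v\n", string(recovered) == string(original))

	// A victim or a lab holding only the envelope and some other key gets an error, not data.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(otherKey, env)
	fmt.Printf("decryption without the attacker's private key fails: %v\n", err != nil)
}
```

The point for a victim is that the disk holds only the wrapped key and the ciphertext: the AES key cannot be recovered from them without the private key, so a vendor laboratory can help only when a particular strain mishandles its keys (for example, leaves the AES key in memory or reuses it), not by breaking the cryptography itself.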

If the user has already paid for unlocking, getting the money back is impossible, according to the experts surveyed by RBC. "In the case of WannaCryptor nobody will return anything, that is certain," says Oleg Ilyukhin, director of the information technology department at SDM-Bank. "In this scheme the person himself confirms that he transferred the money." Antivirus vendors are not liable here either. "An antivirus cannot answer for the actions of users who launched a Trojan on their own and did not install updates," says Vyacheslav Medvedev of Doctor Web. "Typical mistakes that let malicious programs through are disabling the antivirus, disabling its check of running programs, refusing updates, using ancient versions, and so on."

Medvedev notes that no antivirus can, even in theory, know every piece of malware at the moment it appears. "If the system has a vulnerability, an antivirus will not save you," agrees Sergey Nikitin. "Companies track emerging viruses quickly, but there is always a certain time gap between the appearance of a virus and its arrival in the database."

Lawyers also believe that suing the company that released the antivirus makes no sense. "The relationship between the user and the developer over the installation and use of antivirus software carries no obligations providing for compensation of losses incurred as a result of fraudulent acts by third parties," says Elena Luzanova, member of the Moscow bar chamber. In addition, antivirus companies state in their licence agreements that they are not responsible for the software possibly being ineffective.

Suing the attackers is equally useless. "In practice the transfers go to accounts all over the world opened in the names of bogus individuals and legal entities," says Luzanova. "Finding the criminals will be extremely difficult." According to Nikita Kulikov, executive director of the legal consulting company HEADS, if the criminals are found and tried in a foreign country, Russian law enforcement bodies will probably send a request to the security service of the country where the criminal is being tried. However, in that case the chances of obtaining compensation become even more elusive, he said.

Banking Trojans

The chances of recovering money are higher if the user has run into another type of virus, known as banking Trojans. They steal logins and passwords for payment systems from their "victims", and also monitor and modify payment details, either while a payment is being formed or while it is being transmitted. "Banking Trojans have existed for a long time; they are aimed at obtaining the data needed to steal money," says Sergey Nikitin. "That is the login, the password and the one-time password that arrives by SMS." Such viruses are written both for PCs and for smartphones.

Under the law "On the national payment system", the bank must refund the amount of any transaction carried out without the client's consent, unless it is proven that the client violated the rules for using the means of payment. "After an unauthorised debit you should immediately contact the bank to report the problem and block the card," says Vitaly Zemsky. "Immediately after that, go to the nearest branch of your bank and file a statement disputing the transaction and requesting a refund." The bank is then obliged to conduct an internal investigation of the incident and, if the customer is in the right, to return the money.

A representative of the press service of TCS Bank told RBC that the credit institution usually compensates customers for losses from fraud. This happens if the bank can clearly establish that a virus was involved in the disputed transactions and if the client did not give the attackers the card details, one-time passwords or other identification data. However, Oleg Ilyukhin points out that such cases are usually tied to a lack of protection on the client's computer. "Often it turns out that the client has no antivirus program installed or has not updated the operating system," he says.

If the bank officially refuses to reimburse, Vitaly Zemsky advises going to the police with a fraud report, as well as to the prosecutor's office and the court. However, Pavel Khlystov, partner at the bar association "Barshchevsky and Partners", notes that current judicial practice proceeds from the position that the bank is not responsible for the illegal withdrawal of a client's funds if, in the disputed transaction, the attackers used a valid username and password.

If the client lost money because of a hacker attack on the bank itself rather than on the client's computer, the outlook is better. In that case the bank is obliged to compensate the full amount debited from the account. "Objections from the bank that the loss of funds was caused by the criminal actions of persons unrelated to the bank have no legal significance," says Khlystov. "The bank, as a professional market participant, must be accountable to the client regardless of whose actions led to the illegal withdrawal of funds."

How to protect your wallet

The experts surveyed by RBC are unanimous that it is far better to take care of antivirus protection in advance. First of all, it is important to use a current operating system, one that still receives security updates. "Do not use versions of Microsoft Windows that are no longer supported by the manufacturer," says Vitaly Zemsky. "Until outdated operating systems are replaced, install the update that Microsoft released for Windows XP, Windows 8 and Windows Server 2003."

It is important to update all the programs the device owner runs on top of the operating system: browsers and their plugins, and all application software. In addition, the antivirus program itself must be updated promptly.

Sergey Nikitin noted that it is also desirable to work on the computer with user rights rather than administrator rights. This greatly reduces the likelihood of any automatic intrusion. Vyacheslav Medvedev of Doctor Web advises disabling all unused services in the operating system, and also backing up data and not keeping the backups on the same computer as the files, since Trojans successfully delete such copies. "As for smartphones, install apps only from the official app store. Second, the smartphone must have a current version of Android, 6.0 or newer," Nikitin concludes.


The global cyber attack using the WannaCryptor (WannaCry) virus began on 12 May. According to Europol, the ransomware has so far infected more than 200 thousand computers in 150 countries.

WannaCry encrypts user files, after which they become unusable, and demands a ransom from victims for decryption. Victims are told to transfer a certain amount in bitcoin to the specified wallet. In US dollar terms the ransom is normally in the range of $200 to $600.

In Russia the attack hit, among others, the computers of government agencies and companies, including Russian Railways, the Ministry of Health, Sberbank, the Emergencies Ministry, the Interior Ministry and the company MegaFon. In addition, as Security Council secretary Nikolai Patrushev announced on 16 May, the Republic of Tatarstan was among the regions most affected by the massive cyber attacks.

According to the social website Reddit, the creators of the WannaCry ransomware have so far received more than $67 thousand from their victims. Experts at the audit and consulting company PwC have documented more than 300 new strains of WannaCry, which indicates that the risk of new attacks remains.