
Recovery Tool for WannaCrypt (for XP Only)


adi    1,051
adi

There's a ransom-free fix for WannaCrypt.

Oh snap, you've rebooted your XP box
Sooo... that's not gonna work for you mate

 

Windows XP PCs infected by WannaCrypt can be decrypted without paying ransom by using a new utility dubbed Wannakey.

 

Wannakey offers in-memory key recovery for Win XP machines infected by the infamous ransomware strain. The fix can be used to dump encryption keys from memory. This RSA private key, once recovered, can be used to restore encrypted files on infected computers.

 

Caveats and limitations apply. Compromised machines must not have been rebooted after being infected, otherwise the crucial keys will already have been discarded from volatile memory. That's quite a big ask a week after the devastating WannaCrypt outbreak, especially since initial advice centred on turning off machines to stop the further spread of infection across corporate networks.

 

The Wannakey tool, put together by security researcher Adrien Guinet and released on Thursday, appears promising but is yet to be independently tested. Windows XP is, of course, the antithesis of a strong and stable operating system even when it doesn't have a malware infection. So whether it'll work for victims of WannaCrypt before their system crashes has to be doubtful.

 

The developer readily acknowledges these limitations. "This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected," Guinet writes. "Please also note that you need some luck for this to work, and so it might not work in every cases." ®

 

Batu69    18,607
Batu69

Moved from Guides & Tutorials forum.

Karamjit Lal    4,251
Karamjit Lal

Windows XP was one of the Windows versions hit by the WannaCry ransomware, and despite the patch released by Microsoft, there were still thousands of computers that ended up infected.

And thanks to new software developed by French researcher Adrien Guinet, Windows XP users whose computers were compromised by WannaCry can remove the infection without having to pay the $300 ransom.

A tool that he posted on Github can search for the decryption key in the memory if the computer wasn’t rebooted after being infected, so if you already restarted the system and it then got locked down by WannaCrypt, this isn’t going to work.

If the aforementioned condition is met, the app can recover the prime numbers of the RSA private key that are being used by WannaCry to encrypt your files.

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory,” the researcher explains.

Only working on Windows XP

What’s important to note is that this application works exclusively on Windows XP, and the researcher says it hasn’t been tested on a different Windows version.

On the other hand, Windows XP systems that haven’t been infected just yet must deploy Microsoft’s patch that’s available even for unsupported versions of Windows.

The WannaCry ransomware is based on a vulnerability in all Windows versions that was stolen from the NSA and posted online by hacking group Shadow Brokers earlier this year. Microsoft patched all supported versions of Windows, including Vista, 7, 8.1, and 10 as part of the March Patch Tuesday, while Windows XP remained vulnerable to attacks as it’s no longer getting support.

After thousands of computers got infected, Microsoft decided to release the patch for Windows XP systems as well, thus publishing the first update in 3 years for the operating system launched in 2001.

From: http://news.softpedia.com/news/windows-xp-users-can-remove-wannacry-infection-without-paying-300-ransom-515852.shtml
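
The in-memory key recovery described in the two posts above, as an added example that is not Wannakey's code or part of either post: it scans a constructed memory buffer for a leftover prime that divides the public modulus, then rebuilds the private exponent. The toy primes, the buffer layout, the little-endian encoding and the 4-byte scan step are assumptions of this example.

```python
# Added example: names, sample data and memory layout are constructed here.
E = 65537              # public exponent (assumed)
P = 2**127 - 1         # toy primes (both Mersenne primes) standing in
Q = 2**89 - 1          # for the much larger primes of a real key
N = P * Q              # public modulus, assumed available from the public key


def find_prime_factor(memory, modulus, prime_len, step=4):
    """Slide a prime_len-byte window over memory and return (offset, prime)
    for the first window whose integer value divides the modulus."""
    for off in range(0, len(memory) - prime_len + 1, step):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        # Skip zeroed or trivial windows, then test divisibility.
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None  # nothing left in memory (e.g. after a reboot)


def rebuild_private_key(p, modulus, e=E):
    """Given one recovered prime, derive the other prime and the exponent d."""
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return q, d


def constructed_memory(leave_prime=True):
    """Constructed process image: filler bytes with the prime left behind at
    offset 1000, or zeroed there to model memory that no longer holds it."""
    filler = bytes((i * 37 + 11) % 256 for i in range(1500))
    prime = P.to_bytes(16, "little") if leave_prime else bytes(16)
    return filler[:1000] + prime + filler[1000:]


if __name__ == "__main__":
    hit = find_prime_factor(constructed_memory(), N, prime_len=16)
    if hit is None:
        print("no prime found: key material is gone")
    else:
        offset, p = hit
        q, d = rebuild_private_key(p, N)
        secret = 0x0123456789ABCDEF
        recovered = pow(pow(secret, E, N), d, N)
        print(f"prime at offset {offset}, round trip ok: {recovered == secret}")
    print("wiped image:", find_prime_factor(constructed_memory(False), N, 16))
```

The second call models the limitation both posts stress: once the prime is no longer in memory, the scan returns nothing and the key cannot be rebuilt this way.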

Batu69    18,607
Batu69

Topic merged.
