
WannaCry has been decrypted, if you follow the rules


Karlston


For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen:

 

[Image: WannaCry ransom screen]

 

DON’T REBOOT.

 

Matt Suiche has confirmed that the wanakiwi tool can reach into your infected Win7 machine and retrieve the decryption key. The tool was created by Benjamin Delpy, @gentilkiwi. Per Suiche:

His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

Suiche has confirmed that the tool works on WinXP x86, Server 2003 x86, and Win7 x86: “This would imply it works for every version of Windows from XP to 7, including… Vista and 2008 and 2008 R2.”

 

Remember, the original WannaCry worm ONLY infects Windows 7 computers. Anything you’ve read to the contrary is wrong.

 

REMEMBER – You have to make sure your Windows machines are updated, to protect against new versions of WannaCry. They’re starting to make an appearance. If you haven’t already done it, drop everything and get patched now. Every Windows machine. No exceptions.

 

Source: Breaking: WannaCry has been decrypted, if you follow the rules (AskWoody)


 

Quote

 

Frenchmen claim cure for WannaCry-infected computers

PARIS (AP) - French researchers have released software tools that they claim can restore some of the computers locked up by a global cyberattack that held users' files for ransom.

 

The researchers said, however, that the tools are not perfect and work only if the computers infected with the WannaCry ransomware have not been rebooted after being hit. For that reason, the technique isn't likely to help many people. In addition, companies needing to restore their operations right away likely would have turned to backups, if available, by now.

 

The developments came Friday, the apparent deadline for owners of some infected machines to pay a ransom of up to $600 or lose their files forever. As of Friday, the three accounts known to collect ransom payments had received less than $100,000 worth of the cybercurrency bitcoin, an amount that security researchers say is small compared with how widely WannaCry spread.

 

The researchers - Adrien Guinet, Matthieu Suiche and Benjamin Delpy - worked separately to find ways to decrypt files scrambled and held hostage by WannaCry.

 

In his research summary, Guinet - who works for the Paris-based firm Quarkslab - said his software had only been tested to work under Windows XP. He added the software helps recover the prime numbers of the RSA private key that are used by WannaCry.

 

After Guinet's fix came out, others looked for ways to extend that to other operating systems and have succeeded in applying the technique to the newer Windows 7 system as well.

Chris Wysopal, chief technology officer with the software security company Veracode, said that after ransomware attacks, researchers will often infect one of their own machines on purpose to see if the key is somehow left in the memory. That happened here with some systems of Windows.

 

 

http://www.walb.com/story/35471382/frenchman-claims-cure-for-wannacry-infected-computers

If the ransomware doesn't work on anything but Windows 7, how did the developers of this test it on WinXP x86, Server 2003 x86, and Win7 x86? That statement is an oxymoron, lol. The tool was invented at first for XP only and others modded the code for other OSes. I know for a fact it infected Server 2008 as well because someone infected was trying to get help.

 

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4238005

By what I'm reading over there now

Quote

 

From the article, it appears Benjamin Delpy based his decrypt on Adrien Guinet's decrypt method posted above.

 

So we may potentially have two decrypters for XP and Win 7.

 

Guinet -

 

https://github.com/aguinet/wannakey

 

Delpy -

 

https://github.com/gentilkiwi/wanakiwi/releases

 

 

 https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242749
Quote

I have tested it with latest advapi32.dll (6.1.7601.23796) available for Windows 7. It was tested several minutes after encryption finished. Success rate was about 60%.

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242822

And it seems Woody was sort of right: it seems Eternal Blue, the worm, failed to work on any XP systems in the wild, but the actual ransomware did if you injected yourself with it. But it worked on Server and Windows 7. So everyone who got infected was people who didn't do updates, even though there was a patch out for 3 months.

 

So what good is a decrypter for XP unless they put it in another exploit? By then it will be updated and not work by then. And still, if you didn't reboot you may only get back part of your files. It seems to only affect Windows 7/Server 2008.
 

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242383
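The prime-search idea described in Suiche's quote in the first post and in the AP article quoted in the reply, as an added example that is not part of the thread and is not code from wanakiwi or wannakey. The small modulus, the memory buffers and the little-endian layout are constructed assumptions; real RSA keys are much larger.

```python
# Added illustration: recover an RSA private exponent from a leftover prime
# in a memory image, given only the public modulus. Not wanakiwi/wannakey code.
E = 65537  # common RSA public exponent (assumed for this demo)


def find_prime_factor(memory: bytes, modulus: int):
    """Slide a window over the image; return (offset, p) for the first
    window whose value divides the public modulus, else None."""
    plen = ((modulus.bit_length() + 7) // 8) // 2  # each prime is half the modulus
    for off in range(len(memory) - plen + 1):
        # Assumption: the prime is stored little-endian in memory.
        cand = int.from_bytes(memory[off:off + plen], "little")
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(modulus: int, p: int, e: int = E) -> int:
    """Recompute d from one prime: q = N / p, d = e^-1 mod (p-1)(q-1)."""
    q = modulus // p
    return pow(e, -1, (p - 1) * (q - 1))


def recover(memory: bytes, modulus: int):
    """Return the private exponent, or None if no prime survives in memory."""
    hit = find_prime_factor(memory, modulus)
    return None if hit is None else rebuild_private_exponent(modulus, hit[1])


# --- Constructed sample data (not taken from any real infection) ---
P = 2**61 - 1           # known prime, 8 bytes
Q = 2**64 - 59          # known prime, 8 bytes
N = P * Q               # the "public" modulus the victim still has
FILLER = bytes(range(1, 200))
# Process memory shortly after key generation: the prime was never wiped.
LIVE_MEMORY = FILLER + P.to_bytes(8, "little") + FILLER[::-1]
# Same region after a reboot or reallocation: the prime has been overwritten.
REUSED_MEMORY = FILLER + bytes(8) + FILLER[::-1]

if __name__ == "__main__":
    d = recover(LIVE_MEMORY, N)
    secret = 0x1122334455667788
    print("round trip ok:", pow(pow(secret, E, N), d, N) == secret)
    print("after memory reuse:", recover(REUSED_MEMORY, N))
```

The second buffer is why the thread insists on not rebooting and why reported success rates fall below 100%: once the region holding the prime is reused, there is nothing left to find.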

 
