Karlston Posted May 19, 2017

For those of you who were infected with WannaCry, very good news.

If you see the WannaCry ransom screen: DON’T REBOOT.

Matt Suiche has confirmed that the wanakiwi tool can reach into your infected Win7 machine and retrieve the decryption key. The tool was created by Benjamin Delpy, @gentilkiwi.

Per Suiche:

His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

Suiche has confirmed that the tool works on WinXP x86, Server 2003 x86, and Win7 x86. “This would imply it works for every version of Windows from XP to 7, including… Vista and 2008 and 2008 R2.”

Remember, the original WannaCry worm ONLY infects Windows 7 computers. Anything you’ve read to the contrary is wrong.

REMEMBER – You have to make sure your Windows machines are updated, to protect against new versions of WannaCry. They’re starting to make an appearance. If you haven’t already done it, drop everything and get patched now. Every Windows machine. No exceptions.

Source: Breaking: WannaCry has been decrypted, if you follow the rules (AskWoody)
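The idea quoted from Suiche above (search memory for the primes rather than the key, then recompute the key), as an added Python illustration that is not part of the original posts and is not code from wanakiwi or wannakey. The toy key size, the little-endian layout and the memory buffer are assumptions constructed for the demo.

```python
# Added illustration: rebuild an RSA private key from one prime left in memory.
# Everything below (key, buffer, sizes) is constructed sample data.

def find_prime_factor(memory: bytes, n: int, prime_len: int):
    """Slide a prime_len-byte window over the buffer and return (offset, p)
    for the first window whose little-endian value is a non-trivial divisor
    of the public modulus n, or None if no such window exists."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None

def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """With one factor p of n known, recompute q and the private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

# Constructed toy key built from two Mersenne primes (far smaller than a real key).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q      # public modulus: known to the defender
E = 65537      # public exponent: known to the defender

def demo():
    # Constructed "process memory": filler bytes, the leftover prime, padding.
    memory = bytes(range(40)) + P.to_bytes(8, "little") + b"\x00" * 24
    off, p = find_prime_factor(memory, N, 8)
    d = rebuild_private_exponent(N, E, p)
    # Round trip: encrypt with the public key, decrypt with the rebuilt key.
    msg = int.from_bytes(b"file key", "big")
    ct = pow(msg, E, N)
    return off, p, pow(ct, d, N) == msg

def demo_after_reboot():
    # After a reboot the old process memory is gone; model it as zeroed bytes.
    return find_prime_factor(bytes(72), N, 8)

if __name__ == "__main__":
    print(demo())
    print(demo_after_reboot())
```

The second function shows why the advice is not to reboot: once the prime is no longer in the buffer, the scan has nothing to find.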
steven36 Posted May 19, 2017

Quote

Frenchmen claim cure for WannaCry-infected computers

2017-05-19T19:03:02Z

PARIS (AP) - French researchers have released software tools that they claim can restore some of the computers locked up by a global cyberattack that held users' files for ransom.

The researchers said, however, that the tools are not perfect and work only if the computers infected with the WannaCry ransomware have not been rebooted after being hit. For that reason, the technique isn't likely to help many people. In addition, companies needing to restore their operations right away likely would have turned to backups, if available, by now.

The developments came Friday, the apparent deadline for owners of some infected machines to pay a ransom of up to $600 or lose their files forever. As of Friday, the three accounts known to collect ransom payments had received less than $100,000 worth of the cybercurrency bitcoin, an amount that security researchers say is small compared with how widely WannaCry spread.

The researchers - Adrien Guinet, Matthieu Suiche and Benjamin Delpy - worked separately to find ways to decrypt files scrambled and held hostage by WannaCry.

In his research summary, Guinet - who works for the Paris-based firm Quarkslab - said his software had only been tested to work under Windows XP. He added the software helps recover the prime numbers of the RSA private key that are used by WannaCry.

After Guinet's fix came out, others looked for ways to extend that to other operating systems and have succeeded in applying the technique to the newer Windows 7 system as well.

Chris Wysopal, chief technology officer with the software security company Veracode, said that after ransomware attacks, researchers will often infect one of their own machines on purpose to see if the key is somehow left in the memory. That happened here with some systems of Windows.
http://www.walb.com/story/35471382/frenchman-claims-cure-for-wannacry-infected-computers

If the ransomware doesn't work on anything but Windows 7, how did the developers of this test it on WinXP x86, Server 2003 x86, and Win7 x86? That statement is an oxymoron, lol. The tool was invented at first for XP only and others modded the code for other OSes.

I know for a fact it infected Server 2008 as well because someone infected was trying to get help.

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4238005

By what I'm reading over there now

Quote

From the article, it appears Benjamin Delpy based his decrypt on Adrien Guinet's decrypt method posted above. So we may potentially have two decrypters for XP and Win 7.

Guinet - https://github.com/aguinet/wannakey
Delpy - https://github.com/gentilkiwi/wanakiwi/releases

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242749

Quote

I have tested it with latest advapi32.dll (6.1.7601.23796) available for Windows 7. It was tested several minutes after encryption finished. Success rate was about 60%.

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242822

And it seems Woody was sort of right: it seems Eternal Blue, the worm, failed to work on any XP systems in the wild, but the actual ransomware did if you infected yourself with it. But it worked on Server and Windows 7. So everyone who got infected was people who didn't do updates even though there was a patch out for 3 months. So what good is a decrypter for XP unless they put it in and other exploit by then it will be updated and not work by then? And still, if you didn't reboot, you may only get back part of your files.

It seems to only affect Windows 7 / Server 2008

https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242383
Karlston Posted May 20, 2017

It's true, WannaCry does infect OS's other than Windows 7...

http://www.overclockers.com.au/pic.php?pic=images/newspics/19may17/30.jpg

Sorry, couldn't resist it...