
A utility to decrypt WannaCry ransomware

#1
#2
In other words, if infected the number one thing you can do is NOT SHUTDOWN OR REBOOT.
 
#3
I was just coming back to update my post with that info. If you reboot the infected PC before running the utility, then the information needed to reconstruct the decryption key is gone.
 

Kursah

Moderator
Staff member
#4
I read that article earlier today and intended on sharing it, thanks for doing so! This is something critical for those that do get hit by this. :toast:
 

fullinfusion

Vanguard Beta Tester
#5
How is this ransomware infecting PCs?

Going to bad sites or...?
 
#6
How is this ransomware infecting PCs?

Going to bad sites or...?
I asked pretty much the same a couple of days ago... no responses, and I'm unsure from reading on the web, but it still has the ability to just scour the web looking for some SMB holes, for sure.
So it's not clear if any website like that other TecH site with shit tons of ads can carry an infection in it.
 
#7
I asked pretty much the same a couple of days ago... no responses, and I'm unsure from reading on the web, but it still has the ability to just scour the web looking for some SMB holes, for sure.
So it's not clear if any website like that other TecH site with shit tons of ads can carry an infection in it.
As I said earlier, it's really not hard to scour the complete IPv4 range for open ports given a little time and effort.

So your basic answer is open ports + not patched = probably infected.
 
#8
There is a nasty flaw in the SMB (Server Message Block) v1 code found in all versions of Windows from XP to 10, including Server 2003 to 2016. SMB is the network file sharing protocol, and it is enabled by default in Windows. No one in their right mind would allow SMB access from the Internet, but you'd be surprised by how many Windows machines do this.

The "seed" machines scanned for open SMB ports on Internet-connected machines. When they found one, they exploited the security flaw to upload the WannaCry code and launch it. The malware then encrypted a large number of file types on the local drives and file shares. It also scanned for and infected other vulnerable machines on the local network. Based on this behavior, WannaCry is actually a worm, not a virus. You don't have to launch an infected program or open an infected document; the malware seeks out vulnerable machines on its own. If you want the technical details, Malwarebytes Labs has a write-up here.
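The exposure post #8 describes (SMBv1 enabled by default, TCP/445 reachable from networks it should never be reachable from) is something an administrator can audit and close on each Windows host. The script below is an added example, not from the thread or from Malwarebytes; it assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, where the SmbShare, Dism and NetSecurity cmdlets it calls exist. The firewall rule name is a placeholder chosen here; run without -Remediate first to see findings only.

```powershell
# Added example (not from the thread): audit and harden SMBv1 / TCP-445 exposure on a Windows host.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
# Without -Remediate the script only reports; with it, SMB1 is disabled and an inbound block
# for TCP/445 is added on the Public firewall profile (domain/private file sharing is left alone).
param(
    [switch]$Remediate
)

$ruleName = 'Block inbound SMB (TCP 445) on Public profile'   # placeholder name chosen for this example
$findings = @()

# 1. SMB1 protocol still enabled on the server side?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    $findings += 'SMB1 server protocol is ENABLED (Get-SmbServerConfiguration).'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. SMB1 optional feature (client + server binaries) still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'Windows feature SMB1Protocol is installed.'
    if ($Remediate) {
        # Removing the feature needs a reboot to take full effect.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Is TCP/445 listening, and is there an explicit inbound block for untrusted networks?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $addrs = ($listening.LocalAddress | Sort-Object -Unique) -join ', '
    $findings += "TCP/445 is listening on: $addrs"
}

$blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $blockRule) {
    $findings += 'No explicit inbound block rule for TCP/445 on the Public profile.'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No SMB1 / TCP-445 exposure findings.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to apply the fixes (reboot after removing the SMB1 feature).'
    }
}
```

Disabling SMB1 removes the vulnerable code path; blocking 445 on the Public profile keeps a laptop from being reachable on hotel or coffee-shop networks while leaving domain file sharing working. Neither replaces the vendor patch for the flaw itself (MS17-010), which closes the hole for hosts that still need SMB reachable on the LAN.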
 
#9
I noticed today that my Malwarebytes began to act odd, showing notifications that certain protections were disabled (web protection, and I couldn't re-enable the service either), and when I would run a scan it would only go for a second and then end, showing successful without a virus. I double-checked to verify that I wasn't infected, and I also disabled SMBv1 a while ago, but I was still concerned. The reason I'm mentioning this is because I ended up looking at another one of my computers and it was also behaving the same on that PC too, with a different operating system though (just in case someone else might benefit from checking/finding a similar issue). The only solution I could find was to uninstall Malwarebytes, restart, run the Malwarebytes clean removal tool, restart again, and then install anew. That fixed it on both computers, and the issue has not manifested again. Hopefully it was just an issue with Malwarebytes, but all this talk about worms and viruses got me nervous and paranoid :fear:
 
#10
I noticed today that my Malwarebytes began to act odd, showing notifications that certain protections were disabled (web protection, and I couldn't re-enable the service either), and when I would run a scan it would only go for a second and then end, showing successful without a virus. I double-checked to verify that I wasn't infected, and I also disabled SMBv1 a while ago, but I was still concerned. The reason I'm mentioning this is because I ended up looking at another one of my computers and it was also behaving the same on that PC too, with a different operating system though (just in case someone else might benefit from checking/finding a similar issue). The only solution I could find was to uninstall Malwarebytes, restart, run the Malwarebytes clean removal tool, restart again, and then install anew. That fixed it on both computers, and the issue has not manifested again. Hopefully it was just an issue with Malwarebytes, but all this talk about worms and viruses got me nervous and paranoid :fear:
@Bill_Bright mentioned that MB has been having issues like that lately. I wouldn't lose sleep over it.
 
#11
@Bill_Bright mentioned that MB has been having issues like that lately. I wouldn't lose sleep over it.
I've actually experienced it several times in the past as well, but I'm aware that it's irrational to worry :rolleyes: I've taken the steps before this worm was released to disable the exploit it uses. The steps that I used to fix Malwarebytes are the recommended steps by their support team; if anyone's reading this and encounters a similar issue, use the steps in post #9.
 
#12
It's called port scanning (also probing) and is usually done from cheap VPSes (virtual private servers). If you hang around web hosting forums, you will see countless people wanting two things.

1. Cheap VPS
2. Anonymity

They are usually the ones that do port scanning and plan their next move. Unfortunately, the web hosting market is too competitive, and new web hosting companies (usually one-man operations) have to take every customer they can get, so they take in those shady people.
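Posts #7, #8 and #12 all describe the same observable: one source address walking across many destinations on TCP/445, whether that is a VPS sweeping the Internet or an infected host scanning its own LAN. On a Windows network that fan-out shows up in the Windows Firewall log, so it can be flagged without any signature. The script below is an added example, not from the thread; it assumes the standard pfirewall.log W3C field order ("date time action protocol src-ip dst-ip src-port dst-port ..."), and the log lines embedded in it are constructed for the demonstration. The threshold of five distinct targets is a starting point, not a tuned value.

```powershell
# Added example (not from the thread): flag sources that reach many distinct hosts on TCP/445,
# the fan-out pattern of worm-style SMB scanning. Sample log lines below are CONSTRUCTED;
# on a real host the input is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-15 09:00:01 DROP TCP 10.0.0.55 10.0.0.1 49211 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:01 DROP TCP 10.0.0.55 10.0.0.2 49212 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:01 DROP TCP 10.0.0.55 10.0.0.3 49213 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:02 DROP TCP 10.0.0.55 10.0.0.4 49214 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:02 DROP TCP 10.0.0.55 10.0.0.5 49215 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:02 DROP TCP 10.0.0.55 10.0.0.6 49216 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:03 ALLOW TCP 10.0.0.20 10.0.0.10 51000 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:05 ALLOW TCP 10.0.0.20 10.0.0.10 51001 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:07 ALLOW TCP 10.0.0.20 10.0.0.10 51002 445 52 S 0 0 8192 - - - RECEIVE
2017-05-15 09:00:08 ALLOW TCP 10.0.0.20 93.184.216.34 51003 443 52 S 0 0 8192 - - - SEND
2017-05-15 09:00:09 DROP TCP 203.0.113.9 10.0.0.7 40001 445 52 S 0 0 8192 - - - RECEIVE
'@

function Find-SmbScanners {
    # Returns one object per source whose distinct-destination count on $Port meets the threshold.
    param(
        [string[]]$Lines,
        [int]$DistinctTargetThreshold = 5,
        [int]$Port = 445
    )
    $targets = @{}   # src-ip -> set of dst-ip
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }          # malformed or truncated line
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dstPort = $f[7]
        if ($proto -ne 'TCP' -or $dstPort -ne "$Port") { continue }
        if (-not $targets.ContainsKey($src)) {
            $targets[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$targets[$src].Add($dst)
    }
    foreach ($src in $targets.Keys) {
        if ($targets[$src].Count -ge $DistinctTargetThreshold) {
            [pscustomobject]@{ Source = $src; DistinctTargets = $targets[$src].Count; Port = $Port }
        }
    }
}

$lines = $sampleLog -split "`r?`n"
# With the constructed sample this reports 10.0.0.55 (6 distinct targets); the workstation
# 10.0.0.20 talks to a single file server repeatedly and is not flagged.
Find-SmbScanners -Lines $lines -DistinctTargetThreshold 5 | Format-Table -AutoSize
```

The point of counting distinct destinations rather than raw connection attempts is that a normal client opens many connections to one file server, while a scanner opens one connection each to many hosts. Both DROP and ALLOW lines are counted on purpose: a scanner that is being blocked at the firewall is still worth knowing about, and the internal source 10.0.0.55 in the sample is exactly the "infected machine scanning the LAN" case post #8 describes.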