
A utility to decrypt WannaCry ransomware

Discussion in 'General Software' started by Static~Charge, May 19, 2017.

  1. Static~Charge
    Joined:
    Nov 2, 2008
    Messages:
    711 (0.22/day)
    Thanks Received:
    381
    sttubs, remixedcat, rtwjunkie and 4 others say thanks.
  2. R-T-B
    Joined:
    Aug 20, 2007
    Messages:
    6,597 (1.82/day)
    Thanks Received:
    5,897
    In other words, if infected the number one thing you can do is NOT SHUT DOWN OR REBOOT.
     
    rtwjunkie says thanks.
  3. Static~Charge
    Joined:
    Nov 2, 2008
    Messages:
    711 (0.22/day)
    Thanks Received:
    381
    I was just coming back to update my post with that info. If you reboot the infected PC before running the utility, then the information needed to reconstruct the decryption key is gone.
     
    Kursah, eidairaman1 and R-T-B say thanks.
  4. Kursah

    Kursah Moderator Staff Member

    Joined:
    Oct 15, 2006
    Messages:
    10,531 (2.67/day)
    Thanks Received:
    4,717
    Location:
    Missoula, MT, USA
    I read that article earlier today and intended on sharing it, thanks for doing so! This is something critical for those that do get hit by this. :toast:
     
    10 Year Member at TPU
  5. fullinfusion

    fullinfusion 1.21 Gigawatts

    Joined:
    Jan 11, 2008
    Messages:
    9,304 (2.67/day)
    Thanks Received:
    3,131
    How is this ransomware infecting PCs?

    Going to bad sites or...?
     
  6. revin
    Joined:
    Oct 18, 2007
    Messages:
    1,185 (0.33/day)
    Thanks Received:
    580
    I asked pretty much the same a couple of days ago... no responses, and I'm unsure from reading on the web, but it still has the ability to just scour the web looking for some SMB holes, for sure.
    So it's not clear if any website like that other TecH site with shit tons of ads can carry an infection in it.
     
    bubbleawsome and fullinfusion say thanks.
  7. R-T-B
    Joined:
    Aug 20, 2007
    Messages:
    6,597 (1.82/day)
    Thanks Received:
    5,897
    As I said earlier, it's really not hard to scour the complete IPv4 range for open ports given a little time and effort.

    So your basic answer is open ports + not patched = probably infected.
     
  8. Static~Charge
    Joined:
    Nov 2, 2008
    Messages:
    711 (0.22/day)
    Thanks Received:
    381
    There is a nasty flaw in the SMB (Server Message Block) v1 code found in all versions of Windows from XP to 10, including Server 2003 to 2016. SMB is the network file sharing protocol, and it is enabled by default in Windows. No one in their right mind would allow SMB access from the Internet, but you'd be surprised by how many Windows machines do this.

    The "seed" machines scanned for open SMB ports on Internet-connected machines. When they found one, they exploited the security flaw to upload the WannaCry code and launch it. The malware then encrypted a large number of file types on the local drives and file shares. It also scanned for and infected other vulnerable machines on the local network. Based on this behavior, WannaCry is actually a worm, not a virus. You don't have to launch an infected program or open an infected document; the malware seeks out vulnerable machines on its own. If you want the technical details, Malwarebytes Labs has a write-up here.
     
    remixedcat, bubbleawsome and R-T-B say thanks.
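
The two infection paths described above (SMB reachable from the Internet, then the worm sweeping the local network for more hosts on TCP 445) are exactly what a defender can look for in firewall logs. The script below is an added example, not code from any poster in this thread: it parses lines in the Windows Firewall pfirewall.log format and raises an alert for any source that reaches many distinct hosts on port 445 within a short window, and for any inbound 445 connection from a non-RFC 1918 address. The log lines, the 10-host threshold and the 60-second window are constructed assumptions, not values from the thread.

```python
"""Flag worm-style SMB activity in Windows Firewall (pfirewall.log) lines.

Added example, not code from any post in this thread.  Two checks follow
from the thread's description of how WannaCry spread:
  * one source reaching many distinct hosts on TCP 445 in a short window
    (the worm scanning the local network for more SMB targets), and
  * TCP 445 traffic arriving from outside RFC 1918 space (SMB reachable
    from the Internet, the "open ports + not patched" case).
The log lines and the thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
SCAN_DISTINCT_HOSTS = 10            # assumption: this many targets in one window is a scan
SCAN_WINDOW = timedelta(seconds=60)  # assumption: window for counting distinct targets
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: one workstation talking to its file server (benign),
# one host sweeping 192.168.1.1-12 on 445 inside a minute, and two hits on
# 445 from public addresses (TEST-NET ranges stand in for real Internet hosts).
SAMPLE_LOG = [
    "#Version: 1.5",
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2017-05-19 10:00:01 ALLOW TCP 192.168.1.50 192.168.1.10 49200 445 52 S 10 0 8192 - - - RECEIVE",
    "2017-05-19 10:00:40 ALLOW TCP 192.168.1.50 192.168.1.10 49201 445 52 S 11 0 8192 - - - RECEIVE",
    "2017-05-19 10:03:12 DROP TCP 203.0.113.5 192.168.1.20 40001 445 52 S 12 0 8192 - - - RECEIVE",
    "2017-05-19 10:04:55 ALLOW TCP 198.51.100.9 192.168.1.21 40002 445 52 S 13 0 8192 - - - RECEIVE",
] + [
    f"2017-05-19 10:05:{i:02d} ALLOW TCP 192.168.1.77 192.168.1.{i} {50000 + i} 445 52 S 1 0 8192 - - - RECEIVE"
    for i in range(1, 13)
]


def parse_line(line):
    """Parse one pfirewall.log record; return None for headers and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return {
            "ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": int(f[7]) if f[7] != "-" else None,
            "path": f[-1],
        }
    except ValueError:
        return None


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses; unparsable values count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_scan(records):
    """Map src -> max distinct 445 targets seen within SCAN_WINDOW, for sources over the threshold."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == SMB_PORT:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most SCAN_WINDOW
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= SCAN_DISTINCT_HOSTS:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_internet_smb(records):
    """(src, dst, action) for inbound TCP 445 from non-internal addresses; ALLOW is the alarming case."""
    return [(r["src"], r["dst"], r["action"]) for r in records
            if r["proto"] == "TCP" and r["dport"] == SMB_PORT
            and r["path"] == "RECEIVE" and not is_internal(r["src"])]


def analyze(lines):
    """Run both detections over raw log lines."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return detect_lateral_scan(records), detect_internet_smb(records)


if __name__ == "__main__":
    scans, exposed = analyze(SAMPLE_LOG)
    for src, n in scans.items():
        print(f"lateral SMB scan: {src} reached {n} hosts on 445 within {SCAN_WINDOW}")
    for src, dst, action in exposed:
        print(f"SMB from Internet: {src} -> {dst}:445 ({action})")
```

On the constructed sample the sweep from 192.168.1.77 is reported with 12 distinct targets, while the workstation that contacts its file server twice never crosses the threshold. A DROP from a public address shows the firewall doing its job; an ALLOW from one is the configuration the post warns about and is the record worth acting on first.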
  9. jboydgolfer
    Joined:
    Oct 17, 2012
    Messages:
    5,904 (3.39/day)
    Thanks Received:
    8,139
    Location:
    Massachusetts
    I noticed today that my Malwarebytes began to act odd, showing notifications that certain protections were disabled (web protection, and I couldn't re-enable the service either), and when I would run a scan it would only go for a second and then end, showing successful without a virus. I double-checked to verify that I wasn't infected, and I also disabled SMBv1 a while ago, but I was still concerned. The reason I'm mentioning this is because I ended up looking at another one of my computers and it was also behaving the same on that PC too, with a different operating system though (just in case someone else might benefit from checking/finding a similar issue). The only solution I could find was to uninstall Malwarebytes, restart, run the Malwarebytes clean removal tool, restart again and then install anew. That fixed it on both computers, and the issue has not manifested again. Hopefully it was just an issue with Malwarebytes, but all this talk about worms and viruses got me nervous and paranoid :fear:
     
  10. R-T-B
    Joined:
    Aug 20, 2007
    Messages:
    6,597 (1.82/day)
    Thanks Received:
    5,897
    @Bill_Bright mentioned that MB has been having issues like that lately. I wouldn't lose sleep over it.
     
    rtwjunkie and jboydgolfer say thanks.
  11. jboydgolfer
    Joined:
    Oct 17, 2012
    Messages:
    5,904 (3.39/day)
    Thanks Received:
    8,139
    Location:
    Massachusetts
    I've actually experienced it several times in the past as well, but I'm aware that it's irrational to worry :rolleyes: I've taken the steps before this worm was released to disable the exploit it uses. The steps that I used to fix Malwarebytes are the recommended steps by their support team; if anyone's reading this and encounters a similar issue, use the steps in post #9.
     
  12. alucasa

    Joined:
    Apr 2, 2009
    Messages:
    3,505 (1.15/day)
    Thanks Received:
    2,292
    It's called port scanning (also probing) and is usually done from a cheap VPS (virtual private server). If you hang around web hosting forums, you will see countless people wanting two things.

    1. Cheap VPS
    2. Anonymity

    They are usually the ones that do port scanning and plan their next move. Unfortunately, the web hosting market is too competitive and new web hosting companies (usually a one-man op) have to take every customer they can get, so they take in those shady people.
     
    remixedcat says thanks.