A utility to decrypt WannaCry ransomware

[Static~Charge]

If you're lucky, this utility might "save your bacon":

More people infected by recent WCry worm can unlock PCs without paying ransom
A tool released on Friday decrypts PCs running a fuller suite of Windows versions.

https://arstechnica.com/security/20...ry-worm-can-unlock-pcs-without-paying-ransom/

 

[R-T-B]

In other words, if infected the number one thing you can do is NOT SHUTDOWN OR REBOOT.

 

[Static~Charge]

I was just coming back to update my post with that info. If you reboot the infected PC before running the utility, then the information needed to reconstruct the decryption key is gone.

 

[Kursah]

I read that article earlier today and intended on sharing it, thanks for doing so! This is something critical for those that do get hit by this.

 

[fullinfusion]

How is this ransomware infecting PC's?

Going to bad sites or...?

 

[revin]

How is this ransomware infecting PC's?

Going to bad sites or...?

I asked pretty much the same a couple days ago,........no responses and unsure from reading on the web, but it still has the ability to just scour the web looking for some SMB holes for sure.
So not clear if any website like that other TecH site with shit tons of ad's can carry an infection in it.

 

[R-T-B]

I asked pretty much the same a couple days ago,........no responses and unsure from reading on the web, but it still has the ability to just scour the web looking for some SMB holes for sure.
So not clear if any website like that other TecH site with shit tons of ad's can carry an infection in it.

As I said earlier, it's really not hard to scour the complete IPv4 range for open ports given a little time and effort.

So your basic answer is open ports + not patched = probably infected.

 

[Static~Charge]

There is a nasty flaw in the SMB (Server Message Block) v1 code found in all versions of Windows from XP to 10, including Server 2003 to 2016. SMB is the network file sharing protocol, and it is enabled by default in Windows. No one in their right mind would allow SMB access from the Internet, but you'd be surprised by how many Windows machines do this.

The "seed" machines scanned for open SMB ports on Internet-connected machines. When they found one, they exploited the security flaw to upload the WannaCry code and launch it. The malware then encrypted a large number of file types on the local drives and file shares. It also scanned for and infected other vulnerable machines on the local network. Based on this behavior, WannaCry is actually a worm, not a virus. You don't have to launch an infected program or open an infected document; the malware seeks out vulnerable machines on its own. If you want the technical details, Malwarebytes Labs has a write-up here.

 

[jboydgolfer]

I noticed today that my Malwarebytes began to act odd. Showing notifications that certain protections were disabled(web protection & i couldnt re-enable the service either), and when I would run a scan it would only go for a second and then end showing successful without a virus. I double checked to verify that I wasn't infected and I also disabled SMBV1 A while ago ,but I was still concerned. The reason Im mentioning this is because I ended up looking at another one of my computers and it was also behaving the same on that PC too,& different operating system though(just in case someone else might benefit from checking/finding a similar issue). The only solution I could find was to uninstall malwarebites, restart, run the Malwarebytes clean removal tool, restart again and then install anew. That fixed it on both computers,& The issue has not manifested again , hopefully it was just an issue with malwarebites, but all this talk about worms and viruses got me nervous and paranoid

 

[R-T-B]

I noticed today that my Malwarebytes began to act odd. Showing notifications that certain protections were disabled(web protection & i couldnt re-enable the service either), and when I would run a scan it would only go for a second and then end showing successful without a virus. I double checked to verify that I wasn't infected and I also disabled SMBV1 A while ago ,but I was still concerned. The reason Im mentioning this is because I ended up looking at another one of my computers and it was also behaving the same on that PC too,& different operating system though(just in case someone else might benefit from checking/finding a similar issue). The only solution I could find was to uninstall malwarebites, restart, run the Malwarebytes clean removal tool, restart again and then install anew. That fixed it on both computers,& The issue has not manifested again , hopefully it was just an issue with malwarebites, but all this talk about worms and viruses got me nervous and paranoid

@Bill_Bright mentioned that MB has been having issues like that lately. I wouldn't lose sleep over it.

 

[jboydgolfer]

@Bill_Bright mentioned that MB has been having issues like that lately. I wouldn't lose sleep over it.

I've actually experienced it several times in the past as well but I'm aware that it's irrational to worry I've taken the steps before this worm was released to disable the exploit it uses. The steps that I used to fix malwarebites are the recommended steps by their support team ,if anyone's reading this and counters a similar issue , use the steps in post #9

 

[alucasa]

It's called port scanning (also probing) and usually done by cheap VPS (Virtual private server). If you hang around web hosting forums, you will see countless people wanting two things.

1. Cheap VPS
2. Anonymity

They are usually the ones that do port scanning and plan their next move. Unfortunately, web hosting market is too competitive and new web hosting companies (usually one-man op) have to take every customers they can get, so they take in those shady people.