Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Microsoft Operating Systems Privacy Security Software The Almighty Buck Technology

Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom (arstechnica.com) 60

An anonymous reader quotes a report from Ars Technica: Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday. Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns. "This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"
This discussion has been archived. No new comments can be posted.

Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom

Comments Filter:
  • Sadly... (Score:5, Funny)

    by Anonymous Coward on Thursday May 18, 2017 @04:30PM (#54444935)

    After you decrypt, you're left with a Windows XP system.

    • After you decrypt, you're left with a Windows XP system.

      Hey, a decryptor that could turn Windows 10 systems into Windows 7 systems would actually be quite useful!

    • Comment removed based on user account deletion
    • by Anonymous Coward

      Sad, but nevertheless happier than a windows 10 system.

    • by Anonymous Coward

      The windows UI hasn't improved since xp anyway. In fact in some ways it's gone backwards: eg settings are now strewn randomly all over the joint rather than contained nicely in the control panel, the start menu has gone from well organised to a complete mess, design consistency has gone out the window and let's not even start on the whole tile eyesore. I guess the graphics are a bit purdier in a big and bulky sort of way but who gives a sh*t about that?

      If I could buy a supported version of xp with updated

    • After you decrypt, you're left with a Windows XP system.

      Could be worse. Instead of encrypting your files, just think if the ransomware threatened to upgrade your system to Windows 10 if you didn't pay. (At least Microsoft tried molesting your system for free...)

  • by Anonymous Coward
    Kill the VM and start a fresh one.
  • Summary (Score:5, Informative)

    by Anonymous Coward on Thursday May 18, 2017 @04:33PM (#54444961)

    1. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally).
    2. This hack-fix works because XP doesn't wipe they key generation details out of memory. p and q can often be found by searching all memory. You then regenerate the key with p and q, like magic. If you reboot, memory is wiped and it's too late.

    • by WallyL ( 4154209 )

      Hm, so you're saying a flaw in XP (doesn't wipe details out of memory) can help undo an exploited flaw?

      • WannaCry exploits Windows XP's poor security and then uses security against the user, which is then defeated by, again, Windows XP's poor security.

        It's security fail all the way down.

  • by Anonymous Coward

    Windows XP computers weren't affected by last week's major outbreak of WCry

    Huh? I thought the NHS got hit so hard precisely because they still have lots of XP?

    • by Anonymous Coward

      THEY OPENS FISH EMAIL

    • Re:Huh? (Score:4, Informative)

      by Anonymous Coward on Thursday May 18, 2017 @05:50PM (#54445429)
      No. They got hit hard because many sites don't patch things.

      Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

      A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.
      • Re: (Score:3, Informative)

        by sexconker ( 1179573 )

        No. They got hit hard because many sites don't patch things.

        Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

        A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

        I used to manage WSUS, and still do but via SCCM. You do not need suggestive quotation marks when referring to WSUS issues. Shit is unreliable.

  • by Anonymous Coward on Thursday May 18, 2017 @05:41PM (#54445383)

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SMB server, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    * Per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).

    Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk

  • Well done sir. (Score:5, Insightful)

    by James Keane ( 4387461 ) on Thursday May 18, 2017 @05:44PM (#54445399)
    Why is everyone so down on this?

    Yes, it only works on limited OS install numbers
    Yes, you have to be lucky

    But someone has devoted his time and effort to find a way to rollback some of the damage cause by a major bit of malware. It may only be for a small subset, but he has published the code (we're all for that here, right?) so maybe it may inspire someone else, with a knowledge of memory allocation and cleanup on a different target platform, who may then have a light bulb moment!

    Try cracking a smile once in a while, not everything needs a scowl.
    • by gweihir ( 88907 )

      It is also a pretty neat implementation error. I am going to use this in my security lecture this year as example on how to mess up key handling and why to not trust the OS API (unless you are sure it it good).

    • I wonder if it also works on Server 2003.

No spitting on the Bus! Thank you, The Mgt.

Working...