Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday. Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns. "This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"
Re: (Score:3)
The summary indicates that the technique decrypts computers affected by wannacry, but then later says this is not the case as XP machines were not affected by wannacry. To be blunt, what the hell is going on?!?
To be blunt, BeauHD.
Sadly... (Score:5, Funny)
After you decrypt, you're left with a Windows XP system.
Re: (Score:1)
Just install Linux
Let's not go installing malware here.
Re: Sadly... (Score:1)
Malware? SRSLY stop it with the fan boi shit. Linux is not installed BTW, you freaking sacrifice a goat, eat a waffle, have sex with a pony then compile your toolchain.
Re: (Score:3)
After you decrypt, you're left with a Windows XP system.
Hey, a decryptor that could turn Windows 10 systems into Windows 7 systems would actually be quite useful!
Re: (Score:2)
doh!
Re: (Score:2)
Re: (Score:1)
Sad, but nevertheless happier than a windows 10 system.
Re: (Score:1)
The windows UI hasn't improved since xp anyway. In fact in some ways it's gone backwards: eg settings are now strewn randomly all over the joint rather than contained nicely in the control panel, the start menu has gone from well organised to a complete mess, design consistency has gone out the window and let's not even start on the whole tile eyesore. I guess the graphics are a bit purdier in a big and bulky sort of way but who gives a sh*t about that?
If I could buy a supported version of xp with updated
Re: (Score:2)
After you decrypt, you're left with a Windows XP system.
Could be worse. Instead of encrypting your files, just think if the ransomware threatened to upgrade your system to Windows 10 if you didn't pay. (At least Microsoft tried molesting your system for free...)
I've already developed a fix (Score:1)
Summary (Score:5, Informative)
1. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally).
2. This hack-fix works because XP doesn't wipe the key generation details out of memory. p and q can often be found by searching all memory. You then regenerate the key with p and q, like magic. If you reboot, memory is wiped and it's too late.
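The recovery idea in point 2, as an added illustration that is not Wannakey's code: the ransomware's RSA public key (n, e) is known, so if a prime factor of n is still lying in process memory, `n % candidate == 0` identifies it, the co-factor follows by division, and the private exponent d can be rebuilt. The primes, the junk "memory image" and the test message below are all constructed for the demo.

```python
import random

# Constructed demo key: two known Mersenne primes, 2^61-1 and 2^89-1.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537


def scan_for_prime_factor(mem: bytes, n: int, widths=(8, 12, 16)):
    """Slide over a memory image and return the first little-endian
    integer window that is a non-trivial divisor of n, else None.
    Because n = p*q, the only such windows are p or q themselves,
    so a hit cannot be a false positive."""
    for off in range(len(mem)):
        for w in widths:
            chunk = mem[off:off + w]
            if len(chunk) < w:
                continue
            cand = int.from_bytes(chunk, "little")
            if 1 < cand < n and n % cand == 0:
                return cand
    return None


def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """Given one prime factor, derive the other and the private exponent."""
    q = n // p
    assert p * q == n
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def build_fake_memory(prime: int, width: int, seed: int = 7) -> bytes:
    """Constructed 'process memory': random junk with the prime embedded
    at an unknown offset, as leftover key material would be."""
    rng = random.Random(seed)
    junk = lambda k: bytes(rng.randrange(256) for _ in range(k))
    return junk(300) + prime.to_bytes(width, "little") + junk(300)


def recover_and_check(mem: bytes, n: int = N, e: int = E) -> bool:
    """True if a factor was found and the rebuilt d round-trips a message."""
    p = scan_for_prime_factor(mem, n)
    if p is None:
        return False  # nothing usable in memory: the 'no luck' case
    d = rebuild_private_exponent(n, e, p)
    m = 0x41424344  # constructed test message
    return pow(pow(m, e, n), d, n) == m
```

If the process has exited or the machine rebooted, the buffer holds no factor and the function reports failure, which is exactly the limitation the Wannakey readme warns about.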
Re: (Score:2)
Hm, so you're saying a flaw in XP (doesn't wipe details out of memory) can help undo an exploited flaw?
Re: (Score:2)
WannaCry exploits Windows XP's poor security and then uses security against the user, which is then defeated by, again, Windows XP's poor security.
It's security fail all the way down.
Huh? (Score:1)
Huh? I thought the NHS got hit so hard precisely because they still have lots of XP?
Re: (Score:1)
THEY OPENS FISH EMAIL
Re:Huh? (Score:4, Informative)
Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.
A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.
Re: (Score:3, Informative)
No. They got hit hard because many sites don't patch things.
Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.
A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.
I used to manage WSUS, and still do but via SCCM. You do not need suggestive quotation marks when referring to WSUS issues. Shit is unreliable.
Easy to prevent via patches/workarounds (Score:4, Informative)
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
* Per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).
Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk
Re: Easy to prevent via patches/workarounds (Score:1)
Re: (Score:3)
Trump President
UK leaving the EU
and now APK +5 informative.
I've seen it all.
Re: (Score:2)
Wow. The fact that you keep a list of your AC posts that got modded up actually blew my mind.
Well done sir. (Score:5, Insightful)
Yes, it only works on limited OS install numbers
Yes, you have to be lucky
But someone has devoted his time and effort to find a way to roll back some of the damage caused by a major bit of malware. It may only be for a small subset, but he has published the code (we're all for that here, right?) so maybe it may inspire someone else, with a knowledge of memory allocation and cleanup on a different target platform, who may then have a light bulb moment!
Try cracking a smile once in a while, not everything needs a scowl.
Re: (Score:2)
It is also a pretty neat implementation error. I am going to use this in my security lecture this year as an example of how to mess up key handling and why not to trust the OS API (unless you are sure it is good).
Re: (Score:2)
That one is tricky. There are situations where you have to do it yourself to get the required trust-level. Of course, that does _not_ include designing the actual crypto algorithm, only a few people on this planet can do that at this time. But from your own example, you can see that even "what the NSA does" may not be good enough. (I know a few people that used to do work for the NSA. These people are only cooking with water, same as everybody else. Of course, they have a lot of water at their disposal, but
Re: (Score:1)