Teddy Rogers Posted May 17, 2017 (edited) If you're not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt, you can find information and samples from the following links... https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 Samples: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#malware-samples Ted. Edited May 17, 2017 by Teddy Rogers
Techlord Posted May 18, 2017 On Wednesday, 17 May, 2017 at 6:44 AM, Teddy Rogers said: If you're not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt Not only sick and tired of getting calls from clients regarding this, but the name of this malware "WannaCry" makes it all the more irritating. It looks as if both the name and the worm were created by a couple of adolescent script-kiddies who just got their hands on the leaked ShadowBrokers exploits from last month! Am pretty sure that after a few days it'd be revealed that all this was the doing of a bunch of teenage script kiddies!
Apuromafo Posted May 19, 2017 (edited) Some analysis, if really needed, recommended for understanding WannaCry: https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis About analysis of other variants: https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e About using similar things (Metasploit): https://twitter.com/zerosum0x0/status/863698849856016384 About a simple solution (disable SMB): http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/ Other articles: https://hipertextual.com/2017/05/wannacry-ransomware-nsa-microsoft About a simple tool for removal (AntiRansom): https://github.com/YJesus/AntiRansom/releases BR, Apuromafo Edited May 19, 2017 by Apuromafo update Links
Alzri2 Posted May 19, 2017 6 hours ago, Techlord said: It looks as if both the name and the worm were created by a couple of adolescent script-kiddies who just got their hands on the leaked ShadowBrokers exploits from last month! Mmmm, I don't think he's (they're) really script-kiddies since, if you notice, they use the proper crypto system (symmetric and asymmetric encryption, aka hybrid encryption) to make it as efficient as possible... script-kiddies don't know too much about cryptography.
abhi93696 Posted May 19, 2017 I agree with @Techlord on the name part of the worm... "WannaCry"... What a NASTY name
Techlord Posted May 19, 2017 1 hour ago, Alzri2 said: Mmmm, I don't think he's (they're) really script-kiddies since, if you notice, they use the proper crypto system (symmetric and asymmetric encryption, aka hybrid encryption) to make it as efficient as possible... script-kiddies don't know too much about cryptography. No my friend... They used only THREE bitcoin addresses for their ransom bitcoins to be sent to, for example... And they made several other such blunders which only those who are highly inexperienced would do. Nowadays it's very easy to cut and paste all the crypto code from any of the several sites available! Some of these guys even resort to asking for snippets of code on serious programming forums...
Nemo Posted May 19, 2017 Well, apparently if you are quick enough you can use a new tool called wanakiwi to extract the decryption key from memory, as long as the machine wasn't rebooted...
Sound Posted May 19, 2017 I am more interested in what ShadowBrokers leaked out of some of the documents, where to download.
Teddy Rogers Posted May 19, 2017 4 hours ago, Nemo said: Well, apparently if you are quick enough you can use a new tool called wanakiwi to extract the decryption key from memory, as long as the machine wasn't rebooted... You must be referring to this... Quote: This software allows recovery of the prime numbers of the RSA private key that are used by WannaCry. It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory. This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, from what I've tested, under Windows 10, CryptReleaseContext does clean up the memory (and so this recovery technique won't work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function: "After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs." So, it seems that there are no clean and cross-platform ways under Windows to clean this memory. If you are lucky (that is, the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory. That's what this software tries to achieve. https://github.com/aguinet/wannakey Ted.
SmilingWolf Posted May 19, 2017 Or to this: Quote: This utility allows machines infected by the WannaCry ransomware to recover their files. The original method is based on Adrien Guinet's wannakey (https://github.com/aguinet/wannakey), which consists of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext(). Adrien's method was originally described as only valid for Windows XP, but we have proven this can be extended to Windows 7. Wanakiwi is based on the above method and Wanadecrypt, which makes it possible for lucky users to: Recover the private user key in memory to save it as 00000000.dky; Decrypt all of their files. https://github.com/gentilkiwi/wanakiwi
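The recovery idea in the two quoted READMEs (wannakey and wanakiwi), as an added Python example that is not code from either project: given the public modulus and a memory buffer that may still hold one of the RSA primes, locate the prime by trial division and rebuild the full private key from it. The toy 32-bit modulus, the fake memory buffer and the little/big-endian scan are constructed assumptions, not the tools' actual scanning logic.

```python
# Added example (not wannakey/wanakiwi code): if an RSA prime survives in process
# memory after CryptReleaseContext, finding it is enough to rebuild the private key.

def prime_byte_len(n: int) -> int:
    """Byte length of one prime for a modulus n built from two equal-size primes."""
    return (n.bit_length() // 2 + 7) // 8

def find_prime_factor(mem: bytes, n: int):
    """Slide a prime-sized window over a memory buffer and return the first value
    that non-trivially divides n. Both byte orders are tried because the
    in-memory layout is an assumption in this example, not a documented fact."""
    width = prime_byte_len(n)
    for off in range(len(mem) - width + 1):
        chunk = mem[off:off + width]
        for order in ("little", "big"):
            cand = int.from_bytes(chunk, order)
            if 1 < cand < n and n % cand == 0:
                return cand
    return None

def rebuild_private_key(n: int, e: int, p: int) -> dict:
    """Derive the RSA private key, including CRT parameters, from n, e and one prime."""
    q = n // p
    assert p * q == n, "p does not divide n"
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return {"n": n, "e": e, "p": p, "q": q, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1), "iqmp": pow(q, -1, p)}

# Constructed demo: toy primes and a fake memory buffer with p embedded little-endian.
DEMO_P, DEMO_Q, DEMO_E = 65521, 65519, 65537
DEMO_N = DEMO_P * DEMO_Q
DEMO_MEM = (b"\x10\x32\x54\x76\x98\xba\xdc\xfe"      # unrelated bytes
            + DEMO_P.to_bytes(2, "little")          # the leftover prime
            + b"\x00\x00\x41\x42")

def demo_roundtrip(message: int = 0x1234) -> bool:
    """Recover p from the buffer, rebuild the key, and check decryption works."""
    p = find_prime_factor(DEMO_MEM, DEMO_N)
    key = rebuild_private_key(DEMO_N, DEMO_E, p)
    c = pow(message, DEMO_E, DEMO_N)
    return pow(c, key["d"], DEMO_N) == message

if __name__ == "__main__":
    print("recovered prime:", find_prime_factor(DEMO_MEM, DEMO_N))
    print("round trip ok:", demo_roundtrip())
```

The same scan on a real 2048-bit modulus uses 128-byte windows; the only change is reading the modulus from the victim's public key instead of the constructed one.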
Nemo Posted May 19, 2017 Hopefully now everyone can get over this, I'm sick of hearing of it. lol
Techlord Posted May 19, 2017 Posted May 19, 2017 (edited) I'd already posted this last night (12 hours ago as of this post) on a couple of other forums but forgot to update this thread at that time... Yes, the link by smilingwolf to the tool is correct. Read the full article : (Clickable hyperlnks below) Quote WannaCry — Decrypting files with WanaKiwi + Demos Read More: Part 1 — Part 2 — Part 3 — Part 4 In Short DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*! *ASAP because prime numbers may be over written in memory after a while. Usage You just need to download the tool and run it on the infected machine. Default settings should work. Usage: wanakiwi.exe <PID> - PID (Process Id) is an optional parameter. By default, wanakiwi automatically looks for wnry.exe or wcry.exe processes so this parameter should not be required. But in case, the main process has a different name this parameter can be used as an input parameter. Edited May 19, 2017 by Techlord
whoknows Posted May 22, 2017 Stellar Data Recovery on Friday claimed it has cracked the ransomware at its R&D labs and is currently working on five cases from India. http://www.business-standard.com/article/current-affairs/stellar-cracks-wannacry-attack-works-on-5-indian-cases-to-recover-data-117051900643_1.html aka https://www.stellarinfo.com/
kao Posted May 22, 2017 @whoknows: right... when was the last time an Indian IT company lived up to its claims? Here's the blogpost they did: https://www.stellarinfo.com/blog/recover-files-infected-by-wannacry-ransomware-attack-stellar-phoenix/ - in short, purchase their super-duper data recovery tool and hope there's an older copy of the file located on some unused sectors of the HDD. /facepalm
whoknows Posted May 22, 2017 Stellar Phoenix Windows Data Recovery Professional 7.0.0.0 DC 17.05.2017-UZ1 is out.
Nemo Posted May 26, 2017 It was patched in March ffs, why do people even have this trouble 2 months later... lol
mrexodia Posted May 26, 2017 1 hour ago, Nemo said: It was patched in March ffs, why do people even have this trouble 2 months later... lol They didn't use Windows 10.