Tuts 4 You

WannaCrypt, WannaCry, WanaCrypt0r, WCrypt...


Teddy Rogers


On Wednesday, 17 May, 2017 at 6:44 AM, Teddy Rogers said:

If you're not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt

Not only sick and tired of getting calls from clients regarding this, but the name of this malware "WannaCry" makes it all the more irritating. ;)

It looks as if both the name and the worm were created by a couple of adolescent script-kiddies who just got their hands on the leaked ShadowBrokers exploits from last month!

Am pretty sure that after a few days it'd be revealed that all this was the doing of a bunch of teenage script kiddies!

6 hours ago, Techlord said:

It looks as if both the name and the worm were created by a couple of adolescent script-kiddies who just got their hands on the leaked ShadowBrokers exploits from last month!

Mmmm, I don't think he's (they're) really script-kiddies, since if you notice they use the proper crypto system (symmetric and asymmetric encryption, aka hybrid encryption) to make it as efficient as possible... script-kiddies don't know too much about cryptography ;)

1 hour ago, Alzri2 said:

Mmmm, I don't think he's (they're) really script-kiddies, since if you notice they use the proper crypto system (symmetric and asymmetric encryption, aka hybrid encryption) to make it as efficient as possible... script-kiddies don't know too much about cryptography ;)

No my friend... They used only THREE bitcoin addresses for their ransom bitcoins to be sent to, for example..

And they made several other such blunders which only those who are highly inexperienced would do. Nowadays it's very easy to cut and paste all the crypto code from any of the several sites available! Some of these guys even resort to asking for snippets of code on serious programming forums...


Well, apparently if you are quick enough you can use a new tool called wanakiwi to extract the decryption key from memory, as long as the machine wasn't rebooted..

Teddy Rogers
4 hours ago, Nemo said:

Well, apparently if you are quick enough you can use a new tool called wanakiwi to extract the decryption key from memory, as long as the machine wasn't rebooted..

You must be referring to this...

Quote

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, from what I've tested, under Windows 10 CryptReleaseContext does clean up the memory (and so this recovery technique won't work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this for this function: "After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs." So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory.

That's what this software tries to achieve.

https://github.com/aguinet/wannakey

Ted.

SmilingWolf

Or to this:

Quote

This utility allows machines infected by the WannaCry ransomware to recover their files.

The original method is based on Adrien Guinet's wannakey (https://github.com/aguinet/wannakey), which consists of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext().

Adrien's method was originally described as only valid for Windows XP, but we have proven this can be extended to Windows 7.

Wanakiwi is based on the above method and Wanadecrypt, which makes it possible for lucky users to:

  • Recover the private user key in memory to save it as 00000000.dky
  • Decrypt all of their files

https://github.com/gentilkiwi/wanakiwi

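As an added illustration of the recovery idea both READMEs above describe (this is not wannakey's or wanakiwi's own code), the Python below scans a constructed stand-in for process memory for a little-endian integer that divides the public modulus, then rebuilds the RSA private exponent from it. The key, the dump layout and the 4-byte prime size are constructed for the demo; a real WannaCry key is 2048-bit RSA, and whether the primes are still present depends on the memory not having been reused, as the READMEs warn.

```python
# Added toy of the wannakey/wanakiwi idea; not the tools' own code.
# Constructed demo key: two 32-bit primes. Real WannaCry keys are 2048-bit RSA,
# so PRIME_BYTES would be 128 and the scan correspondingly slower.
P_DEMO, Q_DEMO, E = 4294967291, 4294967279, 65537
N_DEMO = P_DEMO * Q_DEMO
PRIME_BYTES = 4


def build_fake_dump(leak_primes=True):
    """Constructed stand-in for the wcry.exe process memory.

    CryptoAPI keeps RSA components as little-endian integers, so the
    primes are laid out that way between filler bytes. With
    leak_primes=False the region has been reused (reboot, reallocation)
    and nothing is left to find: the 'unlucky' case the README describes.
    """
    filler = bytes(range(7, 200, 3)) * 3
    if leak_primes:
        body = (P_DEMO.to_bytes(PRIME_BYTES, "little") + b"\xaa" * 5
                + Q_DEMO.to_bytes(PRIME_BYTES, "little"))
    else:
        body = b"\x00" * 13
    return filler + body + filler


def scan_for_factor(dump, n, prime_bytes):
    """Slide a window over the dump; the only values below n that divide a
    two-prime modulus are its primes, so a hit identifies p (or q).
    Returns (offset, prime) or None."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if 1 < cand < n and cand % 2 == 1 and n % cand == 0:
            return off, cand
    return None


def recover_private_exponent(dump, n, e, prime_bytes):
    """From one recovered prime, derive the other and the RSA private
    exponent d. (wanakiwi writes a full CryptoAPI private key blob as
    00000000.dky; this toy stops at d.)"""
    hit = scan_for_factor(dump, n, prime_bytes)
    if hit is None:
        return None
    p = hit[1]
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def roundtrip(m, n, e, d):
    """Encrypt with the public key, decrypt with the recovered d."""
    return pow(pow(m, e, n), d, n)
```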

I'd already posted this last night (12 hours ago as of this post) on a couple of other forums but forgot to update this thread at that time...

Yes, the link by SmilingWolf to the tool is correct.

Read the full article: (Clickable hyperlinks below)

Quote


WannaCry — Decrypting files with WanaKiwi + Demos

Read More: Part 1 — Part 2 — Part 3 — Part 4

In Short

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because prime numbers may be over written in memory after a while.

Usage

You just need to download the tool and run it on the infected machine. Default settings should work.

Usage: wanakiwi.exe <PID>
- PID (Process Id) is an optional parameter. By default, wanakiwi automatically looks for wnry.exe or wcry.exe processes, so this parameter should not be required. But in case the main process has a different name, this parameter can be used as an input parameter.


Stellar Data Recovery on Friday claimed it has cracked the ransomware at its R&D labs and is currently working on five cases from India.

http://www.business-standard.com/article/current-affairs/stellar-cracks-wannacry-attack-works-on-5-indian-cases-to-recover-data-117051900643_1.html
aka
https://www.stellarinfo.com/

1 hour ago, Nemo said:

It was patched in march ffs why do people even have this trouble 2 months later.. lol

They didn't use Windows 10.
