Slashdot Mirror


Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday. Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns. "This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"

60 comments

  1. Confused by Anonymous Coward · · Score: 0

    The summary indicates that the technique decrypts computers affected by wannacry, but then later says this is not the case as XP machines were not affected by wannacry. To be blunt, what the hell is going on?!?

    1. Re:Confused by sexconker · · Score: 2

      The summary indicates that the technique decrypts computers affected by wannacry, but then later says this is not the case as XP machines were not affected by wannacry. To be blunt, what the hell is going on?!?

      To be blunt, BeauHD.

    2. Re:Confused by Anonymous Coward · · Score: 0

      All OS from XP up to Win10 were vulnerable to WannaCry. XP was not affected, probably airgapped. If XP is just 8% of total market share on the planet, there's a huge chance that WannaCry only affected Win7, Win8, Win10 machines.

  2. Sadly... by Anonymous Coward · · Score: 5, Funny

    After you decrypt, you're left with a Windows XP system.

    1. Re:Sadly... by Anonymous Coward · · Score: 0

      Just install Linux and use this website as a screensaver, no one will notice... http://fakeupdate.net/xp/index...

    2. Re:Sadly... by PolygamousRanchKid+ · · Score: 2

      After you decrypt, you're left with a Windows XP system.

      Hey, a decryptor that could turn Windows 10 systems into Windows 7 systems would actually be quite useful!

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Sadly... by DigiShaman · · Score: 1

      No, assuming the malware isn't still actively chewing on data to encrypt, in theory, you could just copy the recovered/decrypted files to an external target (Share, USB, Online web-based dropbox...etc). Then, and only then do you shitbox the computer and burn it to the ground. What's important is the data, not the infected PC at that point!

      --
      Life is not for the lazy.
    4. Re:Sadly... by Anonymous Coward · · Score: 1

      Just install Linux

      Let's not go installing malware here.

    5. Re: Sadly... by Anonymous Coward · · Score: 1

      Malware? SRSLY stop it with the fan boi shit. Linux is not installed BTW, you freaking sacrifice a goat, eat a waffle, have sex with a pony then compile your toolchain.

    6. Re: Sadly... by Anonymous Coward · · Score: 0

      Male or female pony?

    7. Re:Sadly... by Anonymous Coward · · Score: 1

      Sad, but nevertheless happier than a windows 10 system.

    8. Re: Sadly... by Anonymous Coward · · Score: 0

      Raging stallion obviously.

    9. Re:Sadly... by Anonymous Coward · · Score: 1

      The windows UI hasn't improved since xp anyway. In fact in some ways it's gone backwards: eg settings are now strewn randomly all over the joint rather than contained nicely in the control panel, the start menu has gone from well organised to a complete mess, design consistency has gone out the window and let's not even start on the whole tile eyesore. I guess the graphics are a bit purdier in a big and bulky sort of way but who gives a sh*t about that?

      If I could buy a supported version of xp with updated security I would "downgrade" in a heartbeat.

    10. Re:Sadly... by fahrbot-bot · · Score: 1

      After you decrypt, you're left with a Windows XP system.

      Could be worse. Instead of encrypting your files, just think if the ransomware threatened to upgrade your system to Windows 10 if you didn't pay. (At least Microsoft tried molesting your system for free...)

      --
      It must have been something you assimilated. . . .
    11. Re:Sadly... by spongman · · Score: 1

      doh!

  3. I've already developed a fix by Anonymous Coward · · Score: 1

    Kill the VM and start a fresh one.

  4. Summary by Anonymous Coward · · Score: 5, Informative

    1. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally).
    2. This hack-fix works because XP doesn't wipe the key generation details out of memory. p and q can often be found by searching all memory. You then regenerate the key with p and q, like magic. If you reboot, memory is wiped and it's too late.
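
The recovery the comment above (and comment 18 below) describes, as an added Python sketch that is not Wannakey's own code: a keypair is generated, p and q are left lying in a constructed stand-in for process memory, and the private key is rebuilt from whichever prime the scan finds, or the scan reports no luck. Prime size, buffer size, offsets, seed and plaintext are all constructed; it needs Python 3.8+ for pow(x, -1, m).

```python
from math import gcd
import random

E = 65537        # RSA public exponent
PRIME_BYTES = 8  # constructed: toy 64-bit primes (real WCry keys use 1024-bit ones)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, so for our 64-bit values."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a >= n:
            return True  # base 2 alone is conclusive for n < 2047
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(rng, nbits):
    while True:  # random odd candidate with the top bit set, usable with exponent E
        cand = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
        if is_probable_prime(cand) and gcd(E, cand - 1) == 1:
            return cand

def build_toy_memory(rng, p, q):
    mem = bytearray(rng.getrandbits(8) for _ in range(4096))  # constructed filler "memory"
    mem[1000:1000 + PRIME_BYTES] = p.to_bytes(PRIME_BYTES, "little")  # p not wiped, as the comment says of XP
    mem[3000:3000 + PRIME_BYTES] = q.to_bytes(PRIME_BYTES, "little")
    return bytes(mem)

def find_factor(mem, n):
    """Scan every byte offset for a little-endian word that is prime and divides n."""
    for off in range(len(mem) - PRIME_BYTES + 1):
        cand = int.from_bytes(mem[off:off + PRIME_BYTES], "little")
        if cand > 1 and n % cand == 0 and is_probable_prime(cand):
            return cand
    return None  # prime already overwritten (or the box was rebooted): no luck

def rebuild_private_key(n, e, p):
    q = n // p  # one recovered prime gives the other, then the full CRT private key
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def crt_decrypt(key, c):
    m1, m2 = pow(c, key["dp"], key["p"]), pow(c, key["dq"], key["q"])
    return m2 + ((key["qinv"] * (m1 - m2)) % key["p"]) * key["q"]

def demo(seed=1234, plaintext=0xC0FFEE):
    rng = random.Random(seed)  # fixed seed: reproducible keypair and filler
    p, q = gen_prime(rng, 8 * PRIME_BYTES), gen_prime(rng, 8 * PRIME_BYTES)
    n = p * q
    found = find_factor(build_toy_memory(rng, p, q), n)  # only n is known to the victim
    if found is None:
        return None
    return crt_decrypt(rebuild_private_key(n, E, found), pow(plaintext, E, n)) == plaintext
```

demo() returns True when the scan finds a prime and the rebuilt key round-trips a ciphertext, and None when nothing usable is left in the buffer.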

    1. Re:Summary by WallyL · · Score: 1

      Hm, so you're saying a flaw in XP (doesn't wipe details out of memory) can help undo an exploited flaw?

    2. Re:Summary by marcansoft · · Score: 1

      WannaCry exploits Windows XP's poor security and then uses security against the user, which is then defeated by, again, Windows XP's poor security.

      It's security fail all the way down.

  5. Huh? by Anonymous Coward · · Score: 1

    Windows XP computers weren't affected by last week's major outbreak of WCry

    Huh? I thought the NHS got hit so hard precisely because they still have lots of XP?

    1. Re:Huh? by Anonymous Coward · · Score: 1

      THEY OPENS FISH EMAIL

    2. Re:Huh? by Anonymous Coward · · Score: 4, Informative

      No. They got hit hard because many sites don't patch things.

      Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

      A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

    3. Re:Huh? by sexconker · · Score: 2, Informative

      No. They got hit hard because many sites don't patch things.

      Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

      A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

      I used to manage WSUS, and still do but via SCCM. You do not need suggestive quotation marks when referring to WSUS issues. Shit is unreliable.

    4. Re:Huh? by Anonymous Coward · · Score: 0

      Already mentioned by UK NHS that XP is only around 5% of their total endpoints. 95% are modern versions which are probably affected. NHS clarified that their XP machines were not affected (maybe air-gapped)?

  6. Make sure you get permission first by Anonymous Coward · · Score: 0, Troll

    If any of the files you're storing are copyrighted, make sure you have authorization to decrypt them before you violate DMCA. Circumvention is a serious crime.

  7. Easy to prevent via patches/workarounds by Anonymous Coward · · Score: 4, Informative

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    * Per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).

    Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

    1. Re: Easy to prevent via patches/workarounds by khandom08 · · Score: 1

      Mod parent up. This is not a "normal" APK rant.

    2. Re:Easy to prevent via patches/workarounds by Anonymous Coward · · Score: 0

      Isn't non-networked already protected?

    3. Re:Easy to prevent via patches/workarounds by Anonymous Coward · · Score: 0

      > They're just wastes with a single PC really.

      Sure, until your buddy comes over and wants to share a file with you. Then you have to remember what the fuck the name of all that stuff that you disabled was. Good luck with that!

    4. Re: Easy to prevent via patches/workarounds by Anonymous Coward · · Score: 0

      Hey! Aren't you that guy who keeps trying to tell everyone that HOSTS files solve all Internet security problems? What happened to that?

    5. Re:Easy to prevent via patches/workarounds by thegarbz · · Score: 2

      Trump President
      UK leaving the EU

      and now APK +5 informative.

      I've seen it all.

  8. Well done sir. by JamesKeane7745 · · Score: 5, Insightful

    Why is everyone so down on this?

    Yes, it only works on limited OS install numbers
    Yes, you have to be lucky

    But someone has devoted his time and effort to find a way to rollback some of the damage cause by a major bit of malware. It may only be for a small subset, but he has published the code (we're all for that here, right?) so maybe it may inspire someone else, with a knowledge of memory allocation and cleanup on a different target platform, who may then have a light bulb moment!

    Try cracking a smile once in a while, not everything needs a scowl.

    1. Re:Well done sir. by Anonymous Coward · · Score: 0

      What does Windows do with hibernation files after the system has been brought out of hibernation and rebooted. Is the old hibernation file still there? Could a system encrypted by WannaCrypt that has been hibernated, restored, and rebooted, be decrypted by searching the hibernation file for the key?

    2. Re:Well done sir. by gweihir · · Score: 1

      It is also a pretty neat implementation error. I am going to use this in my security lecture this year as an example of how to mess up key handling and why not to trust the OS API (unless you are sure it is good).

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Well done sir. by toonces33 · · Score: 0

      I wonder if it also works on Server 2003.

    4. Re:Well done sir. by Anonymous Coward · · Score: 0

      Server 2003 may be based on XP but the attack vector is probably a bit different. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally). Most machines running Server 2003 probably won't have an email client installed on them so it's far less likely for this situation to occur.

    5. Re:Well done sir. by Anonymous Coward · · Score: 0

      You should also mention that they SHOULD NOT roll their own crypto. It's more a case of "Read the documentation, Implementation advice, Third-party lists of gotchas, ...

      Even the NSA has guidelines for its Malware Division to simply rely on the Crypto API, as it is "Good enough" and does not betray the malware source via suspicious identifiable crypto.

    6. Re:Well done sir. by Anonymous Coward · · Score: 0

      Sure, but he was wondering if it would work, not if it is needed.

    7. Re:Well done sir. by gweihir · · Score: 1

      That one is tricky. There are situations where you have to do it yourself to get the required trust-level. Of course, that does _not_ include designing the actual crypto algorithm, only a few people on this planet can do that at this time. But from your own example, you can see that even "what the NSA does" may not be good enough. (I know a few people that used to do work for the NSA. These people are only cooking with water, same as everybody else. Of course, they have a lot of water at their disposal, but they are human and they make mistakes. Also, the NSA is not an attractive employer for the best and brightest, they only get the second league players.) But of course, this is very advanced, and students must know that they will need decades of experience if they are ever to be able to do this at all. That is why so much time is spent on attacks in a good security lecture: The students must get an intuition what can fail and what they are up against. Same as any good engineering lecture.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. "QED" baby... apk by Anonymous Coward · · Score: 0

    See subject: THUS https://yro.slashdot.org/comments.pl?sid=10630231&cid=54445383/ it has been proven & it works.

    * Credits to MS & ME/'yours truly' from a long LONG time ago (but not a galaxy far away).

    APK

    P.S.=> Thank you: It's the thought that counts + you got your wish granted (bonus!!!).. apk

  10. I looked below by Anonymous Coward · · Score: 0

    All i found were some comments.

  11. Game changer by Anonymous Coward · · Score: 0

    Excellent. This is the kind of research that will help 3's or 4's of people everywhere!

  12. Did you try rebooting? by Anonymous Coward · · Score: 0

    "In order to work, your computer must not have been rebooted after being infected."

    And the number of XP users infected with WannaCrypt who didn't immediately try rebooting in the hope it would all just go away is....

  13. You need glasses then... apk by Anonymous Coward · · Score: 0
    1. Re:You need glasses then... apk by thegarbz · · Score: 1

      Wow. The fact that you keep a list of your AC posts that got modded up actually blew my mind.

    2. Re: You need glasses then... apk by Anonymous Coward · · Score: 0

      You mad cause he schooled you?

  14. It's 3 things but there's other ways by Anonymous Coward · · Score: 0

    See subject: You could always Email a file to a pal easily. You can FTP a file easily. You could do it via removable media easily. You could IRC DCC a file to him easily, etc. - et al (& the list goes on). You can restart those 3 services easily.

    APK

    P.S.=> I can't believe you don't know those options & yes, they are REAL + EASY alternative methods... apk

    1. Re:It's 3 things but there's other ways by Anonymous Coward · · Score: 0

      P.S.=> I can't believe you don't know those options

      REALLY??? I mean... REALLY???

  15. Not same (no LAN != non-networked) by Anonymous Coward · · Score: 0

    See subject & no home LAN != non-networked - you STILL connect to the internet as networked (I go PURE TCP/IP & it has bennies - shorter packet trains (no 'sandwiched in NetBIOS' etc - et al, which IS how it works inside IP post NT 4.0 - lanman used to be MS' PRIMARY network protocol but the internet CHANGED IT ALL for them too & of course, what I noted too (less CPU/RAM/other I-O)).

    * Neat part? I discovered that while using my security guide (which IS geared to single system users & warns networked folks @ home or work to STEER CLEAR of certain parts) I could use HUGE tracts of it @ work (including no NetBIOS over TCP/IP or Client for MS Networks I note in my original post in your network connection))?? I was INVISIBLE @ work on LANS there on many jobs - YET I could access all things on the network for the most part & get online etc. NO PROBLEM!

    APK

    P.S.=> It hurt me once when the network WAN admin pushed an update & also when he "rescoped" the WAN - I had to use an NT Recovery diskette to get back online again (came up w/ the idea quick & glad I made one for my workstation) but other than those 2 puny "mishaps" (which don't occur often really)??

    For 4++ yrs. on a couple jobs everyone was like "Why can't I see your system on the LAN/WAN?" - I said (lol) because:

    "DEUS EX MACHINA" ( I am TRULY, the "ghost in the machine" )... apk

  16. Re:I never say "hosts cure all" by Anonymous Coward · · Score: 0

    . Show us where I said "hosts cure all", ok? You can't. I never have.

    You just did. In the parent post.

    Now give me my prize.

  17. Selectively & only partially quoting me? by Anonymous Coward · · Score: 0

    See subject: GROW UP (partially selectively quoting me but not putting out the full context of what I said? Give us a break you UNIDENTIFIABLE trolling little immature pest).

    APK

    P.S.=> Unbelievable... apk

    1. Re: Selectively & only partially quoting me? by Anonymous Coward · · Score: 0

      Ohhhhh my days mate why do you do this? Your life would make a fascinating film about mental health. Don't let your personality issues get in the way of communicating

  18. sounds like the private key is in memory by Anonymous Coward · · Score: 0

    Sounds like this guy figured out wannacry generates the key pair on the infected machine, and he's potentially pulling the private key out of memory. Once the computer is rebooted, it's unlikely you'll be able to retrieve it at that point.

  19. Hahaha - U.R. another "SiDeWaLk-ShRiNk of /." by Anonymous Coward · · Score: 0

    See subject: You're a wannabe "SiDeWaLk-ShRiNk of /." complete w/ DELUSIONS of grandeur thinking you're qualified to judge anyone's mental condition (you're a stalking whacko fool), lmao - I can't put it any plainer than that!

    I don't need an actual FORMAL mental examination (that YOU DO making libelous statements about myself & you DON'T have one):

    Especially to make that plainly obvious judgement about YOU or "your kind"!

    What is "your kind"? Ok - UNIDENTIFIABLE skulking anonymous troll worms that are so F'd up mentally they PROJECT their own 'issues' onto others as you just tried w/ me giving it away lol!

    * Don't play poker - you're easier to read than a book... & you KNOW it.

    (I pity you)

    APK

    P.S.=> Above all else? Leave me alone, stalker-whacko-psycho... apk

  20. I never say "hosts cure all" asshole by Anonymous Coward · · Score: 0

    See subject: Don't put words in my mouth I never said. Show us where I said "hosts cure everything", ok? You can't. I never have.

    In fact, I've ADMITTED, & in a +5 INFORMATIVE RATED POST, a thing hosts CANNOT STOP (BGP exploit) before http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450/ SO EAT YOUR WORDS FUCKER!

    Thus PROVING YOU WRONG w/ concrete, undeniable & VERIFIABLE proof!

    (Clue - NOTHING stops everything but hosts do far more for far less natively vs. any other SINGLE "so-called 'solution'" out there)

    LASTLY I SEE YOU TRIED TO "DOWNMOD HIDE" YOUR FAIL, attempting to 'hide' this post w/ abused downmods last time I posted it https://yro.slashdot.org/comments.pl?sid=10630231&cid=54447647/ you pitiful loser!

    APK

    P.S.=> I told you this already this week here https://yro.slashdot.org/comments.pl?sid=10610229&cid=54420023/ - so go away & quit stalking me via UNIDENTIFIABLE anonymous posts you loony weirdo! apk