Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom

An anonymous reader quotes a report from Ars Technica: Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday. Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns. "This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"

Summary

1. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally).
2. This hack-fix works because XP doesn't wipe they key generation details out of memory. p and q can often be found by searching all memory. You then regenerate the key with p and q, like magic. If you reboot, memory is wiped and it's too late.

Easy to prevent via patches/workarounds

From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

Disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Enable SMBv2 on the SMB server, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

---

Disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Enable SMBv2 & SMBv3 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

* Per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

APK

P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.

I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).

Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

Re:Huh?

No. They got hit hard because many sites don't patch things.

Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

Re:Huh?

[sexconker]

No. They got hit hard because many sites don't patch things.

Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

I used to manage WSUS, and still do but via SCCM. You do not need suggestive quotation marks when referring to WSUS issues. Shit is unreliable.