Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom (arstechnica.com)

Posted by BeauHD on from the fingeres-crossed dept.

An anonymous reader quotes a report from Ars Technica: Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday. Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns. "This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"

9 of 60 comments (clear)

  1. Sadly... by Anonymous Coward · · Score: 5, Funny

    After you decrypt, you're left with a Windows XP system.

    1. Re:Sadly... by PolygamousRanchKid+ · · Score: 2

      After you decrypt, you're left with a Windows XP system.

      Hey, a decryptor that could turn Windows 10 systems into Windows 7 systems would actually be quite useful!

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  2. Summary by Anonymous Coward · · Score: 5, Informative

    1. XP computers aren't infected via LAN spread, but you can click on the email and infect yourself manually (accidentally).
    2. This hack-fix works because XP doesn't wipe they key generation details out of memory. p and q can often be found by searching all memory. You then regenerate the key with p and q, like magic. If you reboot, memory is wiped and it's too late.

  3. Easy to prevent via patches/workarounds by Anonymous Coward · · Score: 4, Informative

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SMB server, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SMB server, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    * Per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN) just turn off Server & Workstation services. It shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time.

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" ala https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)).

    Of course, don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru as well (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

    1. Re:Easy to prevent via patches/workarounds by thegarbz · · Score: 2

      Trump President
      UK leaving the EU

      and now APK +5 informative.

      I've seen it all.

  4. Well done sir. by JamesKeane7745 · · Score: 5, Insightful

    Why is everyone so down on this?

    Yes, it only works on limited OS install numbers
    Yes, you have to be lucky

    But someone has devoted his time and effort to find a way to rollback some of the damage cause by a major bit of malware. It may only be for a small subset, but he has published the code (we're all for that here, right?) so maybe it may inspire someone else, with a knowledge of memory allocation and cleanup on a different target platform, who may then have a light bulb moment!

    Try cracking a smile once in a while, not everything needs a scowl.

  5. Re:Huh? by Anonymous Coward · · Score: 4, Informative

    No. They got hit hard because many sites don't patch things.

    Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

    A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

  6. Re:Confused by sexconker · · Score: 2

    The summary indicates that the technique decrypts computers affected by wannacry, but then later says this is not the case as XP machines were not affected by wannacry. To be blunt, what the hell is going on?!?

    To be blunt, BeauHD.

  7. Re:Huh? by sexconker · · Score: 2, Informative

    No. They got hit hard because many sites don't patch things.

    Our IT department (at an NHS hospital) have been busy all week patching PCs - in some cases, techs were going around with USB keys, because there were "WSUS issues" which prevented the patches being deployed remotely.

    A variety of IT contractors (who supply software as a service on co-located servers) have also been running around. One of the IT contractors admitted to me, that he had just patched a server (owned and managed by the software vendor but sited at the hospital) that was running windows 2012 with absolutely no patches installed. It had been misconfigured 5 years ago, and never received a single update, and no one ever checked on it.

    I used to manage WSUS, and still do but via SCCM. You do not need suggestive quotation marks when referring to WSUS issues. Shit is unreliable.