Slashdot Mirror


French Researchers Find Last-ditch Cure To Unlock WannaCry Files (reuters.com)

French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims' computers first infected a week ago. From a report: WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection. A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed. The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently. Also see: Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom.

36 comments

  1. A different decryption from the other decryption? by Geoffrey.landis · · Score: 1

    what about this one? https://yro.slashdot.org/story...

    --
    http://www.geoffreylandis.com
  2. MAXIMUM LOLS by Anonymous Coward · · Score: 0

    american pig dog

  3. Side note by 93+Escort+Wagon · · Score: 2, Insightful

    From TFA:

    "This is not a perfect solution," Suiche said. "But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups"

    If an "enterprise" didn't already have a backup solution in place, their CIO - and relevant members of their IT staff - should be fired.

    --
    #DeleteChrome
    1. Re:Side note by Anonymous Coward · · Score: 0

      Replying as AC here for obvious reasons, but in my experience with enterprise clients the issue is often not that no backups are done at all, but that they rarely allocate time to try a restore from those backups. A backup is only good if proven to successfully restore from.

      The two scenarios I've seen that cause the most concern are, first, that the configuration of the server in question may be non-trivial, and some of the configuration does not restore properly. In that case you still have the customer data, but it may not be accessible, or accessible but with poorly understood performance issues. Vendor support or developer/consultant support or knowledge may have disappeared over time, especially with specialised installations / customisation.

      The second is where the customer data consists of closely connected files or databases. It may not be possible to restore all the required files from different backup sets, even if you have all the journals.

      Disaster recovery exercises and maintenance windows are the two hardest things to argue for in a budget from what I've learnt.
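      An added example of the restore test the comment above calls for, written for this page and not from the commenter or any vendor tool: it builds a small constructed data set, backs it up with Compress-Archive, restores it to a scratch folder and compares SHA-256 hashes of every file so that a missing, extra or altered file fails the check. The paths under $env:TEMP, the file names and the zip-based backup are assumptions; a real exercise would point the same comparison at the organisation's own backup product and its restore target. Compress-Archive and Expand-Archive need PowerShell 5.0 or later.

```powershell
# Added example: prove a backup by restoring it and comparing file hashes.
# Not the commenter's code; sample data, paths and the zip format are assumptions.
$Source  = Join-Path $env:TEMP 'restore-test\source'
$Archive = Join-Path $env:TEMP 'restore-test\backup.zip'
$Restore = Join-Path $env:TEMP 'restore-test\restored'

function New-SampleData {
    # Constructed stand-in for "customer data": a config file plus nested data files.
    Remove-Item -Path (Split-Path $Source) -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path (Join-Path $Source 'db') -Force | Out-Null
    Set-Content -Path (Join-Path $Source 'app.config') -Value 'ConnectionString=Server=db01;Database=orders'
    Set-Content -Path (Join-Path $Source 'db\orders.dat') -Value ('order,' + (1..1000 -join ','))
    Set-Content -Path (Join-Path $Source 'db\journal.log') -Value 'txn 1 commit'
}

function Get-TreeHashes([string]$Root) {
    # Map of relative path -> SHA-256 so two trees can be compared as sets.
    # Get-Item yields the full long path even if $env:TEMP is an 8.3 short name.
    $rootFull = (Get-Item -Path $Root).FullName
    $map = @{}
    Get-ChildItem -Path $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $map
}

function Test-BackupRestore {
    # Returns $true only when every source file restores byte-for-byte and
    # the restored tree contains nothing missing and nothing extra.
    New-SampleData
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Archive -Force
    Remove-Item -Path $Restore -Recurse -Force -ErrorAction SilentlyContinue
    Expand-Archive -Path $Archive -DestinationPath $Restore -Force

    $want = Get-TreeHashes $Source
    $got  = Get-TreeHashes $Restore
    $problems = @()
    foreach ($k in $want.Keys) {
        if (-not $got.ContainsKey($k))   { $problems += "missing after restore: $k" }
        elseif ($got[$k] -ne $want[$k]) { $problems += "content differs: $k" }
    }
    foreach ($k in $got.Keys) {
        if (-not $want.ContainsKey($k)) { $problems += "unexpected file: $k" }
    }
    $problems | ForEach-Object { Write-Warning $_ }
    $problems.Count -eq 0
}

$ok = Test-BackupRestore
Write-Host ('Restore test ' + $(if ($ok) { 'PASSED' } else { 'FAILED' }))
```

      The hash comparison is the part worth keeping: a restore that "completes" but drops a journal file or silently truncates a data file is exactly the closely-connected-files failure the comment describes, and a checksum set over the whole tree catches it where a directory listing would not.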

  4. Re:French? by Jzanu · · Score: 4, Interesting

    No, I'm afraid this is an instance of the Americans surrendering and the French fighting. In other words, this reflects more of reality as America fails at not just its international obligations but even its intra-national ones. In contrast France actively fights terrorist groups in Mali and Niger so that they don't link in Nigeria and create a greater problem for the western world.

    Topically, this is a sign of the strength of the French university system superseding the American system in one of the most important fields for future security.

  5. You have to be kidding. by Anonymous Coward · · Score: 0, Troll

    "If computers had not been rebooted since becoming infected" -- It's a Windows computer. It's been rebooted LOTS of times, if just to install the Windows Updates pushed out by Microsoft.

    They are toast.

  6. Re:A different decryption from the other decryption by lorinc · · Score: 1

    what about this one? https://yro.slashdot.org/story...

    This one is a backup in case the first one gets encrypted!

    More to the point: the old method worked only for WinXP, this one also for Win7.

  7. Protect yourself vs. WanaCry easily by Anonymous Coward · · Score: 1

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk
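    An added PowerShell script that audits the SMBv1 settings listed in the comment above and, with -Remediate, applies the same registry values and sc.exe commands. It is not the poster's code and not from the Microsoft KB the comment cites; it assumes an elevated session on Windows 7 / Server 2008 R2 or newer with PowerShell 3+ (Get-CimInstance), and reads the client redirector drivers through Win32_SystemDriver because Get-Service does not list kernel drivers. The LanmanWorkstation DependOnService value is the multi-string behind the comment's "depend=" switch.

```powershell
# Added example: audit (and optionally apply) the SMBv1 server/client settings from the
# comment above. Not the commenter's or Microsoft's code; assumes an elevated session
# on Windows 7 / Server 2008 R2 or later with PowerShell 3+.
[CmdletBinding()]
param([switch]$Remediate)

$ServerParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WorkstationSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Get-SmbServerState {
    # SMB1 / SMB2 under LanmanServer\Parameters; an absent value means the default, 1 = Enabled.
    $p = Get-ItemProperty -Path $ServerParams -ErrorAction SilentlyContinue
    $smb1 = 1; if ($null -ne $p.SMB1) { $smb1 = [int]$p.SMB1 }
    $smb2 = 1; if ($null -ne $p.SMB2) { $smb2 = [int]$p.SMB2 }
    [pscustomobject]@{ SMB1 = $smb1; SMB2 = $smb2 }
}

function Get-SmbClientState {
    # mrxsmb10 is the SMBv1 redirector driver, mrxsmb20 the SMBv2/v3 one. Both are kernel
    # drivers, so they are read via Win32_SystemDriver rather than Get-Service.
    $drivers = foreach ($n in 'mrxsmb10', 'mrxsmb20') {
        $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$n'"
        $mode = 'missing'; if ($d) { $mode = $d.StartMode }
        [pscustomobject]@{ Driver = $n; StartMode = $mode }
    }
    $deps = (Get-ItemProperty -Path $WorkstationSvc -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    [pscustomobject]@{ Drivers = $drivers; WorkstationDependsOn = ($deps -join '/') }
}

function Test-SmbHardened {
    # True only when the server value is 0 and the client no longer loads or depends on SMBv1.
    $srv = Get-SmbServerState
    $cli = Get-SmbClientState
    $v1  = $cli.Drivers | Where-Object Driver -eq 'mrxsmb10'
    ($srv.SMB1 -eq 0) -and ($v1.StartMode -eq 'Disabled') -and ($cli.WorkstationDependsOn -notmatch 'mrxsmb10')
}

Write-Host 'Server (LanmanServer\Parameters):'
Get-SmbServerState | Format-List
Write-Host 'Client redirector drivers:'
$client = Get-SmbClientState
$client.Drivers | Format-Table -AutoSize
Write-Host ('LanmanWorkstation depends on: ' + $client.WorkstationDependsOn)

if ($Remediate) {
    # Server side: the registry values quoted in the comment (-Force creates or overwrites).
    New-ItemProperty -Path $ServerParams -Name SMB1 -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ServerParams -Name SMB2 -Value 1 -PropertyType DWord -Force | Out-Null
    # Client side: the "disable SMBv1" sc.exe commands from the comment, unchanged.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    sc.exe config mrxsmb20 start= auto | Out-Null
    Write-Host 'Changes written; a reboot is required before they take effect.'
}

Write-Host ('SMBv1 fully disabled: ' + (Test-SmbHardened))
```

    Run it once without -Remediate to see the current state, and again after the reboot to confirm Test-SmbHardened reports True; the registry value alone is not enough if the workstation service still lists mrxsmb10 as a dependency. The comment's second sc.exe pair ("bowser/mrxsmb10/mrxsmb20/nsi") re-enables SMBv1 on the client and is deliberately not part of the remediation here.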

    1. Re: Protect yourself vs. WanaCry easily by Anonymous Coward · · Score: 0

      Oh my god go away already

  8. sure by Anonymous Coward · · Score: 0

    'if the computer hasn't been rebooted since the infection'.
    If it has been a week since infection, that has long since passed. I would say the first thing someone would do on seeing this is try to reboot. I would guess there is a flag the ransomware sets somewhere that tells it the machine has been restarted. I would say the chances of this are almost zero, knowing that most users reboot Windows anyway to 'fix' most problems, or that it is the standard desktop support answer for most problems, having been on the receiving end of support occasionally.

    1. Re:sure by mark-t · · Score: 1

      Indeed... I would liken the restriction that it only works if the machine hasn't been rebooted since infection to saying that while you can't prevent headaches, you can cure one you already have only as long as it hasn't already bothered you enough to want to do something about it.

      For all practical purposes, this "cure" is at best only applicable for people who have yet to be infected and can apply the mechanism immediately; it is about as worthless as dirt to virtually all those who have already been infected.

  9. Let's Review The Facts by NicknameUnavailable · · Score: 0, Interesting
    • It is based on SMB, which only impacts Windows machines sitting on the open internet and LANs, most commonly via someone plugging a laptop into their unsecured home network then taking it in to work or connecting via VPN.
    • It uses an NSA backdoor that was patched 2 months ago on Windows 10, but not other versions, and was itself leaked about a month ago.
    • It gives users a week to "pay" or get locked out (or have it removed otherwise.)
    • It uses only 3 bitcoin wallets and tells everyone to pay the same sum, meaning there is no way to confirm who did and did not pay, therefore there was never an intention to have any further contact with machines which may be traceable.
    • It had a backdoor to disable it by registering a nonsense domain name, which someone has since done at a security firm in the UK claiming they didn't know what it would actually do but just saw it was available.
    • The code itself was 50% NSA leak and 50% script-kiddie or H1-b tier coding that errors out doing nothing 80% of the time.

    All signs point to this being another attempt by Microsoft to get people to upgrade to Windows 10, not an actual piece of malware to produce money from the malware itself.

  10. Re:French? by Anonymous Coward · · Score: 0

    agreed

  11. Re:French? by Jzanu · · Score: 3, Informative

    I'm German you fucking idiot - go troll somewhere else. Look up, I replied to the idiocy of another poster with information from reality. If you consider that a problem then perhaps you need some mental health treatment. Reality isn't flexible, and it is what it is.

  12. This is all overblown by Anonymous Coward · · Score: 2, Interesting

    Just for kicks last weekend I put a completely unpatched Windows 10 machine, installed from a June 2016 RTM, on the Internet, 100% exposed. No NAT firewall. No Windows Firewall. No AV. No anti-malware. No nothing. Public IP. I even went so far as to enable insecure RDP and install a VNC server with NO authentication on the standard port.

    Almost a week later, there is nothing unusual happening on that machine. No unusual network traffic (almost none at all, actually). File checksums for all windows components are still the same. No new DLLs on the system. No record of anyone even connecting to the completely open and unprotected VNC server.

    I figured after the scary story about Windows machines being infected by WannaCry in MINUTES, I could have some fun with it. But no. This machine is still sitting there perfectly fine. None of the random documents I put on it have been encrypted. No signs of infection by anything.

    Sad!

    1. Re:This is all overblown by Anonymous Coward · · Score: 0

      Do infected hosts actually scan for the SMB vulnerability over the Internet or just on your LAN? I thought the latter - in which case you would need to run the attachment in the phishing email on another host on your network before that box would get compromised.

    2. Re:This is all overblown by rsmith-mac · · Score: 1

      I figured after the scary story about Windows machines being infected by WannaCry in MINUTES, I could have some fun with it. But no. This machine is still sitting there perfectly fine. None of the random documents I put on it have been encrypted. No signs of infection by anything.

      Windows 10 is not vulnerable to the worm propagation mechanism of WannaCry. The exploit is mitigated (though not truly resolved) as part of the overall security hardening done throughout the OS.

      Only Windows Vista, 7, and 8 are vulnerable. (Windows XP is apparently not vulnerable to the worm either, though it would seem for different reasons)

  13. Re:A different decryption from the other decryption by Geoffrey.landis · · Score: 1

    ... I see that /. has now added a link to that earlier /. story to the summary.

    --
    http://www.geoffreylandis.com
  14. Re:French? by Anonymous Coward · · Score: 0

    No, I'm afraid that the reason the US did not come up with a solution is because it is illegal under the DMCA. They could be sued by the perpetrators for bypassing encryption.

  15. Unidentifiable anonymous stalker: by Anonymous Coward · · Score: 0

    Unidentifiable ac stalker: Take your OWN advice & "Satan get thee behind me" - Are you Wana's creator pissed I show folks how to secure themselves vs. wannacry???

    * You constantly stalk/harass/troll me - & you always fail!

    (With "results" like yours, why do you bother??)

    APK

    P.S.=> Oh, ok - I've got it figured out - you ENJOY failure! & you have failed vs. me before constantly knowing I have it bookmarked to toss @ you under your "registered 'luser'" account which I KNOW you have (so you "hide" behind unidentifiable anonymous posts) - Hey:

    Keep it up - you only make ME look GOOD & yourself? LMAO - well... "not so good"! apk

  16. Re:French? by Gravis+Zero · · Score: 1

    No, I'm afraid this is an instance of the Americans surrendering and the French fighting.

    You aren't entirely wrong but I think it's important to remember that the US was hit very hard by this virus. There is no glory to be had and no incentive to continue working on the problem.

    In contrast France actively fights terrorist groups in Mali and Niger so that they don't link in Nigeria and create a greater problem for the western world.

    I think it's hilarious that you think we aren't doing enough to fight terrorism because we've practically destroyed ourselves with the level of military investment we've made just to kill some jerks in caves.

    --
    Anons need not reply. Questions end with a question mark.
  17. Re:French? by Gravis+Zero · · Score: 1

    the US was not hit very hard by this virus

    FTFY

    --
    Anons need not reply. Questions end with a question mark.
  18. Re:French? by Anonymous Coward · · Score: 0

    In contrast France actively fights terrorist groups in Mali and Niger

    But not in the Paris banlieues.

  19. Re:French? by Jzanu · · Score: 2

    Regardless, this is still a sign of US isolationism causing it to fall in status and capability despite the growing need for information security response. Expense and effectiveness are different things. The French mission in Mali has succeeded through well-organized management and brought greater stability and safety to the region. It started 4 years ago and continues even now as a unilateral mission, and the French have a military budget less than 2% of their GDP. That article is about the need to increase it to 2% over a few years. With a much smaller budget France maintains its own nuclear powered aircraft carrier, nuclear arsenal, and expeditionary military force fighting across multiple fronts and producing measurable gains. Largely this is through ferreting all corruption out of military procurement, and if similar efforts are made then the US could achieve comparable results for cost and do more with the same budget.

  20. Re:French? by thegarbz · · Score: 1

    Accusing a person of something he didn't say.
    Claiming that he offers no solutions where actually the entire post was about an example which could be followed.
    Accusing the person of affecting all humanity right after suggesting he only hates Americans for talking up someone else.
    Claiming to have a false sense for sorrow for reasons unknown.
    Accusing a foreigner that it's their fault for Trump being in office.
    Then claiming you made a point.

    Actually you made 5 points. None of them made sense.

    One more point. You claim we think you're a "hater" when in fact the correct word would probably be "stoner". Lay off the weed when posting on slashdot man.

  21. Re:French? by thegarbz · · Score: 1

    Wait what? Fixed That For Who? :-)

  22. Re:French? by Gravis+Zero · · Score: 1

    Largely this is through ferreting all corruption out of military procurement, and if similar efforts are made then the US could achieve comparable results for cost and do more with the same budget.

    I agree completely. However, I think that our money would be better spent raising the standard of living and education globally than eternally fighting a small number of people. People don't get sucked into murdering others when their life is great and the future is hopeful. If you think it's an intrinsic part of the religion itself then you are an advocate for genocide.

    --
    Anons need not reply. Questions end with a question mark.
  23. Who pays for all these security researchers? by Anonymous Coward · · Score: 0

    It seems there are a large number of security researchers. How do they make money, examining malware day in and day out for a majority of their time? Take the people mentioned in the article: they are spending weeks and yet they will make nothing from their public service. After all this is over who will need or hire them?

  24. Re: French? by Brockmire · · Score: 1

    He just needs a Snickers.

  25. Racing Against Time, not really by n329619 · · Score: 1

    The victims might be watching the timer, but the researchers can change the BIOS clock and create backups for their research.

  26. Re:French? by TimMD909 · · Score: 1

    I'm German you fucking idiot - go troll somewhere else. Look up, I replied to the idiocy of another poster with information from reality. If you consider that a problem then perhaps you need some mental health treatment. Reality isn't flexible, and it is what it is.

    There's that friendly German personality I've heard so much about ;-) .