
WannaCry, WNCry, WanaCrypt0r, Wana Decrypt0r Ransomware Help & Support Topic


239 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:30 PM

Posted 12 May 2017 - 11:27 AM

BleepingComputer's ongoing coverage of whatever you want to call this thing (WanaCrypt0r, WannaCry, Wana Decrypt0r) can be found below. Many of these articles have been updated with new info as it has been discovered.

May 12th 2017 8:40 AM: Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak

May 12th 2017 1:07 PM: Wana Decryptor Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

May 12th 2017 5:24 PM: WannaCry / Wana Decryptor / WanaCrypt0r Info & Technical Nose Dive

May 13th 2017 4:14 AM: Wana Decryptor Ransomware Outbreak Temporarily Stopped By "Accidental Hero"

May 13th 2017 5:05 AM: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decryptor

May 14th 2017 8:00 AM: Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes

May 14th 2017 9:00 PM: Microsoft Exec Blames WannaCry Ransomware on NSA Vulnerability Hoarding Program

May 15th 2017 2:01 AM: With the Success of WannaCry, Imitations are Quickly In Development

May 15th 2017 6:55 AM: WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down

May 15th 2017 1:00 PM: Someone Created a WannaCry Version That Doesn't Use a Kill Switch


This is a dedicated help and support topic for the WannaCry, Wcry, WanaCrypt0r, and Wana Decrypt0r Ransomware. This ransomware is being spread very heavily today and I am sure we will be seeing a lot of victims.

This ransomware is currently being spread by the EternalBlue exploit. More info here:

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage
 
First Variant: .wcry
Second Variant: .WCRY (+ .WCRYT for temp)
Third Variant: .WNCRY (+ .WNCRYT for temp)
 
The ransomware will display a lock screen that contains the same information. This screen acts as the decryptor as well, but should be terminated as it will encrypt new files as it is running.
 

wana-decrypt0r-2_0.png

 
 
The ransomware will also drop a ransom note named @Please_Read_Me@.txt, which can be seen below.

 

ransom-note-txt.png
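
The file-system indicators listed in the post above (the per-variant extensions, the temp extensions and the ransom note name) can be turned into a quick triage scan of a mounted volume or share. This is an added example, not part of the original post or any BleepingComputer tool; the function names, the sample file layout and the reading of temp files as "encryption in progress" are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the post: encrypted-file extension per variant,
# temp-file extension per variant, and the ransom note file name.
VARIANT_EXT = {".wcry": "first", ".WCRY": "second", ".WNCRY": "third"}
TEMP_EXT = {".WCRYT": "second", ".WNCRYT": "third"}
RANSOM_NOTE = "@Please_Read_Me@.txt"


def triage(root):
    """Walk root and summarise WannaCry file-system indicators."""
    report = {"encrypted": Counter(), "in_progress": [], "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix  # case-sensitive: .wcry and .WCRY differ
            if ext in VARIANT_EXT:
                report["encrypted"][VARIANT_EXT[ext]] += 1
            elif ext in TEMP_EXT:
                # Assumption: a leftover temp file marks a file caught
                # mid-encryption, so the process may still be running.
                report["in_progress"].append(os.path.join(dirpath, name))
            elif name == RANSOM_NOTE:
                report["note_dirs"].append(dirpath)
    return report


def build_sample(root):
    """Create a constructed tree of empty files to exercise triage()."""
    layout = ["docs/report.docx.WNCRY", "docs/budget.xlsx.WNCRY",
              "docs/photo.jpg.WNCRYT", "docs/@Please_Read_Me@.txt",
              "old/notes.txt.wcry", "old/clean.txt"]
    for rel in layout:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(dict(result["encrypted"]))
        print(result["in_progress"], result["note_dirs"])
```

Run it read-only against a copy or a mounted image rather than on the live infected system, since the post notes the lock screen process keeps encrypting new files while it runs.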




 


#2 rkosecurity

rkosecurity

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 12 May 2017 - 12:15 PM

Does anyone have a screen shot of what the "Contact Us" page looks like?



#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:30 PM

Posted 12 May 2017 - 12:33 PM

Nothing special. Get it up in a second.

#4 rkosecurity

rkosecurity

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 12 May 2017 - 12:45 PM

Awesome, thank you



#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:30 PM

Posted 12 May 2017 - 01:02 PM

Here ya go:

contact-form.png

#6 psychopomp

psychopomp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 May 2017 - 01:04 PM

Can I receive an example of WanaCrypt?



#7 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 12 May 2017 - 01:47 PM

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).



#8 Makpptfox

Makpptfox

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 12 May 2017 - 01:49 PM

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing. It was on standby for 3 days, I connected via the Windows Remote Desktop earlier today and tonight I was infected)



#9 psychopomp

psychopomp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 May 2017 - 01:50 PM

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading the Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus example on Google.



#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:30 PM

Posted 12 May 2017 - 01:52 PM

Installed via a Windows exploit. Added link to info in first post of topic.

More info here:

https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

#11 kishoreraja

kishoreraja

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:00 AM

Posted 12 May 2017 - 01:53 PM

My PC has been affected. Fortunately I have stopped the process but lost some important files. How to recover it?



#12 psychopomp

psychopomp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 May 2017 - 01:55 PM

My PC has been affected. Fortunately I have stopped the process but lost some important files. How to recover it?

Can you send me an example of these files?



#13 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 12 May 2017 - 01:55 PM

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing. It was on standby for 3 days, I connected via the Windows Remote Desktop earlier today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

 

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading the Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus example on Google.

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

 

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.



#14 psychopomp

psychopomp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 May 2017 - 01:58 PM

 

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing. It was on standby for 3 days, I connected via the Windows Remote Desktop earlier today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

 

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading the Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus example on Google.

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

 

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

 

If you can - it will be great. I'll share here if I find something interesting there.



#15 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 12 May 2017 - 01:59 PM

Installed via a Windows exploit. Added link to info in first post of topic.

More info here:

https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

That article is where I found this forum post. Assuming the Windows exploit is fixed, where can I find the exploit fix? Is it a Windows Update? If so, which KB?


 

 

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing. It was on standby for 3 days, I connected via the Windows Remote Desktop earlier today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

 

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading the Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus example on Google.

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

 

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

 

If you can - it will be great. I'll share here if I find something interesting there.

 

I will PM you the link.





