
WannaCry, WNCry, WanaCrypt0r, Wana Decrypt0r Ransomware Help & Support Topic


243 replies to this topic

#211 jwoods301

jwoods301


Posted 19 May 2017 - 03:26 PM

Grinler, if you can run an application in the OS, try

http://www.nirsoft.net/utils/shadow_copy_view.html

See if it lets you view any shadow copies that may exist and copy any files out that you may need. Obviously, regardless, you're reinstalling the OS.

Edit: I saw where this deletes shadow copies. I am trying to remember if I found an application to recover the deleted shadow copy, then recovered from there.

I use ShadowCopyView because it works when VSSAdmin.exe is disabled.

https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

ShadowExplorer doesn't.

One caveat to disabling VSSAdmin by renaming it...

If you run sfc /SCANNOW for any reason, VSSAdmin will be "enabled" again. The System File Checker notices that it's "missing" and will put a copy into the System32 folder, thereby "undoing" the change you made.


Edited by jwoods301, 19 May 2017 - 03:52 PM.
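For readers following jwoods301's advice, an added example that is not from the post or from NirSoft: a PowerShell script that enumerates shadow copies through WMI (so it works whether or not vssadmin.exe has been renamed), warns if sfc /scannow has put vssadmin.exe back, and exposes the newest snapshot as a directory link so files can be copied out. The link path C:\ShadowCopyRecovery is an assumption.

```powershell
# Added example, not code from the thread or from NirSoft. Win32_ShadowCopy is the same
# data "vssadmin list shadows" reads, but it needs no vssadmin.exe. Run from an elevated
# PowerShell on Windows 7 or later.

$vssadmin = Join-Path $env:SystemRoot 'System32\vssadmin.exe'
if (Test-Path $vssadmin) {
    Write-Warning "vssadmin.exe is present at $vssadmin (if you had renamed it, SFC or an update restored it)."
} else {
    Write-Output 'vssadmin.exe is not present in System32.'
}

# Map volume GUID paths to drive letters so the listing is readable.
$letters = @{}
Get-WmiObject -Class Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $letters[$_.DeviceID] = $_.DriveLetter }
}

$copies = @(Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate)
if ($copies.Count -eq 0) {
    Write-Output 'No shadow copies exist on this machine.'
    return
}

foreach ($c in $copies) {
    $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($c.InstallDate)
    $drive   = if ($letters.ContainsKey($c.VolumeName)) { $letters[$c.VolumeName] } else { $c.VolumeName }
    Write-Output ('{0}  {1}  {2}' -f $created.ToString('yyyy-MM-dd HH:mm'), $drive, $c.DeviceObject)
}

# Expose the newest snapshot as a directory link so Explorer or Copy-Item can read from it.
# The trailing backslash after the device path is required. C:\ShadowCopyRecovery is assumed.
$newest = $copies[-1]
$link   = Join-Path $env:SystemDrive 'ShadowCopyRecovery'
if (-not (Test-Path $link)) {
    cmd.exe /c mklink /d $link "$($newest.DeviceObject)\" | Out-Null
    Write-Output "Newest snapshot is browsable at $link (remove with: cmd /c rmdir $link)."
}
```

Removing the link with rmdir deletes only the link, not the snapshot.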



#212 Grinler

Grinler

    Lawrence Abrams


Posted 20 May 2017 - 03:03 PM

There is a flaw in the ransomware in regards to how it deletes shadow volume copies. It requires a user to click Yes at the UAC prompt, and if they clicked No, then the shadow volumes will still be there and available to restore from.

#213 paul456

paul456


Posted 22 May 2017 - 02:20 PM

I have a private non-networked Win7 Pro 64-bit PC with the 'free AVG' anti-virus. My Windows Firewall status is Home/Work networks Off, Public networks On. I currently access the internet via a semi-public AP.

On 20/5/17 I ran the suggested link to MS17-010 which, looking back now, seems to have suggested I download windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu as the correct file to update Win7 64-bit.

I ran that, but as I had already opened a few PDFs during Friday 19th, I was afraid to actually reboot my PC until I had backed up all data (it said reboot is the final step for the protection to take effect) in case the worm was already downloaded in those PDFs. I have not opened any new PDFs since late Friday. A recent power failure took the decision for me. Not seen any ill effects since reboot.

Can you advise if there is a simple non-techie app tool to monitor and control which ports are open or closed, as you say port 445 must be shut, and to check or close SMBv1?

Also, is there an app to check if WannaCry files are on my PC, or is the lack of any abnormal symptoms on my PC confirmation in itself?

Finally, while reading about this issue on 19/20 May, I felt some relief as somewhere it said the worm can only enter (a private non-networked PC) via an infected email attachment, but on perusing this site today, I read (some guy with a small server on standby) that one can get infected purely by being connected to the internet, no need for email. Is this true?

Edited by paul456, 22 May 2017 - 02:27 PM.


#214 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:19 PM

Posted 22 May 2017 - 04:09 PM

These are online port scanning services which can be used to check for open and vulnerable ports:
  • Shields Up will alert users of any ports that have been opened through firewalls or NAT routers.
  • Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port.
  • Subnet Online Port Scanner allows you to scan a host or IP for an open or closed TCP port.
  • MxToolbox Port Scan allows you to check what services are running and open.
  • Open Port Check Tool allows you to check your external IP address and detect open ports on your connection.
  • AuditMyPc Firewall Test will check your computer for ports that are commonly left open and could allow your computer to be compromised.

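A local complement to the online scanners above for paul456's question, added here and not from any post in the thread: a PowerShell script for Windows 7 that reads the SMBv1 server switch and the SMBv1 client driver state (registry and service names as in Microsoft's guidance for disabling SMBv1), checks whether anything is listening on TCP 445, looks for an inbound block rule, and lists the remediation commands as comments. The rule name 'Block inbound SMB 445' is an assumption.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 7.
# Get-SmbServerConfiguration does not exist on Windows 7, so the registry is read directly.

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) {
    Write-Output 'SMBv1 server: disabled (SMB1 = 0).'
} else {
    # On Windows 7 the value is absent by default, and absent means SMBv1 is on.
    Write-Warning 'SMBv1 server: ENABLED (SMB1 value absent or non-zero).'
}

# The SMBv1 client is the mrxsmb10 kernel driver; Get-Service does not list drivers, so use WMI.
$mrx = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
if ($null -eq $mrx -or $mrx.StartMode -eq 'Disabled') {
    Write-Output 'SMBv1 client (mrxsmb10): disabled.'
} else {
    Write-Warning "SMBv1 client (mrxsmb10): start mode is $($mrx.StartMode)."
}

# Local listeners on TCP 445. A listener here is not yet reachable from outside; the firewall
# and the router decide that, which is what the online scanners in the reply above test.
$listeners = netstat -ano -p tcp | Where-Object { $_ -match '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING\s+\d+' }
if ($listeners) {
    Write-Warning ("TCP 445 is listening:`n" + ($listeners -join "`n"))
} else {
    Write-Output 'Nothing is listening on TCP 445.'
}

# Is an inbound block rule for 445 already present? (netsh is the tool Windows 7 has.)
$ruleName = 'Block inbound SMB 445'   # assumed name
$out      = netsh advfirewall firewall show rule name="$ruleName"
$hasRule  = [bool]($out -match '^Rule Name:')
Write-Output "Inbound block rule '$ruleName' present: $hasRule"

# Remediation (uncomment to apply; the SMBv1 changes take effect after a reboot):
# Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0 -Force
# sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
# sc.exe config mrxsmb10 start= disabled
# netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445
```

On the poster's setup the Home/Work profile is reported as Off, so the block rule only matters once the firewall is on for the profile in use.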

#215 jwoods301

jwoods301


Posted 22 May 2017 - 05:48 PM

Additionally, the Security Scan at Speedguide.net allows you to check individual ports, as well as the most commonly used ports...

https://www.speedguide.net/scan.php


Edited by jwoods301, 22 May 2017 - 11:52 PM.


#216 dovahkiin1

dovahkiin1


Posted 25 May 2017 - 02:12 AM

Our client's server in the company was hit by it, and the client needed the server back quickly, so our services backed up the encrypted files (in hope of a decryption tool) and reinstalled the OS. Then wannakiwi came out, but it was too late, because as I said, we reinstalled the OS, and now we only have encrypted files.

I managed to decrypt many ransomwares via many tools, but this one is beyond my power and knowledge, so I'm asking for any info.

Will it be possible to decrypt files hit by WannaCry?

Is there anyone working on this?

Thank you for your answers.



#217 magnetogptg

magnetogptg


Posted 25 May 2017 - 02:43 PM

Is there any possibility that, if we pay the ransom, we will get our files back? (Since there is no unique ID for each infected system.) Has anybody got their files back after paying the ransom? Also, does the malware have the capability to delete the files after the stipulated time?

#218 vitaguy

vitaguy


Posted 25 May 2017 - 03:01 PM

Is there any possibility that, if we pay the ransom, we will get our files back? (Since there is no unique ID for each infected system.) Has anybody got their files back after paying the ransom? Also, does the malware have the capability to delete the files after the stipulated time?

My answers to your three questions (in order): yes, yes, unsure

Here is an example of someone who claims they got their files back (with the implication that they paid the ransom)
https://www.reddit.com/r/AskNetsec/comments/6b5868/has_anyone_actually_recovered_his_files_by_paying/dhq3j3r/

Please read my previous post #202 on this same forum thread if you plan to pay (or not pay) which also addresses your "no unique ID" statement as well as how to handle your unknown answer to your question #3.
https://www.bleepingcomputer.com/forums/t/646476/wannacry-wncry-wanacrypt0r-wana-decrypt0r-ransomware-help-support-topic/?p=4242700

Good luck.

 


Edited by vitaguy, 25 May 2017 - 03:04 PM.


#219 bkanduth

bkanduth


Posted 25 May 2017 - 03:14 PM

Is there any possibility that, if we pay the ransom, we will get our files back? (Since there is no unique ID for each infected system.) Has anybody got their files back after paying the ransom? Also, does the malware have the capability to delete the files after the stipulated time?

Hi, we did get the key and our client's files back!
We did use the "contact us" button and did provide the billing information of the payments made. We had to do this a few times, but in the end it did work.



#220 magnetogptg

magnetogptg


Posted 06 June 2017 - 07:01 AM

Is the WannaCry Tor C&C down? Because, even though we have paid the ransom, there is no reply from the attackers.

#221 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear



Posted 06 June 2017 - 10:15 AM

Is the WannaCry Tor C&C down? Because, even though we have paid the ransom, there is no reply from the attackers.

Yes, the C2 for WannaCry is down; there's a very good chance you'll never get your files back from the attackers now. You can only try data recovery tools/file undeletion tools, but those are not certain to work.



#222 magnetogptg

magnetogptg


Posted 09 June 2017 - 06:02 AM

I have paid the ransom amount and today I got a message from the attackers saying they have confirmed the payment. But when I click the 'Decrypt' and 'Start' buttons, the application crashes and shows 'Load PerfMon Counters has stopped working', and I was not able to decrypt my files.

Another issue: at the time of the ransomware infection, there was around 20 GB of free space on the C drive. But now it automatically shows 'no free space'. So I thought the decryption process had stopped because of this issue. Then I deleted some of the unwanted files from the C drive and ran the application again. But the application still crashes.

Can you please help with this issue and help me decrypt?

The screenshots are attached at this link.

http://imgur.com/a/QNzG3

K7 antivirus endpoint security status - http://imgur.com/a/kmK9q


Edited by magnetogptg, 09 June 2017 - 07:13 AM.


#223 vitaguy

vitaguy


Posted 09 June 2017 - 07:13 AM

I have paid the ransom amount and today I got a message from the attackers saying they have confirmed the payment. But when I click the 'Decrypt' and 'Start' buttons, the application crashes and shows 'Load PerfMon Counters has stopped working', and I was not able to decrypt my files.

Another issue: at the time of the ransomware infection, there was around 20 GB of free space on the C drive. But now it automatically shows 'no free space'. So I thought the decryption process had stopped because of this issue. Then I deleted some of the unwanted files from the C drive and ran the application again. But the application still crashes.

Can you please help with this issue and help me decrypt?

The screenshots are attached at this link.

http://imgur.com/a/QNzG3

Unfortunately I am not a very technical person and don't know this stuff. Hopefully someone here can help you. Otherwise you might consider contacting these two people, who seem to be experts and among those at the forefront of WannaCry research and analysis.

https://mikko.hypponen.com/

https://twitter.com/adriengnt

 



#224 jwoods301

jwoods301


Posted 09 June 2017 - 02:40 PM

I have paid the ransom amount and today I got a message from the attackers saying they have confirmed the payment. But when I click the 'Decrypt' and 'Start' buttons, the application crashes and shows 'Load PerfMon Counters has stopped working', and I was not able to decrypt my files.

Another issue: at the time of the ransomware infection, there was around 20 GB of free space on the C drive. But now it automatically shows 'no free space'. So I thought the decryption process had stopped because of this issue. Then I deleted some of the unwanted files from the C drive and ran the application again. But the application still crashes.

Can you please help with this issue and help me decrypt?

The screenshots are attached at this link.

http://imgur.com/a/QNzG3

K7 antivirus endpoint security status - http://imgur.com/a/kmK9q

The direct link to the Wannakey tool by Adrien Guinet (which may work)...

https://github.com/aguinet/wannakey


Edited by jwoods301, 09 June 2017 - 02:45 PM.


#225 MishaZip

MishaZip


Posted 09 June 2017 - 03:53 PM

wrong topic. sorry


Edited by MishaZip, 09 June 2017 - 03:57 PM.

