
WannaCry, WNCry, WanaCrypt0r, Wana Decrypt0r Ransomware Help & Support Topic


243 replies to this topic

#16 Makpptfox

Makpptfox

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 12 May 2017 - 01:59 PM

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing, it was on standby for 3 days, I connected via Windows Remote Desktop earlier today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading a Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus sample in Google.

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10; it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

Yes I was... Hope there will be a solution to decrypt, do you think it will be released to the public if the NHS resolves the encryption problem?




#17 psychopomp

psychopomp

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 12 May 2017 - 02:01 PM

My dedicated server has been hit by WannaDecryptor but I've done nothing that could have led to an infection of it, how is it possible?
(and by nothing, I mean literally nothing, it was on standby for 3 days, I connected via Windows Remote Desktop earlier today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading a Windows 10 ISO, will try to catch the virus on a VM, because I can't find a virus sample in Google.

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10; it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

Yes I was... Hope there will be a solution to decrypt, do you think it will be released to the public if the NHS resolves the encryption problem?

Better to stop the botnet somehow. This way it will also help to get the decryption keys and salts. Let's see



#18 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 12 May 2017 - 02:04 PM

Did you receive my PM, psychopomp?



#19 Makpptfox

Makpptfox

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 12 May 2017 - 02:29 PM

The Windows update is MS17-010 (March 14)



#20 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,953 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:26 AM

Posted 12 May 2017 - 02:35 PM

Microsoft Security Bulletin Summary for March 2017
Microsoft Security Bulletin MS17-010 - Security Update for Microsoft Windows SMB Server (4013389)
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#21 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 12 May 2017 - 02:39 PM

The Windows update is MS17-010 (March 14)

Thanks for this! It appears that the KB varies between OSes. But I've found the applicable one I need and applied the update (for Server 2008 R2 I used this: https://www.manageengine.com/products/desktop-central/patch-management/Windows-Server-2008-R2-Standard-Edition-(x64)/Windows6.1-r2-kb4012212-x64.html ). For anyone that needs it for any other OS, the list is here: https://www.manageengine.com/products/desktop-central/patch-management/MS17-010.html

Hoping someone manages to get a working decryptor for our files now!


Edited by Terrum, 12 May 2017 - 02:42 PM.


#22 minuswhale

minuswhale

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 12 May 2017 - 02:45 PM

What is the medium of this and how was it spread? Was it a link to download a file coming in via email? 


Edited by minuswhale, 12 May 2017 - 02:46 PM.


#23 Makpptfox

Makpptfox

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 12 May 2017 - 02:48 PM

Like I said earlier, my dedicated server has been struck by the ransomware without any manipulation on my side. I don't even understand how it is possible.



#24 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 12 May 2017 - 02:50 PM

What is the medium of this and how was it spread? Was it a link to download a file coming in via email?

Like I said earlier, my dedicated server has been struck by the ransomware without any manipulation on my side. I don't even understand how it is possible.

It's a Windows exploit, which is why Windows Updates exist - to fix these exploits.

You didn't have to visit any dangerous sites and you didn't have to download any files. An exploit in Windows will let a hacker put files onto your computer as they wish.

Which is why it's always good to keep your computer up-to-date with Windows Update.



#25 Crownedclown

Crownedclown

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:26 AM

Posted 12 May 2017 - 02:54 PM

How come these large-scale companies don't get their Windows updated... are these attacks intentional? What do you think?



#26 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 12 May 2017 - 02:56 PM

How come these large-scale companies don't get their Windows updated... are these attacks intentional? What do you think?

Because they are cheap, lazy, or IT illiterate. Most NHS machines still run on Windows XP :rolleyes:



#27 Crownedclown

Crownedclown

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:26 AM

Posted 12 May 2017 - 03:00 PM

How come these large-scale companies don't get their Windows updated... are these attacks intentional? What do you think?

Because they are cheap, lazy, or IT illiterate. Most NHS machines still run on Windows XP :rolleyes:

HAHA.. if you've got infected, I'll laugh.. hope not. Then if they are still using Windows XP, nothing to be astonished at here. But what about Telefonica...



#28 carlj12

carlj12

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 12 May 2017 - 03:02 PM

Please correct me if I'm wrong. If SMB is not opened on the router then there is no way for them to directly exploit the machines on the network. The infected computers either were behind a router with SMB opened or directly connected to the internet OR it was also spread by email.


Edited by carlj12, 12 May 2017 - 03:03 PM.


#29 gmaniakbg

gmaniakbg

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 12 May 2017 - 03:18 PM

It's using the DoublePulsar implant to spread.



#30 Terrum

Terrum

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 12 May 2017 - 03:28 PM

Please correct me if I'm wrong. If SMB is not opened on the router then there is no way for them to directly exploit the machines on the network. The infected computers either were behind a router with SMB opened or directly connected to the internet OR it was also spread by email.

This is 100% correct. Unfortunately even big corporations don't have proper firewalls or port closures in place.
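
A host-side check for the three conditions raised in posts #21, #28 and #30 (MS17-010 package installed, SMBv1 enabled, TCP 445 listening), added here as an example; it is not code from this thread or from BleepingComputer. It assumes the KB4012212 package named in post #21 for Server 2008 R2/Windows 7 as the default; the package for other OS versions comes from the MS17-010 list linked in that post and is passed with -KB.

```powershell
# Added example, not from the thread: report whether this host is still in the
# state the thread describes. Run in an elevated PowerShell on the host itself.
# KB4012212 is the Server 2008 R2 / Windows 7 package from post #21; pass the
# package for your OS via -KB. Later monthly rollups supersede the March
# package under a different KB id, so on a host that received them also pass
# that rollup id, or 'NOT FOUND' here is a false alarm.
param(
    [string[]]$KB = @('KB4012212')
)

$result = [ordered]@{}

# 1. Is any of the given packages installed? Get-HotFix lists installed
#    updates; HotFixID is the 'KBnnnnnnn' string.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$result.MS17010Package = ($KB | Where-Object { $installed -contains $_ }) -join ','
if (-not $result.MS17010Package) { $result.MS17010Package = 'NOT FOUND' }

# 2. Is SMBv1 enabled server-side? Microsoft documents the LanmanServer SMB1
#    value: absent or 1 means enabled, 0 means disabled. The registry is used
#    because Get-SmbServerConfiguration does not exist on Server 2008 R2.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$result.SMB1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

# 3. Which addresses have TCP 445 in LISTENING state? netstat rather than
#    Get-NetTCPConnection so the check also runs on Server 2008 R2.
$listeners = netstat -an |
    Select-String -Pattern '^\s*TCP\s+(\S+):445\s+\S+\s+LISTENING'
$result.Port445Listening = ($listeners |
    ForEach-Object { $_.Matches[0].Groups[1].Value }) -join ','
if (-not $result.Port445Listening) { $result.Port445Listening = 'no' }

# Verdict: unpatched AND SMBv1 on AND 445 listening. Whether 445 is reachable
# from outside still depends on the router/firewall, as post #28 notes; this
# is the host-side view only.
$result.Exposed = ($result.MS17010Package -eq 'NOT FOUND') -and
                  $result.SMB1Enabled -and
                  ($result.Port445Listening -ne 'no')

[pscustomobject]$result | Format-List
```

If the verdict is Exposed, the remediation order from the thread still applies: install the MS17-010 package for the OS first, then disable SMBv1 and confirm 445 is not forwarded at the perimeter.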





