WannaCry, WNCry, WanaCrypt0r, Wana Decrypt0r Ransomware Help & Support Topic


243 replies to this topic

#31 Terrum

Posted 12 May 2017 - 03:31 PM

I found a link with some hashes that are getting regularly updated. Perhaps this is a help to someone out there that is trying to get a working decryptor? https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a 



#32 PhilFCS

Posted 12 May 2017 - 03:41 PM

It's using the DoublePulsar implant to spread.

DoublePulsar also relies on port 445 from what I've seen. Still, in large enterprises, one low-level employee that gets infected through ANY other means (email, browser, PDF, DOC, etc.) could be an entry point into a huge disaster internally if your admin is counting on "I'll update the server later. We've got 445 blocked from the internet."

I'm curious: are these initial infections all coming from just raw 445 open without any firewalling at all? I mean, even just having the built-in Windows firewall set up properly should be enough to stave off the initial breach, unless they have a different means of making the initial entry to the network? Does anyone know how it's getting in initially, or is it too early to know?
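
An added example, not from any poster in this thread: a read-only PowerShell audit of the exposure PhilFCS asks about. It reports whether the SMBv1 server is still enabled, whether the host firewall is on for each profile, and which enabled inbound rules allow TCP 445. It assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity modules) and an elevated prompt; the mitigation cmdlets at the end are commented out.

```powershell
# Added example (not from the thread): audit one Windows host for the SMB exposure
# discussed above. Assumes Windows 8 / Server 2012 or later (SmbShare and
# NetSecurity modules) and an elevated PowerShell prompt. Read-only unless you
# uncomment the mitigation section at the bottom.

# 1. Is the SMBv1 server protocol still enabled? (MS17-010 covers SMBv1 flaws.)
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled : $($smb.EnableSMB1Protocol)"

# 2. Is the host firewall enabled on every profile, and what is the default
#    inbound action? A disabled profile or a default 'Allow' leaves 445 reachable.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 3. Which enabled inbound rules allow TCP 445 (or any port / any protocol)?
$allow445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf    = $_ | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
        ($ports -contains '445' -or $ports -contains 'Any')
    }
if ($allow445) {
    "Enabled inbound rules allowing TCP 445:"
    $allow445 | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    "No enabled inbound rule allows TCP 445."
}

# 4. Mitigation (uncomment to apply): disable SMBv1 and block inbound 445 on the
#    Public profile so a laptop on an untrusted network does not expose SMB.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (Public)' `
#     -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public
```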



#33 gmaniakbg

Posted 12 May 2017 - 04:06 PM

Remember the hubbub we heard a while back about DoublePulsar beacons all over the place. A company called BinaryEdge (http://blog.binaryedge.io/2017/04/21/doublepulsar/) was scanning the internetz for it and they found 60k or so infections. I am going on a hell of a speculation here, but what if this was some sort of pre-seeding operation and now they just pulled the rip cord?

Correction: 400k infections.


Edited by gmaniakbg, 12 May 2017 - 04:16 PM.


#34 Grinler

    Lawrence Abrams

Posted 12 May 2017 - 04:19 PM

Anyone who is infected should give Shadow Explorer a try. Though this ransomware tries to clear shadow volume copies, if a user does not click yes to the UAC prompt, or some other issue occurs, the copies may not be deleted.

This is a slim chance but worth trying.

You can try recovering using this tool:

https://www.bleepingcomputer.com/download/shadowexplorer/

A guide on how to use the tool can be found here:

How to recover files and folders using Shadow Volume Copies
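
An added example, not from Grinler or anyone else in the thread: a PowerShell check that lists the shadow copies still present on each volume, so you know before launching Shadow Explorer whether the deletion Grinler describes actually went through. It assumes a Windows host with the Volume Shadow Copy service (the Win32_ShadowCopy and Win32_Volume CIM classes) and an elevated prompt; the function name is my own.

```powershell
# Added example (not from the thread): list shadow copies that survived, per volume.
# Assumes a Windows host with the Volume Shadow Copy service and an elevated prompt.
# The ransomware's shadow-copy deletion only succeeds if it obtained elevation (UAC),
# so on some machines the copies are still there.

function Get-SurvivingShadowCopies {
    # Map each volume GUID path (\\?\Volume{...}\) to its drive letter, if it has one.
    $letter = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        $letter[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
    }

    # Win32_ShadowCopy.VolumeName uses the same GUID path form as Win32_Volume.DeviceID.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object @{ n = 'Volume';  e = { $letter[$_.VolumeName] } },
                      @{ n = 'Created'; e = { $_.InstallDate } },
                      @{ n = 'Device';  e = { $_.DeviceObject } } |
        Sort-Object Volume, Created
}

$copies = Get-SurvivingShadowCopies
if (-not $copies) {
    "No shadow copies present; Shadow Explorer will have nothing to show. Restore from backup."
} else {
    "$(@($copies).Count) shadow copy/copies survived:"
    $copies | Format-Table -AutoSize
    # To browse one without Shadow Explorer, link its device path (the trailing
    # backslash is required), e.g.:
    #   cmd /c mklink /d C:\shadow "$(@($copies)[0].Device)\"
}
```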

#35 aquaxetine

Posted 12 May 2017 - 04:26 PM

Can someone send me the ransom? I have a decrypter, I think, but need to test it ASAP...



#36 Terrum

Posted 12 May 2017 - 04:37 PM

> Can someone send me the ransom? I have a decrypter, I think, but need to test it ASAP...

Sent you a PM.



#37 Grinler

    Lawrence Abrams

Posted 12 May 2017 - 04:45 PM

If you were sent a decryptor, please submit a sample to http://www.bleepingcomputer.com/submit-malware.php?channel=168

Thx

#38 aquaxetine

Posted 12 May 2017 - 04:46 PM

I am testing now, but can not promise it will work ;)


Edited by aquaxetine, 12 May 2017 - 04:47 PM.


#39 aquaxetine

Posted 12 May 2017 - 05:08 PM

> If you were sent a decryptor, please submit a sample to http://www.bleepingcomputer.com/submit-malware.php?channel=168
>
> Thx

Can you PM me ASAP?



#40 Terrum

Posted 12 May 2017 - 05:33 PM

 

We have been given a workaround:

• Boot in Safe Mode, no connection
• Restore Windows, 2 commands:
    # cd restore
    # rstrui.exe
• Restart and connect to the internet (not LAN)
• Install Malwarebytes and clean the virus
• Install ShadowExplorer and decrypt files one by one
Otherwise the files remain encrypted.

 

Unfortunately this doesn't apply to me or many other people in environments similar to mine, as most server operating systems have the Windows Shadow Copy service disabled (or it only works when manually enabled).



#41 James Litten

Posted 12 May 2017 - 05:46 PM

Cisco's Talos team has an initial analysis of what it drops and how it proceeds. Some of it is still mysterious as far as the spreading by SMB is concerned, but I imagine that is what Microsoft knew about and patched in MS17-010.

http://blog.talosintelligence.com/2017/05/wannacry.html

 

EDIT: Here is Grinler's write up on the same thing released minutes after I posted this...

https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/


Edited by James Litten, 12 May 2017 - 07:44 PM.


#42 toolbox123

Posted 12 May 2017 - 05:48 PM

If you get infected try this website:

 

https://www.nomoreransom.org/

 

Hope it helps.



#43 gmaniakbg

Posted 12 May 2017 - 05:57 PM

This came down one of my intel feeds; hope it helps. It concerns the initial distribution that was used in GB.

Phishing emails seem to be coming from alertatnb[@]serviciobancomer[.]com, pointing to a compromised website which serves the malware.

Emails have already been sent out since 2 days ago (from the 10th of May).



#44 TechGeekMSP

Posted 12 May 2017 - 06:04 PM

We use opendns.com for DNS lookups; it's supposed to check websites to see if they are part of a malware or ransomware site. It has stopped a variant of CryptoLocker from getting the encryption key. It's passive: set it up on your router and it should help prevent it.



#45 blanksnow

Posted 12 May 2017 - 06:18 PM

I found these keys on pastebin but I can't verify them. It's worth a shot at decryption.

 
