WannaCry, WNCry, WanaCrypt0r, Wana Decrypt0r Ransomware Help & Support Topic

BleepingComputer's ongoing coverage of whatever you want to call this thing (WanaCrypt0r, WannaCry, Wana Decrypt0r) can be found below. Many of these articles have been updated with new info as it has been discovered.
 

May 12th 2017 8:40 AM: Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak

May 12th 2017 1:07 PM: Wana Decryptor Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

May 12th 2017 5:24 PM: WannaCry / Wana Decryptor / WanaCrypt0r Info & Technical Nose Dive

May 13th 2017 4:14 AM: Wana Decryptor Ransomware Outbreak Temporarily Stopped By "Accidental Hero"

May 13th 2017 5:05 AM: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decryptor

May 14th 2017 8:00 AM: Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes

May 14th 2017 9:00 PM: Microsoft Exec Blames WannaCry Ransomware on NSA Vulnerability Hoarding Program

May 15th 2017 2:01 AM: With the Success of WannaCry, Imitations are Quickly In Development

May 15th 2017 6:55 AM​: WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down

May 15th 2017 1:00 PM: Someone Created a WannaCry Version That Doesn't Use a Kill Switch

 

This is a dedicated help and support topic for the WannaCry, Wcry, WanaCrypt0r, and Wana Decrypt0r Ransomware. This ransomware is being spread very heavily today and I am sure we will be seeing a lof of victims.

This ransomware is currently being spread by the EternalBlue exploit. More info here:

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage
 
First Variant: .wcry
Second Variant: .WCRY (+ .WCRYT for temp)
Third Varianmt: .WNCRY (+ .WNCRYT for temp)
 
The ransomware will display a lock screen that contains the same information. This screen acts as the decryptor as well, but should be terminated as it will encrypt new files as it is running.
 

 
 
The ransomware will also drop a ransom note named @Please_Read_Me@.txt, which can be seen below.

 

Does anyone have a screen shot of what the "Contact Us" page looks like?

Awesome, thank you

Can I receive an example of  WanaCrypt?

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

My dedicated server have been hit by WannaDecryptor but i've done nothing that could have leaded to an infection of it, how is it possible ?
(and by nothing, I mean litterally nothing, It was on a standby since 3 days, I've connected via the windows remote desktop sooner today and tonight I was infected)

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading windows 10 iso, will try to catch the virus on VM, because can't find virus example in Google)

My PC has been affected. Fortunately I have stopped the process but lost some important files. How to recover it?

My PC has been affected. Fortunately I have stopped the process but lost some important files. How to recover it?

Can you send me an example of this files? 

My dedicated server have been hit by WannaDecryptor but i've done nothing that could have leaded to an infection of it, how is it possible ?
(and by nothing, I mean litterally nothing, It was on a standby since 3 days, I've connected via the windows remote desktop sooner today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading windows 10 iso, will try to catch the virus on VM, because can't find virus example in Google)

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

 

My dedicated server have been hit by WannaDecryptor but i've done nothing that could have leaded to an infection of it, how is it possible ?
(and by nothing, I mean litterally nothing, It was on a standby since 3 days, I've connected via the windows remote desktop sooner today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

 

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading windows 10 iso, will try to catch the virus on VM, because can't find virus example in Google)

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

 

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

 

If you can - it will be great. I'll share here if will find something interesting there

Installed via a Windows exploit. Added link to info in first post of topic.

More info here:

https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

That article is where I found this forum post. Assuming the Windows exploit is fixed, where can I find the exploit fix? Is it a Windows Update? If so, which KB?

 

 

My dedicated server have been hit by WannaDecryptor but i've done nothing that could have leaded to an infection of it, how is it possible ?
(and by nothing, I mean litterally nothing, It was on a standby since 3 days, I've connected via the windows remote desktop sooner today and tonight I was infected)

Which Server OS version do you use? If it's Server 2008, it's probable that you haven't used Windows Update to fix the critical exploit that was deployed back in March to fix this. I'm guilty of this also - but I can't seem to find which KB fixes this exploit.

 

 

 

So how do we go about decrypting our files after the virus is removed? It seems like it's the same variation of the old Ransom:Win32.Vigorf.A. All anti-viruses and threads I have seen tell you just how to remove the virus, but has anyone managed to decrypt their files? Also which KB update fixes this exploit? It seems to only affect Windows 7/2008 machines (and probably XP too).

Downloading windows 10 iso, will try to catch the virus on VM, because can't find virus example in Google)

 

You probably won't be able to catch the virus on anything newer than Server 2012/2016 or Windows 8/10, it only seems to be hitting older operating systems where the exploit isn't fixed due to lack of Windows Updates (correct me if I'm wrong).

 

I do have the virus archived though, I can share it with you if you wish, if it's not against the forum's rules.

 

If you can - it will be great. I'll share here if will find something interesting there

 

I will PM you the link.