Jump to content
Posted 26 September 2017 - 06:23 AM
Posted 26 September 2017 - 03:10 PM
Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView. However, it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies or the encryption process was interrupted.
There is a flaw in the ransomware in regards to how it deletes shadow volume copies. It requires a user to click Yes at the UAC prompt, and if they clicked No, then the shadow volumes will still be there and available to restore from.
...WannaKey should be able to retrieve the prime numbers used for key generation. The user must then make use of these numbers to calculate the private decryption key....WanaKiwi is a more user-friendly tool that works on Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008...
If these tools do now work (the infected machine was rebooted or the OS was reinstalled), there is no other known way to decrypt files encrypted by WannaCry Ransomware without paying the ransom. If possible, your best option is to restore from backups.
...the C2 for WannaCry is down, there's a very good chance you never get your files back from the attackers now. You can only try data recovery tools/file undeletion tools, but those are not certain to work.
xXToffeeXx~, Post #221
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.
The BC Staff
0 members, 0 guests, 0 anonymous users