
posted by cmn32480 on Friday May 19, @11:56AM
from the maybe-there-is-hope dept.

Various news outlets report the release of
Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.


Previous stories:
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]


Related Stories

"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS 88 comments

NSA-created cyber tool spawns global ransomware attacks

From Politico via Edward Snowden via Vinay Gupta:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

Thoughts on a similar scenario were published by the Harvard Business Review two days before this incident.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.

Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.

It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.

WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated] 71 comments

[Update at 20170515_022452 UTC: Instructions for what to do on each affected version of Windows can be found at: -- I've had excellent luck in the past following his advice on when and how to update Windows. Clear, hands-on instructions are a big win in my book. --martyb]

Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS.

tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.

WannaCrypt (aka WCry) is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on users' machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night, and the spread was stopped only because a researcher discovered a domain name in the code which, when registered, caused the malware to stop infecting new machines.

We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.

Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.

In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.

Sources: Our previous coverage linked above as well as reports from the BBC Ransomware cyber-attack threat escalating - Europol, Motherboard Round Two: WannaCrypt Ransomware That Struck the Globe Is Back, and Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions.

What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?


WannaCry Ransomware Attack Linked to North Korea by Symantec 23 comments

Symantec and FireEye have linked the recent WannaCry ransomware attacks to North Korea:

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.

[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."

Also at NYT, Reuters, Ars Technica, and The Hill. Symantec blog (appears scriptwalled).

Here's a screenshot of Wana Decrypt0r 2.0. Note the Wikipedia licensing section.

Previously: Security In 2017: Ransomware Will Remain King
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
Decryption Utility for WannaCry is Released


  • (Score: 3, Funny) by SomeGuy on Friday May 19, @12:17PM (9 children)

    by SomeGuy (5632) on Friday May 19, @12:17PM (#512131)

    Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

    Oh, sure, let's blame the old cheapskate Luddites running Windows XP for all of this.

    As far as I can tell, Windows 10 was vulnerable to this attack until just very recently. Next time, older Windows may not even be a target. But let's go ahead and perpetuate the illusion that having the "latest and greatest" will always keep you absolutely 100.000000000% safe.

    Keep on opening those e-mail attachments! You are SAFE!

    • (Score: 0) by Anonymous Coward on Friday May 19, @01:18PM

      by Anonymous Coward on Friday May 19, @01:18PM (#512152)

      I know someone who was surprised to hear about all this and admitted she has been clicking on all email links sent to her. The scariest part to her was that an email containing a bible verse could be dangerous. That just isn't something that seemed possible before ransomware, but now even your mom is scared of email.

    • (Score: 3, Interesting) by kaszz on Friday May 19, @01:20PM (2 children)

      by kaszz (4211) on Friday May 19, @01:20PM (#512153) Journal

      Great as now it seems Windows XP will be safer with time while keeping the software base and having ReactOS [] accomplish better and better compatibility. 32-bit architecture is a sweet spot in terms of memory pointer size, accessible memory and processor efficiency.

      4 GB ought to be enough for anybody!

      As for sweet spot, a 24-bit system with 24-bits per memory position gives 48 MB system memory size. Maybe 8-bit as a unit for processing isn't optimal either. Maybe 6-bits is better?

      Bit size: System memory size:
      19 bits 1.19 MB
      20 bits 2.50 MB
      21 bits 5.25 MB
      22 bits 11 MB
      23 bits 23 MB
      24 bits 48 MB
      25 bits 100 MB
      26 bits 208 MB
      27 bits 432 MB
      28 bits 896 MB
      29 bits 1856 MB
      30 bits 3840 MB
      31 bits 7936 MB
      32 bits 16384 MB

      That 32-bit x86 systems seem to max out at 4 GByte perhaps indicates an unnecessary bottleneck in that 8 bits per memory address are used. If instead 32 bits are used, more memory can be accessed with the same address limit.

      • (Score: 2) by butthurt on Friday May 19, @10:47PM (1 child)

        by butthurt (6141) on Friday May 19, @10:47PM (#512422) Journal

        There existed a 64-bit version of Windows XP, but it saw little uptake.

        On x86, Physical Address Extension allows the use of more than 4 GB of memory.

        The 32-bit size of the virtual address is not changed, so regular application software continues to use instructions with 32-bit addresses and (in a flat memory model) is limited to 4 gigabytes of virtual address space.

        -- []

        • (Score: 2) by kaszz on Friday May 19, @11:46PM

          by kaszz (4211) on Friday May 19, @11:46PM (#512439) Journal

          PAE still leaves the CPU to handle up to 64 GB, i.e. 36-bit addresses. Though it's all hidden to the scheduler side of things. Perhaps the kernel needs to deal with it too for program jumps etc? Data access seems to still be that each address in userland has 8 bits.

          So in PAE, the CPU has at least 36-bit virtual addressing. There may be less physical address lines than this. Each process in userland may however only use up to 32-bits.

          As for 64-bit Windows XP. The Microsoft ecosystem is very much a Win32 thing. And things will evolve around that unless a big bat is used. Which Microsoft did with their later 64-bit OS, i.e. to get 32-bit certification you got to present a workable driver for 64-bit and so on.

    • (Score: 2) by nobu_the_bard on Friday May 19, @03:03PM (3 children)

      by nobu_the_bard (6373) on Friday May 19, @03:03PM (#512207)

      Actually you could blame Microsoft for that aspect; it wouldn't have been a problem if Windows XP could still get updates automatically. The original patches were released in March; XP and Vista probably had patches created around that time as well because of the extended life contracts some large corporations and governments have with them. They could have just pushed it automatically if they hadn't taken down the public update mechanisms. Tons of systems would have been updated for months before the ransomware hit. Instead, the patches need to be installed manually, and were only released as a response to the malware on a Saturday, so many many systems did not get patched until well after the ransomware was crippled.

      Also the patch doesn't work great on Windows Server 2003 systems, or so that has been my experience. Had to leave a few systems unpatched after I rolled back the update... Though this might partly be from the applications those servers are running being extremely fiddly.

      Windows 10 (and 7/8/8.1/etc) had the updates available in March. I had very few newer systems I had to worry about because of that.

      • (Score: 2) by bob_super on Friday May 19, @04:45PM (1 child)

        by bob_super (1357) on Friday May 19, @04:45PM (#512249)

        Yes, you could blame MS for not wanting to support a 16-year-old system with ever-declining users, and dedicating their resources to making sure patches don't break it for those rare users who do bother to patch.
        But that would put you at odds with the realities of running a profitable company.

        • (Score: 2) by butthurt on Friday May 19, @11:18PM

          by butthurt (6141) on Friday May 19, @11:18PM (#512433) Journal

          > [...] you could blame MS for not wanting to support a 16-year-old system [...]

          According to the tabloids, Microsoft, as recently as 2015, offered--for a fee--support for Windows XP (which isn't quite 16 years old). They imply that the support is still available:

          The Government Digital Service, set up by David Cameron , decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

          -- []

          Windows XP - which was released more than 15 years ago - is still used in hospitals across Britain despite it no longer being serviced by Microsoft.

          Up until 2015 the government had a special support deal which meant the computer manufacturer provided security updates for the software.

          But the £5.5million contract was scrapped [...]

          -- []

          > [...] with ever-declining users [...]

          As of November 2016, Windows XP desktop market share makes it the fourth most popular Windows version after Windows 7, Windows 10 and Windows 8.1. Windows XP is still very popular in some countries; Africa as a whole and in Asia, e.g. in China, with it running on one third of desktop computers (and highest ranked in North Korea).

          -- []

          > But that would put you at odds with the realities of running a profitable company.

          A 2015 IDG News Service article corroborates the tabloids

          The Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed a $9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003.

          The entire contract could be worth up to $30.8 million and extend into 2017.

          -- []

      • (Score: 2, Insightful) by toddestan on Saturday May 20, @02:49AM

        by toddestan (4982) on Saturday May 20, @02:49AM (#512500)

        Even more curious is Vista. If they patched 7/8.1/10 in March, then why wasn't a patch pushed out to Vista too? Vista was still in extended support until mid-April. The end might have been close, but Microsoft should have made the patch available.

    • (Score: 3, Insightful) by mcgrew on Friday May 19, @03:08PM

      by mcgrew (701) <> on Friday May 19, @03:08PM (#512212) Homepage Journal

      There are some shops that rely on software that no longer runs on new hardware and there is no modern equivalent. There are also poor people with XP computers that had been donated and can't afford a new one. I have two XP computers, but they're never online. I just can't see perfectly good computers (or they would be, if Microsoft had ethics) being discarded.

      Free Martian whores! []
  • (Score: 2) by dbe on Friday May 19, @03:17PM (3 children)

    by dbe (1422) on Friday May 19, @03:17PM (#512219)

    For once this decryption code is actually small and can be easily analyzed if you look at the "search_primes.cpp" file.
    It's based on the fact that the WinXP encryption library does not clean its memory from the key primes when returning, so the main:
    1/ gets the memory pages in the context of the wannacry process
    2/ check if it's not used
    3/ retrieve it
    4/ parse through and when a section of the memory entropy is low check if number is prime
    5/ if prime try to divide the N product and report in case of success

    Now I'm not a Windows developer, but I assumed you would not be able to retrieve process memory pages like this; maybe it only works in root/admin mode? Unless XP has no such context?
    Also this is not cracking anything but just hoping that the memory was not overwritten, so I'd say you have a pretty low chance of getting the keys back this way, but it's cool to see nonetheless.
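The procedure dbe lays out above, as an added worked example in Python. This is illustrative code written for this page, not wannakey's search_primes.cpp: it generates a small RSA key, plants one of the primes in a constructed stand-in for a wcry.exe memory page, and then performs steps 4 and 5 (entropy gate, primality test, trial division of N) to recover the private exponent. The assumptions are labelled in the code: the 128-bit primes (WannaCry's per-victim key is RSA-2048, so the real hunt is for 1024-bit, 128-byte windows), the little-endian decoding, and the entropy threshold. A None from recover_private_exponent is the failure mode Guinet describes above: the prime was overwritten or the machine rebooted, and there is nothing left to find.

```python
"""Prime scavenging from a memory dump, in the style of the comment above.
Added example for this page, not wannakey's own code."""
import math
import random

# Demo sizes (assumption). WannaCry's per-victim key is RSA-2048, so the real
# search looks for 1024-bit (128-byte) primes; 128-bit primes keep this fast.
PRIME_BITS = 128
PRIME_BYTES = PRIME_BITS // 8
PUBLIC_EXP = 65537
MIN_ENTROPY = 2.5  # assumed filter: windows below this many bits/byte are skipped


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with witnesses from a seeded RNG, so results are repeatable."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xDEADBEEF)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random, e: int = PUBLIC_EXP) -> int:
    """Random prime of exactly `bits` bits with gcd(p - 1, e) == 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % e != 0 and is_probable_prime(cand):
            return cand


def byte_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte; zero pages and fill patterns score near 0."""
    n, counts = len(chunk), {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_prime_factor(dump: bytes, n_modulus: int):
    """Steps 4 and 5: slide a PRIME_BYTES window over the dump, skip low-entropy
    windows, test the rest for primality, accept the first prime dividing N.
    Little-endian decoding matches CryptoAPI RSA key blobs; that the in-memory
    copy shares that layout is this example's assumption. Returns (offset, p)."""
    for off in range(len(dump) - PRIME_BYTES + 1):
        window = dump[off:off + PRIME_BYTES]
        if byte_entropy(window) < MIN_ENTROPY:
            continue
        cand = int.from_bytes(window, "little")
        if is_probable_prime(cand) and n_modulus % cand == 0:
            return off, cand
    return None


def recover_private_exponent(dump: bytes, n_modulus: int, e: int = PUBLIC_EXP):
    """One prime is enough: q = N / p, d = e^-1 mod phi(N). Returns (offset, d)."""
    hit = find_prime_factor(dump, n_modulus)
    if hit is None:
        return None  # prime already overwritten, or the box was rebooted
    off, p = hit
    q = n_modulus // p
    return off, pow(e, -1, (p - 1) * (q - 1))


def build_fake_dump(p: int, rng: random.Random, size: int = 4096, at: int = 1337) -> bytes:
    """Constructed stand-in for a page of wcry.exe memory (not a real dump):
    heap-like noise, a zero-filled stretch, a fill pattern, and the leftover prime."""
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[256:512] = b"\x00" * 256
    buf[512:640] = b"\xAB" * 128
    buf[at:at + PRIME_BYTES] = p.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def demo(seed: int = 2017):
    """Keygen, plant p, recover d, round-trip a test value. Returns (offset, ok)."""
    rng = random.Random(seed)
    p, q = gen_prime(PRIME_BITS, rng), gen_prime(PRIME_BITS, rng)
    n = p * q
    result = recover_private_exponent(build_fake_dump(p, rng), n)
    if result is None:
        return None, False
    off, d = result
    m = 0xC0FFEE
    return off, pow(pow(m, PUBLIC_EXP, n), d, n) == m


if __name__ == "__main__":
    print("planted prime found at offset, decrypt ok:", demo())
```

The comment's order is kept (entropy, then primality, then division). In practice `N % cand` is cheaper than a Miller-Rabin round, so a real scanner can test divisibility first and drop the entropy heuristic altogether, which also removes the risk of the filter skipping a genuine prime whose bytes happen to repeat. Scanning every byte offset is the thorough choice; if the allocator's alignment is known, an aligned scan cuts the work by that factor.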

    • (Score: 2) by kaszz on Friday May 19, @04:43PM (2 children)

      by kaszz (4211) on Friday May 19, @04:43PM (#512248) Journal

      How long is the key btw? and what algorithm does it use?

      As the hack only works when not rebooting. Maybe next time people could trigger suspend to disc or such to preserve the necessary data?

      At least some memory dumper would be handy. I'll presume core can't be dumped on Windows..

      • (Score: 2) by edIII on Friday May 19, @10:13PM (1 child)

        by edIII (791) Subscriber Badge on Friday May 19, @10:13PM (#512410)

        There ain't shit anybody can do once you have an elevated process encrypting files. We've designed it so that an elevated process encrypting files is protected against tampering and snooping :) Gaining access to keys after the fact is a major problem for you, not so much for the attackers. So we've done our best to lock that out. How well that is done on XP is anyone's guess, but the fact a decrypt utility exists for XP is telling.

        The big two problems?

        1) Running as administrator.
        2) Running attachments in email.

        The fundamental problem? Running Microsoft at all. It was great growing up, I still really enjoy the interface, but it is an old insecure toy now that needs to be put away by the adults. I'd have more respect for Microsoft if it completely broke with compatibility and designed a new OS (without telemetry).

        Regardless of OS though, if you have a long enough backup window with versioning control there is nothing people can do to you like this. I'm completely safe and secure. If my system locked up now with a ransom, I would just laugh my ass off. I would be pretty upset they got a copy, but not worried about me having continued access.

        No different than recovering data deleted by an employee upset on termination day.

        • (Score: 2) by kaszz on Friday May 19, @11:34PM

          by kaszz (4211) on Friday May 19, @11:34PM (#512436) Journal

          People can put away Microsoft, I would say it's technically doable now. Microsoft security sucks but that doesn't happen unless someone is choosing the crap. And there's a tendency for people doing the Windows thing to be less competent in security than for other systems.

          So the problem boils down to people. And that would mean there are types of people that should not handle IT systems.

  • (Score: 2) by Gaaark on Friday May 19, @04:08PM (1 child)

    by Gaaark (41) Subscriber Badge on Friday May 19, @04:08PM (#512233) Homepage Journal

    Cry baby cry, make your mother sigh...

    Makes me glad i'm off windows.

    Side note: Bell (in Canada) got hacked, and I got informed by haveibeenpwned 1 day before Bell told me. Bell says no passwords were taken, but pwned says there were.
    Anywho, I changed my password. My wife asked me what the new password was, then asked me why I couldn't have a nice simple password.

      Yes, she uses Windows, but mostly uses her tablet (Android) because she can't get online with her Windows laptop: she keeps getting redirected to some website (she keeps saying Windows is better than Linux, but won't let me try to fix her laptop, so......)

    Too many people are just lazy with clicking, passwords, security....... sigh.

    --- That's not flying: that's... falling... with more luck than I have. ---
    • (Score: 0) by Anonymous Coward on Friday May 19, @08:13PM

      by Anonymous Coward on Friday May 19, @08:13PM (#512352)

      "keeps saying windows is better than linux"... Do you know how many times I've heard that while fixing their malware infested porn terminal? I sometimes want to install Linux but change the themes to look like Windows and be done with it.

  • (Score: 2, Informative) by Anonymous Coward on Friday May 19, @08:28PM (2 children)

    by Anonymous Coward on Friday May 19, @08:28PM (#512363)

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled


    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto


    * The above is per,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ []


    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" [] vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.


    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> [] ) ... apk
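After applying the registry and sc.exe changes quoted above, the check a practitioner wants is from the network side: does the host still complete an SMB1 dialect negotiation on TCP/445? Below is an added example of such a probe in Python, written for this page and not taken from Microsoft's KB article or the comment. It sends an SMB1 NEGOTIATE that offers only the NT LM 0.12 dialect, so the server has no SMB2 dialect to fall back to, and classifies the reply by its header magic, NT status and DialectIndex (0xFFFF means no offered dialect was accepted). The Flags, Flags2 and PID values in the request are arbitrary probe values, and fake_smb1_negotiate_reply is a constructed packet for offline testing, not a capture. Two caveats: this checks the server side only (the mrxsmb10 client driver cannot be tested remotely), and the registry keys quoted are for Vista/Server 2008 and later; XP speaks only SMBv1, so there the options are the emergency patch or stopping the Server service as the P.S. suggests. nmap's smb-protocols script performs the same kind of check.

```python
"""SMB1 NEGOTIATE probe: does a host still accept the NT LM 0.12 dialect?
Added example for this page, not code from Microsoft or the comment."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT_SELECTED = 0xFFFF  # DialectIndex returned when no offered dialect is accepted
SMB1_HEADER = "<4sBIBHH8sHHHHH"  # the 32-byte SMB1 header, little-endian fields


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """NetBIOS session message wrapping an SMB1 NEGOTIATE request.
    Offering only NT LM 0.12 leaves a server with SMB1 disabled nothing to pick."""
    header = struct.pack(
        SMB1_HEADER,
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,            # NT status
        0x18,         # Flags: canonical paths, case-insensitive (arbitrary probe value)
        0xC853,       # Flags2: typical Windows client value (arbitrary probe value)
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (unsigned request)
        0, 0,         # Reserved, TID
        0x1234,       # PIDLow (constructed value)
        0, 1,         # UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # BufferFormat + string
    body = header + struct.pack("<BH", 0, len(data)) + data    # WordCount 0, ByteCount
    return struct.pack(">BBH", 0, 0, len(body)) + body         # NetBIOS: type 0, length


def classify_negotiate_reply(reply: bytes) -> str:
    """'smb1_enabled'  SMB1 header, status 0 and a real DialectIndex
       'smb1_refused'  SMB1 header but error status or DialectIndex 0xFFFF
       'smb2_only'     server answered with an SMB2 header
       'no_smb'        empty, closed or unparseable reply"""
    if len(reply) < 4 + 32:
        return "no_smb"
    smb = reply[4:]  # drop the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2_only"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "no_smb"
    status = struct.unpack_from("<I", smb, 5)[0]
    if status != 0 or len(smb) < 35 or smb[32] < 1:  # smb[32] is WordCount
        return "smb1_refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1_refused" if dialect_index == NO_DIALECT_SELECTED else "smb1_enabled"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Live check against one host; a closed or reset connection counts as no SMB1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)
    except OSError:
        return "no_smb"
    return classify_negotiate_reply(reply)


def fake_smb1_negotiate_reply(dialect_index: int, status: int = 0) -> bytes:
    """Constructed server reply for offline testing; not a captured packet."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, status,
                         0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    if dialect_index == NO_DIALECT_SELECTED:
        words = struct.pack("<H", dialect_index)  # servers answer with WordCount 1 here
    else:
        # 17 parameter words of an NT LM 0.12 reply: DialectIndex, SecurityMode,
        # MaxMpxCount, MaxNumberVcs, MaxBufferSize, MaxRawSize, SessionKey,
        # Capabilities, SystemTime, ServerTimeZone, ChallengeLength
        words = struct.pack("<HBHHIIIIqhB", dialect_index, 0x03, 50, 1,
                            16644, 65536, 0, 0x8000E3FD, 0, 0, 8)
    body = header + struct.pack("<B", len(words) // 2) + words + struct.pack("<H", 0)
    return struct.pack(">BBH", 0, 0, len(body)) + body


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_smb1(target))
```

Run it against a host after the registry change and a reboot; "smb1_enabled" means the server still negotiates NT LM 0.12 and the change has not taken effect, while "no_smb" or "smb1_refused" is what a hardened host returns. Because a hardened server usually just closes the connection, an empty recv is treated as success of the hardening, not as an error.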

    • (Score: 0) by Anonymous Coward on Friday May 19, @08:53PM (1 child)

      by Anonymous Coward on Friday May 19, @08:53PM (#512370)

      its advice STILL STANDS THE "TEST OF TIME"

      But does it pass the HairyFeet Challenge?

      • (Score: 3, Funny) by aristarchus on Saturday May 20, @03:25AM

        by aristarchus (2645) on Saturday May 20, @03:25AM (#512511) Journal

        But does it pass the HairyFeet Challenge?

        No, but then nothing ever did, since it was only a test to defend Hairykrishnafeet from the fact that he had sold out, was no longer a Tolkien hippy, but is now a "reverse-racist" old fogey, or in plain words, a Trump-voting Microsoft lackey. Anyone would need a defense from that much shame.

        came from aris5tarcfhus..; wee probably shouldn't run it