Various news outlets report the release of
Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."
From the Wired article noted below:
Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.
[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.
Coverage:
Previous stories:
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
(Score: 2, Informative) by Anonymous Coward on Friday May 19 2017, @08:28PM (2 children)
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=HOW+TO+SECURE+Windows+2000/XP&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk
(Score: 0) by Anonymous Coward on Friday May 19 2017, @08:53PM (1 child)
its advice STILL STANDS THE "TEST OF TIME"
But does it pass the HairyFeet Challenge?
(Score: 3, Funny) by aristarchus on Saturday May 20 2017, @03:25AM
But does it pass the HairyFeet Challenge?
No, but then nothing ever did, since it was only a test to defend Hairykrishnafeet from the fact that he had sold out, was no longer a Tolkien hippy, but is now a "reverse-racist" old fogey, or in plain words, a Trump-voting Microsoft lackey. Anyone would need a defense from that much shame.