Breaking: WannaCry has been decrypted, if you follow the rules

Topic

New Reply

For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen: DON’T REBOOT. Matt Suiche has confirmed that
[See the full post at: Breaking: WannaCry has been decrypted, if you follow the rules]

3 users thanked author for this post.

Elly, John in Mtl, SueW

Reply | Quote

Replies

So is the DEFCON level  going to be changed as I’m in group “B”  and no not want problems

Reply | Quote

I believe the regulars are busy, and may not respond. So I’ll give a go.

If you have been a faithful Group B and understand what you have been doing for more than 60ish days; then please, relax.

At least on this issue currently at hand. No matter what WinOS (you did not say), the green light (DEFCON3) after March 2017, had you install at least one patch to prevent this breach. Stand down, and wait for word.

If you are still concerned, more information about your situation from your chair is needed. Inviting correction from any regular…

Paul

1 user thanked author for this post.

Noel Carboni

Reply | Quote

That’s exactly right.

As noted in an earlier post, I’m trying to strike a new balance with the go-ahead. In the interim, as long as you installed the MS17-010 patch, there’s nothing pressing.

1 user thanked author for this post.

JDeC

Reply | Quote

Hi, I am Win 7, i think  I jumped the gun a little, i have the march 2017 patch installed already when i first read it, i though there were new ransomware exploits found, and the May ‘s patches was needed

Reply | Quote

I’m glad to read you as more comfortable already. That is good.

You are not foolish to worry, and you are at the right place. You simply have misread a very confusing, fast developing threat that has already passed. The fact that you are reading this is proof you were not hit 7 days ago with the first strike.

Any new threats are very vague at this point, the only known point of failure was already addressed by Microsoft for Win7 (that’s you) in the March 2nd Tues cycle. As Group B, you followed special directions, and were already protected by the AskWoody team several weeks in advance.

I know it was scary, when all the announcements of impending doom named *every* OS patch under the sun, *except* yours. But that is because you already had it weeks ago.

AskWoody cannot see the future, but they are some of the best minds involved in the present. Stick with it. You’re doing it right.

Paul

Reply | Quote

I had responded, but failed moderation. Possibly because I assumed you are the same anonymous as above, without verification. And though I sign my posts, I have not joined.

I withdraw and hope you are addressed. What I do know, is if you can read this, your machine has not been encrypted.

Someone credentialed may come by soon.

Paul

Reply | Quote

anonymous wrote:

I had responded, but failed moderation.

Paul,
Your post did not fail moderation. Anonymous posters have to be moderated EVERY time they post. It is not instantaneous, and sometimes may take a good while.
On the other hand, registered posters do not have to be moderated so their posts are immediately available. (That’s an invitation to register).

Reply | Quote

Thanks again, PKCano. I get it. I guess I’m just not there yet. I do not expect immediate, but it had been some time. And regret that even this adds to the load in your stack. You have a special skill for patience. Since I have already troubled you — engage humour:

What do you mean your elapsed time is different than mine?

I will reconsider joining before troubling you again.

Paul

1 user thanked author for this post.

ch100

Reply | Quote

Join!

All it takes is an email address – and you can use a disposable one…

Reply | Quote

Oh, thank you, Woody. I was just coming back by here, to this thread, because I wanted to note the possible change a day makes. And to raise attention that my reassurances above *might* be outdated already. I defer to people who know better the protections offered by the May2017 cycle for this latest information on threats that occurred more than 9days ago.

Annon #116553 may have a point, and I lack information.

Concerned but not Worried,
Paul

Reply | Quote

I am on Group B. Following, I am only talking about the Security Only updates. Installed on my Win7 machines are the March and May updates. I uninstalled the April update after first testing it on one of my machines and encountering many issues —  including breaking the ability of Windows Update to download any new updates. Thus I skipped the April update for my other Win7 machines. So far the May update seems to be okay on all of my Win7 computers.

For Group B users, I would recommend that they install the May update in addition to the March update since the May update includes additional security fixes. Note that new malware has recently been discovered which not only uses over a half dozen stolen NSA tools, but also appears to be a “test run” for future malware which could easily be fully weaponized.

In addition to making sure that you have installed the March and May updates, you need to also make sure not only that your antivirus (AV) product is up-to-date, but also that your AV product is even capable of performing behavioral analysis in order to detect malware such as WannyCry and similar ransomware. Some AV products detect and immediately stop the ransomware. Other AV products currently only detect additional dropped files after the ransomware has already infected the computer. And of course some AV products detect nothing at all.

All Windows 7 and 8x users should disable SMB1 unless for some reason they still have some Windows XP computers on their network. If those users still have XP computers on their network, it would be far better to disable SMB1 and to immediately either replace or upgrade those XP computers.

Microsoft has published instructions for how to disable SMB1. Note that on most Windows 7 computers, the DWORD called SMB1 does not exist. You have to create it and set it to zero. This was a source of confusion for at least one person here. Microsoft’s instructions for disabling SMB1:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server

 

Reply | Quote

Hmm…a utility which searches, in computer memory, for the prime numbers which were used to generate the encryption key, in order to regenerate the encryption key. Brilliant! Now, does anyone see a huge problem with this now publicly disclosed method since it has now been publicly shown that this can indeed be done? The road to Hell is paved with good intentions — in this case, to help people to potentially recover their files which were encrypted by WannaCry.

Matt Suiche, apparently with nothing other than good intentions, really didn’t think this through. He has now publicly shown that all encryption methods, starting on the source computer, can be defeated at the source by installing malware on the source which searches in memory and in real time for the prime numbers which are used to generate encryption keys. Such malware, from a heuristics and behavioral analysis standpoint within antivirus programs, potentially could be extremely difficult if not impossible to reliably detect.

Reply | Quote