  1. #1 Pinball Wizard

    WannaCry Ransomware hits 99 Countries - WARNING

    It has been an unanticipated day for millions of users across the globe as a massive ransomware targeted 99 countries, small and large companies including healthcare hospitals and telecom companies.

    A relatively unusual kind of ransomware cyber-attack has taken the world by storm, causing calamities in National Health Service hospitals and businesses around the UK, and advancing to telecommunications in Spain, where it shambled the largest telecom company Telefonica, along with Telenor in Hungary.

    What is WannaCry Ransomware?
    It's a dangerous ransomware which encrypts each and every file and folder on your computer and makes them inaccessible to you. To decrypt the files and folders, WannaCry Hackers are demanding $300 worth of Bitcoins.

    It's a ransomware which completely encrypts your data. To decrypt the data encrypted, WannaCry Hackers are demanding $300 value of Bitcoin.

    Wanna Cryptor, WanaCrypt0r 2.0, WannaCry or Wcry has infected thousands of computers worldwide, causing millions of dollars of damage. Kaspersky Lab said more than 90 countries had been affected so far and there seems to be no stop to the ransomware.

    The enormous malware that engulfed Europe, Asia and other parts of the world appears to be spreading at a faster rate than anticipated by security experts. Cyber security experts have long warned regarding a ransomware attack, and it appears that their worst fears have now taken full effect.

    “The spread is immense,” says Adam Kujawa, the director of malware intelligence at Malwarebytes, which discovered the original version of WannaCry. “I’ve never seen anything before like this. This is nuts.”
    Ransomware cyber-attacks dominated the cyber threat landscape in 2016, costing businesses more than $1 Billion worldwide. The ones most affected by this crime are small and medium sized businesses who pay the highest price as they don’t possess the means to obscure themselves against such a massive ransomware cyber-attack.

    Should I be concerned if I am a victim?

    There’s nothing you can do once you’re infected by the ransomware as it encrypts any and all files on your computer completely unless you meet the demands upon which the hackers will decrypt the data once they receive funds from you. But, if you have a backup of the files you should be able to restore them after cleaning the computer.

    What should you do if you're a business:

    Businesses suffer a lot due to a ransomware attack. Your data such as financial reports, cash flows, user base, client details amongst numerous others gets lost. That very data can be sold to your competitors so they get an upper edge over you.

    What should you do if you're an individual:

    If you're an individual and your data in the folders has been encrypted, there's a high chance that your information such as pictures, videos, documents, financial statements, bank details, social account passwords amongst others are completely lost.

    That very information can be used to blackmail you or be sold to the highest bidder. One should always be careful of the intricate details they save on their devices as you never know when they might get used against you.

    Should I give money to Wana Decrypt0r 2.0 to decrypt my file?
    Undeniably, the most simple, fast and reliable method to recover any files that have been encrypted by the Wana decrypt0r 2.0 ransomware is to restore them from any possible backup taken before the ransomware took place.

    To answer the question whether you should pay, let’s be clear first: WannaCry hackers are criminals that you’re coming to face with, so there’s no guarantee as to what might fall through when you do make any payment. It just might be equal to simply throwing your hard-earned money away. Or it might work out in your favor where you do recover your files.

    Only you can decide whether or not to pay criminals the ransom. We recommend, Don’t Do It. Making any payments to WannaCry ransomware only reassures their criminal enterprise’ agenda, and puts millions of people and businesses at risk of finding their files encrypted by the ransomware as WannaCry certainly won’t be catering to each payment received.

    As an alternative, pick up from the harsh experience. Most importantly, start off by backing up your data so that this never has to happen to you ever again!

    How Does WanaCrypt0r 2.0 work?
    What’s sad is that the ransomware did not spread due to people clicking on bad links. Nonetheless, the only way to prevent this attack was to have your system updated with the latest update.

    With the help of EternalBlue exploit, the malware installed the NSA backdoor payload called DoublePulsar, and through it went WannaCry, dispersing swiftly and automatically to other computers on the same network – hundreds at one single time.

    The infectious WanaCrypt0r 2.0 malware is notable for multi-lingual ransom demands which support more than two-dozen languages. That begs the question, how does one protect themselves against this ransomware?

    What actually went down?

    Here’s what happened: Attackers installed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren’t updated after March 14th, 2017 with the MS17-010 patch were affected; this patch resolved an exploit known as EternalBlue, once a closely guarded secret of the National Security Agency, which was leaked last month by Shadow Brokers.

    Is NSA tied into this attack?

    The incredibly dangerous new kind of self-replicating ransomware is known to be a National Security Agency exploit that was publicly released last month by the shadowy group calling themselves Shadow Brokers.

  2. #2 Pinball Wizard
    In terms of targeted files, the ransomware encrypts files with the following extensions:

    .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

    The file extensions that the malware is targeting contain certain clusters of formats including:

    Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
    Less common and nation-specific office formats (.sxw, .odt, .hwp).
    Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
    Emails and email databases (.eml, .msg, .ost, .pst, .edb).
    Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
    Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
    Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
    Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
    Virtual machine files (.vmx, .vmdk, .vdi).


    How long will WannaCry attack last?
    Typically, ransomware often has a short life. However, in the case of WannaCry ransomware, nothing can be certain as it keeps on spreading unless you update your system. Moreover, as anti-viruses and VPN understand new versions of the malware, they can prevent infections from initiating and dispersing to various parts of the world.

  3. #3 crazed 9.6
    I had been reading about this.
    It is a bad one for sure.

    thnx for bringing this info to us Laser
    "The illusion of freedom will continue for as long as it's profitable to continue the illusion. At the point where the illusion becomes too expensive to maintain, they will take down the scenery, move the tables and chairs out of the way, then they will pull back the curtains and you will see the brick wall at the back of the theater."
    - Frank Zappa

  4. #4 dara
    I like the story that someone made a small modification in the code, and was able to slow the spread. North America has been spared most of the brunt of this malware... just have to keep doing the basic updates to Windows 10 and have the included security/anti-virus up to avoid this. If you are still running Windows 7 (or below), you should consider moving on up.

  5. #5 crazed 9.6
    Quote Originally Posted by dara View Post
    I like the story that someone made a small modification in the code, and was able to slow the spread. North America has been spared most of the brunt of this malware... just have to keep doing the basic updates to Windows 10 and have the included security/anti-virus up to avoid this. If you are still running Windows 7 (or below), you should consider moving on up.
    so you are saying I gotta trash my Windows 95 ???

    damn !!

  6. #6 Pinball Wizard
    Windows 95, what are you still logging into AOL using dial up?

  7. #7 crazed 9.6
    C/P from thehackernews.com
    WannaCry Ransomware: Everything You Need To Know Immediately
    Monday, May 15, 2017 Mohit Kumar

    By now I am sure you have already heard something about the WannaCry ransomware, and are wondering what's going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend.

    The only positive thing about this attack is that — you are here — as after reading this easy-to-understand awareness article, you will be so cautious that you can save yourself from WannaCry, as well as other similar cyber attacks in the future.

    Since this widely spread ransomware attack is neither the first nor the last one to hit users worldwide, prevention is always the key to protect against such malware threats.

    What is WannaCry? How to Protect your Computer from WannaCry Ransomware? Follow These Simple Steps.

    In this article, we have provided some of the most important primary security tips that you should always follow and advised to share with everyone you care for.

    What is Ransomware & Why WannaCry is More Dangerous?
    A message on the screen with a ransom demand, countdown timer, and bitcoin wallet to pay funds
    For those unaware, Ransomware is a computer virus that usually spreads via spam emails and malicious download links; specially designed to lock up the files on a computer, until the victim pays the ransom demand, usually $300-$500 in Bitcoins.

    But what makes WannaCry so unique and nasty is its ability to self-spread without even needing to click any link or a file.

    The WannaCry ransomware, also known as Wanna Decryptor, leverages a Windows SMB exploit, dubbed EternalBlue, that allows a remote hacker to hijack computers running an unpatched Microsoft Windows operating system.

    Once infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as scans random hosts on the wider Internet, to spread itself quickly.

    What Has Happened So Far
    We have been covering this story since Friday, when this malware first emerged and hit several hospitals across the globe, eventually forcing them to shut down their entire IT systems over the weekend, hence rejecting patients' appointments and cancelling operations.

    Later this cyber attack brought many organizations to their knees.

    Instead of repeating the same details again, read our previous articles, dig deeper and know what has happened so far:
    Day 1: OutCry — WannaCry targeted over 90,000 computers in 99 countries.
    Day 2: The Patch Day — A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft released emergency patch updates for unsupported versions of Windows.
    Day 3: New Variants Arrive — Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild and would be difficult to stop for at least the next few weeks.

    Isn’t the Cyber Attack Over?
    Absolutely not.
    This is just beginning. As I reported yesterday, security researchers have detected some new versions of this ransomware, dubbed WannaCry 2.0, which couldn’t be stopped by the kill switch.

    What's even worse is that the new WannaCry variant is believed to be created by someone else, and not the hackers behind the first WannaCry ransomware.

    It has been speculated that now other organized cybercriminal gangs, as well as script-kiddies can get motivated by this incident to create and spread similar malicious ransomware.

    Who's Behind WannaCry & Why Would Someone Do This?
    While it's still not known who is behind WannaCry, such large-scale cyber attacks are often propagated by nation states, but this ongoing attack does not bear any link to foreign governments.

    "The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency.

    Why are they hijacking hundreds of thousands of computers around the globe? Simple — to extort money by blackmailing infected users.
    By looking at the infection rate, it seems like the criminals responsible for this absurd attack would have made lots and lots of dollars so far, but surprisingly they have made relatively little in the way of profits, according to @actual_ransom, a Twitter account that’s tweeting details of every single transaction.

    At the time of writing, the WannaCry attackers have received 171 payments totaling 27.96968763 BTC ($47,510.71 USD).

    How to Protect Yourself from WannaCry Ransomware?
    Here are some simple tips you should always follow because most computer viruses make their ways into your systems due to lack of simple security practices:

    1. Always Install Security Updates
    If you are using any version of Windows, except Windows 10, with SMB protocol enabled, make sure your computer always receives updates automatically from Microsoft and is always up to date.

    2. Patch SMB Vulnerability
    Since WannaCry has been exploiting a critical SMB remote code execution vulnerability (CVE-2017-0148) for which Microsoft has already released a patch (MS17-010) in the month of March, you are advised to ensure your system has installed those patches.
    Moreover, Microsoft has been so generous to its users in this difficult time that the company has even released the SMB patches (download from here) for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008.
    Note: If you are using Windows 10, you are not vulnerable to this SMB vulnerability.

    3. Disable SMB
    Even if you have installed the patches, you are advised to disable the Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to protect against WannaCry ransomware attacks.
    Here's the list of simple steps you can follow to disable SMBv1:
    Go to Windows' Control Panel and open 'Programs.'
    Open 'Features' under Programs and click 'Turn Windows Features on and off.'
    Now, scroll down to find 'SMB 1.0/CIFS File Sharing Support' and uncheck it.
    Then click OK, close the control Panel and restart the computer.

    4. Enable Firewall & Block SMB Ports
    Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.

    5. Use an Antivirus Program
    An evergreen solution to protect against most threats is to use good antivirus software from a reputable vendor and always keep it up to date.
    Almost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent secret installations by malicious applications in the background.

    6. Be Suspicious of Emails, Websites, and Apps
    Unlike WannaCry, most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.
    So, you should always exercise caution when opening uninvited documents sent over email and clicking on links inside those documents unless you have verified the source, to safeguard against such ransomware infections.
    Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

    7. Regularly Back Up Your Files:
    To always have a tight grip on all your important documents and files, keep a good backup routine in place that copies them to an external storage device which is not always connected to your computer.
    That way, if any ransomware infects you, it cannot encrypt your backups.

    8. Keep Your Knowledge Up-to-Date
    There's not a single day that goes by without a report on cyber attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac computers as well.

    What to do if WannaCry infects you?
    Well, nothing.
    If WannaCry ransomware has infected you, you can’t decrypt your files until you pay the ransom to the hackers and get a secret key to unlock your files.

    Never Pay the Ransom:
    It’s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware.
    But before making any final decision, just keep in mind: there's no guarantee that even after paying the ransom, you would regain control of your files.
    Moreover, paying ransom also encourages cyber criminals to come up with similar threats and extort money from the larger audience.
    So, the surefire advice to all users is — Don't Pay the Ransom.

    Who is responsible for WannaCry Attack?
    — Is it Microsoft who created an operating system with so many vulnerabilities?
    — Or is it the NSA, the intelligence agency of the United States, who found this critical SMB vulnerability and indirectly, facilitates WannaCry like attacks by not disclosing it to Microsoft?
    — Or is it the Shadow Brokers, the hacking group, who managed to hack the NSA servers, but instead of reporting it to Microsoft, they decided to dump hacking tools and zero-day exploits in public?
    — Or is it the Windows users themselves, who did not install the patches on their systems or are still using an unsupported version of Windows?

    I do not know who can be blamed for this attack, but according to me, all of them share equal responsibility.

    Microsoft Blames NSA/CIA for WannaCry Cyber Attack
    Microsoft has hit out at the US government for facilitating cyber attacks, like WannaCry, by not disclosing the software vulnerabilities to the respective vendors and holding them for their benefits, like global cyber espionage.
    In a blog post on Sunday, Microsoft President Brad Smith condemned the US intelligence agencies’ unethical practices, saying that the "widespread damage" caused by WannaCry happened because the NSA, CIA and other intelligence agencies held zero-days and allowed them to be stolen by hackers.

    "This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.

    This statement also publicly confirms that the hacking tools and exploits leaked by the Shadow Brokers belong to Equation Group, an elite group of hackers from NSA.
    "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote.


    You Should Thank These Experts
    When the outbreak of WannaCry ransomware started on Friday night, it had already infected at least 30,000 computers worldwide, and at that moment nobody had an idea what was happening and how the ransomware could spread itself like a worm so quickly.
    Since then, in the last three days, some cybersecurity experts and companies have been working hard, day and night, to analyze malware samples to find every possible way to stop this massive attack.

    Thanks for Your Hard Work 😍 @MalwareTechBlog @msuiche @craiu @gentilkiwi @halsten to Kill the WannaCry.

    I have mentioned some of them, who should be thanked for saving millions of computers from getting hacked:
    -MalwareTech — a very skilled 22-year-old malware hunter who first discovered that there’s a kill-switch which, if used, could stop the ongoing ransomware attack.
    -Matthieu Suiche — security researcher who discovered the second kill-switch domain in a WannaCry variant and prevented nearly 10,000 computers from getting hacked.
    -Costin Raiu — security researcher from Kaspersky Lab, who first found out that there are more WannaCry variants in the wild, created by different hacking groups, with no kill-switch ability.

    Not only this, Benjamin Delpy, Mohamed Saher, Malwarebytes, MalwareUnicorn, and many others. This list of experts is very long, and if I have missed some name, then I'm sorry.

    Thank you.
    Mohit Kumar - Hacking News
    Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.
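    The three hardening steps the copied article lists (confirm MS17-010, disable SMBv1, block inbound SMB ports) as one defender-side PowerShell script. This is an added example, not code from the article, The Hacker News or the forum; the KB ids are assumed to be the Windows 7 SP1 / Server 2008 R2 ones and must be checked against the MS17-010 bulletin for other OS versions, and the Windows 7 registry fallback follows Microsoft's documented SMB1 switch (KB2696547). It only reports unless run with -Apply.

```powershell
# Added example: check and apply the WannaCry mitigations from the post. Run elevated.
[CmdletBinding()]
param(
    [switch]$Apply,
    # KB ids carrying MS17-010 differ per OS; these are the Windows 7 SP1 / 2008 R2 security-only
    # and monthly-rollup ids (assumption: verify for your OS against the MS17-010 bulletin).
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Host "MS17-010: installed ($($installed.HotFixID -join ', '))" -ForegroundColor Green
        return $true
    }
    Write-Warning "MS17-010: none of $($Kbs -join ', ') found. Install the March 2017 security update first."
    return $false
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side SMB1 switch directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: LanmanServer\Parameters\SMB1; a missing value means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Same effect as unticking 'SMB 1.0/CIFS File Sharing Support' in Windows Features.
        if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbInbound {
    param([switch]$Apply)
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        Write-Warning 'NetSecurity module not available (Windows 7): add the block rules with netsh advfirewall.'
        return
    }
    # Ports from the post: TCP 137/139/445 and UDP 137/138. Blocking only the Public profile
    # closes Internet-facing exposure while domain/private file sharing keeps working.
    $rules = @(
        @{ Name = 'WannaCry-Block-SMB-TCP'; Protocol = 'TCP'; Ports = @('137', '139', '445') },
        @{ Name = 'WannaCry-Block-SMB-UDP'; Protocol = 'UDP'; Ports = @('137', '138') }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        if ($Apply) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Ports -Action Block -Profile Public | Out-Null
            Write-Host "Added inbound block rule $($r.Name)"
        } else {
            Write-Host "Would add inbound block rule $($r.Name) ($($r.Protocol) $($r.Ports -join ','))"
        }
    }
}

$null = Test-Ms17010Installed -Kbs $Ms17010Kbs
if (Get-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled.'
    if ($Apply) { Disable-Smb1; Write-Host 'SMBv1 disabled; reboot to finish.' }
} else {
    Write-Host 'SMBv1 is disabled.' -ForegroundColor Green
}
Block-SmbInbound -Apply:$Apply
if (-not $Apply) { Write-Host 'Report only. Re-run with -Apply to make the changes.' }
```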

  8. #8 crazed 9.6
    thehackernews.com
    May 15, 2017
    Swati Khandelwal

    Google Researcher Finds Link Between WannaCry Attacks and North Korea
    So far, nobody had any idea who was behind the WannaCry ransomware attacks.
    But now there is a clue that lies in the code.
    Neel Mehta, a security researcher at Google, found evidence that suggests the WannaCry ransomware, that infected 300,000 machines in 150 countries over the weekend, is linked to a state-sponsored hacking group in North Korea, known for cyber attacks against South Korean organizations.

    This is the fifth day since the WannaCry ransomware attack surfaced; it leverages a critical Windows SMB exploit and is still infecting machines across the world using newly released variants that don't have any "kill switch" ability.

    WannaCry: First Nation-State Powered Ransomware?
    Neel discovered that the code found in the WannaCry malware—one that first surfaced in February—was identical to the code used in an early 2015 version of Cantopee, a malicious backdoor developed by Lazarus Group, believed to be a state-sponsored hacking group linked to the North Korean government.

    Security researchers from Kaspersky Lab, Intezer, Symantec, and Comae Technologies immediately followed the tip from Neel and confirmed a strong link between WannaCry and other malware families, including Lazarus, Joanap, and Brambul, which suggests WannaCry was written or modified by the same author.
    Operating since at least 2011, the Lazarus Group of hackers is believed to be responsible for the 2013 DarkSeoul operation, the devastating 2014 Sony Pictures Hack, and the 2016 Bangladesh $81 Million bank heist.
    However, this finding is not yet sufficient to link the Lazarus Group to WannaCry, because it is possible that WannaCry authors may have purposely copied code from Lazarus' backdoor program in an attempt to mislead researchers and law enforcement as they investigate.
    "We believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds," says Symantec, the security firm which has tracked the Lazarus over recent years.
    Agreeing with this, Matt Suiche from Comae.io said:
    "The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money. If validated, this means the latest iteration of WannaCry would, in fact, be the first nation state powered ransomware."

    Is the WannaCry Attack Over? *NO*
    Absolutely Not; this is just the beginning.
    Security researchers have discovered some new variants of this ransomware, which could not be stopped by the kill switch, so you are advised to make sure you have applied the patch for SMB vulnerability and disabled SMBv1 protocol to keep your Windows computers safe from WannaCry and other similar attacks.

    The WannaCry attackers demand ransom fees between $300 and $600 to free the hijacked data. The three bitcoin wallets tied to #WannaCry ransomware have received 225 payments totaling 35.98003282 BTC (approx. $60,000) from ransomware victims.

    Swati - Hacking News
    Swati Khandelwal
    Technical Writer, Security Blogger and IT Analyst.
    She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

    patch for SMB vulnerability: http://thehackernews.com/2017/05/wannacry-ransomware-windows.html
    Last edited by crazed 9.6; 05-17-2017 at 03:37 AM.

  9. #9 crazed 9.6
    WannaCry Coding Mistakes Can Help Files Recovery Even After Infection

    Friday, June 02, 2017
    Swati Khandelwal
    thehackernews.com

    Last month WannaCry ransomware hit more than 300,000 PCs across the world within just 72 hours by using its self-spreading capabilities to infect vulnerable Windows PCs, particularly those using vulnerable versions of the OS, within the same network.

    But that doesn't mean WannaCry was a high-quality piece of ransomware.

    Security researchers have recently discovered some programming errors in the code of the WannaCrypt ransomware worm that might allow victims to restore their locked files without paying for any decryption key.

    After deeply analysing the WannaCry code, security company Kaspersky Lab found that the ransomware was full of mistakes that could allow some of its victims to restore their files with publicly available free recovery tools or even with simple commands.

    Anton Ivanov, senior malware analyst at Kaspersky Lab, along with colleagues Fedor Sinitsyn and Orkhan Mamedov, detailed three critical errors made by WannaCry developers that could allow sysadmins to restore potentially lost files.

    According to researchers, the issues reside in the way WannaCry ransomware deletes original files after encryption. In general, the malware first renames files to change their extension to ".WNCRYT," encrypts them and then deletes the original files.

    Recovering Read-only Files
    Since it is not at all possible for malicious software to directly encrypt or modify read-only files, WannaCry copies the files and creates their encrypted copies.
    While the original files remain untouched, they are given a 'hidden' attribute, so getting the original data back simply requires victims to restore their normal attributes.
    That wasn't the only mistake within WannaCry's code, as in some cases the malware fails to delete the files after encrypting them properly.

    Recovering Files from the System Drive (i.e. C drive)
    Researchers have said that files stored in important folders, like the Desktop or Documents folder, cannot be recovered without the decryption key because WannaCry has been designed to overwrite original files with random data before removal.
    However, researchers noticed that other files stored outside of important folders on the system drive could be restored from the temporary folder using data recovery software.
    “...the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten,” researchers said.

    Recovering Files from the Non-System Drives
    Researchers also found that for non-system drives, the WannaCry Ransomware creates a hidden '$RECYCLE' folder and moves original files into this directory after encryption. You can recover those files just by unhiding the '$RECYCLE' folder.
    Also, due to "synchronization errors" in WannaCry's code, in many cases the original files remain in the same directory, making it possible for victims to restore insecurely deleted files using available data recovery software.

    Programming Blunders: The New Hope for WannaCry Victims
    These programming errors in the code of WannaCry offer hope to many victims.
    "If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer," Kaspersky Lab wrote in a blog post published Thursday.
    "The code quality is very low."
    "To restore files, you can use the free utilities available for data recovery."
    The recovery of files infected by WannaCry was first made possible by French researchers Adrien Guinet and Benjamin Delpy, who made a free WannaCry decryption tool that works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and Server 2008.
    It's been almost a month since the WannaCry epidemic hit computers worldwide, but the hackers behind the self-spreading ransomware, which leverages the NSA's leaked Windows SMB exploits EternalBlue and DoublePulsar, have not been identified yet.

    While police and cyber security firms continue to search for answers surrounding the origins of the WannaCry campaign, Dark web intelligence firm Flashpoint recently indicated the perpetrators might be Chinese, based on its linguistic analysis.

    Hacking News
    Swati Khandelwal
    Technical Writer, Security Blogger and IT Analyst.
    She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

    end C/P
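    The three recovery cases the copied Kaspersky write-up describes (hidden read-only originals beside their encrypted copies, numeric %TEMP%\%d.WNCRYT files on the system drive, and the hidden '$RECYCLE' folder on other drives) as a report-only PowerShell triage script. This is an added example, not a tool from Kaspersky Lab, The Hacker News or the forum; the $Roots default and the .WNCRY final extension are assumptions (the post only names .WNCRYT), and it modifies nothing unless run with -Unhide, which only clears the Hidden attribute.

```powershell
# Added example: locate WannaCry leftovers that still hold original data. Run on a cleaned machine.
[CmdletBinding()]
param(
    [string[]]$Roots = @($env:USERPROFILE),   # folders to walk for hidden originals (assumption)
    [switch]$Unhide                            # clear the Hidden attribute on what is found
)
# .WNCRYT is the working extension named in the post; .WNCRY is the final one seen in the wild (assumption).
$EncExt = @('.WNCRY', '.WNCRYT')

function Find-HiddenOriginals {
    # Read-only case: the original keeps its name, sits beside the encrypted copy, and is hidden.
    param([string[]]$Paths)
    $hits = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $EncExt -contains $_.Extension } |
            ForEach-Object {
                # "report.docx.WNCRY" -> "report.docx"
                $origName = $_.Name.Substring(0, $_.Name.Length - $_.Extension.Length)
                $orig = Join-Path $_.DirectoryName $origName
                $item = Get-Item -LiteralPath $orig -Force -ErrorAction SilentlyContinue
                if ($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)) { $hits += $item }
            }
    }
    return $hits
}

function Find-TempOriginals {
    # System-drive case: %TEMP%\<number>.WNCRYT holds the original bytes; the file name is lost,
    # so these need a content-based recovery tool, but the script can at least count and size them.
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.WNCRYT' -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' }
}

function Find-RecycleFolders {
    # Non-system-drive case: a hidden '$RECYCLE' folder at the drive root holds moved originals.
    $sysRoot = "$env:SystemDrive\"
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne $sysRoot -and $_.Used } | ForEach-Object {
        $dir = Join-Path $_.Root '$RECYCLE'
        $d = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($d -and $d.PSIsContainer) { $d }
    }
}

function Clear-Hidden {
    param([IO.FileSystemInfo]$Item)
    $Item.Attributes = $Item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
}

$hidden = @(Find-HiddenOriginals -Paths $Roots)
Write-Host "Hidden originals beside encrypted copies: $($hidden.Count)"
foreach ($f in $hidden) {
    Write-Host "  $($f.FullName)"
    if ($Unhide) { Clear-Hidden $f }
}

$temp = @(Find-TempOriginals)
Write-Host "Unrenamed originals in $env:TEMP (content intact, name lost): $($temp.Count)"
foreach ($f in $temp) { Write-Host ("  {0}  {1:N0} bytes" -f $f.Name, $f.Length) }

foreach ($d in @(Find-RecycleFolders)) {
    $n = @(Get-ChildItem -LiteralPath $d.FullName -Recurse -Force -File -ErrorAction SilentlyContinue).Count
    Write-Host "`$RECYCLE folder $($d.FullName): $n file(s)"
    if ($Unhide) { Clear-Hidden $d }
}

if (-not $Unhide) { Write-Host 'Report only. Re-run with -Unhide to clear the Hidden attribute on the items above.' }
```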

  10. #10 dara
    I blame Kathy Griffin! LOL.
