Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Breaking: WannaCry has been decrypted, if you follow the rules

    Home Forums AskWoody blog Breaking: WannaCry has been decrypted, if you follow the rules

    This topic contains 12 replies, has 4 voices, and was last updated by  GoneToPlaid 2 months, 1 week ago.

    • Author
      Posts
    • #116454 Reply

      woody
      Da Boss

      For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen: DON’T REBOOT. Matt Suiche has confirmed that
      [See the full post at: Breaking: WannaCry has been decrypted, if you follow the rules]

      3 users thanked author for this post.
    • #116491 Reply

      anonymous

      So is the DEFCON level  going to be changed as I’m in group “B”  and no not want problems

      • #116545 Reply

        anonymous

        I believe the regulars are busy, and may not respond. So I’ll give a go.

        If you have been a faithful Group B and understand what you have been doing for more than 60ish days; then please, relax.

        At least on this issue currently at hand. No matter what WinOS (you did not say), the green light (DEFCON3) after March 2017, had you install at least one patch to prevent this breach. Stand down, and wait for word.

        If you are still concerned, more information about your situation from your chair is needed. Inviting correction from any regular…

        Paul

        1 user thanked author for this post.
        • #116558 Reply

          woody
          Da Boss

          That’s exactly right.

          As noted in an earlier post, I’m trying to strike a new balance with the go-ahead. In the interim, as long as you installed the MS17-010 patch, there’s nothing pressing.

          1 user thanked author for this post.
    • #116548 Reply

      anonymous

      Hi, I am Win 7, i think  I jumped the gun a little, i have the march 2017 patch installed already when i first read it, i though there were new ransomware exploits found, and the May ‘s patches was needed

      • #116550 Reply

        anonymous

        I’m glad to read you as more comfortable already. That is good.

        You are not foolish to worry, and you are at the right place. You simply have misread a very confusing, fast developing threat that has already passed. The fact that you are reading this is proof you were not hit 7 days ago with the first strike.

        Any new threats are very vague at this point, the only known point of failure was already addressed by Microsoft for Win7 (that’s you) in the March 2nd Tues cycle. As Group B, you followed special directions, and were already protected by the AskWoody team several weeks in advance.

        I know it was scary, when all the announcements of impending doom named *every* OS patch under the sun, *except* yours. But that is because you already had it weeks ago.

        AskWoody cannot see the future, but they are some of the best minds involved in the present. Stick with it. You’re doing it right.

        Paul

    • #116553 Reply

      anonymous

      I had responded, but failed moderation. Possibly because I assumed you are the same anonymous as above, without verification. And though I sign my posts, I have not joined.

      I withdraw and hope you are addressed. What I do know, is if you can read this, your machine has not been encrypted.

      Someone credentialed may come by soon.

      Paul

      • #116564 Reply

        PKCano
        AskWoody MVP

        I had responded, but failed moderation.

        Paul,
        Your post did not fail moderation. Anonymous posters have to be moderated EVERY time they post. It is not instantaneous, and sometimes may take a good while.
        On the other hand, registered posters do not have to be moderated so their posts are immediately available. (That’s an invitation to register).

        • #116565 Reply

          anonymous

          Thanks again, PKCano. I get it. I guess I’m just not there yet. I do not expect immediate, but it had been some time. And regret that even this adds to the load in your stack. You have a special skill for patience. Since I have already troubled you — engage humour:

          What do you mean your elapsed time is different than mine?

          I will reconsider joining before troubling you again.

          Paul

          1 user thanked author for this post.
          • #117053 Reply

            woody
            Da Boss

            Join!

            All it takes is an email address – and you can use a disposable one…

    • #117059 Reply

      anonymous

      Oh, thank you, Woody. I was just coming back by here, to this thread, because I wanted to note the possible change a day makes. And to raise attention that my reassurances above *might* be outdated already. I defer to people who know better the protections offered by the May2017 cycle for this latest information on threats that occurred more than 9days ago.

      Annon #116553 may have a point, and I lack information.

      Concerned but not Worried,
      Paul

    • #117079 Reply

      GoneToPlaid
      AskWoody Lounger

      I am on Group B. Following, I am only talking about the Security Only updates. Installed on my Win7 machines are the March and May updates. I uninstalled the April update after first testing it on one of my machines and encountering many issues —  including breaking the ability of Windows Update to download any new updates. Thus I skipped the April update for my other Win7 machines. So far the May update seems to be okay on all of my Win7 computers.

      For Group B users, I would recommend that they install the May update in addition to the March update since the May update includes additional security fixes. Note that new malware has recently been discovered which not only uses over a half dozen stolen NSA tools, but also appears to be a “test run” for future malware which could easily be fully weaponized.

      In addition to making sure that you have installed the March and May updates, you need to also make sure not only that your antivirus (AV) product is up-to-date, but also that your AV product is even capable of performing behavioral analysis in order to detect malware such as WannyCry and similar ransomware. Some AV products detect and immediately stop the ransomware. Other AV products currently only detect additional dropped files after the ransomware has already infected the computer. And of course some AV products detect nothing at all.

      All Windows 7 and 8x users should disable SMB1 unless for some reason they still have some Windows XP computers on their network. If those users still have XP computers on their network, it would be far better to disable SMB1 and to immediately either replace or upgrade those XP computers.

      Microsoft has published instructions for how to disable SMB1. Note that on most Windows 7 computers, the DWORD called SMB1 does not exist. You have to create it and set it to zero. This was a source of confusion for at least one person here. Microsoft’s instructions for disabling SMB1:

      https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server

       

      • This reply was modified 2 months, 1 week ago by  GoneToPlaid. Reason: Added additional information
    • #117093 Reply

      GoneToPlaid
      AskWoody Lounger

      Hmm…a utility which searches, in computer memory, for the prime numbers which were used to generate the encryption key, in order to regenerate the encryption key. Brilliant! Now, does anyone see a huge problem with this now publicly disclosed method since it has now been publicly shown that this can indeed be done? The road to Hell is paved with good intentions — in this case, to help people to potentially recover their files which were encrypted by WannaCry.

      Matt Suiche, apparently with nothing other than good intentions, really didn’t think this through. He has now publicly shown that all encryption methods, starting on the source computer, can be defeated at the source by installing malware on the source which searches in memory and in real time for the prime numbers which are used to generate encryption keys. Such malware, from a heuristics and behavioral analysis standpoint within antivirus programs, potentially could be extremely difficult if not impossible to reliably detect.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Breaking: WannaCry has been decrypted, if you follow the rules

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.