Tagged: WannaCry Ransomware

Marcus Hutchins, who had stopped the spread of WannaCry RansomWare, has apparently been arrested.

Marcus Hutchins works as a Cyber-Securty Researcher at Kryptos Logic. It was Marcus who had apparenlty stopped the spread of the WannaCry version 1 RansomWare. He found the Kill Switch after decompliing the WannaCry v1 code. Once he registered a Domain name found in the code, the spread of WannaCry V1 RansomWare slowed down dramatically. Soon after  WannaCry version 2, which removed the kill switch, was spotted on the Internet.

Marcus was in Vegad for the Black Hat and Def Con conferences. He was apparenly arrested after the confernces.

Clik on this line to visit the Motherboard Vice.com website to read more details about the apparent arrest of Marcus Hutchins.

Click on this link to visit The Telegraph newspaper website to read their post titled: “FBI arrests WannaCry hero Marcus Hutchins in Las Vegas”.

Click on this link to visit the BBC website and read to post titled: “NHS cyber-defender Marcus Hutchins arrested in US”.

Click on this link to view our prior coverage of the WannaCry Ransomware outbreak.

Advertisements

Find the Key needed to unencrypt a Hard Drive encrypted by Petya Ransomware

Click on this link to visit the GitHub site where Leo Stone has posted some code which might just figure out the key required to unencrypt a Hard Drive encrypted by Petya Ransomeware. He suggests to try finding the key using an image copy of the Petya encrypted Hard Disk,. That way the original may not be harmed.  

Disclaimer: if you use Leo Stone’s code and method, you do so at your own risk. Loe also suggested to make and use an image copy of the encrypted hard Drive so as not to potentially damage the original. Leo’s code may find the key, or it may not. Playing around with the encrypted Hard Drive may damage it to the point that even if you pay the Ransom, you may not be able to reteive your data from said hard drive. I again state that following Loe Stone’s method as posted on GitHub is done at your own risk. Do your own Due Diligence. You could lose all the data on the hard drive.

Posted by Vincent Banial

WannaCry Ransomware infected Traffic Cameras in Australia and Honda’s Sayama factory

Posted by Vincent Banial

WannaCry Ransomware is far from dead. It is still out there on the internet, searching for more victims.

Uniquely Toronto recently had extensive coverage about WannaCry Ransomware and Security Patches and had links to Security Patches and steps to better Secure computers against WannaCry.

When Wannacry was first discovered, Automobile manufacturing plants had been affected after WannaCry infected the Auto Plant’s computers. Seems that the IT folks at a Hond Auto Plant in Japan have not been folllowing the Cyber Security news. WannaCry Ransomware infected Honda’s Sayama car production plant this week.

Click on this link to visit the Reuters News post about Wannacry being found on the computer newtwork at Honda’s Sayama car production plant this week.

Apparently the WannaCry Ransomware was also spread to over 50 Traffic cameras via a USB memory stick. That happened in Austalia. Since wannacry encrypts owner created files on a computer, I would assume it would encrypt any JPGS or video files created by the Traffic cameras. Interesting that it is being claimed that it was spread by the use of a USB Memory stick. A good question to ask, would be “Where has that USB stick been plugged into a computer which was connected to the main system network”. USB Memory sticks generally have to be plugged into a computer to acquire ransomware.

Video courtesy of the Rebas Rebas YouTube channel

Click on this link to visit the 3Aw News Radio Station’s post about wannacry infecting Traffice camera in Austalia.

Traffice cameras must be a huge money maker. The wannaCry ransomware infection was started apparently on June 6. So by June 22 at least 8,000 Traffic Tickets may be withdrawn because of the infection of the Traffic camera. Those cameras must generate huge amounts of money for the city and for insurance companies and for the court system of lawyers, judges and clerks. Nice money making scheme with possibly little impact on traffic safety. 8,000 tickets in two weeks!!!

Click on this link to visit the Canadian Global News page to read their post titled: “8,000 red-light camera traffic tickets withdrawn in Australia due to WannaCry virus”.

WannaKey along with WanaKiwi may help to decrypt your WannaCry encrypted files without having to pay the Ransom

WannaKey works with older variants of Windows Server and Windows Workstation Operating Systems such as Windows Server 2003, Windows Server 2008, Windows XP, Windows 7, and Windows Vista.

When WannaCry encrypts your files, it creates a Private Key which is used to create the decrypt key. Then the Private key is erased. On older Windows systems the erase does not remove the data from memory. So if you are lucky and you have “not” rebooted the PC then there is a chance that WannaKey could recover the Private key, because it is still held in the system memory.

Once you have the Private Key then you can use a different program called wanakiwi to decrypt the files on the WannaCry encrypted PC.

The key point to remember is that the above process “MAY’ work. The Computer which was encrypted by WannaCry Ransomware, must “NOT” have been rebooted. Any files to download would be done using a different computer and then run on the encrypted PC via a USB flash Drive.  The WannaCry code did issue the command to erase the Private Key but the bug in older Windows Operating Systems is that Private Key has not been erased from the computer’s main memory.  With a bit of luck, you may be able to decrypt your WannaCry encrypted PC. Note there is no guarantee that this will work. If you are unsure how to go about this, then get a computer professional to help you.

Click on this Link to visit the GitHub page for Wannakey.

Click on thsLink to visit the

Click on this Link to visit the Comae Blog post by Matt Suiche titled “WannaCry — Decrypting files with WanaKiwi + Demos”. Matt goes thru the whole process along with screen shots.

Video is courtesy of the Vishnu Ava YouTube channel

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to also always create daily backups. If you try to decrypt a WannaCry encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.

Running demo of WannaCry v2 Ransomware Binary

WnnaCry Version 2 Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill SwitchCode has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.

In the video below the actual Binary Code of the WannaCry V2 Ransomware is run in a virtual environment.

Video is courtesy of the Colin Hardy YouTube channel.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial