Collection of information.

On May 12, an epidemic of the Wana Decryptor malware began; it encrypts data on the user's computer.

How does Wana Decryptor infect users' computers?
Wana Decrypt0r exploits a vulnerability in the SMB service of Windows operating systems. This vulnerability is present in all modern versions of Windows, from Windows 7 to Windows 10.

This vulnerability is fixed by the patch MS17-010 (Security Update for Windows SMB Server), which was released on March 14, 2017 (if you have automatic updates disabled, install the patch manually).

Download the security patch.

How Wana Decryptor works.

When launched for the first time, the malware extracts a file into the same folder as the installer. This file is a password-protected 7zip archive; the files extracted from it are used during the malware's operation.

The ransom message uses the same language as the computer user. Currently, Wana Decrypt0r supports the following languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese.

Next, WanaCrypt0r downloads the TOR browser (Download Tor), which is used to communicate with the ransomware's control servers. When this is done, the malware executes a command that grants full access to all available directories and files:

CMD/BATCH:

icacls . /grant Everyone:F /T /C /Q

This is done so that as many files as possible on the infected computer can be encrypted.
It also tries to terminate the following processes:

CMD/BATCH:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*

This releases the database and mail store files so that they too can be encrypted.

The ransomware encrypts files with the following extensions:

Code:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Encrypted files receive the additional extension .WNCRY after their original extension.

After encrypting the files, two files are added to the directory:

Next, it attempts to delete shadow copies and disable the other built-in Windows file recovery options (System Restore, backups, etc.):

CMD/BATCH:

C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet


!!When the cleanup commands are executed, a UAC prompt is triggered; if you answer NO, the command is not executed, which gives a high chance of recovering the information.
If you have UAC disabled (for example, on a server OS), then please accept my condolences.
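As an added example (not from the original page), the following Python script shows how a defender could hunt for the recovery-inhibition chain and the icacls/taskkill commands described above in process-creation telemetry. The pipe-separated log format (time|host|user|parent|command line), the hostnames and the sample events are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Indicators derived from the commands the section above attributes to the
# ransomware; each regex runs case-insensitively against one command line.
INDICATORS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows?\s+/all", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_ignore_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("icacls_grant_everyone",
     re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F", re.I)),
    ("taskkill_db_or_exchange",
     re.compile(r"taskkill(\.exe)?\s+/f\s+/im\s+(mysqld|sqlwriter|sqlserver|MSExchange|Microsoft\.Exchange)", re.I)),
]

# The five recovery-inhibition commands. Two or more from one host (the
# ransomware issues all five in a single cmd.exe /c line) is the strong signal;
# any one alone may be a legitimate administrator action.
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows", "wmic_shadowcopy_delete",
    "bcdedit_ignore_failures", "bcdedit_disable_recovery",
    "wbadmin_delete_catalog",
}

# Constructed sample events in an assumed pipe-separated export format:
# time|host|user|parent_image|command_line. Hostnames and paths are made up.
SAMPLE_EVENTS = [
    r"2017-05-12T10:01:03|WS-ACCT-07|CORP\jsmith|C:\ProgramData\sample_dropper.exe|"
    r"C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
    r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"2017-05-12T10:01:04|WS-ACCT-07|CORP\jsmith|C:\ProgramData\sample_dropper.exe|icacls . /grant Everyone:F /T /C /Q",
    r"2017-05-12T10:01:05|WS-ACCT-07|CORP\jsmith|C:\ProgramData\sample_dropper.exe|taskkill.exe /f /im mysqld.exe",
    r"2017-05-12T10:15:00|SRV-BACKUP-01|CORP\backupadm|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet",
    r"2017-05-12T10:16:00|SRV-BACKUP-01|CORP\backupadm|C:\Windows\System32\cmd.exe|vssadmin list shadows",
]

def parse_event(line):
    """Split one export line into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "parent", "cmdline"), parts))

def match_indicators(cmdline):
    """Labels of every indicator present in a single command line."""
    return [label for label, rx in INDICATORS if rx.search(cmdline)]

def analyse(lines):
    """Return (hits, verdicts): hits[host][label] is the list of timestamps,
    verdicts[host] is 'ransomware_prep' when two or more distinct
    recovery-inhibition commands were seen, otherwise 'review'."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label in match_indicators(ev["cmdline"]):
            hits[ev["host"]][label].append(ev["time"])
    verdicts = {}
    for host, labels in hits.items():
        n = len(RECOVERY_INHIBITION & set(labels))
        verdicts[host] = "ransomware_prep" if n >= 2 else "review"
    return hits, verdicts

if __name__ == "__main__":
    found, verdicts = analyse(SAMPLE_EVENTS)
    for host in sorted(verdicts):
        print(host, verdicts[host], sorted(found[host]))
```

On the sample data the workstation is reported as ransomware_prep because its single cmd.exe line matches all five recovery-inhibition indicators, while the backup server, which only ran wbadmin, is left for review.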


When the user clicks the Check Payment button, the ransomware connects to the TOR C2 servers to check whether the payment was made. If the payment has been made, the files are decrypted automatically; if not, you will see a response similar to the one below.


How to decrypt files after WanaCrypt0r?
If you answered No to the UAC prompt, the surviving shadow copies will help. The ShadowExplorer program will also help.
At the moment there is no way to decrypt the files without the attackers' help if the shadow copies have been deleted.

How to prevent ransomware infection?

  1. There is no absolute protection.
  2. Do not turn off automatic Windows updates; this lets you close OS vulnerabilities (more or less) quickly.
  3. Use an antivirus, or be prepared to deal with the consequences.
  4. Do not trust anyone on the network; do not open unverified files that you received without an antivirus scan.
  5. Use backups, and the more important the information, the more attention you should pay to the safety of the copies.
A program that will help you avoid ransomware activation -

Good afternoon

It is easy to remove the WannaCrypt virus (Wana Decrypt0r 2.0) from your computer; the simple instructions below will work for any modern version of Windows. But it is not yet possible to decrypt .WNCRY files for free. All major antivirus software manufacturers are working on such a decryptor, but there has been no significant progress in this direction yet.

If you remove the virus from your computer, there is a high probability that you will never be able to decrypt the encrypted files. WannaCrypt (Wana Decrypt0r 2.0) uses very effective encryption methods, and the chances that a free decryptor will be developed are not great.

You need to decide whether you are willing to lose your encrypted files or not. If you are, use the instructions below; if you are not, pay the ransom to the creators of the virus. In the future, be sure to start using some system for backing up your files and documents; there are a lot of them now, both paid and free.

1. Close network port 445 (TCP):

  • Run the command line (cmd) as administrator (instructions: ).
  • Copy the following text: netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"
  • Paste it into the command line and press Enter; the system should respond with "OK".
3. Configure the display of hidden and system folders; to do this:

  • Press the Win + R keys simultaneously;
  • Type "control.exe" in the window and press Enter;
  • In the search bar of the Control Panel (top right), type "Explorer Options";
  • Click on the "Explorer Options" shortcut in the main window;
  • In the new window, go to the "View" tab;
  • Find "Hidden files and folders" and select "Show hidden files, folders and drives";
  • Click "Apply", then "OK".

4. Open Explorer and go to the following folders:

  • %ProgramData%
  • %APPDATA%
  • %TEMP%

  (just copy each folder name into the address bar of Explorer).

  In each of the specified folders, carefully review all subfolders and files. Remove anything that contains a mention of the WannaCrypt virus (Wana Decrypt0r 2.0) in its name.

5. Look for suspicious registry entries in the following keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

6. Restart your computer.

    How to remove Wana Decrypt0r 2.0

    The Internet world and PC users have been stunned by a new kind of data-encrypting ransomware, called Wana Decrypt0r 2.0, which has already infected thousands of workstations in a very short time. It has infected more than 99 countries simultaneously, including the United States, Latin America, Europe, and Asian countries. Wana Decrypt0r 2.0 is known under several names: WCry, WNCry, WannaCry and so on. Once successfully installed, it begins scanning the workstation for files and programs that it can encrypt. It uses RSA and AES encryption to lock files and changes their extension to .wcry, .wcryt, .wncry or .wncrrytt. Its ransom note is kept in a text file named @Please_Read_Me@.txt. This note contains information about the ransomware, a bitcoin address and an email address for paying the ransom. Research shows that Wana Decrypt0r 2.0 demands 300 US dollars in the virtual currency Bitcoin in exchange for the decryption key. It is highly recommended that you immediately scan your workstation with a powerful anti-malware tool to completely remove all files and components associated with Wana Decrypt0r 2.0. It is very important that all its elements are removed so that it cannot encrypt any other files and data.

    How does Wana Decrypt0r 2.0 get distributed?

    Technically, Wana Decrypt0r 2.0 is capable of infecting Windows-based PCs. It exploits the EternalBlue vulnerability in Windows 7, 8, 10 and Windows Server versions. Notably, if you did not install the Microsoft patches (MS17-010, CVE-2017-0146 and CVE-2017-0147) in March 2017, then you are most likely to become infected with this malware. It is still unknown whether, like other ransomware, it also uses spam email attachment campaigns to distribute itself. However, you should be very careful when opening any kind of email attachment or clicking arbitrary hyperlinks while browsing.

    How to decrypt Wana Decrypt0r 2.0

    Cyber criminals manipulate you into paying the ransom in order to obtain the required decryption key. But cyber experts agree in recommending against paying the ransom: there have been many situations in the past where the decryption key was not provided even after the money was paid. So it is always better to try alternative ways, such as backup copies, volume shadow copies or even the free data recovery tools available on the Internet. At the same time, do not forget to check the workstation with a powerful anti-malware tool and remove all associated Wana Decrypt0r 2.0 elements.

    How does Wana Decrypt0r 2.0 get into PC

    A malware infection of this kind shows how vulnerable we are in this modern information age. It can disrupt the performance of the PC and, at the same time, cause multi-million dollar losses. There have been several reports where one computer infected with the malware led to thousands of Windows PCs being infected in one day. Thus, to successfully remove Wana Decrypt0r 2.0, it is also important to know how this malware targets and enters the PC.

    Typically, it attaches its files and code to real programs, which are often offered as freeware. It piggybacks on a legitimate free program and installs very quietly. Suppose we get this virus installed together with some Java program; every time that Java program runs, the infection also becomes active and starts its suspicious activity. Typically such infections are self-replicating and can reproduce. Moreover, it can travel through corrupted email messages, peer-to-peer file sharing, suspicious hyperlinks, etc. It is capable of using the computer network and security holes in order to replicate itself, and it gets installed very quietly. Programs downloaded from the Internet, especially from untrusted sources, are also a major source of computer malware attacks.

    How can Wana Decrypt0r 2.0 be dangerous?

    Any type of PC malware is always dangerous, and if it is of the caliber of Wana Decrypt0r 2.0 then the situation becomes even worse. It can take control of the entire browser, block access to important applications and features, and additionally weaken security settings to bring many other malware in through the backdoor. It automatically reads the content of the web pages you visit and inserts bold keywords and hyperlinks pointing to malicious URLs into them. You are bound to get redirected through phishing and dangerous websites that mainly contain porn content.

    The basic behavior of Wana Decrypt0r 2.0 is to spy on your online activities and put your confidential information under surveillance. It can use suspicious browser plugins, add-ons and even keyloggers in order to spy on and record user activities and leak highly sensitive data such as IDs, passwords, geo-location and IP addresses, bank details, etc. By changing your Internet connection settings, your computer gets connected to the cyber criminals' server, and thus your computer is illegally accessed by unauthorized third parties. It will take over the default browser home page and search engine and will show irrelevant suspicious websites in search results. Most websites in the search results are commercial domains, which are of absolutely no value for the search queries. Therefore, it is important to remove Wana Decrypt0r 2.0 as soon as its early symptoms are noticed.

    Wana Decrypt0r 2.0 Removal Instructions

    Plan A: get rid of Wana Decrypt0r 2.0 with the manual process (recommended only for cyber experts and top technicians)

    Plan B: Remove Wana Decrypt0r 2.0 from a Windows PC using an automatic removal tool (safe and easy for all PC users)

    Windows OS Plan A: Get rid of Wana Decrypt0r 2.0 manually

    Before performing the manual process, there are a few things that need to be confirmed. First, you must have technical knowledge and rich experience in removing PC malware manually. You must have in-depth knowledge of the system registry entries and files. You must be able to undo incorrect steps and must be aware of the possible negative consequences that may arise from a mistake. If you do not have this basic technical knowledge, the plan will be very risky and should be avoided. In such a case, it is highly recommended to go with Plan B, which is easier and will help you detect and remove Wana Decrypt0r 2.0 easily with an automatic tool (with SpyHunter and RegHunter).

    Step 1: Remove Wana Decrypt0r 2.0 from control panel


    Step 2: Remove Wana Decrypt0r 2.0 from browsers

    On Chrome: Open Google Chrome > click the Chrome menu > select Tools > click Extensions > select the Wana Decrypt0r 2.0 extensions > Trash

    On Firefox: Open Firefox > go to the right corner to open the browser menu > select Add-ons > select and remove the Wana Decrypt0r 2.0 extensions

    In Internet Explorer: Open IE > click Tools > click Manage add-ons > Toolbars and Extensions > select the Wana Decrypt0r 2.0 extensions and its elements and delete them.

    Step 3: Remove Wana Decrypt0r 2.0 malicious files and registry entries


      3. Detect the registry entries created by Wana Decrypt0r 2.0 and carefully remove them one by one:

    • HKLM\SOFTWARE\Classes\AppID\ .exe
    • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\Start Page Redirect="http:// .com"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\virus name
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\ .exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • 'Random' HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random

    Plan b: Remove Wana Decrypt0r 2.0 with automatic Wana Decrypt0r 2.0 utility

    Step1. Scan the infected computer with SpyHunter to remove Wana Decrypt0r 2.0.

    1. Click on the Download button to download SpyHunter securely.

    Note: While downloading SpyHunter to your PC, your browser may display a fake warning such as "This type of file may harm your computer. Do you still want to keep Download_Spyhunter-installer.exe anyway?" Remember that this is a scam message that is actually generated by the PC infection. You should simply ignore the message and click on the "Save" button.

    2. Run SpyHunter-Installer.exe to install SpyHunter using the Enigma software installer.

    3. Once the installation is complete, let SpyHunter scan your computer deeply to detect and remove Wana Decrypt0r 2.0 and its associated files. Any malware or potentially unwanted programs are automatically scanned for and detected.

    4. Click on the “Fix threats” button to remove all computer threats, discovered by SpyHunter.

    Step 2: Use RegHunter to Maximize PC Performance

    1. Click to download RegHunter along with SpyHunter

    2. Run RegHunter-Installer.exe to install RegHunter through the installer



    Methods used by Wana Decrypt0r 2.0 automatic removal tool

    Wana Decrypt0r 2.0 is a very advanced malware infection, so it is very difficult for anti-malware software to keep its detection updated for such malware attacks. But with the automatic Wana Decrypt0r 2.0 removal tool there are no such issues. This malware scanner gets regular updates with the latest malware definitions and thus can scan your computer very quickly and remove all types of malware threats, including spyware, Trojans and so on. Many surveys and computer experts call it the best infection removal tool for all versions of Windows PC. This tool will completely cut the connection between the cyber criminals and your computer. It has a very advanced scanning algorithm and a three-step malware removal process, so that both the scan and the malware removal are very fast.

    The new WannaCry ransomware virus, or WanaDecryptor 2.0, which leaves encrypted .wncry files instead of user data, is shaking the Internet. Hundreds of thousands of computers and laptops around the world are affected. Not only ordinary users were affected, but also the networks of such large companies as Sberbank, Rostelecom, Beeline, Megafon, Russian Railways and even the Russian Ministry of Internal Affairs.

    Such widespread propagation of the ransomware virus was made possible by the use of new vulnerabilities in Windows operating systems, which were made public in documents of the US intelligence services.

    WanaDecryptor, Wanna Cry, WanaCrypt or Wana Decryptor - which name is correct?

    At the time the viral attack on the global web began, no one knew exactly what the new infection was called. At first it was called Wana Decrypt0r, after the name of the message window that appeared on the desktop. Somewhat later, a new modification of the encryptor appeared: Wanna Decrypt0r 2.0. But again, this is only the ransom window that actually sells the user a decryptor key, which in theory should reach the victim after he transfers the required amount to the scammers. The virus itself, as it turns out, is called Wanna Cry (Bath Edge).
    You can still find different names for it on the Internet. Moreover, users often put the digit "0" instead of the letter "o" and vice versa. Various manipulations with spaces also cause great confusion, for example WanaDecryptor and Wana Decryptor, or WannaCry and Wanna Cry.

    How WanaDecryptor works

    The operating principle of this ransomware is fundamentally different from the previous ransomware viruses we have encountered. Previously, for an infection to start working on a computer, it had to be launched first. That is, the naive user received an email with a cunning attachment: a script masquerading as some kind of document. The person launched the executable file and thereby activated the infection of the OS. The Bath Edge virus works differently. It does not need to deceive the user; it is enough that the critical vulnerability of the SMBv1 file sharing service is reachable on port 445. By the way, this vulnerability became known thanks to information from the archives of American intelligence agencies published on the wikileaks website.
    Once on the victim's computer, WannaCrypt begins encrypting files en masse using its very strong algorithm. The following formats are mainly affected:

    key, crt, odt, max, ods, odp, sqlite3, sqlitedb, sql, accdb, mdb, dbf, odb, mdf, asm, cmd, bat, vbs, jsp, php, asp, java, jar, wav, swf, fla, wmv, mpg, vob, mpeg, asf, avi, mov, mkv, flv, wma, mid, djvu, svg, psd, nef, tiff, tif, cgm, raw, gif, png, bmp, jpg, jpeg, vcd, iso, backup, zip, rar, tgz, tar, bak, tbk, gpg, vmx, vmdk, vdi, sldm, sldx, sti, sxi, hwp, snt, dwg, pdf, wks, rtf, csv, txt, edb, eml, msg, ost, pst, pot, pptm, pptx, ppt, xlsx, xls, dotx, dotm, docx, doc

    The encrypted file's extension changes to .wncry. The ransomware can also add two more files to each folder. The first is an instruction describing how to decrypt the wncry files, Please_Read_Me.txt, and the second is the decryptor application WanaDecryptor.exe.
    This dirty trick works quietly until it has processed the entire hard disk, after which it displays the WanaDecrypt0r 2.0 window asking you for money. If the user did not allow it to finish and the antivirus was able to remove the cryptor program, the following message will appear on the desktop:

    That is, the user is warned that some of his files have already been affected and that if he wants them back, he should put the cryptor back. Yeah, right! Do not do this under any circumstances, otherwise you will lose the rest. Attention! For now, no one knows how to decrypt WNCRY files. Perhaps some kind of decryption tool will appear later; we'll wait and see.

    Protection against Wanna Cry virus

    In general, the Microsoft patch MS17-010 for protection against the Wanna Decryptor ransomware was released on May 12, and if the Windows Update service on your PC works fine, then
    your operating system is most likely already protected. Otherwise, you need to download this Microsoft patch for your version of Windows and install it immediately.
    Then it is advisable to disable SMBv1 support altogether, at least until the wave of the epidemic subsides and the situation calms down. This can be done from the command line with Administrator rights by entering the command:

    dism /online /norestart /disable-feature /featurename:SMB1Protocol

    Or through the Windows Control Panel. There you need to go to the "Programs and Features" section and select "Turn Windows features on or off" from the menu. A window will appear:

    Find the item "SMB 1.0/CIFS File Sharing Support", uncheck it and click "OK".

    If problems arise with disabling SMBv1 support, then to protect against Wanacrypt0r 2.0 you can take a different route: create a rule in the firewall used on the system that blocks ports 135 and 445. For the standard Windows firewall, you need to enter the following on the command line:

    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Close_TCP-135"
    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Close_TCP-445"

    Another option is to use the special free Windows application Worms Doors Cleaner:

    It does not require installation and lets you easily close the gaps in the system through which an encryption virus can get in.

    And of course, we must not forget about antivirus protection. Use only proven antivirus products: DrWeb, Kaspersky Internet Security, ESET NOD32. If you already have an antivirus installed, be sure to update its databases:

    Finally, I'll give you a little advice. If you have very important data that you really do not want to lose, save it to a removable HDD and put it in the closet, at least for the duration of the epidemic. This is the only way to somehow guarantee its safety, because no one knows what the next modification will be.

    The news of recent days has shaken the whole world: the Wanna Decrypt0r virus attack. The thing is sharp and merciless. So if you were lucky enough not to catch it but have not updated the operating system for a long time, then urgently install the security updates. At the same time, you can manually block the ports through which the ransomware reaches its victims, just in case.

    More information about the virus, its work, spread, and profitability can be found here:

    Protective measures

    Blocking the ports can be done, for example, using the following commands:

    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"

    netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"

    These commands block inbound access to TCP ports 135 and 445; it is through them that the virus spreads on local networks.

    By the way, the good news is that this thing does not encrypt Tekla files. But DWG and 3ds files it encrypts very well. Another reason to model in Tekla Structures.

    UPD 1

    Patch for pirated versions of Windows 7 to prevent blue screen crashes after installing the WannaCry patches:

    Checking for the patch that covers the WannaCry vulnerability

    • Go to the link above and look up the update number for your operating system; for example, for Windows 7 or Windows Server 2008 R2 the number will be 4012212 or 4012215
    • Open cmd.exe (command prompt)
    • Type: wmic qfe list | findstr 4012212
    • Press Enter
    • If you see something like this in the response, the patch is already installed and you can sleep peacefully: http://support.microsoft.com/?kbid=4012212 P2 Security Update KB4012212 NT AUTHORITY\system 3/18/2017
    • If the response is an empty string, try checking the next patch from the list
    • If no patch is found, it is recommended to install the update immediately
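As an added example rather than part of the original page, the following Python script automates the manual check above: it parses `wmic qfe list` output for the KB numbers and walks the candidate list in the same order. The sample outputs are constructed (KB9999999 is a filler), and the candidate list is limited to the two numbers the text gives; other Windows versions need their own numbers from the MS17-010 bulletin.

```python
import re
import subprocess
import sys

# KB numbers the section above names for Windows 7 / Windows Server 2008 R2.
# Assumption: only these two are listed on the page; extend for other builds.
MS17_010_KBS = ("4012212", "4012215")


def installed_kbs(qfe_text):
    """Set of KB numbers (digits only) found in `wmic qfe list` output.
    The HotFixID column reads KBnnnnnnn; the kbid=... URL is not matched."""
    return set(re.findall(r"\bKB(\d{6,7})\b", qfe_text))


def ms17_010_status(qfe_text, candidates=MS17_010_KBS):
    """Mirror the manual procedure: try each candidate in turn and report
    (True, 'KBnnnnnnn') for the first one present, or (False, None)."""
    present = installed_kbs(qfe_text)
    for kb in candidates:
        if kb in present:
            return True, "KB" + kb
    return False, None


def check_live_host():
    """Run the real `wmic qfe list` on a Windows host and evaluate it."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("wmic is only available on Windows")
    out = subprocess.check_output(["wmic", "qfe", "list"], text=True, errors="replace")
    return ms17_010_status(out)


# Constructed sample outputs in the shape of `wmic qfe list` (abridged columns);
# the KB4012212 line follows the example response quoted in the section above.
SAMPLE_PATCHED = """\
Caption                                     Description      HotFixID   InstalledBy          InstalledOn
http://support.microsoft.com/?kbid=9999999  Update           KB9999999  NT AUTHORITY\\SYSTEM  11/4/2015
http://support.microsoft.com/?kbid=4012212  Security Update  KB4012212  NT AUTHORITY\\SYSTEM  3/18/2017
"""

SAMPLE_UNPATCHED = """\
Caption                                     Description      HotFixID   InstalledBy          InstalledOn
http://support.microsoft.com/?kbid=9999999  Update           KB9999999  NT AUTHORITY\\SYSTEM  11/4/2015
"""

if __name__ == "__main__":
    for name, text in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        print(name, ms17_010_status(text))
```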