
Crysis ransomware master keys released to the public

May 25, 2017

A total of 200 master keys can now be used by victims to decrypt and unlock their systems.

The world has been rocked by WannaCry causing disruption and upheaval across core services and businesses alike over the past week, but there is good news for victims of Crysis with the release of 200 master keys to the public.

Posted at the BleepingComputer forum, the keys can be used by victims of the ransomware as well as security firms in the creation of decryption tools.

The keys, uploaded to Pastebin, have been confirmed as valid by security researchers.
Users of the keys have also confirmed that they have regained access to the files.

Ransomware is a particularly nasty form of malware which, once executed on a vulnerable PC, encrypts files and locks users out of their system.

In return for a ransom demand in the virtual currency Bitcoin which can reach thousands of dollars, the victims are told that they will be granted a key to decrypt their files and restore access.

However, there is no guarantee that such keys will work, and to pay up only fuels this expanding criminal industry.

Recently, one strain of the malware dubbed WannaCry caused widespread disruption.
The ransomware targets older Windows builds that have not received the relevant security update (Windows 10 machines on automatic updates were already patched) and its campaign is still causing damage and disruption to date.

The ransomware hit the headlines after taking down numerous UK National Health Service (NHS) hospital and trust systems, and since then, has spread worldwide.

In total, 386 samples of malware utilizing WannaCry have been detected in the wild, but if you have accepted automatic updates and keep your system up-to-date, there shouldn’t be any need to worry about becoming infected.

This is not the first time master keys for Crysis have been released; in fact, this is the third time.
However, what sets this release apart is that the keys can also be used to decrypt files which have been encrypted with .wallet and .onion extensions.

“This has become a habit of the Crysis operators lately — with this being the third time keys were released in this manner,” ESET researchers say. “Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.”

Why the keys have been released remains a mystery — it may be that all who were likely to pay up have done so, and so there is no harm in releasing the keys, or perhaps after enjoying some time in the spotlight the campaign’s operators are happy to get out of the game.

If you have been affected by this strain of ransomware, you can download the decryption tool that security firm ESET has built on the released keys.


WannaCry Decryption Tool WanaKiwi Works on Windows XP, 2003, Vista, 2008 and 7

May 21, 2017

The decryption tool has a higher chance of working if you haven’t rebooted your device after the infection.

Now that WannaCry infections have dropped somewhat, researchers have started publishing tools that recover the decryption key from an infected machine. So far, two have been confirmed to work.
One is WannaKey, which we have already reported on, and the other is WanaKiwi.

Developed by researcher Benjamin Delpy, also known as gentilkiwi, WanaKiwi works on multiple Windows versions. Europol also confirmed the decryption tool is effective.

There’s a catch before running WanaKiwi, however: you have to keep your machine running after the infection.
That means no reboot is allowed.
The tool depends on the prime factors of the RSA private key still being present in the ransomware process’s memory; a reboot wipes them, and even on a running machine they may be overwritten by other allocations after a while, which lowers the chances of the tool being effective.

“WanaKiwi works on both Windows XP and Windows 7.
This would imply it works for every version of Windows XP to 7, including Windows 2003, Vista and 2008 and 2008 R2,” confirms Matt Suiche from security firm Comae Technologies.

How does it work?

You’ll first have to download WanaKiwi (obviously).
Once you run it, it automatically looks for the 00000000.pky file (the RSA public key the ransomware wrote to disk) and scans the memory of the infected process for the matching private-key material; all you can do is hope for the best while it scans.
Basically, you have to hope that the prime numbers haven’t been overwritten in the process address space, which is why you should not reboot your device after it has been infected.
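The core idea behind WannaKey and WanaKiwi is simple to show in code: the public modulus n is on disk in 00000000.pky, and if either prime factor p or q is still lying around in process memory, a sliding-window scan that tests each window for "does this divide n?" finds it, after which the private exponent is a one-line computation. The example below is an added illustration, not WanaKiwi’s or WannaKey’s own code: it generates a small demo RSA key, plants one prime in a constructed fake memory image, and recovers the full private key from it. The key size (512-bit primes rather than WannaCry’s 1024-bit) and the memory image are assumptions made for the demo; a real dump would be read from the wcry.exe process.

```python
"""Recover an RSA private key from a prime left behind in memory.

Added example (not WanaKiwi's or WannaKey's own code).  It mimics the
technique the article describes: one of the two primes of the
ransomware's RSA key is still in the wcry.exe process memory, and the
public modulus n from 00000000.pky is enough to recognise it.
Everything below (key size, the fake memory image, the offset) is
constructed for the demo.
"""
import random
from math import gcd

BITS = 512                  # bits per prime; WannaCry used 1024-bit primes (RSA-2048)
rng = random.Random(2017)   # fixed seed so the demo is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with a small-prime pre-filter."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits=BITS, e=65537):
    """Return (n, e, d, p, q); stands in for the malware's CryptGenKey call."""
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def build_memory_image(p, size=16 * 1024):
    """Constructed stand-in for a dump of the ransomware process: random
    heap noise with the prime embedded little-endian (the byte order of
    CryptoAPI's PRIVATEKEYBLOB) at an unknown offset."""
    blob = bytearray(rng.getrandbits(8) for _ in range(size))
    off = rng.randrange(0, size - BITS // 8)
    blob[off:off + BITS // 8] = p.to_bytes(BITS // 8, "little")
    return bytes(blob)


def scan_for_prime(image, n, bits=BITS):
    """Slide a window one prime wide over the image; a window whose value
    has the right size and divides n is a factor of the modulus."""
    width = bits // 8
    for off in range(0, len(image) - width + 1):
        cand = int.from_bytes(image[off:off + width], "little")
        if cand.bit_length() == bits and n % cand == 0:
            return cand
    return None


def recover_private_exponent(image, n, e):
    """Rebuild d from the public key plus one recovered prime.
    Returns None when no prime survives in the image (the 'you rebooted'
    failure mode the article warns about)."""
    p = scan_for_prime(image, n)
    if p is None:
        return None
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo():
    """End to end: key in 'memory', scan, recover d, decrypt a test value."""
    n, e, d, p, q = gen_rsa()
    image = build_memory_image(p)
    d_rec = recover_private_exponent(image, n, e)
    m = rng.getrandbits(200)          # stands in for a wrapped file key
    c = pow(m, e, n)
    return d_rec == d and pow(c, d_rec, n) == m


if __name__ == "__main__":
    print("private key recovered:", demo())
```

The scan is cheap even on a large dump because the modulus test is only run on windows of exactly the expected width, and a wrong window almost never divides n. The second call to `recover_private_exponent` in a test with an all-zero image shows the tool’s honest failure path: no candidate, no key.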

The tool will not work for every user due to its dependencies, but there’s hope for many, many people.
There are hundreds of thousands of people who have been infected by WannaCry, and only a handful of those have chosen to pay the $300 in Bitcoin requested by the attackers.

The WannaCry ransomware spread started a week ago and over 220,000 computers have been infected in the process.
The malware takes advantage of a Windows vulnerability that had been exploited by the NSA, according to a series of documents dumped online by a hacker group called the Shadow Brokers.

Microsoft has released a patch for the affected systems, although users are also advised to install a security solution which will block off attacks.


Researcher Creates Tool to Unlock WannaCry-Infected Windows XP Files

May 19, 2017

A security researcher appears to have discovered a flaw in WannaCry that may provide Windows XP victims of the attack with a way to unlock their files.

A French security researcher has reportedly found a potential rescue tool for Windows XP WannaCry victims after discovering a flaw in the malware, according to various published reports.

Adrien Guinet of QuarksLab in Paris released a potential fix on GitHub, which relies on snagging private key traces from the infected computer’s memory to decrypt the files, according to a report in Wired.
But there is a caveat: the potential fix may fail if the malware, or other processes, overwrote the decryption key traces, or if the user rebooted the computer after the infection, according to Wired.

Other security researchers have had mixed results in testing Guinet’s WannaCry workaround, with some saying it did not work when they tested it and others noting Guinet appears to have found a legitimate flaw in WannaCry.



TripAdvisor resets passwords after some accounts were improperly accessed

May 16, 2017

The travel booking site wouldn’t say how many users were affected.

TripAdvisor has reset an unknown number of accounts after the company warned that some accounts may have been compromised.

The travel booking site said that while it hadn’t been hacked, fraudsters had “attempted to verify email and password combinations” from data stolen from other companies.

A spokesperson for the company wouldn’t name the source of the breached data or say how many accounts were compromised, and declined to comment further.

But the number of accounts was significant enough to require a report to the California attorney general, to whom businesses must report a data breach or exposure affecting more than 500 California residents.

TripAdvisor sent emails to customers whose accounts it believes were accessed by an unauthorized person.
The company said that it had “invalidated” old passwords and asked users to reset their passwords through an online form.

It’s the latest example of a company responding by force-resetting passwords in the wake of a breach of another company.

Amazon, for example, regularly resets user passwords it believes are weak or that have been compromised on another site.
Customers who reuse the same password across different sites are at greater risk: one breach hands an attacker working credentials for every other service where that password was reused.
That’s why companies like Facebook will actively buy hacked data on the dark web and match it against their own users’ accounts to see which are at risk, heading off further account compromises.
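What “matching hacked data against your own users” looks like in practice, as an added example (not TripAdvisor’s, Amazon’s or Facebook’s code): take the leaked email/password pairs, check each one against the site’s own salted password hashes, and invalidate exactly the accounts where the leaked password still works. The leak lines and user records below are constructed sample data, and the PBKDF2 parameters are an assumption standing in for whatever the real site uses.

```python
"""Match a leaked credential dump against your own user store.

Added example, not the code of any company named in the article.  The
leak text and the user table are constructed sample data; the hashing
scheme and cost are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 cost; use your real parameters

# Constructed "email:password" dump in the shape such leaks circulate.
# Alice and Carol reused their leaked password on this site; Bob did not;
# Mallory has no account here; one line is junk.
LEAK = """\
alice@example.com:Summer2016!
bob@example.com:hunter2
carol@example.com:correct horse battery staple
bob@example.com:hunter2
mallory@example.com:letmein
garbage line without separator
"""


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: the shape of a typical stored hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison of a candidate against the stored hash."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def parse_leak(text):
    """Parse 'email:password' lines; skip malformed ones, keep duplicates
    (the same pair often appears in several combined dumps)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, pw = line.partition(":")
        pairs.append((email.strip().lower(), pw))
    return pairs


def find_at_risk_accounts(leak_pairs, users):
    """users: {email: (salt, digest)} or None once invalidated.
    Return the emails whose current password equals the leaked one, i.e.
    accounts a credential-stuffing attacker could log into right now."""
    at_risk = set()
    for email, pw in leak_pairs:
        rec = users.get(email)
        if rec is not None and verify(pw, *rec):
            at_risk.add(email)
    return at_risk


def force_reset(users, emails):
    """Invalidate the stored hash so the old password stops working; the
    user must go through the reset flow (what TripAdvisor described)."""
    for email in emails:
        users[email] = None
    return users


def build_users():
    """Constructed user table with fresh random salts."""
    return {
        "alice@example.com": hash_password("Summer2016!"),
        "bob@example.com": hash_password("Tr0ub4dor&3"),
        "carol@example.com": hash_password("correct horse battery staple"),
        "dave@example.com": hash_password("unrelated-password"),
    }


def demo():
    users = build_users()
    hits = find_at_risk_accounts(parse_leak(LEAK), users)
    force_reset(users, hits)
    return sorted(hits)


if __name__ == "__main__":
    print("forced reset for:", demo())
```

Two design points matter here: only the leaked plaintext is ever re-hashed (the site never needs the other company’s hashes, which would use a different salt and algorithm anyway), and the reset is targeted, so users who did not reuse the password are left alone.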

In the past two years, we’ve seen a spike in massive breaches at MySpace, LinkedIn, Tumblr, and AdultFriendFinder, collectively making up over one billion user accounts.


How to Update Avast with Fix for Internet Connectivity Problem

May 15, 2017

The company has a fix for your Internet problems.

Last week, an update to Avast’s security solution cut off Internet access for users.
Now, the company has released a fix.

The fix, according to Avast, is being distributed via a micro-update to Avast Web Shield.
If you want to download the fix, you’ll have to turn off the Avast Web Shield which, in turn, will allow your Internet to work again.
This, of course, was known from back when the problem occurred, as the company’s forums were full of this solution.

You’ll then have to go to Protections >> Antivirus from the user interface and turn the Web Shield OFF.
Alternatively, you can right-click the Avast tray icon, go to Avast shield control, and choose “disable permanently” so you can turn off all shields.

Then, you’ll have to go to your Avast installation folder, which can usually be found in C:\Program Files\AVAST Software\Avast.
There you’ll need to double-click on the AvEmUpdate.exe file and confirm the prompt.
The fix will be applied silently.

A few minutes of wait-time are required and then you’ll need to restart your computer.
Repeat the process to turn the Web Shield back on and you’ll be safe again and be able to access the Internet once more.

Previous solutions worked too

The version that worked to solve the issue last week involved uninstalling the entire software from your computer and installing a fresh copy since the fix didn’t apply via the regular update method.

Other options involved disabling the Web Shield or disabling Avast completely, but that put users at risk of getting infected.
With WannaCry running rampant these days, it’s probably not a good idea to nix security software on your device.


WannaCry Ransomware Variant with No Kill Switch Discovered

May 14, 2017

Security researchers have discovered several variants.

As expected, the WannaCry ransomware is not even close to being done, despite one researcher discovering a convenient kill switch.
Other variants have already been discovered in the wild, some with a different kill switch, some with none at all.

After a security researcher going by the Twitter handle MalwareTech discovered that registering the unregistered domain the malware checks before spreading stopped the initial WannaCry outbreak, it was expected that the attackers would simply remove this domain from the code, add another, or leave the code without such an easy way out.

Multiple researchers have confirmed that such variants are available online and coming after Internet users everywhere.

“New variants today are now spreading with a modified kill-switch domain.
Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain.
That allowed it to continue propagating again,” Chris Doman, security researcher at AlienVault, told us.
“Thankfully some researchers are already registering the new domains as they identify them.
The cat-and-mouse will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely.
At that point, it will be harder to stop new variants.”

What is WannaCry?

WannaCry is far more dangerous than most ransomware because of its worm component, which spreads through networks on its own via the EternalBlue SMB exploit rather than waiting for each victim to open an attachment.
This is the main reason why computers in the NHS network went down one after another, and why Renault had to stop production at multiple sites.
Once one computer in a network is infected, it’s only a matter of time before the rest are too.
Other companies have also suffered, including FedEx and Telefónica, as well as Germany’s railway operator.

At this point in time, over 200,000 computers have been affected in over 150 countries, despite the kill switch.

The reliable way to block this attack is to apply Microsoft’s security update for the SMB vulnerability, backed by an anti-malware solution that detects the malware itself.
Even though this is a nasty ransomware, its samples are detected by security software and so are easy to block once they land on a patched system.

Microsoft had released a patch for the vulnerability back in March.
The exploit itself, dubbed EternalBlue, was exposed in April by a hacker group called the Shadow Brokers, who dumped online a set of NSA tools that included it.
Security researchers warned at the time that it wouldn’t be too long before an attack was built on it.

Following the launch of the WannaCry attack, Microsoft went ahead and released a patch for Windows XP and Server 2003, even though both were no longer supported.


WannaCrypt ransomware: Microsoft issues emergency patch for Windows XP

May 13, 2017

Microsoft takes unusual step of providing direct support to unsupported systems as targets in 74 countries – including vast swathes of UK hospitals – have been impacted by ransomware attack across the globe

Microsoft has taken the unprecedented step of issuing patches for unsupported operating systems – like Windows XP – in the wake of the massive WannaCrypt ransomware attacks against organisations across the globe.

Businesses, governments and individuals in 74 countries across the globe have been victims of more than 45,000 attacks by this one strain of ransomware in the space of just a few hours.

WannaCrypt ransomware demands $300 in Bitcoin for unlocking encrypted files – a price which doubles after three days.
Users are also threatened with having all their files permanently deleted if the ransom isn’t paid in a week.

Hospitals across the UK have had systems knocked offline by the ransomware attack, with patient appointments cancelled and doctors and nurses resorting to pen and paper and NHS England declaring the cyberattack a ‘major incident’ – a total of 45 NHS organisations are now known to be affected.

Cybersecurity researchers have suggested the ransomware attacks are so potent because they exploit a known software flaw in Windows SMB using an exploit dubbed EternalBlue.
The exploit was apparently developed by the NSA before being leaked by the Shadow Brokers hacking collective.
Microsoft released a patch for the vulnerability earlier this year – but only for operating systems still under support.

One thing many of the targets have in common is that they’re running old Windows operating systems like Windows XP, Windows 8 and Windows Server 2003, which now only receive patches if the organisation using them is paying for custom support.

However, in order to ensure as many systems as possible are protected against WannaCrypt ransomware and other attacks, Microsoft has made security patches for Windows XP and other operating systems broadly available to download.

“This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” the company told customers in a blog post.

Customers can now download security updates for:
Windows Server 2003 SP2 x64
Windows Server 2003 SP2 x86
Windows XP SP2 x64
Windows XP SP3 x86
Windows XP Embedded SP3 x86
Windows 8 x86
Windows 8 x64

Microsoft is continuing to work with customers to provide assistance as the situation evolves.

In response to the attacks against the UK’s National Health Service, Home Secretary Amber Rudd is set to chair an emergency Cobra crisis-committee meeting to coordinate a government response to the incident.

Meanwhile, the National Cyber Security Centre has issued a statement to say it is “working round the clock with UK and international partners and with private sector experts to lead the response to these cyber attacks”.

Ciaran Martin, CEO of the National Cyber Security Centre, said that in order to protect against this sort of attack, organisations should “make sure your security software patches are up to date” and “make sure that you are running proper anti-virus software”.