
Unlocking Wanna Decryptor: the WannaCry virus

Today, probably, only someone very far from the Internet has not heard of the mass infection of computers with the WannaCry ("I want to cry") ransomware Trojan, which began on May 12, 2017. The reaction of those who have heard I would divide into two opposite camps: indifference and panic. What does this tell us?

That fragmentary information does not give a complete picture of the situation, breeds speculation and leaves more questions than answers. This article is devoted to understanding what is really happening, whom and what it threatens, how to protect against infection, and how to decrypt files damaged by WannaCry.

Is the "devil" really so scary?

I don't understand what all the fuss around WannaCry is about. There are plenty of viruses, and new ones appear all the time. What is special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is no ordinary piece of malware. The reason for its notoriety is the scale of the damage. According to Europol, it disrupted more than 200,000 Windows computers in 150 countries, and the losses to their owners have been estimated at more than $1,000,000,000. And that is only the first four days of the outbreak. Most of the victims were in Russia and Ukraine.

I know that viruses get onto PCs through adult sites. I do not visit such resources, so I am not in danger.

A virus? That's no problem for me. When a virus turns up on my computer I run the *** utility, and half an hour later everything is fine. If that doesn't help, I reinstall Windows.

Not all viruses are alike. WannaCry is a ransomware Trojan and a network worm: it spreads over local networks and the Internet from one computer to another without any human intervention.

Most malware, ransomware included, starts working only after the user "takes the bait": clicks a link, opens a file, and so on. To be infected with WannaCry you do not have to do anything at all!

Once on a Windows computer, the malware quickly encrypts the bulk of the user's files and then displays a message demanding a ransom of $300-600, to be transferred to the specified Bitcoin wallet within 3 days (after which the price doubles). If the victim delays for 7 days, it threatens to make decryption impossible.


At the same time the malware hunts for loopholes into other computers and, finding one, infects the entire local network. This means that backup copies kept on neighbouring machines become unusable too.

Removing the virus from the computer does not decrypt the files! Neither does reinstalling the operating system. On the contrary, after a ransomware infection both of these actions can make it impossible to recover the files even if you later obtain a valid key, because the key material the malware leaves on disk and in memory is lost.

So yes, the "devil" is quite scary.

How WannaCry spreads

You're lying. The virus can only get onto my computer if I download it myself. And I am careful.

Much malware can infect computers (and mobile devices too, by the way) through vulnerabilities: errors in the code of operating-system components and programs that give an attacker a way to use a remote machine for their own purposes. WannaCry in particular spreads through a vulnerability in the SMBv1 protocol. It is often called a 0-day, but strictly speaking it was not one at the time of the outbreak: Microsoft had fixed it two months earlier, in the MS17-010 update of March 14, 2017. What the worm exploited was the enormous number of machines on which that fix had never been installed.

That is, two conditions are enough for the ransomware worm to infect a computer:

  • The computer is reachable on TCP port 445 (the SMB port) from a network where there are already infected machines, including the Internet.
  • The above loophole has not been patched on the system.

Where did this infection come from? Is it the work of Russian hackers?

According to some reports (I cannot vouch for their accuracy), the US National Security Agency was the first to discover the flaw in the SMB network protocol, which is used for legitimate remote access to files and printers in Windows. Instead of reporting it to Microsoft so the bug could be fixed, the NSA chose to use it itself and developed an exploit for it (a program that takes advantage of the vulnerability).


Visualization of the WannaCry spread on intel.malwaretech.com

Later this exploit (code-named EternalBlue), which for some time served the NSA to penetrate computers without their owners' knowledge, was stolen and published (the Shadow Brokers leak of April 2017) and formed the basis of the WannaCry ransomware. That is, it was thanks to the not entirely legal and ethical actions of a US government agency that the virus writers learned of the vulnerability.

I've disabled Windows updates. Who needs them when everything works fine without them?

The reason the epidemic spread so fast and so widely was not, as is often said, the absence of a "patch", a Windows update closing the WannaCry loophole. The update (MS17-010) had been available since March 14, 2017; the problem was that a huge number of machines had not installed it, and that for systems Microsoft no longer supported (Windows XP, Server 2003) no patch existed until the company released one out of band once the outbreak had begun.

Today such a patch exists for every affected version. Users whose systems update automatically received it in the first hours after release. Those who believe updates are unnecessary remain at risk of infection.

Who is at risk of a WannaCry attack and how to defend against it

As far as I know, more than 90% of the computers infected by WannaCry were running Windows 7. I have Windows 10, so nothing threatens me.

All operating systems that use the SMBv1 network protocol and have not been patched are at risk of WannaCry infection. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v 1511
  • Windows 10 v 1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Users of any of these systems that do not have the critical security update MS17-010 (available free of charge from technet.microsoft.com) are at risk. Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported versions can be downloaded from support.microsoft.com, which also explains how to check whether the update is installed.

If you do not know which version of the OS is on your computer, press Win + R and run the winver command.


To strengthen protection, and also if the system cannot be updated right now, Microsoft provides instructions for temporarily disabling SMB version 1 (the procedure differs between Windows 7/Server 2008 R2 and Windows 8.1/Server 2012 R2 and later). Additionally, although this is not strictly necessary, you can block TCP port 445, the port SMB listens on, in the firewall.
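The checks and mitigations described above, as an added PowerShell example (it is not code from the original article or from Microsoft): it reports whether an MS17-010 package is installed, whether the SMBv1 server is still enabled, and, if you set $Remediate to $true, disables SMBv1 and blocks inbound TCP 445. The KB numbers in the table are assumed to be the ones Microsoft's MS17-010 bulletin lists per OS; verify them against the bulletin, since later cumulative updates supersede them.

```powershell
# Added example, not from the original article: a PowerShell check-and-mitigate script
# for the MS17-010 / SMBv1 exposure discussed above. Run in an elevated PowerShell
# session (3.0 or later). $Remediate = $false only reports; set it to $true to
# disable SMBv1 and block inbound TCP 445 on this host.
#
# Assumption: the KB numbers below are the MS17-010 packages listed in Microsoft's
# bulletin for each OS; verify them there. Later cumulative updates SUPERSEDE them,
# so "KB not found" means "check further", not "vulnerable"; the SMBv1 state is
# the more reliable signal.

$Remediate = $false

$Ms17010Kbs = @{
    'Windows 7 / Server 2008 R2'                  = @('KB4012212', 'KB4012215')
    'Windows 8.1 / Server 2012 R2'                = @('KB4012213', 'KB4012216')
    'Windows XP / Vista / 8 / Server 2003 / 2008' = @('KB4012598')
    'Windows 10 1507'                             = @('KB4012606')
    'Windows 10 1511'                             = @('KB4013198')
    'Windows 10 1607 / Server 2016'               = @('KB4013429')
}

# Get-WmiObject rather than Get-CimInstance so the script also runs on Windows 7 era PowerShell.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)

# 1. Look for any MS17-010 package in the installed hotfix list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = @()
foreach ($kbList in $Ms17010Kbs.Values) {
    foreach ($kb in $kbList) { if ($installed -contains $kb) { $found += $kb } }
}
if ($found.Count -gt 0) { Write-Host "MS17-010 package present: $($found -join ', ')" }
else { Write-Warning 'No MS17-010 KB found. Check Windows Update history for a later cumulative update before assuming exposure.' }

# 2. Is the SMBv1 server still enabled?
#    Windows 8/2012 and later: Get-/Set-SmbServerConfiguration.
#    Windows 7/2008 R2: the LanmanServer\Parameters\SMB1 registry value (Microsoft KB2696547);
#    a missing value means SMBv1 is ON.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$haveSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
if ($haveSmbCmdlets) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1On = ($null -eq $val) -or ($val.SMB1 -ne 0)
}
Write-Host "SMBv1 server enabled: $smb1On"

# 3. Disable SMBv1 (Microsoft's recommended mitigation when the patch cannot be applied yet).
if ($smb1On -and $Remediate) {
    if ($haveSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0   # effective after reboot
    }
    Write-Host 'SMBv1 disabled (reboot required on Windows 7 / 2008 R2).'
}

# 4. Block inbound TCP 445. This is a blunt instrument: it also breaks file and printer
#    sharing offered BY this host, which is exactly the surface the worm attacks.
if ($Remediate) {
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        # Windows 7 has no NetSecurity module; netsh does the same job.
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
    Write-Host 'Inbound TCP 445 blocked.'
}
```

Run it once with $Remediate left at $false to see where the host stands, then again with $true on machines that cannot be patched immediately. Blocking 445 stops this host from being attacked over SMB but does not stop it attacking others if it is already infected, so the patch remains the real fix.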

I have the best antivirus in the world, ***; with it I can do anything and I fear nothing.

WannaCry can spread not only by the self-propelling method described above but also in the usual ways: through social networks, e-mail, infected and phishing web resources, and so on. Such cases exist. If you download and run a malicious program by hand, the patches that close vulnerabilities will not save you from infection, and an antivirus may not either.

How the virus works and what it encrypts

Let it encrypt whatever it wants. My friend is a programmer; he'll decrypt everything for me. As a last resort we'll brute-force the key.

So it encrypts a couple of files, what of it? That won't stop me working on my computer.

Unfortunately, he will not decrypt anything. WannaCry encrypts each file with a random AES-128 key and protects those keys with RSA-2048; there is no way to break RSA-2048, and none will appear in the foreseeable future. And it will encrypt not a couple of files but almost everything.

I will not give a detailed description of the malware's operation; anyone interested can read the analysis on the blog of security researcher Matt Suiche, for example. I will note only the most significant points.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, these are documents, photos, video and audio, archives, mail, source code, certificates and keys, and files created by all kinds of programs... The malware tries to reach every directory on the system.

Encrypted objects receive a second extension, .WNCRY, for example "Document1.doc.WNCRY".


After encryption the virus drops into every folder an executable, @WanaDecryptor@.exe, supposedly for decryption once the ransom is paid, and a text document, @Please_Read_Me@.txt, with a message to the user.

Then it tries to destroy the shadow copies and Windows restore points (using the vssadmin and wmic tools). If UAC is enabled on the system, the user must confirm this operation. If you deny the request, there remains a chance of restoring data from the copies.

WannaCry generates a unique RSA-2048 key pair for each victim; the private half is encrypted with the attackers' own master public key before being written to disk, so it is useless without the attackers' master private key, and the malware's command-and-control traffic goes over the Tor network. To find other vulnerable machines it scans the local network and random IP ranges on the Internet, and penetrates everything it can reach.

Analysts already know of several WannaCry variants with different distribution mechanisms, and new ones are expected to appear soon.

What to do if WannaCry has already infected your computer

I can see my files changing their extensions. What is happening? How do I stop it?

Encryption is not a one-step process, although it does not take long. If you noticed it before the ransom message appeared on the screen, you can save some of the files by immediately cutting the power to the computer: not by shutting down the system, but by pulling the plug! Bear in mind the trade-off: this saves the files not yet encrypted, but it also wipes the RAM on which the key-recovery tools described below depend.

If Windows is booted normally, encryption will simply continue, so do not let it. Start the computer next either in safe mode, where the malware's autostart entries do not run, or from other bootable media.

My files are encrypted! The virus is demanding a ransom for them! What do I do, how do I decrypt them?

Decrypting files after WannaCry is possible only with the secret key, which the attackers promise to hand over as soon as the victim pays. Such promises are rarely kept: why should the distributors bother once they have what they wanted?

In some cases the problem can be solved without a ransom. To date two WannaCry decryptors have been developed: Wannakey (by Adrien Guinet) and WanaKiwi (by Benjamin Delpy). The first works only on Windows XP; the second, built on the first, works on Windows XP, Vista and 7 x86 as well as on Windows Server 2003, 2008 and 2008 R2 x86.

Both decryptors work by searching the memory of the encryption process for the prime factors of the victim's RSA key, which the Windows CryptoAPI on these systems fails to wipe after use. This means that only those who have not rebooted have a chance of decrypting, and only if not too much time has passed since encryption (so that the memory has not yet been overwritten by another process).

So if you are a user of Windows XP to 7 x86, the first thing to do after the ransom message appears is to disconnect the computer from the local network and the Internet and run WanaKiwi, downloaded on another device. Do nothing else on the computer until the key has been extracted!
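The first-response steps above (isolate, do not reboot, find out what was hit, check whether the shadow copies survived) and the on-disk indicators described earlier (the .WNCRY suffix and the two dropped files), as an added PowerShell triage script. It is not code from the original article or from the decryptor authors; the scan root, the report path and the assumption that process-creation auditing records command lines are illustrative choices.

```powershell
# Added example, not part of the original article: first-response triage for a
# Windows host already showing the WannaCry symptoms described above. It isolates
# the machine and collects evidence WITHOUT rebooting or killing processes, because
# the key-recovery tools (Wannakey/WanaKiwi) need the encryptor's memory intact.
# Run in an elevated PowerShell 3.0+ session. Assumptions: user data lives under
# $ScanRoots, the report path is writable, and step 4 only finds anything if
# process-creation auditing with command lines is enabled.

$ScanRoots  = @('C:\Users')           # assumption
$Report     = 'C:\wcry-triage.txt'    # assumption
$RansomNote = '@Please_Read_Me@.txt'  # dropped note, as described in the article
$Decryptor  = '@WanaDecryptor@.exe'   # dropped "decryptor" stub, as described in the article

$lines = @("Triage started $(Get-Date -Format s) on $env:COMPUTERNAME")

# 1. Isolate: bring down every active adapter (the worm spreads over TCP 445 to
#    anything it can reach). The box stays powered so RAM is preserved.
if (Get-Command Disable-NetAdapter -ErrorAction SilentlyContinue) {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
} else {
    Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=TRUE' | ForEach-Object { $null = $_.Disable() }
}
$lines += 'Network adapters disabled'

# 2. On-disk indicators: .WNCRY files and the two dropped files.
$enc   = @(Get-ChildItem -Path $ScanRoots -Recurse -Force -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue)
$drops = @(Get-ChildItem -Path $ScanRoots -Recurse -Force -File -Include $RansomNote, $Decryptor -ErrorAction SilentlyContinue)
$lines += "Encrypted (.WNCRY) files: $($enc.Count)"
$lines += "Dropped ransom notes / decryptor stubs: $($drops.Count)"
if ($enc.Count -gt 0) {
    $sorted = $enc | Sort-Object LastWriteTime
    $lines += "Encryption window (LastWriteTime): $($sorted[0].LastWriteTime) .. $($sorted[-1].LastWriteTime)"
    $lines += 'Top folders by encrypted-file count:'
    $lines += $enc | Group-Object DirectoryName | Sort-Object Count -Descending |
              Select-Object -First 5 | ForEach-Object { "  $($_.Count)`t$($_.Name)" }
}

# 3. Do Volume Shadow Copies survive? The malware deletes them, but only if the UAC
#    prompt was accepted. If they are still here, a shadow-copy restore may work.
$vss = (& vssadmin.exe list shadows 2>&1) | Out-String
if ($vss -match 'No items found') { $lines += 'Shadow copies: none' }
else { $lines += 'Shadow copies: PRESENT (try ShadowExplorer / vssadmin before anything else)' }

# 4. Evidence of the deletion attempt in Security 4688 (process creation) events.
try {
    $ev = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction Stop |
            Where-Object { $_.Message -match 'vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete' })
    $lines += "Shadow-deletion process-creation events: $($ev.Count)"
} catch { $lines += 'Security log not readable or no 4688 events' }

# 5. Is the ransomware UI still running? Leave it alone: killing it may destroy the
#    in-memory key material WanaKiwi looks for. (Process names differ between samples;
#    this only matches the file name the article documents.)
$running = @(Get-Process | Where-Object { $_.Path -and ($_.Path -like "*$Decryptor") })
$lines += "Processes running from $Decryptor : $($running.Count) (do NOT terminate before key recovery)"

$lines | Set-Content -Path $Report -Encoding UTF8
$lines
```

The report is deliberately written to the local disk rather than a network share, because step 1 has just cut the network; copy it off on removable media. Only after WanaKiwi has been given its chance should the host be rebooted or cleaned.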

A description of how WanaKiwi works can be read in another post on Matt Suiche's blog.

After decrypting the files, run an antivirus to remove the malware and install the patch that closes its propagation path.

Today WannaCry is detected by almost every antivirus product except those whose databases are not updated, so almost any will do.


How to live with this from now on

The self-propagating epidemic took the world by surprise. For security services of every kind it proved as unexpected as the arrival of winter on December 1 is for the public utilities. The reason is carelessness and hoping for the best. The consequences: irreparable loss of data and financial damage. And for the malware authors, an incentive to carry on in the same spirit.

According to analysts, WannaCry has paid its distributors handsomely, which means attacks of this kind will be repeated. And those who escaped this time will not necessarily escape next time, unless, of course, they take care of it in advance.

So, to make sure you never have to cry over encrypted files:

  • Do not refuse to install updates for the operating system and applications. This protects you from the vast majority of threats that spread through unpatched vulnerabilities.
  • Keep on.
  • Back up important files and keep them on a separate physical medium, or better on several. On corporate networks make the most of distributed backup storage; home users can use free cloud services such as Yandex Disk, Google Drive, OneDrive, MEGAsync and the like. Do not keep these applications running when you are not using them, since a synced folder will faithfully upload encrypted files over the good copies.
  • Choose reliable operating systems. Windows XP is not one.
  • Install a comprehensive Internet Security class antivirus and additional anti-ransomware protection, for example Kaspersky Endpoint Security, or equivalents from other vendors.
  • Improve your literacy in countering encryption Trojans. For example, the antivirus vendor Dr.Web has prepared training courses for users and administrators of various systems. A lot of useful and, importantly, reliable information can be found on the blogs of other AV vendors.

And most importantly: even if you have been hit, do not transfer money to the cybercriminals for decryption. The probability of being cheated is very high. Besides, if nobody pays, the extortion business becomes pointless; otherwise such infections will only spread further.

May 2017 will go down in history as a black day for information security services. On that day the world learned that the seemingly safe virtual world can be fragile and vulnerable. A ransomware virus called Wanna Decryptor, or WannaCry, hijacked more than 150 thousand computers around the world, with infections recorded in more than a hundred countries. The global spread was eventually stopped, but the damage is estimated in the millions. Waves of the ransomware still hit individual machines, but for now the plague has been contained.

WannaCry: what it is and how to protect yourself from it

Wanna Decryptor belongs to the group of viruses that encrypt the data on a computer and extort money from its owner. The ransom demanded for your data typically ranges from $300 to $600. Within a day the virus had infected the networks of a number of NHS hospitals in the UK, a large telecommunications company in Europe and even some computers of the Russian Ministry of Internal Affairs. By a lucky coincidence the spread was halted when a researcher registered a check-in domain that the virus's creators had hard-coded into it, which acted as a kill switch.

The virus gets onto a computer in the same ways as most others: e-mail attachments, social-network messages and plain web surfing all give it an opportunity to enter your system and encrypt your data. But it can also get in without any action on your part, through a system vulnerability and an open port.

WannaCry crawls in through port 445, exploiting a vulnerability in Windows that was closed by updates released shortly before the outbreak. So if that port is closed on your machine, or you recently updated Windows from Microsoft's official site, you have little to fear from the worm.

The virus works as follows: instead of your data, your files contain unreadable gibberish, and to get a working computer back you are told to pay the criminals. Those who unleashed this plague on ordinary people's computers take payment in Bitcoin, which makes tracing the Trojan's owners difficult. If you do not pay within 3 days, the ransom doubles.

The new Trojan's name translates as "I want to cry", and losing their data may well bring some users to tears. So it is better to take preventive measures and avoid infection.

The ransomware exploits a vulnerability in Windows that Microsoft has already fixed. You just need to install the MS17-010 security update of March 14, 2017.

If Windows Update is disabled or unavailable on your system, download the update package and install it manually, but only from Microsoft's own resources, so as not to catch an infection instead of a cure.

Of course, the protection can be of the highest quality, but much depends on the user. Remember not to open suspicious links that arrive by mail or in your social-network profile.

How to cure the Wanna Decryptor virus

Those whose computer has already been infected should prepare for a lengthy recovery process.

The virus runs on the user's computer and creates several programs. One encrypts the data, the other communicates with the ransomware's operators. A message appears on the screen explaining that you are the victim of a virus and urging you to transfer money as soon as possible. Meanwhile you cannot open a single file, and the files carry an unfamiliar extension.

The first thing the user usually tries is to recover the data with the built-in Windows tools. But the command either does nothing or the effort is wasted: getting rid of Wanna Decryptor is not that simple, and the malware tries to delete the shadow copies those tools rely on.

The WannaCry virus "thundered" around the world on May 12, the day a number of medical institutions in the UK announced that their networks were infected, and a Spanish telecommunications company and the Russian Ministry of Internal Affairs reported repelling a hacker attack.

WannaCry (which Russian users have already nicknamed "Vona Kray") belongs to the category of ransomware (cryptor) viruses: once on a PC it encrypts user files with a cryptographically strong algorithm, after which reading those files becomes impossible.

At the moment the following popular file extensions are known to be encrypted by WannaCry:

  1. Popular Microsoft Office files (.xlsx, .xls, .docx, .doc).
  2. Archives and media files (.mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .3gp, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar).

WannaCry: how the virus spreads

We mentioned this method of spreading viruses in an earlier article, so there is nothing new here.

The user receives an e-mail with a "harmless" attachment: a picture, video or song, except that instead of the standard extension for those formats the attachment has an executable extension, .exe. When such a file is opened and launched, the system is infected and the encryptor is loaded; from there the malware uses the vulnerability in Windows to reach other machines.

This is probably not the only WannaCry distribution method; you can become a victim by downloading "infected" files from social networks, torrent trackers and other sites.

WannaCry: how to protect yourself from the ransomware virus

1. Install the Microsoft Windows patch. The MS17-010 update for Vista, 7, 8.1, 10 and Windows Server has been available since March; in the first days of the outbreak Microsoft additionally released an emergency patch for Windows XP, Windows 8 and Server 2003, which it no longer supports. You can install the patch simply by running a system update through the Windows Update service.

2. Use antivirus software with up-to-date databases. Well-known security vendors such as Kaspersky and Dr.Web have already released updates containing WannaCry signatures, protecting their users.

3. Save important data to a separate medium. If your computer has not been hit yet, copy the most important files to separate media (a flash drive, a disc). That way, even if you become a victim, your most valuable files will escape encryption.

At the moment these are all the known effective ways of protecting against WannaCry.

WannaCry decryptor: where to download it, and can the virus be removed?

Ransomware belongs to the "nastiest" category of viruses, because user files are encrypted with a strong cipher (in WannaCry's case a random AES-128 key per file, itself wrapped with an RSA-2048 key). Worst of all, the key is unique to each victim, and recovering it by brute force would take enormous computing power, which makes a cure practically impossible for ordinary users.

But what if you have become a victim of WannaCry and need a decryptor?

1. Go to the Kaspersky Lab support forum, https://forum.kaspersky.com/, and describe the problem. The forum is attended by company representatives and by volunteers who actively help solve such problems.

2. For the well-known CryptXXX ransomware a universal solution for decrypting affected files was eventually found. Less than a week had passed since WannaCry's appearance when this was written, and the antivirus laboratories had not yet found such a solution for it.

3. The radical option is to wipe the OS from the computer and do a clean install. In that case all user files and data are lost completely, along with WannaCry.

The most powerful wave of the Wana Decryptor attack began yesterday, May 12, 2017; thousands of computers around the world were hit. Within a few hours there were 45,000 infected computers worldwide, and the number grew every minute.

Russia turned out to be the worst-affected country; the attack continues to this day, and the attackers are now reported to be targeting the banking sector. Yesterday the main blow fell on ordinary users' computers and on the network of the Russian Interior Ministry.

The program encrypts the files on your computer and offers to return access only after payment in Bitcoin. In this way the criminals can make millions of dollars. There is no way to decrypt .WNCRY files yet, but you can sometimes recover the original files with ShadowExplorer and PhotoRec, although nobody can give guarantees.

This ransomware is most often called Wana Decryptor, but it also goes by WanaCrypt0r, Wanna Cry and Wana Decrypt0r. Earlier versions bore the names Wanna Cry and WanaCrypt0r; the current one is usually referred to as Wana Decrypt0r.

Finally, the virus appends the .WNCRY extension to each encrypted file, and it is sometimes referred to by that abbreviation.

How does Wana Decryptor infect a computer?

Windows computers have a vulnerability in the SMB service. It exists in every version from Windows XP to Windows 10 and Windows Server 2016. In March Microsoft released the update "MS17-010: Security Update for Windows SMB Server", but the number of infected computers shows that many ignored it.

At the end of its work the Wana Decryptor virus tries to delete all shadow copies of files and other system backups so that nothing can be restored. For this it needs administrator rights, so Windows shows a UAC prompt. If the user refuses to grant them, the copies remain on the computer and the user can restore files from them free of charge.

How to recover files encrypted by Wana Decryptor and protect your computer?

Apart from obtaining the key, the only way to recover files encrypted by the virus is to try ShadowExplorer (restores files from shadow copies, if they survived) and PhotoRec (carves deleted originals from the disk). See the manuals of these programs for how to use them.

To prevent your computer being infected with the WNCRY ransomware, close the vulnerability in the system: install the MS17-010 update, https://technet.microsoft.com/ru-ru/library/security/ms17-010.aspx.

Also consider installing Zemana Anti-malware or Malwarebytes; their paid full versions include protection that blocks the launch of ransomware.