All times are UTC - 5 hours [ DST ]




 Post subject: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 14:18 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
I have been hit with wannacry ransomware. DECADES of family photos and videos are now inaccessible. I plan to pay tomorrow (and only because it takes time for me to be approved to open a bitcoin account in my country). However, I expect only a 1% chance at most that the author will make good on his word. This is because there are others who have paid and nothing has happened.

So assuming the payment route fails what should I do next? On one hand I want to use recovery tools and see if there are data in the "blank areas" of my hard drive that can be recovered (kind of like how people accidentally delete all their photos but the photos are still "there"). On the other hand I don't want to tamper with anything in the unlikely case suddenly the author lets me decrypt I need to leave the ransomware intact (and possibly the doublepulsar backdoor too) so I have a way to possibly have a conversation with the author (he has never replied so far from the "contact us" box).

Is there any way I can clone the drives so that it also clones the data in the areas that are marked as "nothing there" (when there might be something there?). I am very desperate, my gut is wrenching and I'm popping antacid nonstop. Any help or advice would be greatly appreciated.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 18:12 

Joined: December 4th, 2012, 1:35
Posts: 2921
Location: Adelaide, Australia
Have you been to https://www.nomoreransom.org/?
Also try the forums at bleepingcomputer.

I did see this, not sure if actual help for your problem, but maybe:
https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-outbreak-temporarily-stopped-by-accidental-hero-/


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 18:22 

Joined: September 8th, 2009, 18:21
Posts: 9691
Location: Australia
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

Quote:
There are three hard coded bitcoin addresses in the WanaCrypt0r ransomware. These bitcoin addresses are 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Maybe I am missing something, but what I do not understand is if so many people are utilizing the same bitcoin address, how will the ransomware developers be able to differentiate the victims that have paid from those who have not?

For example, people have paid ransom to my assigned bitcoin address, yet the program still states I did not pay.

_________________
A backup a day keeps DR away.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 18:56 

Joined: December 19th, 2006, 8:49
Posts: 8121
Location: Portugal
fzabkar wrote:
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

Quote:
There are three hard coded bitcoin addresses in the WanaCrypt0r ransomware. These bitcoin addresses are 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Maybe I am missing something, but what I do not understand is if so many people are utilizing the same bitcoin address, how will the ransomware developers be able to differentiate the victims that have paid from those who have not?

For example, people have paid ransom to my assigned bitcoin address, yet the program still states I did not pay.


This wouldn't be a problem if the user were to talk to the hacker and provide him with the sending address.

When you send bitcoins, even if you send them to the same receiver address, the one receiving (and all people as a matter of fact) would be able to see the address sending the money.

So if the person infected could provide the sending address to the hacker then he would know if the money was from this person and would provide the key ....

Of course it's way easier to generate multiple receiver addresses and let each victim have one.... If the hacker receives the money on that specific address he will know to what victim/key it would belong.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 19:47 

Joined: November 7th, 2015, 13:04
Posts: 107
Location: Austin metro area TX USA
Yes, purchase the necessary larger-than-your-internal-HD external HD and immediately USB or DVD boot Macrium Reflect, AOMEI Backupper, EaseUS ToDo, Image for Windows, or anything similar, and make full images of your OS and data partitions onto a detachable, reliable external HD. If/when you get your stuff back, you make another set of full images onto said external HD.

_________________
"Take care of thy backups and thy restores shall take care of thee." Ben Franklin
http://collegecafe.fr.yuku.com/forums/4 ... hnologies/


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 14th, 2017, 22:40 

Joined: December 4th, 2012, 1:35
Posts: 2921
Location: Adelaide, Australia
Yes, I echo what RolandJS said.
Before trying anything, image your drives that are affected.

Common replies to this are:

1- But I can't afford another drive
2- I don't know how to do this
3- I don't want to do this, is there an easier way
4- I don't have time to do this

Answers:
1- You will then need a decryptor. If there isn't one, you will need to pay. If the criminals do not provide a key or decryptor, your files are gone.

2- Find someone that does, or learn. Only do disk operations when you are sure you know what you are doing. If you image over the wrong drive, you can permanently destroy your files.

3- Stop and think what is going to be easier, taking a risky shortcut or just biting the bullet and doing some work. If you image your drive first, you can try "easy" options and at least have some options if you have no success.

4- This is unfortunate as the criminals don't care. It is going to take time, and it is going to be inconvenient.

From what I have heard, you can thank the NSA for developing the exploit, but keeping it to themselves - to then get stolen and leaked to ransomware developers. Maybe they are working on a decryptor?

The SMB exploit has been fixed that is causing this latest hullabaloo, so get the Windows update released by MS the last few days. If you haven't updated Windows, then do this now.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 6:28 

Joined: December 6th, 2012, 8:49
Posts: 133
Location: españa
HaQue wrote:
The SMB exploit has been fixed that is causing this latest hullabaloo, so get the Windows update released by MS the last few days. If you haven't updated Windows, then do this now.


I agree,

although the SMB exploit (EternalBlue) is not the cause of the infection. It is responsible for the rapid diffusion through local computer networks, so the damages were more important in large companies. The first infection is done by traditional methods (e-mail, links, etc.).

The patch would not prevent infection, but it would prevent propagation through local networks.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 7:37 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
Apparently anything really LONG needs "moderator approval" here. I posted a long message with multiple quotes and replies but it's been held for about 10 hours. But shorter messages it lets me. So I will try to separate the long post and post one by one until it doesn't let me again.

RolandJS wrote:
(shortened due to restriction)


Which of these and which options to choose to make sure it clones every sector, even the "unassigned sectors" (which may have something behind it for "undelete")?


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 7:46 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
I am guessing that I cannot have more than one quote per post because it did it to me again for a short post. I will try posting without quoting people now.

Replying to HaQue regarding noransom site:
Been there, unfortunately my strain isn't one of them.

Regarding bleepingcomputer:
I came over here from there.

Regarding kill-switch:
I was infected before they kill-switched it.

Reply to Spildit regarding identifying who paid:
The ransomer wouldn't reply to me regarding anything legitimate that would facilitate paying him and identifying that I paid.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 7:49 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
For everyone's information. Messaged the ransomer the exact unique amount I would pay beforehand. Paid that amount. Nothing happened, as completely expected. Still had to try because what was lost was priceless.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 9:29 

Joined: December 6th, 2012, 8:49
Posts: 133
Location: españa
Paying is not going to make sure you have the files back.

I have doubts that the authors of this ransomware know how to decrypt the files .........


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 9:39 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
I am cloning "sector by sector" with EaseUS Todo as I speak. One thing that happened was that putting in an exactly identical 3 TB drive model (hence same size and sectors) it told me I had insufficient space. I had to put in a 4 TB drive to "sector by sector" copy a 3 TB drive. Is this normal?


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 10:07 

Joined: May 14th, 2017, 14:04
Posts: 6
Location: hong kong
colanco wrote:
Paying is not going to make sure you have the files back.

I have doubts that the authors of this ransomware know how to decrypt the files .........


There was a "test decrypt" and it decrypted a handful of files.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 11:24 

Joined: November 7th, 2015, 13:04
Posts: 107
Location: Austin metro area TX USA
arbee66 wrote:
RolandJS wrote:
(shortened due to restriction)
Which of these and which options to choose to make sure it clones every sector, even the "unassigned sectors" (which may have something behind it for "undelete")?


As far as I know, any major backup/restore/clone utility can make a one-pass sector-by-sector clone or full image. As for walking you through the steps, I cannot as I am in and out of classrooms all week, and moving during the weekends.

_________________
"Take care of thy backups and thy restores shall take care of thee." Ben Franklin
http://collegecafe.fr.yuku.com/forums/4 ... hnologies/
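
What a sector-by-sector image amounts to, as an added example that is not part of any post in this thread: every byte of the source is read by offset, including areas the filesystem marks free, unreadable sectors are zero-filled, and the image is hashed so later copies can be verified. The function names, the 512-byte sector size and the in-memory sample disk are assumptions made for the illustration.

```python
import hashlib
import io

SECTOR = 512            # assumed logical sector size
CHUNK = 128 * SECTOR    # bytes requested per normal read

def _read_at(src, offset, length):
    """Read exactly `length` bytes at `offset`; a short read counts as a failure."""
    src.seek(offset)
    data = src.read(length)
    if len(data) != length:
        raise OSError("short read at byte %d" % offset)
    return data

def image_disk(src, dst, total_bytes):
    """Copy bytes [0, total_bytes) from src to dst regardless of filesystem
    allocation. Unreadable sectors are zero-filled so offsets stay aligned.
    Returns (SHA-256 hex digest of the image, list of unreadable sector numbers)."""
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while offset < total_bytes:
        length = min(CHUNK, total_bytes - offset)
        try:
            block = _read_at(src, offset, length)
        except OSError:
            # Retry the failed chunk one sector at a time to isolate the damage.
            parts = []
            for pos in range(offset, offset + length, SECTOR):
                size = min(SECTOR, offset + length - pos)
                try:
                    parts.append(_read_at(src, pos, size))
                except OSError:
                    bad_sectors.append(pos // SECTOR)
                    parts.append(b"\x00" * size)
            block = b"".join(parts)
        dst.write(block)
        digest.update(block)
        offset += length
    return digest.hexdigest(), bad_sectors

def demo():
    # Constructed 1 MiB "disk": a few bytes of file data sitting in otherwise
    # empty space, standing in for deleted-but-still-present content.
    disk = bytearray(1024 * 1024)
    disk[700_000:700_012] = b"FAMILY-PHOTO"
    image = io.BytesIO()
    sha, bad = image_disk(io.BytesIO(bytes(disk)), image, len(disk))
    return image.getvalue() == bytes(disk), sha == hashlib.sha256(disk).hexdigest(), bad
```

To image a real drive, open the raw device read-only in binary mode, pass its size in bytes, and write the image to a different physical drive.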


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 13:34 

Joined: December 19th, 2006, 8:49
Posts: 8121
Location: Portugal
colanco wrote:
although the SMB exploit (EternalBlue) is not the cause of the infection. It is responsible for the rapid diffusion through local computer networks, so the damages were more important in large companies. The first infection is done by traditional methods (e-mail, links, etc.).

The patch would not prevent infection, but it would prevent propagation through local networks.


If you have a router and/or a decent firewall, that should protect the SMB server ports from outside (WAN) access; the problem would be LAN propagation.

Also Microsoft released patches and that includes a patch for XP.

But if you are running XP like me by now you would want to have SMB disabled ages ago .... If you do a netstat -a -n you will not want to see open ports on your XP machine. Just disable all services that you don't need even if you are connecting by a NAT Router and you have a hardware+software firewall...

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.
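
One way to check the `netstat -a -n` output mentioned above for listening SMB/NetBIOS sockets, as an added example that is not part of the original post. The port selection, the function names and the sample output are constructed for the illustration, and English-language netstat output is assumed.

```python
# TCP 445 is SMB over TCP; TCP 139 and UDP 137/138 are the NetBIOS transports.
SMB_PORTS = {("TCP", 445), ("TCP", 139), ("UDP", 137), ("UDP", 138)}
LOOPBACK = ("127.", "[::1]")

# Constructed sample of Windows `netstat -a -n` output.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

def parse_netstat(text):
    """Yield (proto, local address, local port, state) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        addr, _, port = fields[1].rpartition(":")  # also handles [::]:445
        if not port.isdigit():
            continue
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        yield fields[0], addr, int(port), state

def exposed_smb(text):
    """Return SMB/NetBIOS sockets that accept traffic on a non-loopback address."""
    findings = []
    for proto, addr, port, state in parse_netstat(text):
        if (proto, port) not in SMB_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound client connections are not listeners
        if addr.startswith(LOOPBACK):
            continue  # reachable from the local machine only
        findings.append((proto, addr, port))
    return findings
```

An empty list from `exposed_smb` means none of these ports is reachable from the network on that machine; it says nothing about other services.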


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: May 15th, 2017, 14:32 

Joined: December 6th, 2012, 8:49
Posts: 133
Location: españa
Spildit wrote:
If you have a router and/or a decent firewall, that should protect the SMB server ports from outside (WAN) access; the problem would be LAN propagation.



One of the main companies affected in Spain is "Telefónica", and its director of cyber security is a well known Spanish hacker (Chema Martínez) who knows where he steps and in my opinion did an excellent job, since the damages did not affect critical systems of the company.

An undistinguished security director closes all the doors and converts the network terminals into little less than paperweights with practically no access to the outside, but surely safe .....

The difficulty is that the terminals are functional, taking the risks under control.


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: June 16th, 2017, 8:37 

Joined: June 16th, 2017, 8:19
Posts: 1
Location: united states
arbee66 wrote:
I have been hit with wannacry ransomware. DECADES of family photos and videos are now inaccessible. I plan to pay tomorrow (and only because it takes time for me to be approved to open a bitcoin account in my country). However, I expect only a 1% chance at most that the author will make good on his word. This is because there are others who have paid and nothing has happened.


Hello! Were you able to decrypt the files?


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: June 16th, 2017, 12:12 

Joined: November 29th, 2006, 10:08
Posts: 6895
Location: UK
https://www.techworm.net/2017/05/free-w ... eased.html

_________________
PC Image Data Recovery
www.pcimage.co.uk


 Post subject: Re: wannacry ransomware - what to do if payment fails
PostPosted: June 16th, 2017, 20:01 

Joined: December 4th, 2012, 1:35
Posts: 2921
Location: Adelaide, Australia
Unfortunately it is still a requirement that the PC hasn't been rebooted, or memory alloc hasn't changed for where the keys were.

