How to Decrypt WannaCry Ransomware virus
HOW TO DECRYPT RANSOMWARE IN PC
If you are suffering from same.
Here is the Code to decrypt WannaCry Ransomware
WNcry@2ol7
Some More Useful Information :
• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
Binary blob in PE crypted with pass ‘WNcry@2ol7‘
Cryptography details:
• Each infection generates a new RSA-2048 keypair.
• The public key is exported as blob and saved to 00000000.pky
• The private key is encrypted with the ransomware public key and saved as 00000000.eky
• Each file is encrypted using AES-128-CBC, with a unique AES key per file.
• Each AES key is generated CryptGenRandom.
• The AES key is encrypted using the infection specific RSA keypair.
If you need Help fixing your computer or decryption . Just Mail me . I will help you fixing it. DO share to help your friends/family on whatsapp 8978457339.
• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
• Each infection generates a new RSA-2048 keypair.
• The public key is exported as blob and saved to 00000000.pky
• The private key is encrypted with the ransomware public key and saved as 00000000.eky
• Each file is encrypted using AES-128-CBC, with a unique AES key per file.
• Each AES key is generated CryptGenRandom.
• The AES key is encrypted using the infection specific RSA keypair.
• The public key is exported as blob and saved to 00000000.pky
• The private key is encrypted with the ransomware public key and saved as 00000000.eky
• Each file is encrypted using AES-128-CBC, with a unique AES key per file.
• Each AES key is generated CryptGenRandom.
• The AES key is encrypted using the infection specific RSA keypair.
Post a Comment
Post a Comment