NHS ransomware: UK government says it's North Korea's fault WannaCry happened
The Foreign Office said it will find, pursue and respond to the malicious activity
19/05/2017: Researcher claims to have bypassed WannaCry encryption
Victims hit by the recent WannaCry attack may be able to avoid paying the $300 to $600 ransom demand, as a researcher says he has found a way to access the secret decryption key.
Adrien Guinet of France-based research firm Quarkslab has released software that, he says, gave him access to the decryption key on a system running Windows XP, allowing him to bypass the payment demand and recover his files.
"This software has only been tested and known to work under Windows XP," wrote Guinet, in a message alongside his GitHub post. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"
So far the software, known as WannaKey, does not appear to have been tested widely in the wild, so it is difficult to say whether it is a reliable workaround.
WannaCry is the most recent widespread ransomware campaign; it infected machines and encrypted data on networks across the world last week, most notably the NHS. The infection blocks users from accessing their files, which are normally only recoverable through a $300 to $600 payment. WannaCry uses the Microsoft Cryptographic API built into Windows to generate the RSA key pair that protects the decryption key, and it is the way that API handles the key material in memory that WannaKey relies on.
More modern versions of Windows erase this key material from memory once the key is released; on Windows XP, however, the prime numbers used to generate the key can be left behind, so WannaKey scours the system memory for them. Importantly, this only works if the computer has not been powered down or rebooted since infection, so affected machines should be left running.
If a match is found during the scan, the private key can be rebuilt from the recovered prime and used to decrypt the affected files. "If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," added Guinet.
As the software makes use of an oversight on Windows XP, affected users running later operating systems will need to look elsewhere for a solution. The advice is to leave affected machines powered on and wait to see if a workaround becomes available.
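The recovery described above comes down to one observation: an RSA modulus n has only two non-trivial divisors, p and q, so any chunk of memory whose integer value divides n must be one of the primes, and from one prime the whole private key follows. The following is an added example, not WannaKey or Quarkslab's code. It constructs a small stand-in for the per-victim key pair, a fake "memory image" with one prime left in it, and then performs the scan and key rebuild; it assumes the prime sits in memory little-endian (the layout of CryptoAPI key blobs) and uses 256-bit primes purely to keep the demonstration fast. It also shows the failure mode Guinet warns about: if the prime has been overwritten, the scan finds nothing.

```python
"""Rebuild an RSA private key from a memory image that still holds one
prime, the idea WannaKey relies on. Added example; all inputs constructed."""
import os
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a demo, not a production key generator."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so n is always 2*bits wide."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_victim_keypair(bits=256):
    """Stand-in for the per-victim RSA key the ransomware generates. Returns (p, q, n, e)."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1
        if p != q and (p - 1) % e and (q - 1) % e:
            return p, q, p * q, e


def build_memory_image(prime, prime_bytes, size=4096, seed=1, keep_prime=True):
    """Constructed stand-in for a process memory dump: random bytes with the
    prime embedded little-endian at a random offset (or absent, simulating
    memory that was reused after a reboot)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    offset = rng.randrange(0, size - prime_bytes)
    if keep_prime:
        buf[offset:offset + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return bytes(buf), offset


def scan_memory_for_prime(image, n, prime_bytes):
    """Slide a prime-sized window across the image; a window whose little-endian
    value is a non-trivial divisor of n can only be p or q. Returns (offset, prime) or None."""
    for off in range(len(image) - prime_bytes + 1):
        cand = int.from_bytes(image[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def modinv(a, m):
    """Extended Euclid; avoids relying on pow(a, -1, m) (Python 3.8+)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    return old_s % m


def rebuild_private_key(n, e, p):
    """One prime plus the public key is enough to recover d. Returns (d, q)."""
    q = n // p
    d = modinv(e, (p - 1) * (q - 1))
    return d, q


def recover_file_key(key_bits=256, keep_prime=True):
    """End to end: wrap a file key under the victim's public key, scan the image,
    rebuild the private key and unwrap. Returns the recovered key, or None on failure."""
    prime_bytes = key_bits // 8
    p, q, n, e = make_victim_keypair(key_bits)
    file_key = int.from_bytes(os.urandom(16), "big")  # stands in for the per-file AES key
    wrapped = pow(file_key, e, n)                       # only the attackers' private key could unwrap this
    image, _ = build_memory_image(p, prime_bytes, keep_prime=keep_prime)
    hit = scan_memory_for_prime(image, n, prime_bytes)
    if hit is None:
        return None                                     # prime already overwritten: out of luck
    d, _ = rebuild_private_key(n, e, hit[1])
    recovered = pow(wrapped, d, n)
    return recovered if recovered == file_key else None
```

The scan is cheap because the divisibility test has no false positives worth worrying about: a random 32-byte window dividing a 512-bit semiprime is effectively impossible. What the example cannot fix is the precondition, which is why the advice to leave the machine powered on matters: once the page holding the prime is reused, `scan_memory_for_prime` simply returns `None`.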
Update: A second WannaCry software workaround appears to have been successful at recovering the decryption key on a Windows 7 machine. Matt Suiche, researcher and founder of Comae Technologies, reports that a tool known as WannaKiwi, which works in a similar way to WannaKey, has been able to decrypt data on a machine running Windows 7.
16/05/2017: WannaCry attackers may be North Korean
Similarities between the WannaCry ransomware attack that knocked NHS hospitals offline and previous cyber incidents suggest the culprits are based in North Korea, security experts have said.
The evidence is not conclusive, but multiple security researchers have discovered similarities between the code used in early versions of the WannaCry ransomware and attacks on targets including Bangladeshi and Polish banks and Sony Pictures - attacks that were later attributed to North Korea. "The scale of the Lazarus operations is shocking," Kaspersky Lab researchers said in a blog post.
These links were pointed out by a Google researcher on Twitter, and the New York Times reports that they were corroborated by Symantec. However, Kaspersky researchers noted that this could be a 'false flag operation', designed to trick experts into thinking the attacks were carried out by someone else.
It was also spotted that the code linking WannaCry to the Lazarus attacks was not present in the latest sample of the malware, meaning that the perpetrators could be trying to cover their tracks. Kaspersky Lab called for further scrutiny. "For now, more research is required into older versions of Wannacry," the post said. "We believe this might hold the key to solve some of the mysteries around this attack."
Indeed, others noted that such code overlap doesn't prove anything other than the fact that hackers borrow and steal from each other. "The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Newsweek.
Whoever the culprits are, they haven't made much cash from the disruption their hack has caused. A White House spokesperson said yesterday that while 300,000 computers in 150 countries were infected, only about $70,000 in ransom had been paid, according to a Reuters report.