A recovery method for the WannaCry ransomware has been published, so I am posting a translation.
(It works by scanning the ransomware process's memory for the RSA prime factors and matching them against the public key in the .pky file.)
1. Once a machine is infected, do not reboot it.
2. Download the file below.
3. Before running wanakiwi.exe, copy your .pky file into the same folder.
(Search for *.pky and copy the file you find, or copy the XXXXXXXXXXX.pky from the desktop.)
4. Run wanakiwi.exe and the files are recovered. ^^ Note that this does not work on WannaCry variants.
Source (original post reproduced below): https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
WannaCry — Decrypting files with WanaKiwi + Demos
Working Windows XP & 7 demos. #FRENCHMAFIA
DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because the prime numbers may be overwritten in memory after a while.
Don’t cry yet.
UPDATE: Actually, wanakiwi from Benjamin Delpy (@gentilkiwi) works for both Windows XP (confirmed) and Windows 7 (confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (confirmed), Vista and 2008 and 2008 R2. See demos in the below GIFs.
Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.
Unfortunately, this only works on Windows XP, as those values are cleaned up during CryptReleaseContext in later versions of Windows.
UPDATE: Forget the above statement, this has been successfully tested with wanakiwi up to Windows 7.
As Adrien stated in his README, this is not a mistake by the author but an issue with Windows XP: the authors themselves make sure to release the user key as soon as they are done with it, and that key never touches the disk unless encrypted with the attacker's public key. However, a file format issue with the exported key made it incompatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, because the Windows Crypt APIs on Windows XP expect very strict input, unlike Windows 10. This is why my initial tests failed with the key output by Wannakey.
Moreover, the output file format was not compatible with the WannaCry ransomware itself either, unlike Wanakiwi from gentilkiwi, as we can see in the demo below.
- Download wanakiwi here
- wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
- Cross your fingers that your prime numbers haven't been erased from memory.
After doing some tests and discussing with Benjamin, he decided to rewrite his own version using OpenSSL, based on Adrien's methodology for retrieving the key, to fix the file format issues directly and build a version 100% compatible with Windows from Windows XP to Windows 7. Amazing job! (see below for full working demos!)
Wanakiwi also recreates the .dky file the ransomware expects from the attackers, which makes it compatible with the ransomware itself too. This also stops WannaCry from encrypting further files.
After further testing with Benjamin, we noticed the info leak on the prime numbers in the Microsoft Crypt API was still present on Windows 7. \o/
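The recovery idea described above (Adrien's method, which wanakiwi reimplements) comes down to arithmetic the reader can check: the per-victim private key is never written to disk in the clear, but the two primes CryptoAPI used to build it can linger in the ransomware process's memory, and any chunk of memory that divides the modulus from the public key must be one of them. The following is an added example written for this post; it is not code from wanakiwi, wannakey or the Comae article. It assumes the victim's .pky is a CryptoAPI PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY, little-endian modulus), and the "memory dump" is constructed, with two small Mersenne primes and a toy 256-bit key size standing in for the 1024-bit primes of a real WannaCry RSA-2048 key. All function names, sizes and sample bytes are the example's own.

```python
"""Toy reconstruction of the wannakey/wanakiwi idea (added example, not the
tools' code). Scan a memory image for any value that divides the RSA modulus
taken from the .pky public key, then rebuild the full private key from p, q."""
import random
import struct

# CryptoAPI constants (BLOBHEADER / RSAPUBKEY layout)
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # little-endian "RSA1"


def build_publickeyblob(n: int, e: int, bitlen: int) -> bytes:
    """Serialize (n, e) as a PUBLICKEYBLOB; bitlen is the nominal key size."""
    assert n < 1 << bitlen
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


def parse_publickeyblob(blob: bytes):
    """Return (n, e, bitlen) from a PUBLICKEYBLOB; reject anything else."""
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or magic != RSA1_MAGIC or alg != CALG_RSA_KEYX:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n = int.from_bytes(blob[20:20 + bitlen // 8], "little")
    return n, e, bitlen


def find_prime_factor(n: int, bitlen: int, mem: bytes):
    """Slide a window the size of one prime (bitlen/2 bits, little-endian, as
    CryptoAPI stores it) over memory. n = p*q has no other divisors, so any
    hit strictly between 1 and n is p or q. Returns (offset, prime) or None."""
    width = bitlen // 16
    for off in range(len(mem) - width + 1):
        cand = int.from_bytes(mem[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n: int, e: int, p: int) -> dict:
    """Everything a PRIVATEKEYBLOB carries, derived from n, e and one prime."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "p": p, "q": q, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_decrypt(key: dict, c: int) -> int:
    """RSA decryption via the CRT parameters, as CryptoAPI would use them."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def recover_key_from_dump(pky: bytes, mem: bytes):
    """The whole procedure: None means the primes were already overwritten
    (the reason the post says not to reboot and to run the tool ASAP)."""
    n, e, bitlen = parse_publickeyblob(pky)
    hit = find_prime_factor(n, bitlen, mem)
    return None if hit is None else rebuild_private_key(n, e, hit[1])


# --- constructed scenario (toy sizes; a real key is RSA-2048) -----------------
P = 2**107 - 1          # Mersenne primes, so primality needs no extra code
Q = 2**127 - 1
E = 65537
N = P * Q
BITLEN = 256
PKY = build_publickeyblob(N, E, BITLEN)     # stands in for 00000000.pky

_rng = random.Random(1)                      # deterministic filler bytes
_junk = lambda k: bytes(_rng.getrandbits(8) for _ in range(k))
WIDTH = BITLEN // 16                         # 16-byte slots, one per prime
MEMORY = (_junk(37) + P.to_bytes(WIDTH, "little")
          + _junk(21) + Q.to_bytes(WIDTH, "little") + _junk(29))

if __name__ == "__main__":
    key = recover_key_from_dump(PKY, MEMORY)
    msg = 0x1234567890ABCDEF
    c = pow(msg, key["e"], key["n"])
    print("recovered p =", key["p"], "| CRT decrypt ok:", crt_decrypt(key, c) == msg)
```

The check `n % cand == 0` is what makes the scan safe: it cannot produce a false positive, because the only non-trivial divisors of an RSA modulus are its two primes. What it cannot do is conjure primes that are gone, which is why `recover_key_from_dump` returns `None` on a dump taken after the memory was reused, and why the tool has to run on the live, un-rebooted machine.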
[Ransomware] WannaCry ransomware recovery method (Wannacry Decrypting tip XP, 7 environment), posted 2017.05.19 in IT Security > Tech