A Windows XP bug makes it possible to recover files encrypted by WannaCry
Written by net-security.org   
Friday, 19 May 2017 09:03

In an unusual turn of events, a Windows bug has been found to work in favor of victims instead of attackers, allowing WannaCry[1] victims that run Windows XP to decrypt the files encrypted by the ransomware.

recover files encrypted WannaCry

The fact was discovered by Adrien Guinet, a researcher with security firm QuarksLab, who also created software[2] that should help victims to recover the prime numbers of the RSA private key used by WannaCry.

But the software works only on Windows XP machines, only on computers that haven’t been rebooted after infection, and only if the computer’s memory hasn’t been reallocated and erased.

The tool searchers for the prive numbers in the wcry.exe process (the process that generates the RSA private key).

“The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory,” Guinet explained.

“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN [Microsoft Developer Network] states this, for this function: ‘After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.” So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.”

Other researchers tested the tool, and it worked for some but not for others. As Guinet noted, “you need some luck for this to work.”

It’s good to note that the massive WannaCry onslaught started late last week[3] was aided by the use of the EternalBlue exploit, which worked only on Windows 7 and 2008 R2.

But while the exploit doesn’t work on Windows XP, the ransomware works on it just fine – if it’s delivered by other means (e.g. phishing email). And a new WannaCry delivery campaign can easily be started in the future.

If it is, Windows XP users will be able to try this tool out – they just need to remember not to reboot their infected machine.


  1. ^ WannaCry (www.helpnetsecurity.com)
  2. ^ software (github.com)
  3. ^ started late last week (www.helpnetsecurity.com)
Number of HTTPS phishing sites triples
Written by net-security.org   
Friday, 19 May 2017 08:06

When, in January 2017, Mozilla and Google made Firefox[1] and Chrome[2] flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS.

HTTPS phishing triples

But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too.

HTTPS phishing triples

“While the majority of today’s phishing sites still use the unencrypted HTTP protocol, a threefold increase in HTTPS phishing sites over just a few months is quite significant,” noted[3] Netcraft’s Paul Mutton.

One explanation may be that fraudsters have begun setting up more phishing sites that use secure HTTPS connections.

Another may be that they have simply continued compromising websites to set up the phishing pages, but as more legitimate sites began using HTTPS, more phishing pages ended up having HTTPS. Finally, it’s possible that fraudsters are intentionally compromising HTTPS sites so that their phishing login pages look more credible.

Whatever the reason – and it might simply be a combination of them all – the change made some phishing attempts even more effective. And so the battle between attackers and defenders continues.


  1. ^ Firefox (www.helpnetsecurity.com)
  2. ^ Chrome (www.helpnetsecurity.com)
  3. ^ noted (news.netcraft.com)
<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>

Page 1 of 20