Everyone is talking about the WannaCry ransomware outbreak that has impacted Microsoft Windows machines using the MS17-010 exploit.
All security professionals are discussing how it impacts the infected PCs, with detailed analysis of how it spreads and what files it encrypts,
but one report got me really interested and gave me an idea of how to get rid of this encryption.
Most of the security experts are talking about how to stop it, but for the infected machines it is too late for that;
the question now is how to decrypt the infected PCs.
In the analysis by bleepingcomputer.com:
When you click on the Check Payment button, the ransomware connects back to the TOR C2 servers to see if a payment has been made. If one was made, the ransomware will automatically decrypt your files. If payment has not been made, you will see a response like the one below.
Main Idea:
If we managed to sniff the network communication to that Tor server address and capture the payment confirmation message received by the ransomware client,
we could then create a fake server that sends the same confirmation message
and direct the clients to talk to this server instead of the attackers' server.
Voila, use his own code against him.
This is somewhat similar to what hackers used to do earlier to get around Windows activation:
they built fake activation servers that tricked Windows into thinking it was activated.
The idea is to trick the ransomware into thinking a payment has been made.
This is only a thought; it needs further study, starting with whether the confirmation response alone is what triggers decryption, before it could work.
Anyone interested in joining the study, or who has additional thoughts, is welcome to share.