Antiy Responses to Ransomware WannaCry FAQ 2

Antiy Responses to Ransomware WannaCry FAQ 2

Antiy CERT

1.I found that someone has said that the author of ransomware “Wannacry” apologized in a sudden and released the main decryption key that can decrypt encrypted documents on the Internet. Is this true?


False. It is the main key of ransomware “TeslaCrypt”, which cannot decrypt the encrypted documents of “Wannacry”. Antiy has not found the main key that can decrypt ransomware “Wannacry” yet until May 14th, 2017.

2. I have found the decryption tool of ransomware “Wannacry”. Can this tool decrypt my encryption documents?



No, it can’t. The tool named TeslaDecoder can decrypt ransomware TeslaCrypt.

3. Is the command “net stop server” valid?

The command can shut down port 445, but you need to set this service to disable at the same time. Then the port 445 can be permanently switched off after restarting to prevent the intrusion of ransomware “Wannacry”. Otherwise, the service will still be automatically started by default when the system restarts. It is recommended to open the OS firewall and automatic update policy.

4. The computer of Win 10 OS crashed when it was playing music after operating based on the steps in the report. Forced shutdown is not possible, too. Is it related to the firewall operation?

The protection advice given by Antiy is as follows: opening firewall and automatic update, and closing port 445 of TCP protocol, which are not the direct reasons of computer crash.

5.Will the ransomware “Wannacry” affect the networked mobile terminals, MAC terminals, smart home devices and other Internet of Things devices?

Antiy has not monitored the virus version of this family that aims at mobile terminals, MAC terminals smart home devices and other Internet of Things devices until May 14th, 2017.

6.Is there a solution within the intranet? Why should we shut down the computer sharing and printer service? Will it be infected if the computer room is not networked before?

The protection advice given by Antiy is as follows: opening firewall and automatic update, closing port 445 of TCP protocol and so on. Shutting down the computer sharing and printer service means closing port 445, which can prevent the ransomware “Wannacry” from transmitting across the intranet. The computer room cannot be infected if it was not networked and powered off before. However, once it is restarted and gets networked, it is possible to be infected. You can refer to the Instructions of Computer Boot and download the detection tool from the following website:

7.Hello, I have done the test of antivirus software and all kinds of ransomware by manual click execution. I want to know how the ransomware performs itself if we do not click and execute it. Shouldn’t the system backup be the right thing to do now? Once we have the backup at the mobile HDD (Hard Disk Drive), we can reinstall it. Should I reset the default firewall of ESET that I’m using?

Q1: The transmitting mode is to send the overflow data to the 445 port by the randomly generating IP address. It can infect the non-patched system of the LAN (Local Area Network). It transmits and infects computers automatically and can be executed without clicking.

Q2: Backup system can be used as a method, but cannot remove the operating system security risks fundamentally. Backup system takes long, so it is possible for it to be infected during the backup process if the port 445 is not closed.

Q3: It is recommended to use the firewall built in the system, and configure according to Antiy Guide for Rsaomware WannaCry provided on our official website, thus to prevent WannaCry intrusion.

8.Do you need to restart the computer after the firewall opening?

No, just click OK after opening to take immediately effect.

9.Has the banking system been infected?

At present, there have been cases of ATM machine infection. A lot of Windows system equipment is used inside the bank, so it is possible to be infected by Wannacry without the relevant protections.

10.Can the virus be removed after reinstalling the system?

So far, what we have observed is that Wannacry does not modify the MBR of the system hard disk, so the reload system is effective for removing the virus. After reinstalling the system, you need to patch as soon as possible and operate according to the configuration provided in Antiy Guide for Rsaomware Wannacry.

11.Will the closure of these ports have any impact on the computer?

The main role of port 445 is to implement file sharing and printer sharing function in LAN, so the closure will affect the sharing function described above. If you do not need to share the function, it is recommended to close the port to prevent Wannacry intrusion.

12.Will the Windows virtual machine running on the Mac be infected (will the dual Win10 system be infected?)? Will it hijack the Mac system if infected?

It is possible for the Windows virtual machine to be infected if it is without relevant protections. Luckily, this ransomware is not for the Mac and Mac host system will not be infected. Based on the dual Win10 system, it has the risk being infected by WannaCry without relevant protections.