Security Researchers Release WannaCry Ransomware Decryption Tools

Two security researchers have separately released decryption tools that will help victims of the WannaCry ransomware regain access to their infected machines without having to pay the $300 ransom.

The sweeping ransomware campaign led by WannaCry has disrupted daily lives around the world but a cure may be at hand for those infected by the malware. Adrien Guinet, a French national and security researcher from Quarkslab has uncovered a way to retrieve the keys used by WannaCry to encrypt and slave files on a victim’s computer. The researcher has also released a tool which works on a number of older Windows operating systems including Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

WannaCry effectively works by generating a pair of encryption keys reliant on prime numbers. The “public” key and a “private” key are devised by the ransomware malware to encrypt and then decrypt the system’s files, respectively.

The malware predictably erases the ‘private key’ from the infected machine to block the victim from regaining access to the files, effectively forcing the victim to pay the ransom.

However, the researcher found out that WannaCry does not wipe out the prime numbers from memory entirely, a discovery that is certain to bring respite for a number of infected users. With this in mind, the researcher developed a software that recovers the prime numbers associated with the RSA private key used by WannaCry.

He wrote in a github release:

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

Further, this particular technique won’t work on Windows 10 since “CryptReleaseContext does cleanup the memory” unlike Windows XP where the prime numbers are not erased.

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” the researcher added.

Those who are lucky will simply need to follow the easy steps described by the researcher here and hit the “decrypt” button to regain access to files.

Benjamin Delpy, another security researcher, has also developed and released ‘WanaKiwi’, a simple decrypt tool, as freeware.

Available for download from a github page, the tool runs on the command line (DOS prompt) and also works on commercial operating systems Windows XP, Windows Vista, Windows 7. The tool also works on enterprise OS editions Windows Server 2003 and Windows Server 2008.

Image credit: