May 22, 2017 by

Security Researchers Release WannaCry Ransomware Decryption Tools

Two security researchers have separately released decryption tools that will help victims of the WannaCry ransomware regain access to their infected machines without having to pay the $300 ransom.

The sweeping ransomware campaign led by WannaCry has disrupted daily lives around the world, but a cure may be at hand for those infected by the malware. Adrien Guinet, a French national and security researcher from Quarkslab, has uncovered a way to retrieve the keys used by WannaCry to encrypt and lock files on a victim’s computer. The researcher has also released a tool that works on a number of older Windows operating systems, including Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

WannaCry works by generating a pair of RSA encryption keys derived from prime numbers. The malware uses the “public” key to encrypt the system’s files and the “private” key to decrypt them.

The malware predictably erases the ‘private key’ from the infected machine to block the victim from regaining access to the files, effectively forcing the victim to pay the ransom.

However, the researcher found that WannaCry does not wipe the prime numbers from memory entirely, a discovery that is certain to bring respite for a number of infected users. With this in mind, the researcher developed software that recovers the prime numbers associated with the RSA private key used by WannaCry.

He wrote in a GitHub release:

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.”

Further, this particular technique won’t work on Windows 10 since “CryptReleaseContext does cleanup the memory” unlike Windows XP where the prime numbers are not erased.

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” the researcher added.

Those who are lucky will simply need to follow the easy steps described by the researcher here and hit the “decrypt” button to regain access to files.
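As an added illustration (not the researcher's tool and not code from the original article), the Python sketch below shows the idea behind the recovery: slide over a memory buffer looking for a value that divides the public modulus, then rebuild the private exponent from it. The toy primes, the 16-byte little-endian field layout, the public exponent and the buffer contents are all constructed assumptions.

```python
# Added illustration: toy key and constructed "memory" buffer, not WannaCry data.
import random

E = 65537                      # common RSA public exponent (assumed here)
P = 2**127 - 1                 # toy primes (Mersenne), far smaller than the
Q = 2**107 - 1                 # 1024-bit primes of a real RSA-2048 key
N = P * Q                      # public modulus: the part the victim still has
PRIME_LEN = 16                 # bytes per prime field in this toy layout


def find_prime(memory: bytes, n: int, prime_len: int):
    """Slide over memory; return (offset, p) for the first window dividing n."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        # Primes are odd and > 1; anything in range that divides n is p or q.
        if cand > 1 and cand & 1 and n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """Recompute d from one recovered prime and the public key."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def make_dump(leak: bool) -> bytes:
    """Constructed 4 KiB buffer; with leak=True the prime survives at 0x309."""
    rng = random.Random(2017)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    # leak=False models freed memory that was reallocated and zeroed.
    field = P.to_bytes(PRIME_LEN, "little") if leak else bytes(PRIME_LEN)
    buf[0x309:0x309 + PRIME_LEN] = field
    return bytes(buf)


if __name__ == "__main__":
    hit = find_prime(make_dump(leak=True), N, PRIME_LEN)
    print("lucky case, prime found at:", hit and hex(hit[0]))
    d = rebuild_private_exponent(N, E, hit[1])
    secret = int.from_bytes(b"per-file key", "big")
    print("round trip ok:", pow(pow(secret, E, N), d, N) == secret)
    print("memory reused:", find_prime(make_dump(leak=False), N, PRIME_LEN))
```

The second scan returns nothing, which is the unlucky case the researcher describes: once the freed memory has been reused, the prime is gone and the key cannot be rebuilt this way.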

Benjamin Delpy, another security researcher, has also developed and released ‘WanaKiwi’, a simple decrypt tool, as freeware.

Available for download from a GitHub page, the tool runs on the command line (DOS prompt) and works on the commercial operating systems Windows XP, Windows Vista and Windows 7, as well as on the enterprise OS editions Windows Server 2003 and Windows Server 2008.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
