You might already know about WannaCry, the ransomware that spread across the world last Friday. This is the malware that took down PCs all over the world and encrypted the data on them, asking people to pay a ransom in order to get their data back.
To know more about this ransomware, click here.
To know how to protect yourself from this ransomware, click here.
If your PC has been infected by WannaCry, you might be lucky enough to get your locked files back without paying the $300 ransom to the cyber criminals.
Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free. It works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008. That means it would work on all versions of Windows from XP to 7.
Introduction
Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious, as it does not look for the actual key but for the prime numbers in memory, and recomputes the key itself from them. In short, his technique is totally bad ass and super smart.
However, a file format issue with the exported key made it incompatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, because the Windows Crypt APIs on Windows XP expect very strict input, unlike Windows 10.
This method relies on finding the prime numbers in memory, provided that memory hasn't been reused: after a certain period of time the memory may get reused and those prime numbers may be overwritten. It also means the infected machine must not have been rebooted.
After reading all the above paragraphs, you might still be wondering what this is all about. So, let me explain it by walking through how this tool works. It would be easier for you to understand that way.
How does the WannaCry Decryptor work?
First of all, to understand how to decrypt a file, one should know how the file was encrypted. That is exactly where security expert Guinet started.
WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers: a "public" key and a "private" key, for encrypting and decrypting the system's files respectively.
To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving the victims no choice but to pay the ransom to the attacker in order to retrieve the decryption key.
But here's the kick: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.
Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve from memory the two prime numbers used in the formula that generates the encryption keys.
So the basic idea of this tool is to fetch the prime numbers that were used to form the private key from the process's memory space, which is only possible if those numbers have not yet been lost from memory. "It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory," says Guinet.
So, that means, this method will work only if:
- The affected computer has not been rebooted after being infected.
- The associated memory has not been allocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work, and so it might not work in every case!" Guinet says.
Since WannaKey only pulls the prime numbers from the memory of the affected computer, the tool can only be used by those who are able to take those prime numbers, generate the decryption key from them manually, and then decrypt their WannaCry-infected PC's files.
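The recovery idea described above, as an added toy example (not Guinet's or Delpy's code): scan a memory region for a prime, rebuild the private key from it and the public key, and decrypt. The primes, heap layout and message are constructed, and the assumption that a candidate is recognised because it divides the public modulus n is mine, not a statement from this post.

```python
# Constructed toy parameters: two Mersenne primes stand in for WannaCry's
# real 1024-bit primes so the example runs instantly. They are NOT real keys.
P = 2**127 - 1
Q = 2**89 - 1
E = 65537
N = P * Q
PRIME_BYTES = 16  # width of one stored prime in our toy heap layout

def build_fake_heap() -> bytes:
    """Constructed stand-in for a wcry.exe memory region: junk, the two
    primes as little-endian integers (as CryptoAPI stores them), more junk."""
    junk = b"\xde\xad\xbe\xef" * 5
    return (junk + Q.to_bytes(PRIME_BYTES, "little") + junk
            + P.to_bytes(PRIME_BYTES, "little") + junk)

def scan_for_prime_factor(dump: bytes, n: int):
    """Slide a PRIME_BYTES window over the dump and return the first value that
    divides n (assumed check); random bytes almost never divide the modulus."""
    for off in range(len(dump) - PRIME_BYTES + 1):
        cand = int.from_bytes(dump[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None  # primes already overwritten: the 'unlucky' case

def rebuild_private_key(n: int, e: int, p: int) -> dict:
    """Derive every private-key component from the public key and one prime."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return {"n": n, "e": e, "p": p, "q": q, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1),  # CRT exponents
            "qinv": pow(q, -1, p)}                 # CRT coefficient

def crt_decrypt(c: int, k: dict) -> int:
    """RSA decryption via the CRT components a CryptoAPI private key blob stores."""
    m1 = pow(c, k["dp"], k["p"])
    m2 = pow(c, k["dq"], k["q"])
    h = (k["qinv"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]

def recover_and_decrypt(dump: bytes, c: int):
    """Full pipeline: find a prime in memory, rebuild the key, decrypt c."""
    p = scan_for_prime_factor(dump, N)
    if p is None:
        return None
    return crt_decrypt(c, rebuild_private_key(N, E, p))

if __name__ == "__main__":
    secret = 0x57616E6E614B6579  # "WannaKey" as an integer, constructed message
    print(recover_and_decrypt(build_fake_heap(), pow(secret, E, N)) == secret)
```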
Not everyone would be able to undertake such a manual process and run an algorithm over the fetched prime numbers to produce a decryption key. With this in mind, another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of decrypting WannaCry-infected files.
All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).
Steps to follow:
- Download wanakiwi here
- wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
- Have luck so that your prime numbers haven’t been overwritten from the process address space.
WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.
Although the tool won't work for every user because of these dependencies, it still gives WannaCry's victims some hope of getting their locked files back for free on largely unsupported versions of Microsoft's operating system.