Researchers offer fixes for WannaCry ransomware

By on
Researchers offer fixes for WannaCry ransomware

Two researchers claim their tools can bypass WannaCry encryption on Windows XP and 7 – if you're lucky and haven't rebooted.

Victims hit by the recent WannaCry attack may be able to avoid paying the US$300 to US$600 ransom demand, as two researchers say they found ways to access the secret decryption key.

We still advise following the tips in our ransomware suvival guide, but the tools from these researchers offer some hope for those who have been infected.

The first workaround to emerge was from Adrien Guinet of France-based research firm Quarkslab, who made software available that he says granted him access to the decryption key on a system running Windows XP, allowing him to bypass the payment demand and recover his files.

"This software has only been tested and known to work under Windows XP," wrote Guinet, in a message alongside his GitHub post. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"

So far it appears the software, known as WannaKey (pictured above), hasn't been tested fully in the wild so it's difficult to say whether it's a reliable work around.

WannaCry is the most recent widespread ransomware campaign, which infected and encrypted data on networks across the world last week. The infection is able to block users from accessing files that are normally only recoverable through a US$300 to US$600 payment.

While WannaCry propagated via a Windows vulnerability through the SMB (server message block) network protocol, it also exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key. More modern versions of Windows erase this key through memory cleanups, but Guinet identified a flaw in Windows XP that allowed for some instances where WannaKey is able to scour the system memory for traces of the variables used to generate the key. Importantly, this only works if the computer has not been powered down, so it is advised that affected machines are left running.

If a match is found during the scan, a key will be generated which can then be used to decrypt affected files. "If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," added Guinet.

A second WannaCry software workaround appears to have been successful at sourcing the decryption key on a Windows 7 machine. Matt Suiche, researcher and founder of Comae Technologies, reports that a tool known as WannaKiwi, which works in a similar way to Wannakey, has been able to decrypt data on a machine running Windows 7. 

Suiche gives similar advice to Guinet: “DO NOT REBOOT your infected machines and TRY wanakiwi ASAP.”

This article originally appeared at IT Pro. Main picture courtesy of Adrien Guinet of Quarkslab.

Copyright © ITPro, Dennis Publishing

Most Read Articles


What would you like to see more of on BiT?
How To's
Photo Galleries
View poll archive

Log In

  |  Forgot your password?