As the WannaCry ransomware campaign stretches on into its second week, researchers have had more and more success developing tools to help users decrypt the files on infected PCs.
Last week, French researcher Adrien Guinet released a tool called Wannakey that could recover the private keys used to encrypt files on Windows XP machines. The tool succeeds because WannaCry uses the Windows Crypto API in a way that results in the prime numbers used to compute the private key not being removed from memory.
“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup,” Guinet said in the documentation for Wannakey.
After Guinet released the tool, others began testing it on different versions of Windows. Now, it’s confirmed that Wannakey works on Windows XP, 7, 2003, Vista, and Server 2008. A separate tool called Wanakiwi, which automatically decrypts files encrypted by WannaCry, has also been released by a researcher named Benjamin Delpy. Wanakiwi works on Windows XP, 7, and 2003.
“Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot – the original process memory will be lost. It is very important for users to NOT reboot their system before trying this tool,” Delpy said in his documentation.
“Secondly, because of the same reason we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility ASAP.”
Both Wannakey and Wanakiwi only work if the infected machine hasn’t been rebooted since it was compromised. That ensures that the prime numbers used to compute the private key are still in memory and available to the tools.
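The recovery idea both tools rely on, shown as an added example that is not code from Wannakey, Wanakiwi or the original article: scan a memory image for a value that divides the public modulus, then rebuild the private exponent from it. The toy 8-byte primes, the little-endian layout, the function names and the sample memory are assumptions constructed for illustration.

```python
# Added example (not Wannakey/Wanakiwi code): recover an RSA private exponent
# from a memory image that still contains one prime factor of the modulus.
# Assumptions: toy 8-byte primes instead of WannaCry's real key size,
# little-endian storage, and a constructed byte string standing in for
# the address space of the process that generated the key.

P = 2**64 - 59          # constructed sample prime
Q = 2**61 - 1           # constructed sample prime
E = 65537               # public exponent
N = P * Q               # public modulus, available on the infected machine


def find_prime(memory: bytes, n: int, prime_len: int):
    """Slide a prime_len-byte window over memory; return a factor of n or None."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_exponent(memory: bytes, n: int, e: int, prime_len: int):
    """Rebuild d from a leftover prime; None if the memory was wiped or reused."""
    p = find_prime(memory, n, prime_len)
    if p is None:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+


def sample_memory(leftover: bytes) -> bytes:
    """Constructed 'process memory': filler bytes around whatever was left behind."""
    filler = bytes((i * 37) % 251 for i in range(300))
    return filler + leftover + filler


if __name__ == "__main__":
    stale = sample_memory(P.to_bytes(8, "little"))   # prime never cleaned up
    wiped = sample_memory(bytes(8))                  # prime zeroed or lost on reboot
    d = recover_private_exponent(stale, N, E, 8)
    secret = 0x1234567890ABCDEF
    print("decrypts:", pow(pow(secret, E, N), d, N) == secret)
    print("after wipe:", recover_private_exponent(wiped, N, E, 8))
```

The wiped case returns nothing, which is why a reboot or memory reuse ends any chance of recovery.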
WannaCry infections are still occurring, although researchers have been able to slow them down significantly by registering a pair of domains hard-coded into the worm. Infected machines try to contact one of those domains and will stop the infection routine if the server at the domain responds. But that’s not a permanent solution.
“It actually means that we’ve barely bought a little time. If another version comes out without this, we’re going to have a very, very serious problem because there won’t be an easy way to slap a band aid on this,” said Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab.