A researcher has released a tool that can recover the decryption key for the WannaCry ransomware on infected Windows XP systems.
The tool, called Wannakey, is the work of Adrien Guinet of Quarkslab, a French security firm. Wannakey takes advantage of a quirk in the way WannaCry uses the Windows Crypto API on XP machines: the API does not erase the prime numbers used to compute the private key before it frees the memory holding them, so they can remain in the process's memory after the key has been released.
“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does clean up the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup,” Guinet said in the documentation for Wannakey.
“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.”
The tool only works on Windows XP PCs, and Guinet said that if the computer was rebooted after it was infected, Wannakey won’t be able to recover the private key, since the primes survive only in the memory of the still-running process.
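The recovery idea behind Wannakey is simple to state: the ransomware’s RSA public key gives you the modulus n, and any value in process memory that divides n is one of its prime factors, which is enough to rebuild the private exponent. The following Python program is an added example written for this article, not Wannakey’s own code. Everything in it is constructed: a small 256-bit RSA key generated locally, and a fake “process memory” of random bytes into which one prime is copied, stored little-endian the way CryptoAPI RSA key blobs lay out key material. It then shows the two behaviours the article contrasts: with no cleanup (the XP case) the scan finds the prime and reconstructs the key; after the buffer is overwritten on release (the Windows 10 case) the same scan finds nothing.

```python
"""Added example: recovering an RSA private key from a prime left in memory.

Constructed for illustration; not Wannakey's code. A real recovery needs the
ransomware's public key and a memory image of the still-running process,
neither of which is reproduced here.
"""
import random
from math import gcd

E = 65537


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, adequate for a demo key)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_key(bits: int = 256, seed: int = 2017):
    """Toy RSA key (n, e, d, p, q); seeded so the example is reproducible."""
    rng = random.Random(seed)
    half = bits // 2
    while True:
        p, q = gen_prime(half, rng), gen_prime(half, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi), p, q


def prime_len(n: int) -> int:
    """Byte length of each prime factor of a two-prime modulus n."""
    return (n.bit_length() + 7) // 8 // 2


def build_dump(p: int, size: int = 4096, offset: int = 1234, seed: int = 99) -> bytearray:
    """Constructed 'process memory': random filler with one prime left behind,
    written little-endian as CryptoAPI key blobs store key material."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    plen = (p.bit_length() + 7) // 8
    dump[offset:offset + plen] = p.to_bytes(plen, "little")
    return dump


def wipe(buf: bytearray) -> None:
    """What a cleanup-on-release does: overwrite key material before the
    memory is handed back and can be reused."""
    for i in range(len(buf)):
        buf[i] = 0


def scan_for_prime(dump: bytes, n: int):
    """Slide a prime-sized window over the dump; a value that divides n
    (other than 1 and n) must be a prime factor of n."""
    plen = prime_len(n)
    for off in range(len(dump) - plen + 1):
        cand = int.from_bytes(dump[off:off + plen], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_key(dump: bytes, n: int, e: int):
    """Rebuild (p, q, d) from the public key and one leaked prime, or None."""
    p = scan_for_prime(dump, n)
    if p is None:
        return None
    q = n // p
    return p, q, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d, p, q = gen_rsa_key()
    dump = build_dump(p)
    found = recover_private_key(dump, n, e)
    print("no cleanup (XP case): key rebuilt:", found is not None and found[2] == d)
    wipe(dump)  # the Windows 10-style cleanup on release
    print("after wipe (Windows 10 case):", recover_private_key(dump, n, e))
```

Two points the code makes explicit: the scan needs no knowledge of where the key blob was, only the modulus and the prime’s byte length, which is why a dump of the right process is sufficient; and the defence is not a cryptographic change but a memory-hygiene one, zeroing the buffer before it is freed, which is exactly the difference the article reports between the two Windows versions.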
WannaCry has hit the Internet hard in the last week, infecting hundreds of thousands of machines around the world, many of them in Russia. The ransomware is unusual in many respects, particularly its use of exploit code for a vulnerability in Microsoft’s SMB protocol implementation. The NSA reportedly discovered the vulnerability and developed the exploit code for it, a tool known as EternalBlue. Once the WannaCry malware is on a new PC, it encrypts the user’s files and then begins scanning the local network for other vulnerable computers.
WannaCry is seen as the first self-replicating ransomware variant, something that security experts have been warning about for a couple of years.
Although Microsoft no longer officially supports Windows XP, the company last week released a patch for the SMB vulnerability in XP as well as other unsupported, older Windows releases.
“Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download,” Phillip Misner of the Microsoft Security Response Center said.
Image: Show Jian Ming, CC by-nd license.