WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom
As is widely known, the WannaCry ransomware wreaked havoc globally last Friday. If your personal computer has fallen victim to it, you may be fortunate enough to get your locked files back without paying any ransom to the hackers.
Adrien Guinet, a French security researcher, has discovered a way to retrieve, for free, the secret encryption keys used by WannaCry. It works on Windows 7, Windows XP, Windows Vista, and Windows Server 2003 and 2008.
WannaCry Decryption Keys
WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers: a “public” key for encrypting the system's files and a “private” key for decrypting them.
The ransomware deletes the private key from the system so that victims cannot access it and decrypt the locked files on their own, which forces them to pay the ransom to the hacker to obtain the decryption key.
However, Guinet says that WannaCry does not erase the prime numbers from memory before freeing the associated memory.
Based on this finding, Guinet released a decryption tool called WannaKey, which tries to retrieve from memory the two prime numbers used in the formula that generates the encryption keys. It works only on Windows XP.
According to the French security researcher, the tool does so by searching for them in the wcry.exe process, which is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.
Consequently, the method works only if the affected computer has not been rebooted after being attacked and the associated memory has not been allocated and erased by another process.
The French researcher also states that, for the tool to work, the computer must not have been rebooted after being infected. Beyond that, he says, you also need some luck for this to work, so it might not succeed in every case.
He also says that this is not actually a mistake by the WannaCry authors, since they use the Windows Crypto API properly.
Because WannaKey only pulls the prime numbers from the memory of the infected computer, the tool can be used only by those who are able to use those prime numbers to generate the decryption key manually.
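The following added example (not code from the original article, WannaKey or WanaKiwi) shows one way a prime left behind in memory can be recognized and turned back into an RSA private exponent. It assumes the public modulus is known, that the prime sits in memory as a little-endian integer, and that the public exponent is 65537; the function names, the 4-byte toy primes and the memory dump are constructed for illustration.

```python
# Added example with constructed toy values; not WannaKey's or WanaKiwi's code.
E = 65537                      # assumed public exponent
P, Q = 2**32 - 5, 2**31 - 1    # constructed 4-byte primes (real ones are far larger)
N = P * Q                      # public modulus, known from the public key

# Constructed "process memory": noise, a leftover copy of P, then zeroed bytes.
DUMP = b"\x11\x22\x33\x44" * 5 + P.to_bytes(4, "little") + b"\x00" * 8


def find_prime_in_dump(dump, n, prime_len):
    """Return the first prime_len-byte window that is a non-trivial factor of n."""
    for off in range(len(dump) - prime_len + 1):
        window = dump[off:off + prime_len]
        if window[0] & 1 == 0:          # little-endian low byte: primes are odd
            continue
        cand = int.from_bytes(window, "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None                          # memory already reused or wiped


def rebuild_private_exponent(p, n, e=E):
    """Derive the RSA private exponent d from one recovered prime."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)               # modular inverse (Python 3.8+)


if __name__ == "__main__":
    p = find_prime_in_dump(DUMP, N, 4)
    d = rebuild_private_exponent(p, N)
    secret = 0x1234567
    assert pow(pow(secret, E, N), d, N) == secret   # rebuilt key decrypts
    print("recovered p =", p, "d =", d)
    print("wiped memory:", find_prime_in_dump(b"\x00" * 64, N, 4))
```

The second call returns nothing because the buffer has been zeroed, which is the situation after a reboot or once the freed memory has been reused.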
WanaKiwi: WannaCry Decryption Tool
The good news is that, building on Guinet's findings, security researcher Benjamin Delpy has developed an easy-to-use tool called “WanaKiwi” that simplifies the whole process of decrypting WannaCry-infected files.
Victims simply need to download the tool and run it on their infected computers from the command line (cmd).
Furthermore, Matt Suiche of Comae Technologies has confirmed that WanaKiwi works on Windows 7, Windows XP, Windows Vista, and Windows Server 2003 and 2008. He has also demonstrated how to use the tool to decrypt your files.
Although WanaKiwi will not work for every user because of its dependencies, it still gives victims of the ransomware some hope of recovering their locked files for free, even on Windows XP, the aging and largely unsupported version of Microsoft's operating system.