Last week, one of the most severe ransomware infections in recent memory occurred. Dubbed WannaCry, the malware hit over 70 countries, and nearly brought the UK's National Health Service (NHS) to its knees. It then extended its reach to computers in China, while at the same time evolving to circumvent the kill switch discovered and activated by a researcher. Now, it looks like someone else has finally been able to create a decryptor for WannaCry.
According to The Hacker News, Adrien Guinet, a security researcher for Quarkslab, has been able to make use of a flaw in the way WannaCry operates, thus allowing him to create a decryptor. In essence, the ransomware generates a pair of keys on the victim's computer - a public and private key for encryption / decryption - which rely on prime numbers. Although WannaCry erases the keys from the system, thus forcing the victim to pay $300 to the cybercriminals, there's a catch. Guinet says that the malware "does not erase the prime numbers from memory before freeing the associated memory."
Using this information, Guinet created WannaKey, which attempts to retrieve the prime numbers from memory. It only works on Windows XP, and needs two conditions to be met: the computer must not have been restarted since the infection, and the memory that held the primes must not have been overwritten or reallocated by another process. Even if your situation ticks all the required boxes, his solution "might not work in every case!", according to the researcher.
Luckily, building on Guinet's find, researcher Benjamin Delpy has created WanaKiwi. This decryptor works in the same fashion as WannaKey, but is compatible with Windows XP, Vista, 7, Server 2003, and Server 2008, and needs to be run via the command line. Matt Suiche of Comae Technologies has offered a few examples of how to manually decrypt your WannaCry-affected files using WanaKiwi.
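As an added illustration of why the leftover primes are enough (this is not code from the article, WannaKey or WanaKiwi), the snippet below models the recovery step in miniature: scan a constructed "freed heap" snapshot for any value that divides the public modulus n, then rebuild the private exponent from the two primes and decrypt. It assumes the public modulus is known and uses tiny constructed primes; real keys are far larger and the real tools parse CryptoAPI structures rather than brute-scanning.

```python
from math import gcd

def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse")
    return old_s % m

def find_prime_factors(memory, n, width):
    """Scan a memory snapshot for a 'width'-byte little-endian value that
    divides n. Since n = p*q has no other non-trivial divisors, any hit is
    one of the two primes; the other follows by division."""
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, n // cand
    return None  # primes already overwritten or the machine was rebooted

def rebuild_private_exponent(p, q, e=65537):
    """Private exponent d from the primes alone: d = e^-1 mod phi(n)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e not invertible modulo phi(n)")
    return modinv(e, phi)

def demo():
    e = 65537
    p, q = 999983, 1000003            # constructed small primes (real keys: 2048-bit)
    n = p * q                         # public modulus, assumed recoverable
    # constructed "freed" heap snapshot: junk around the two primes left behind
    memory = (b"\xde\xad\xbe\xef" * 3 + p.to_bytes(4, "little") + b"\x00\x11\x22"
              + q.to_bytes(4, "little") + b"\xff" * 5)
    secret = 123456789                # stands in for protected file-key material
    ciphertext = pow(secret, e, n)    # encrypted with the public key only
    found = find_prime_factors(memory, n, 4)
    if found is None:
        return None
    d = rebuild_private_exponent(*found, e=e)
    return pow(ciphertext, d, n)       # 123456789 when recovery succeeds
```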
Though probably not as comprehensive a solution as some would expect, it's certainly a welcome development, especially in light of more exploit tools threatened to be released in June.
Source: The Hacker News