
Researchers Release WannaCry Decryption Tool

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications


Users may be able to recover files without paying a ransom using a tool that searches a system’s memory to recover the decryption key

A group of researchers have released a tool that may be able to recover files locked by WannaCry, the malware that has infected more than 300,000 computers in 150 countries, without the need to pay a ransom.

The tool was released on Friday, a week after the initial WannaCry outbreak on 12 May.

Permanent lock

That date is significant since WannaCry threatens to begin permanently locking users’ files if they haven’t paid a ransom of about $300 (£230) in Bitcoin a week after the initial infection.

“Today (19 May) marks the 7th infection day (started on the 12th) — which means that many users would potentially lose their files forever from today as stated in the initial infection window,” wrote Dubai-based researcher Matthieu Suiche in a blog post.


Suiche worked to develop the tool with security researcher Adrien Guinet and Benjamin Delpy, who put in hours outside of his day job at the Banque de France.

It uses a technique developed by Guinet that involves searching for prime numbers stored by the malware in the computer’s memory in order to deduce the decryption key.

‘Luck’ needed

But since those numbers are erased when the system is switched off, the tool, called Wanakiwi, only works if a system hasn’t been rebooted since it was infected.

The prime numbers may also be overwritten in the system’s memory over time, causing the tool to fail, Suiche acknowledged. It also won’t work if WannaCry permanently locks the files after the one-week deadline has passed, he said.
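As an added illustration of the idea described above (this is demo code written for this article, not wanakiwi or the researchers' own code): scan a memory image for a value that divides the RSA public modulus, rebuild the private exponent from that prime, and observe that recovery fails once the prime has been wiped. The small key, the little-endian byte layout and the memory image itself are constructed assumptions for the demo.

```python
import random

# Constructed demo key: two well-known Mersenne primes stand in for the
# RSA-2048 primes a CryptoAPI key would hold (sizes chosen for speed).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537

def int_to_le(x):
    """Little-endian encoding, assumed layout of key material in memory."""
    return x.to_bytes((x.bit_length() + 7) // 8, "little")

def build_memory_image(seed=7, rebooted=False):
    """Constructed stand-in for a process memory dump: random filler with one
    prime (P) left behind at a fixed offset. rebooted=True simulates the key
    material having been lost, so recovery must fail."""
    rng = random.Random(seed)
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    leftover = b"\x00" * len(int_to_le(P)) if rebooted else int_to_le(P)
    return filler(512) + leftover + filler(512)

def find_factor(mem, n, widths=(8, 12, 16, 128)):
    """Slide over memory, read each window as a little-endian integer and keep
    the first one that non-trivially divides n. With n = p*q the only such
    values are p and q themselves, so no primality test is needed."""
    for off in range(len(mem)):
        for w in widths:
            c = int.from_bytes(mem[off:off + w], "little")
            if 1 < c < n and n % c == 0:
                return c
    return None

def recover_private_exponent(n, e, factor):
    other = n // factor
    phi = (factor - 1) * (other - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)

def recover_and_decrypt(mem, n, e, ciphertext):
    """Full flow: find a prime in memory, rebuild d, decrypt one RSA block.
    Returns None when no usable key material survives in memory."""
    factor = find_factor(mem, n)
    if factor is None:
        return None
    return pow(ciphertext, recover_private_exponent(n, e, factor), n)

if __name__ == "__main__":
    secret = 0xC0FFEE  # stands in for the per-victim file key wrapped with RSA
    ct = pow(secret, E, N)
    print(hex(recover_and_decrypt(build_memory_image(), N, E, ct) or 0))
    print(recover_and_decrypt(build_memory_image(rebooted=True), N, E, ct))
```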

“You need some luck for this to work and so it might not work in every case,” wrote Guinet in describing the WannaKey key-recovery tool upon which Wanakiwi is based.

That said, Wanakiwi has been successfully tested on every affected system, from Windows XP to Windows 7, including Windows 2003, Vista and 2008, according to Suiche.

Europol confirmed on Twitter its European Cybercrime Centre had tested the tool and found it “to recover data in some circumstances”.

Delpy told Reuters he had been contacted by banking, energy and government intelligence agencies from European countries and India for the fix.

While WannaCry made its initial impact more than a week ago, Suiche said his firm is continuing to see new systems hit.

“The infection wave is far from being over,” he wrote.

Windows 7 infections

More than 97 percent of WannaCry infections affected Windows 7, according to Kaspersky Lab, contrary to initial fears that organisations such as the NHS had made themselves vulnerable by relying on outdated Windows XP systems.

The findings varied according to different methods employed by various security firms, but security ratings firm BitSight also found 67 percent of infections had hit Windows 7, according to Reuters.

Researchers also disclosed that unlike most ransomware variants, WannaCry doesn’t seem to have spread via malicious email attachments, with a number of security firms saying they were unable to find a single infected email message.

Instead, researchers said it appears to have spread by searching for publicly accessible SMB ports and then using an exploit known as EternalBlue to gain access to the network.

SMB exploit

It then used a second NSA exploit called DoublePulsar to install malware on the affected network, according to Malwarebytes.

“The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems allowing for the exploitation of the system,” the firm said in an advisory. “The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445.”

Both EternalBlue and DoublePulsar were allegedly developed by the NSA before being leaked to the public by a hacking group called Shadow Brokers.

Malwarebytes advised users to install patches regularly and to turn off protocols such as SMB if they’re not needed.
