
Researchers Release WannaCry Decryption Tool

A group of researchers have released a tool that may be able to recover files locked by WannaCry, the malware that has infected more than 300,000 computers in 150 countries, without the need to pay a ransom.

The tool was released on Friday, a week after the initial WannaCry outbreak on 12 May.

Permanent lock

That date is significant since WannaCry threatens to begin permanently locking users’ files if they haven’t paid a ransom of about $300 (£230) in Bitcoin a week after the initial infection.

“Today (19 May) marks the 7th infection day (started on the 12th) — which means that many users would potentially lose their files forever from today as stated in the initial infection window,” wrote Dubai-based researcher Matthieu Suiche in a blog post.

Suiche worked to develop the tool with security researcher Adrien Guinet and Benjamin Delpy, who put in hours outside of his day job at the Banque de France.

It uses a technique developed by Guinet that involves searching for prime numbers stored by the malware in the computer’s memory in order to deduce the decryption key.

‘Luck’ needed

But since those numbers are erased when the system is switched off, the tool, called Wanakiwi, only works if a system hasn’t been rebooted since it was infected.

The prime numbers may also be overwritten in the system’s memory over time, causing the tool to fail, Suiche acknowledged. It also won’t work if WannaCry permanently locks the files after the one-week deadline has passed, he said.

“You need some luck for this to work and so it might not work in every case,” wrote Guinet in describing the WannaKey key-recovery tool on which Wanakiwi is based.
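As an added illustration, not code from Wanakiwi or WannaKey, the toy Python below shows the core of the approach described above: slide a window over a memory image looking for an integer that divides the RSA modulus, then rebuild the private exponent from the recovered factor. The key, the memory image and the filler bytes are all constructed here (real WannaCry keys are RSA-2048, not 32-bit primes), and the demo returns None when no factor survives in memory, which is the reboot or overwrite failure case described above.

```python
# Constructed illustration of the Wanakiwi-style recovery idea: scan a
# memory image for a prime factor of the RSA modulus, then rebuild the
# private exponent. Toy key sizes only; WannaCry's keys are RSA-2048.

E = 65537
PRIME_BYTES = 4          # width of one factor in the (toy) memory image


def make_toy_key():
    """Constructed RSA key with known factors (demo only)."""
    p, q = 1000000007, 998244353          # both prime
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))     # private exponent
    return n, d, p, q


def scan_memory_for_factor(image: bytes, n: int, width: int = PRIME_BYTES):
    """Slide a window over the image; any integer dividing n is a factor."""
    for off in range(len(image) - width + 1):
        cand = int.from_bytes(image[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None                           # factor gone: recovery fails


def rebuild_private_key(n: int, factor: int) -> int:
    """Given one prime factor of n, recover the other and derive d."""
    other = n // factor
    return pow(E, -1, (factor - 1) * (other - 1))


def constructed_memory_image(p: int) -> bytes:
    """Deterministic junk bytes with the prime embedded at offset 100."""
    filler = bytes((i * 37) % 251 for i in range(100))
    return filler + p.to_bytes(PRIME_BYTES, "little") + filler


def demo():
    """Return True if the key rebuilt from memory decrypts a test value."""
    n, d_real, p, q = make_toy_key()
    hit = scan_memory_for_factor(constructed_memory_image(p), n)
    if hit is None:
        return None                       # nothing usable left in memory
    _, factor = hit
    d = rebuild_private_key(n, factor)
    m = 123456789                         # constructed plaintext, m < n
    c = pow(m, E, n)                      # encrypt with the public key
    return d == d_real and pow(c, d, n) == m


if __name__ == "__main__":
    print("recovered and decrypted:", demo())
```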

That said, Wanakiwi has been successfully tested on every affected system, from Windows XP to Windows 7, including Windows 2003, Vista and 2008, according to Suiche.

Europol confirmed on Twitter its European Cybercrime Centre had tested the tool and found it “to recover data in some circumstances”.

Delpy told Reuters he had been contacted by banking, energy and government intelligence agencies from European countries and India for the fix.

While WannaCry made its initial impact more than a week ago, Suiche said his firm is continuing to see new systems hit.

“The infection wave is far from being over,” he wrote.

Windows 7 infections

More than 97 percent of WannaCry infections affected Windows 7, according to Kaspersky Lab, contrary to initial fears that organisations such as the NHS had made themselves vulnerable by relying on outdated Windows XP systems.

The findings varied according to different methods employed by various security firms, but security ratings firm BitSight also found 67 percent of infections had hit Windows 7, according to Reuters.

Researchers also disclosed that unlike most ransomware variants, WannaCry doesn’t seem to have spread via malicious email attachments, with a number of security firms saying they were unable to find a single infected email message.

Instead, researchers said it appears to have spread by searching for publicly accessible SMB ports and then using an exploit known as EternalBlue to gain access to the network.

SMB exploit

It then used a second NSA exploit called DoublePulsar to install malware on the affected network, according to Malwarebytes.

“The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems allowing for the exploitation of the system,” the firm said in an advisory. “The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445.”

Both EternalBlue and DoublePulsar were allegedly developed by the NSA before being leaked to the public by a hacking group called Shadow Brokers.

Malwarebytes advised users to install patches regularly and to turn off protocols such as SMB if they’re not needed.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
