Decrypt Infected Files: Since last Friday, many private and government PCs have been affected by the WannaCry ransomware attack. The hackers locked the PCs and demanded a ransom of $300, which the user must pay to get the locked files back.
A French security investigator from Quarkslab, Adrien Guinet, has found a method for recovering, for free, the hidden encryption keys used by the WannaCry ransomware. It supports Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 OS.
WannaCry's encryption system works by generating a pair of keys on the user's PC that are derived from prime numbers. The public key is for encrypting and the private key is for decrypting the PC's files. WannaCry deletes the private key from the user's PC to prevent the user from getting at it and decrypting the locked files. The malware leaves users no way to recover the decryption key except paying the hackers.
Guinet said that WannaCry's prime numbers stay in memory until that memory is released. Based on this research, Guinet developed a WannaCry ransomware decryption tool called WannaKey. This tool attempts to recover the prime numbers from the system. It does this by searching for them in the wcry.exe process, which is the process that generates the RSA private key. The underlying issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory. This method works only under two conditions:
1) After the attack, the victim's PC must not have been rebooted.
2) The memory has not been reallocated and erased by another process.
Guinet added that WannaKey will not necessarily work on your PC. The reason is that the ransomware's makers use the Windows Crypto API correctly. The WannaKey tool can only obtain the prime numbers from the attacked PC. You can use this tool only if you are able to take those prime numbers and produce the decryption key manually to decrypt the files attacked by the ransomware.
There is also another method to decrypt files infected by the WannaCry ransomware. WanaKiwi is a new decryption tool based on Guinet's research. It was developed by Benjamin Delpy, a security investigator. You just have to download the WanaKiwi tool and run it on the infected PC from the command line (cmd). You can get this tool from GitHub. It supports Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, as confirmed by Matt Suiche of the security firm Comae Technologies. He also explained how to use WanaKiwi to recover infected files.
These tools might not work on some affected PCs, but they are a great relief for other ransomware sufferers.
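The manual step described above, as an added example (not WannaKey's code): once one prime has been found in leftover memory, dividing the public modulus by it gives the second prime, and the private exponent follows. The memory buffer, the toy 32-bit primes, the little-endian layout and the function names are all constructed assumptions.

```python
"""Added illustration: rebuild an RSA private key from one prime left in memory.
All values are constructed; toy 32-bit primes stand in for real key sizes."""

E = 65537                 # public exponent (assumed value for this example)
P = 4294967291            # constructed "leftover" prime (2**32 - 5)
Q = 4294967279            # the other prime (2**32 - 17); never placed in the dump
N = P * Q                 # public modulus, known from the public key

# Constructed stand-in for process memory: filler bytes around the prime.
# Assumption: the prime sits in memory as a little-endian integer.
DUMP = bytes(range(1, 40)) + P.to_bytes(4, "little") + bytes(range(40, 60))


def find_prime_factor(dump, n, prime_len):
    """Slide a prime_len-byte window over dump; return (offset, value) of the
    first value that divides n exactly, or None if the memory was overwritten."""
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """Derive the second prime and the private exponent d from n, e and p."""
    q, rem = divmod(n, p)
    if rem != 0 or q in (1, n):
        raise ValueError("p is not a proper factor of n")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse of e (Python 3.8+)
    return q, d


if __name__ == "__main__":
    hit = find_prime_factor(DUMP, N, 4)
    if hit is None:
        print("no factor found: memory reused or machine rebooted")
    else:
        off, p = hit
        q, d = rebuild_private_key(N, E, p)
        msg = 123456789
        ok = pow(pow(msg, E, N), d, N) == msg   # encrypt, then decrypt
        print(f"prime at offset {off}, q={q}, round trip ok={ok}")
```

A `None` result corresponds to the two failure conditions listed earlier: the PC was rebooted, or the freed memory was reused and overwritten.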