Anti-Malware , Encryption , Ransomware

WannaCry Ransomware: Tools Decrypt for Free

Decryptors from French Researchers May Save Many Victims
WannaCry Ransomware: Tools Decrypt for Free
WanaKiwi decrypts a Windows PC infected by WannaCry. (Source: Benjamin Delpy)

Good news for many victims of WannaCry: Free tools can be used to decrypt some PCs that were forcibly encrypted by the ransomware, providing the prime numbers used to build the crypto keys remain in Windows memory and have not yet been overwritten.

The decryption tools carry several caveats: Affected systems must not have been powered down or rebooted. Users must also have admin-level access to the infected system. And even then, security researchers caution, the tools still might not work with every type of infected system.

But the tools give WannaCry victims a potential way to restore their systems without having to consider whether they will pay their attackers. And security experts and law enforcement agencies recommend not paying ransoms, whenever possible, because they directly funds future cybercrime (see Please Don't Pay Ransoms, FBI Urges).

WannaCry infections began sweeping worldwide May 12, infecting more than 200,000 Windows computers with a speed and severity not witnessed since the days of the Love Bug and SQL Slammer worms in the early 2000s (see Teardown: WannaCry Ransomware).

Whoever designed WannaCry added the ability for it to spread like a worm by targeting two leaked "Equation Group" exploits, including a Windows server message block protocol flaw, addressed by Microsoft for its newer Windows systems in March via the MS17-010 security update. The flaw, believed to have been built by the National Security Agency, and was leaked in April by the Shadow Brokers hacking group.

After the attacks began, late on May 12 Microsoft shared emergency updates for three operating systems it no longer officially supports - Windows XP, Windows Server 2003 and Windows 8 - to patch the SMB flaw.

French Security Researchers to the Rescue

After WannaCry first appeared, three French security researchers, working around the clock, reverse-engineered the ransomware and began developing, testing and releasing decryption tools. On Thursday, Adrien Guinet, a security researcher at Paris-based cybersecurity firm Quarkslab, released WannaKey, which can decrypt Windows XP systems. On Friday, Benjamin Delpy released WanaKiwi, which he built in his spare time, away from his day job at Banque de France. Throughout, their efforts have been supported and tested by Dubai-based security expert Matt Suiche.

Encryption keys - including the one used by WannaCry to forcibly encrypt a victim's PC - are created by multiplying together two incredibly large prime numbers.

But there's evidently a weakness in the Windows functionality that the developer of WannaCry tapped, called the Microsoft CryptoAPI, the researchers found. For at least a short time, Windows keeps a copy of the two prime numbers that it provided to WannaCry in memory. Accordingly, those primes can be recovered, independently used to compute the encryption key and then used to decrypt all forcibly encrypted data.

Try WanaKiwi First

Of the two tools, WanaKiwi is reportedly the easier one to use. Even better, Suiche reports, WanaKiwi can decrypt both Windows XP and Windows 7 systems. "This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2," Suiche says in a blog post.

The takeaway: Try the tools, and do so immediately. "Do not reboot your infected machines and try wanakiwi ASAP*!" Suiche says, noting that victims should do this as soon as possible "because prime numbers may be overwritten in memory after a while."

WanaKiwi in action on an infected Windows XP system. (Source: Matt Suiche.)

Suiche's findings have been confirmed by the European Cybercrime Center - part of Europol, the EU's law enforcement intelligence agency - which says via Twitter that the tools can "recover data in some circumstances."

"This is not a perfect solution," Suiche tells Reuters. "But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups" which allow users to restore data without paying black-mailers."

Threat intelligence firm Kryptos Logic tells Reuters that as of Wednesday, half of all IP addresses infected with WannaCry appeared to be in China and Russia - representing 30 percent and 20 percent of all infections globally, respectively - followed by the United States, with 7 percent of infections, and Britain, France and Germany, each with 2 percent of infections seen worldwide.

According to Costin Raiu, a researcher at Moscow-based security firm Kaspersky Lab, 98 percent of all WannaCry-infected systems appear to be running the Windows 7 operating system.

As of 7 a.m. Eastern U.S. Time on Monday, 315 victims had paid 49 bitcoins - worth about $108,000 - to one of the three bitcoin wallets tied to the ransomware.

Hoping for Arrests

The WannaCry decryption tools may have arrived too late for some victims. Upon infection, WannaCry warns victims they have three days to pay $300 in bitcoin before the ransom rises to $600. If that isn't paid after a week, the ransomware says that the data will be locked forever.

Even so - and if the free decryption tools haven't worked - Delpy says that victims may have another option: Back up all files and wait for police to find and arrest the criminals involved. At that point, they should be able to recover the main key that was used to encrypt all systems, he says.

Of course, this strategy depends on WannaCry's developer or developers being identified, caught and brought to justice. It's not clear when - or if - that might ever happen.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network