Kaspersky Labs Identifies Mistakes In WannaCry That Can Be Exploited To Retrieve Data

WannaCry ransomware contains mistakes in its code that allow savvy IT workers and programmers to restore files after a computer has been infected.

Cyber security firm Kaspersky Labs dug into the code of the ransomware that has wreaked havoc on a global scale, notably with NHS hospitals in the UK, and found that in some cases the original files are deleted but can be recovered with data recovery software.

“If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. To restore files, you can use the free utilities available for file recovery,” Kaspersky Lab researchers explained.

WannaCry mistakes

“If the file is in an ‘important’ folder (from the malware developers’ point of view – e.g. Desktop and Documents), then the original file will be overwritten with random data before removal. In this case, unfortunately, there is no way to restore the original file content,” the researchers noted for files located on a computer’s system drives.

“If the file is stored outside of ‘important’ folders, then the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten, they are simply deleted from the disk, which means there is a high chance it will be possible to restore them using data recovery software.”

For files located on other non-system drives, it would appear that getting around WannaCry is a matter of finding a hidden folder.

“Ransomware creates the “$RECYCLE” folder and sets hidden+system attributes to this folder. This makes this folder invisible in Windows File Explorer if it has a default configuration. The malware intends to move the original files into this directory after encryption,” the researchers wrote.

“However, because of synchronization errors in the ransomware code in many cases the original files stay in the same directory and are not moved into $RECYCLE. The original files are deleted in an unsecure way. This fact makes it possible to restore the deleted files using data recovery software.”

And the mistakes continue with ‘read-only’ files: “While analysing WannaCry, we also discovered that this ransomware has a bug in its read-only file processing.

“If there are such files on the infected machine, then the ransomware won’t encrypt them at all. It will only create an encrypted copy of each original file, while the original files themselves only get the ‘hidden’ attribute. When this happens, it is simple to find them and restore their normal attributes.”

So it would appear that people with the requisite skills and armed with this knowledge could overcome a WannaCry infection.
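The three recoverable cases the researchers describe can be turned into a triage pass over a folder of undeleted files or a mounted copy of the disk. The script below is an added example, not Kaspersky's tooling or code from the article; the function names, the finding labels and the small file-signature table are assumptions made for illustration.

```python
import os
import re
import stat
from pathlib import Path

# Name pattern from the article: %TEMP%\%d.WNCRYT, where %d is a number.
WNCRYT_NAME = re.compile(r"^\d+\.WNCRYT$", re.IGNORECASE)

# Constructed table of a few well-known file signatures (not exhaustive).
MAGIC = [
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),          # also .docx/.xlsx/.pptx containers
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xd0\xcf\x11\xe0", ".doc"),    # legacy OLE2 Office documents
]

def guess_extension(path):
    """Guess the type of an unencrypted original from its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, ext in MAGIC:
        if head.startswith(sig):
            return ext
    return ".bin"  # unknown signature: keep for manual review

def is_hidden_readonly(path):
    """True when both 'hidden' and 'read-only' are set (Windows only)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 off Windows
    want = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_READONLY
    return (attrs & want) == want

def triage(root):
    """Return sorted (kind, path, detail) tuples for recovery candidates."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        in_recycle = Path(dirpath).name.upper() == "$RECYCLE"
        for name in filenames:
            path = Path(dirpath) / name
            if WNCRYT_NAME.match(name):      # moved, unencrypted original
                findings.append(("moved-original", path, guess_extension(path)))
            elif in_recycle:                 # hidden+system folder the malware creates
                findings.append(("recycle-original", path, guess_extension(path)))
            elif is_hidden_readonly(path):   # read-only bug: original only hidden
                findings.append(("hidden-readonly", path, "clear hidden attribute"))
    return sorted(findings, key=lambda f: str(f[1]))
```

Files in ‘important’ folders do not appear in the results because, as the researchers note, those originals are overwritten with random data before removal.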

However, there is an argument to be had that they should have avoided being infected in the first place by having up-to-date systems and computers; though in a world where budgets are often thin, this is easier said than done.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
