
Researchers Release WannaCry Decryption Tool

A group of researchers have released a tool that may be able to recover files encrypted by WannaCry, the ransomware that has infected more than 300,000 computers in 150 countries, without the victim paying a ransom.

The tool was released on Friday, a week after the initial WannaCry outbreak on 12 May.

Permanent lock

That date is significant since WannaCry's ransom note warns that files will become permanently unrecoverable if the ransom of about $300 (£230) in Bitcoin has not been paid within a week of the initial infection.

“Today (19 May) marks the 7th infection day (started on the 12th)— which means that many users would potentially lose their files forever from today as stated in the initial infection window,” wrote Dubai-based researcher Matthieu Suiche in a blog post.

Suiche worked to develop the tool with security researcher Adrien Guinet and Benjamin Delpy, who put in hours outside of his day job at the Banque de France.

It uses a technique developed by Guinet that searches the malware's process memory for the prime numbers used to generate the per-infection RSA key pair. The Windows CryptoAPI functions WannaCry calls to generate and then discard that key pair do not wipe the primes before freeing the memory they occupy, and either prime is enough to reconstruct the private key that unlocks the files.

‘Luck’ needed

But since those numbers are lost when the system is switched off, the tool, called Wanakiwi, only works if the system hasn't been rebooted since it was infected.

The prime numbers may also be overwritten as the freed memory is reused over time, causing the tool to fail, Suiche acknowledged. It also won't work if WannaCry permanently locks the files after the one-week deadline has passed, he said.
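The memory-scan idea described above, as an added example that is not Guinet's or Suiche's code: it generates a small RSA key pair standing in for a victim's per-infection key, plants one prime in a constructed buffer that stands in for the malware's process memory (stored little-endian, the layout Windows CryptoAPI uses for big integers), recovers the prime by testing each window of the buffer for divisibility against the public modulus, and rebuilds the private exponent. A second run overwrites the prime's bytes to show the failure mode Suiche describes. The 512-bit key size, the buffer layout and the sample message are assumptions made for speed and illustration.

```python
import math
import random

# Small RSA parameters for speed; the real ransomware used a much larger key.
# Everything here is a constructed illustration, not code from wanakiwi or wannakey.
KEY_BITS = 512
PRIME_BYTES = KEY_BITS // 16          # each prime is half the modulus: 32 bytes here
E = 65537


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; enough to confirm a candidate pulled out of memory."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def keygen(bits=KEY_BITS):
    """Return (n, e, d, p, q): the victim's public key is (n, e); the files need d."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi), p, q


def fake_process_memory(prime, seed=1):
    """Constructed stand-in for a memory dump: random junk with one prime embedded.
    CryptoAPI keeps big integers little-endian, so that is how it is planted."""
    rng = random.Random(seed)

    def junk(k):
        return bytes(rng.getrandbits(8) for _ in range(k))

    return junk(1500) + prime.to_bytes(PRIME_BYTES, "little") + junk(2000)


def scan_for_prime_factor(mem, n):
    """Slide a PRIME_BYTES window over memory; a window that divides n is a factor.
    Returns (offset, prime), or None when no factor survives in the dump."""
    for off in range(len(mem) - PRIME_BYTES + 1):
        cand = int.from_bytes(mem[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0 and is_probable_prime(cand):
            return off, cand
    return None


def recover_private_exponent(mem, n, e):
    """Rebuild d from one recovered prime; None means the dump no longer holds it."""
    hit = scan_for_prime_factor(mem, n)
    if hit is None:
        return None
    p = hit[1]
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=7):
    """Returns (recovered_key_works, recovery_fails_after_overwrite)."""
    random.seed(seed)                          # reproducible constructed key pair
    n, e, d, p, q = keygen()
    mem = fake_process_memory(p)
    d_rec = recover_private_exponent(mem, n, e)
    m = 0xC0FFEE                               # stands in for an RSA-wrapped file key
    works = d_rec == d and pow(pow(m, e, n), d_rec, n) == m
    # Simulate the freed pages being reused: the prime's bytes get overwritten.
    wiped = bytearray(mem)
    wiped[1500:1500 + PRIME_BYTES] = bytes(PRIME_BYTES)
    fails = recover_private_exponent(bytes(wiped), n, e) is None
    return works, fails


if __name__ == "__main__":
    print(demo())                              # expected: (True, True)
```

The divisibility test is what makes the scan tolerant of not knowing where in memory the key material sits: every window is tried, and only a genuine factor of the public modulus from the victim's key file passes. The second run shows why a reboot or heavy memory churn defeats it, since once the prime's bytes are gone there is nothing left to find.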

“You need some luck for this to work and so it might not work in every case,” wrote Guinet in describing the WannaKey key-recovery tool upon which Wanakiwi is based.

That said, Wanakiwi has been successfully tested on every affected Windows version from XP to 7, including Windows Server 2003, Vista and Windows Server 2008, according to Suiche.

Europol confirmed on Twitter its European Cybercrime Centre had tested the tool and found it “to recover data in some circumstances”.

Delpy told Reuters he had been contacted by banking, energy and government intelligence agencies from European countries and India for the fix.

While WannaCry made its initial impact more than a week ago, Suiche said his firm is continuing to see new systems hit.

“The infection wave is far from being over,” he wrote.

Windows 7 infections

More than 97 percent of WannaCry infections affected Windows 7, according to Kaspersky Lab, contrary to initial fears that organisations such as the NHS had made themselves vulnerable by relying on outdated Windows XP systems.

The findings varied according to different methods employed by various security firms, but security ratings firm BitSight also found 67 percent of infections had hit Windows 7, according to Reuters.

Researchers also disclosed that unlike most ransomware variants, WannaCry doesn’t seem to have spread via malicious email attachments, with a number of security firms saying they were unable to find a single infected email message.

Instead, researchers said it appears to have spread by scanning for reachable SMB services (TCP port 445) and using EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation that Microsoft had patched in March as MS17-010, to gain code execution on unpatched hosts.

SMB exploit

It then used DoublePulsar, a second leaked NSA tool (a kernel-mode backdoor that EternalBlue installs), to load the ransomware on each compromised host, according to Malwarebytes.

“The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems allowing for the exploitation of the system,” the firm said in an advisory. “The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445.”

Both EternalBlue and DoublePulsar were allegedly developed by the NSA before being leaked to the public by a hacking group called Shadow Brokers.

Malwarebytes advised users to install patches promptly and to turn off protocols such as SMB (SMBv1 in particular) where they are not needed.
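The propagation pattern described in this section, as an added example that is not code from Malwarebytes or any of the researchers quoted: a short Python script run over constructed firewall log lines that flags the two things a defender would look for, an internal host fanning out to many neighbours on TCP 445 (worm-style scanning) and SMB reachable from outside the internal address ranges (the exposed ports the worm hunted for). The log format, the addresses, the internal ranges and the fan-out threshold are all assumptions; no real firewall output is used.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format and sample lines; not real firewall output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
# Assumed internal ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445

SAMPLE_LOG = (
    # One internal host sweeping a /24 on port 445: worm-style lateral scanning.
    [f"2017-05-12T10:01:{i:02d}Z src=10.0.0.5 dst=10.0.1.{i} dport=445 proto=tcp action=allow"
     for i in range(1, 41)]
    # Ordinary file-share use: one client talking to one server, repeatedly.
    + [f"2017-05-12T10:02:{i:02d}Z src=10.0.0.9 dst=10.0.2.2 dport=445 proto=tcp action=allow"
       for i in range(0, 5)]
    # Unrelated HTTPS traffic that should be ignored.
    + ["2017-05-12T10:03:00Z src=10.0.0.9 dst=10.0.2.3 dport=443 proto=tcp action=allow"]
    # An external address reaching an internal host on 445 and being allowed: SMB is exposed.
    + ["2017-05-12T10:04:00Z src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp action=allow",
       "2017-05-12T10:04:01Z src=203.0.113.7 dst=10.0.0.6 dport=445 proto=tcp action=deny"]
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines, fanout_threshold=10):
    """Flag (a) internal sources touching at least fanout_threshold distinct hosts
    on 445 and (b) allowed connections from outside the internal ranges to 445."""
    fanout = defaultdict(set)
    exposed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != SMB_PORT:
            continue
        if is_internal(rec["src"]):
            fanout[rec["src"]].add(rec["dst"])
        elif is_internal(rec["dst"]) and rec["action"] == "allow":
            exposed.add((rec["src"], rec["dst"]))
    scanners = {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= fanout_threshold}
    return {"scanners": scanners, "exposed": sorted(exposed)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The fan-out count deliberately ignores the "allow"/"deny" verdict: a scanning host generates the same signature whether or not the firewall lets each attempt through, and denied attempts are often the first evidence. In production the distinct-destination count should be computed per time window rather than over the whole file, otherwise a backup server that legitimately reaches every host over a month looks like a worm.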


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
