The WannaCry developers are trying to mount another assault, but the good news is that security mavens have created tools to decrypt files encrypted by the ransomware.
Since researcher Marcus Hutchins (aka MalwareTech) registered a (previously non-existent) killswitch domain for the malware and stopped its assault, the domain has been under attack by Mirai-powered botnets.
That domain has been hit with repeated and increasingly bigger attacks, but the attackers haven’t yet managed to knock it offline.
Hutchins said these attackers and the WannaCry attackers are not the same group. In fact, he said the former are just in it “to cause mayhem for their own entertainment.”
Now, however, researcher Adrien Guinet has created a tool that recovers the prime numbers of the RSA private key used by the ransomware. These numbers then had to be recomputed into the decryption key through other means.
Wannakey, as he called the tool, was initially thought to work only on Windows XP computers, and only if certain conditions are met (the compromised machine hasn’t been rebooted, and its memory hasn’t been rewritten).
But subsequent testing revealed that the Microsoft Cryptographic Application Programming Interface (CryptoAPI) flaw that allows this approach is not limited to Windows XP: it also exists in Windows 7, and possibly in all Windows versions in between (Windows 2003, Vista, 2008 and 2008 R2).
So, researchers Matt Suiche and Benjamin Delpy created wanakiwi, a complete tool that uses Guinet’s methodology to retrieve the primes from memory and their own findings about the malware to reconstruct the decryption key.
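The recovery idea described above (find a leftover RSA prime in the process memory, then recompute the private key from it), as an added illustration that is not code from the article, wannakey or wanakiwi. It assumes the prime survives in memory as a fixed-width little-endian integer and that the public modulus n and exponent e are known from the ransomware's public key; the key sizes and the memory dump are constructed for the demo.

```python
# Added example, not the tools' own code. Assumptions: one RSA prime is still
# present in the dump as a fixed-width little-endian integer, and n and e are
# known from the ransomware's public key.
import random

# Constructed demo key: two known Mersenne primes, much smaller than real
# ransomware keys, so the example runs instantly in pure Python.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PRIME_WIDTH = 16  # bytes per candidate window (128 for a 2048-bit RSA key)


def build_fake_dump(prime, size=4096, offset=1234, seed=7):
    """Constructed stand-in for a process memory dump: random filler with one
    leftover prime embedded at a known offset (the leak the article mentions)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + PRIME_WIDTH] = prime.to_bytes(PRIME_WIDTH, "little")
    return bytes(buf)


def find_prime_in_memory(dump, n, width=PRIME_WIDTH):
    """Slide a window over the dump; any window value that divides n is one of
    the key's primes (n has no other non-trivial divisors), so no primality
    test is needed. Returns (offset, prime) or None."""
    for off in range(0, len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """Recompute the private exponent from one recovered prime:
    q = n / p, phi = (p - 1)(q - 1), d = e^-1 mod phi."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return d, q


def roundtrip_ok(n, e, d, m):
    """Check that the rebuilt key really inverts textbook RSA encryption."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    off, p = find_prime_in_memory(build_fake_dump(P), N)
    d, q = rebuild_private_key(N, E, p)
    print(f"prime at offset {off}; roundtrip ok: {roundtrip_ok(N, E, d, 123456789)}")
```

Once the ransomware process exits or the pages are reused, the window scan finds nothing, which is exactly why the tools require an un-rebooted machine with the process still alive.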
More technical details about how wanakiwi works are in Suiche’s blog post. The tool works on all Windows versions from Windows XP to Windows 7.
Like Wannakey before it, wanakiwi will only work if the victim hasn’t restarted the infected system and hasn’t killed the ransomware process (wnry.exe or wcry.exe).
Malwarebytes’ Adam Kujawa provided instructions on how to use it.