
Wanadecrypt allows files to be recovered from Windows XP PCs infected by WannaCry without paying the ransom

A security researcher has developed a tool called Wanadecrypt that can restore encrypted files on Windows XP PCs infected by the WannaCry ransomware.

The WannaCry ransomware made the headlines with the massive attack that hit systems worldwide over the weekend.

The malicious code infected more than 200,000 computers across 150 countries in a matter of hours. It spreads by leveraging the EternalBlue exploit against the Windows SMBv1 service to compromise unpatched systems and computers running unsupported versions of Windows.

Microsoft took the unprecedented decision to issue security patches for Windows Server 2003 and Windows XP in order to protect its customers.

Now there is good news for the owners of some Windows XP computers that were infected by the WannaCry ransomware: they may be able to decrypt their data without paying the ransom ($300 to $600).

Quarkslab researcher Adrien Guinet has published the software, called Wanadecrypt, that he used to recover the decryption key required to restore the files on an infected XP computer. The expert successfully tested Wanadecrypt on a small number of infected XP computers, but it is not clear whether the technique works on every PC.

Some experts downplayed the discovery because few Windows XP computers were hit by the massive WannaCry attack. Still, Guinet's method could be helpful to XP users hit in other attacks.

“This software has only been tested and known to work under Windows XP,” he wrote in a readme note issued with the software. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

Another well-known expert, Matt Suiche, reported that he was not able to get Guinet's WannaKey tool to work.

The WannaCry ransomware uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI) included with Windows to implement most of its encryption features.

Once the key pair has been created, the API is expected to erase the private key material from memory on most versions of Windows, but Guinet found that on Windows XP the implementation frees the memory without wiping it.

This means the prime numbers used to generate the WannaCry RSA key may remain in the memory of the infected process until the machine is rebooted or that memory is reused, and Wanadecrypt can search for them there and rebuild the private key.

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” Guinet wrote.
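The following is an added example of the recovery idea described above; it is illustrative code written for this page, not Guinet's Wanadecrypt/WannaKey. It assumes what the tool relies on: the public modulus N is available on disk, one of the two RSA primes survives little-endian in a process memory dump, and each encrypted file carries a per-file key wrapped with the victim's RSA public key. The memory dump, the 256-bit key (WannaCry uses RSA-2048 with 1024-bit primes) and the per-file key are constructed for the demo. A memory window is a prime exactly when it divides N, so scanning the dump for such a window recovers p, and q = N / p gives the full private key.

```python
# Added example (not Guinet's wannakey/Wanadecrypt code): scan a constructed
# "memory dump" for an RSA prime that divides the public modulus, rebuild the
# private key from it, and unwrap a constructed per-file key.  Key size and
# memory layout are assumptions made for the demo.
import math
import random

E = 65537  # RSA public exponent; CryptoAPI's default value


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test; rng supplies the witnesses."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(prime_bits=128, seed=7):
    """Constructed victim key pair (deterministic via seed): returns (n, p, q)."""
    rng = random.Random(seed)
    while True:
        p = gen_prime(prime_bits, rng)
        q = gen_prime(prime_bits, rng)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q, p, q


def build_memory_dump(p, prime_bytes, seed=11):
    """Constructed 'process memory': random noise with p embedded little-endian,
    the byte order CryptoAPI uses for big integers in memory."""
    rng = random.Random(seed)

    def noise(k):
        return bytes(rng.getrandbits(8) for _ in range(k))

    return noise(300) + p.to_bytes(prime_bytes, "little") + noise(200)


def search_primes(dump, n, prime_bytes):
    """Slide a prime-sized window over the dump; a window is one of the primes
    iff it divides n.  Returns [(offset, value), ...]."""
    hits = []
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if cand > 1 and n % cand == 0:
            hits.append((off, cand))
    return hits


def rebuild_private_key(n, e, p):
    """Derive the full CRT private key from n, e and one recovered prime."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse; needs Python 3.8+
    return {"p": p, "q": q, "d": d, "dp": d % (p - 1), "dq": d % (q - 1),
            "qinv": pow(q, -1, p)}


def recover_file_key(seed=7):
    """End-to-end demo.  Returns (file_key_recovered, hit_count, first_offset)."""
    prime_bytes = 16
    n, p, q = make_keypair(prime_bits=8 * prime_bytes, seed=seed)
    file_key = 0x0123456789ABCDEF0123456789ABCDEF   # constructed per-file key
    wrapped = pow(file_key, E, n)                    # as it would sit in a file header

    dump = build_memory_dump(p, prime_bytes)
    hits = search_primes(dump, n, prime_bytes)
    if not hits:
        return False, 0, -1                          # memory reused: out of luck
    priv = rebuild_private_key(n, E, hits[0][1])
    return pow(wrapped, priv["d"], n) == file_key, len(hits), hits[0][0]


if __name__ == "__main__":
    print(recover_file_key())
```

The "luck" Guinet refers to is the `if not hits` branch: once the freed pages are reallocated and overwritten, no window divides N and nothing can be rebuilt, which is why an infected machine should not be rebooted before the scan.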

Anyone whose XP computer has been infected by WannaCry and who wants to try decrypting the files should avoid restarting it. The researcher is now working to extend his results to other operating systems.

UPDATE

The technique devised by Adrien Guinet allows the secret encryption keys used by the WannaCry ransomware to be retrieved for free; it works on Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.

Security researcher Benjamin Delpy developed another tool, called WanaKiwi, that not only retrieves the prime numbers from memory but also automates the whole decryption process for the WannaCry-encrypted files.

WanaKiwi works on Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008, as explained by Matt Suiche of security firm Comae Technologies.

Below a video that shows the tool in action:


Pierluigi Paganini

(Security Affairs – WannaCry attack, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
