Quarkslab security researcher Adrien Guinet has released a tool named 'WannaKey' that recovers the private RSA key of the WannaCry ransomware from memory and lets an infected user decrypt their files without paying the ransom. At present, the tool has only been confirmed to work on Windows XP.
HOW IT WORKS
When the ransomware infects a victim's computer, it generates an RSA key pair (a public and a private key, derived from two large prime numbers) through the Windows CryptoAPI. The public key protects the keys that encrypt the victim's files; only the matching private key can reverse that. Once the files are encrypted, the ransomware removes the private key from the system so that the victim cannot decrypt anything on their own and is left with paying the ransom as the only way to retrieve the encrypted files.
But there is a loophole. The researcher found that WannaCry does not erase the prime numbers from memory before freeing the memory that held them. WannaKey therefore searches the memory of the running ransomware process for those primes and uses them to rebuild the private key, repeating the same computation the ransomware performed when it generated the key. At present, the tool has only been confirmed to work on Windows XP.
"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory," says the researcher.
"In order to work, your computer must not be rebooted after it was infected. Also note that you need some luck for this to work and so it might not work in every case!" he adds.
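The recovery described above, as an added example written for this page (it is not WannaKey or WanaKiwi code): it generates a small RSA key pair the way the ransomware does, stores one of the primes in little-endian form (the layout the Windows CryptoAPI uses for key material) inside a constructed byte buffer that stands in for the memory of the wcry.exe process, scans that buffer for a value of the right size that divides the public modulus, rebuilds the private exponent from it and uses that to unwrap a constructed per-file key. In the real tools the modulus comes from the public key WannaCry leaves on disk (00000000.pky) and the buffer is the live process memory; the 128-bit primes, the 4 KiB buffer and the fixed seed are assumptions chosen to keep the run fast. The last step zeroes the prime and scans again, which is what a reboot or reuse of that memory does to the attack and why the tool needs "some luck".

```python
"""Memory-scan recovery of an RSA private key from a leaked prime.

Example code for this article; not Quarkslab's WannaKey or Delpy's WanaKiwi.
Key size, buffer size and seed are assumptions chosen for a fast, deterministic run.
"""
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; 'rng' supplies the witness bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_rsa(prime_bits, rng, e=65537):
    """Return (p, q, n, e, d): the per-victim key pair the ransomware would create."""
    while True:
        p, q = gen_prime(prime_bits, rng), gen_prime(prime_bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p, q, p * q, e, pow(e, -1, phi)


def build_fake_memory(prime, prime_bytes, rng, size=4096):
    """Constructed stand-in for process memory: random filler with the prime
    left behind, little-endian, at a random offset (the freed-but-not-wiped buffer)."""
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    offset = rng.randrange(0, size - prime_bytes)
    mem[offset:offset + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return mem, offset


def scan_for_factor(mem, n, prime_bytes):
    """Slide a prime-sized window over memory; a value that divides the public
    modulus n is one of its primes. Returns (factor, offset) or None."""
    for off in range(len(mem) - prime_bytes + 1):
        cand = int.from_bytes(mem[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None


def recover_private_exponent(n, e, factor):
    """One prime plus the public modulus is enough to rebuild d."""
    other = n // factor
    return pow(e, -1, (factor - 1) * (other - 1))


def wipe(mem, offset, length):
    """Model the memory being reused or the machine rebooted: the prime is gone."""
    wiped = bytearray(mem)
    wiped[offset:offset + length] = b"\x00" * length
    return wiped


def run_demo(seed=1, prime_bits=128):
    rng = random.Random(seed)
    prime_bytes = prime_bits // 8
    p, q, n, e, d = generate_rsa(prime_bits, rng)
    # Constructed per-file key, wrapped with the public key as the ransomware does.
    file_key = rng.getrandbits(prime_bits)
    wrapped = pow(file_key, e, n)
    mem, offset = build_fake_memory(p, prime_bytes, rng)
    hit = scan_for_factor(mem, n, prime_bytes)
    result = {"p": p, "q": q, "d": d, "file_key": file_key, "hit": hit,
              "recovered_d": None, "unwrapped_key": None}
    if hit is not None:
        d_rec = recover_private_exponent(n, e, hit[0])
        result.update(recovered_d=d_rec, unwrapped_key=pow(wrapped, d_rec, n))
    # After the prime's memory has been overwritten there is nothing to find.
    result["after_wipe"] = scan_for_factor(wipe(mem, offset, prime_bytes), n, prime_bytes)
    return result


if __name__ == "__main__":
    r = run_demo()
    print("prime found:", r["hit"] is not None,
          "| file key unwrapped:", r["unwrapped_key"] == r["file_key"],
          "| found after wipe:", r["after_wipe"] is not None)
```

The scan only needs one prime, because the modulus is public and the second prime is just a division away; the real tools read the live process with ReadProcessMemory instead of a constructed buffer, but the divisibility check is the whole trick.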
Another researcher, Benjamin Delpy, built a second decryption tool, 'WanaKiwi', on top of the Quarkslab discovery.
WanaKiwi automates the whole process: after downloading it from GitHub, the user runs it from the command line on the infected machine, and it recovers the key from memory and decrypts the files. It works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, under the same constraint as WannaKey: the machine must not have been rebooted since infection and the memory that held the primes must not have been reused, because the key is rebuilt from what is still in the ransomware process's memory.