Wanakiwi tool decrypts WannaCry files across all Windows versions

May 22, 2017 | 11:40

Tags: #encryption #insecurity #malware #ransomware #security #vulnerability #wannacry #wannacrypt #wanna-decryptor #wannakey #windows

Companies: #adrien-guinet #benjamin-delpy

Those currently suffering from the still-spreading WannaCry ransomware and who have yet to reboot their systems have a program to try in order to recover their files: wanakiwi, which has been tested as effective across all vulnerable Windows releases.

Released into the wild earlier this month to devastating effect, the WannaCry ransomware - also known under names including WannaCrypt, Wanna Decryptor, and WCry - exploits a vulnerability leaked from the US National Security Agency's trove of zero-days and at the time affecting all Windows releases from Windows XP upwards bar a fully-patched Windows 10 installation. Like previous ransomware packages, WannaCry works silently in the background to use Windows' built-in file encryption tools to scramble personal documents and other data before popping up a demand for payment - $300 in its original release, upgraded to $600 as its authors got greedier - in order to release the decryption key.

Last week, developer Adrien Guinet discovered that a handy vulnerability in Windows' file encryption subsystem was not properly removing the private key used for the encryption from memory, and worked to turn that vulnerability into a tool capable of pulling the private key and transforming it into a format suitable for decrypting affected files without paying the ransom. Sadly, the program had two main caveats: It can only operate if the system has been recently infected and not rebooted since, and it was only effective on Windows XP. With the majority of systems affected being Windows 7, rather than Windows XP, that left a lot of users out of luck.

Developers Benjamin Delpy and Matt Suiche have now expanded on Guinet's work with wanakiwi, a revised version of the tool which is capable of recovering the keys from memory on all currently tested versions of Windows. The program now also includes a built-in version of wanadecrypt, meaning it can both recover the key and use it to decrypt the files automatically - making it easier for less technically adept victims to operate as a means of recovering their files. Sadly, the tool still has one major flaw: If the system has been rebooted since infection, the private key has already been removed from memory and cannot be recovered.

Compiled binaries of the open-source decryption tool are available via GitHub now.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04