Developer releases WannaCry key-recovery tool for Windows XP

May 19, 2017 | 10:29

Tags: #decryption #encryption #insecurity #malware #ransomware #security #wannacry #wannacrypt #wanna-decryptor #wannakey #windows #windows-xp

Companies: #adrien-guinet #microsoft

Developer Adrien Guinet has published a program which can decrypt files locked by the WannaCry ransomware, with a couple of major catches to its use: It's only compatible with Windows XP, and if the system has been rebooted since infection it won't work.

WannaCry - also known as WannaCrypt and Wanna Decryptor - made headaches for system administrators the world over this past weekend when it exploited a vulnerability in all Windows operating systems bar a fully up-to-date Windows 10 to infect hundreds of thousands of machines and encrypt their files. To decrypt the files, users were told, a payment of $300 - upped to $600 in a subsequent release of the malware - must be made to its creators' Bitcoin wallet.

Microsoft was quick to respond to the attack, releasing an emergency patch which closed the exploited vulnerability on all operating systems - including the long-out-of-support Windows XP - while simultaneously blaming the US National Security Agency for having discovered the vulnerability but not informing Microsoft in order for it to be fixed only to have the vulnerability made public when the NSA itself was attacked and a cache of its exploit software and related documents stolen.

For those infected by the ransomware and without unaffected backups, there is hope: Developer Adrien Guinet has released a tool which is capable of recovering the private key used to encrypt files on an infected system, allowing the contents of the files to be decrypted without paying the ransom demanded by WannaCry's creators.

Dubbed WannaKey, the tool exploits an unpatched security hole in Windows XP - one of the operating systems most badly affected by WannaCry thanks to its relatively widespread use and long-expired support contracts - which fails to clear the private key from memory when the platform's built-in encryption tool is used. Providing that the malware process is still running and the system hasn't been rebooted since encryption began, Guinet explains, the tool has a chance of discovering the private key. This key can then be fed to a separate tool, Wanafork, to decrypt the files.

Guinet's open-source tool is available from GitHub now, though users on other operating systems or for whom the tool does not work are advised to wipe their systems and take the resulting loss of data as a reminder to implement a proper backup procedure.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04