Blog has moved, searching new blog...

Friday, 19 May 2017

Windows XP hit by WannaCry ransomware? New tool discover to decrypt your infected files



French security researcher Adrien Guinet has figured out a way to decrypt files locked by the infamous WannaCry ransomware.

Windows XP wasn't vulnerable to the WannaCry worm but still could be infected with the ransomware. Now there's a tool to decrypt Windows XP machines attacked.

 
Guinet has published a free tool, dubbed Wanna key,,that retrieves the private RSA key used by WannaCry, aka WCry or WannaCrypt, to encrypt files. The other, ill-advised method is to pay the WannaCry attackers $300 in bitcoin. 

There are several caveats, though. It only works for Windows XP and only if the machine has not been rebooted after the infection. The tool searches for the prime numbers of the private key in wcry.exe, the process responsible for generating WannaCry's private key, which will remain in memory until a reboot occurs. 

As Guinet explains on the Wannakey's GitHub page, WannaCry's authors used the Windows Crypto application protocol interface (API) properly. However, Microsoft designed the API's functions CryptDestroyKey and CryptReleaseContext so as "not to erase the prime numbers from memory before freeing the associated memory". 

The recovery technique doesn't work in Windows 10 because it does erase that memory, while Windows XP does not.

If you are lucky, that is the associated memory hasn't been reallocated and erased, these prime numbers might still be in memory. That's what this software tries to achieve.
 
The tool may be helpful for XP users infected with WannaCry, but a similar tool for Windows 7 is likely to have a bigger impact at sites such as the UK NHS hospitals that were hit hard by the recent ransomware attack. 

As security researcher  WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network. 

So WannaCrypt can lock up Windows XP files, but XP PCs were not vulnerable to the NSA's worm-like spreading mechanism, which exploited a flaw in Microsoft's network file-sharing protocol.


No comments:

Post a Comment