Security News WannaCry Decryption Tools Released; Unlock Files Without Paying Ransom

Parsh
Thread author
Dec 27, 2016
Since Friday, more than three lakh computers in over 150 countries have been in the grip of the WannaCry attack, with their workstations locked for ransom.
While the famous variant is still attacking the unpatched PCs around the world, some hope can be seen now with the release of decryption tools.


WannaCry Ransomware Decryption Keys


WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers: a "public" key and a "private" key for encrypting and decrypting the system's files respectively.

To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving the victims no way to retrieve the decryption key except paying the ransom to the attacker.

But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, WannaKey, that basically tries to retrieve from memory the two prime numbers used in the formula to generate the encryption keys.

"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

So that means this method will work only if:
  • The affected computer has not been rebooted after being infected.
  • The associated memory has not been allocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!" Guinet says.

"This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API."

Since WannaKey only pulls the prime numbers from the memory of the affected computer, the tool can only be used by those who can use those prime numbers to generate the decryption key manually and decrypt their WannaCry-infected PC's files.


WanaKiwi: WannaCry Ransomware Decryption Tool

Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won't work for every user due to its dependencies, still it gives some hope to WannaCry's victims of getting their locked files back for free even from Windows XP, the aging, largely unsupported version of Microsoft's operating system.
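The recovery idea described above, as an added example that is not code from WannaKey, WanaKiwi or the article quoted in this post: given the public modulus n (in the real case taken from the victim's public key file) and a memory buffer in which the primes may have survived, scan the buffer for an integer that divides n, then rebuild the RSA private exponent from the recovered prime. The memory buffer, key sizes and little-endian layout are constructed assumptions for the demonstration; the 64-bit primes are far smaller than a real key so the script runs instantly.

```python
"""Recover an RSA private key from a prime left behind in freed memory.

Added example, not the WannaKey/WanaKiwi source. Assumptions: the public
modulus n is known (as it is on an infected machine), one of the primes is
still present in a memory buffer as a little-endian integer (the layout the
Windows Crypto API key blobs use), and the public exponent is 65537.
"""
import random

E = 65537  # public exponent assumed for the demonstration


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits with gcd(p-1, E) == 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % E != 0 and is_probable_prime(cand, rng):
            return cand


def find_prime_factor_in_memory(buf, n, width):
    """Scan `buf` at every byte offset for a `width`-byte little-endian
    integer that is a non-trivial factor of n. Returns (offset, p) or None.
    This is the check that makes memory carving reliable: a random window
    almost never divides n, so a hit is the prime itself."""
    for off in range(len(buf) - width + 1):
        cand = int.from_bytes(buf[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """Given n = p*q and one prime p, derive q and the private exponent d."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return d


def demo():
    """Plant a prime in constructed noise, carve it out, and prove the
    rebuilt key decrypts. Returns a dict with the hit offset and result."""
    rng = random.Random(1234)  # deterministic so the run is reproducible
    p = gen_prime(64, rng)
    q = gen_prime(64, rng)
    n = p * q
    width = 8
    # Constructed "process memory": random bytes with p planted at offset 100.
    noise = bytes(rng.getrandbits(8) for _ in range(256))
    buf = noise[:100] + p.to_bytes(width, "little") + noise[100:]
    hit = find_prime_factor_in_memory(buf, n, width)
    if hit is None:
        return {"offset": None, "p": None, "ok": False}
    off, p_found = hit
    d = rebuild_private_key(n, E, p_found)
    m = 0x1234
    c = pow(m, E, n)
    return {"offset": off, "p": p_found, "ok": pow(c, d, n) == m}


if __name__ == "__main__":
    print(demo())
```

The divisibility check is what makes this safe to run over arbitrary memory: unlike carving by byte pattern, a candidate is accepted only if it actually factors the public modulus, so the only way the scan fails is the one the thread describes, namely that the prime was already overwritten or the machine was rebooted.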

Parsh
Thread author
Dec 27, 2016
Also, Qihoo 360 security has released a Wannacry decryption tool that was shared by @Captain Awesome here today.
Direct download link: https://360totalsecurity.com/s/ransomrecovery/
Note: In some cases this tool cannot recover files completely because the files may have been severely damaged by the ransomware. It may depend on how long it has been since infection and on the number of encrypted files.

Hence, this tool by Qihoo can be useful if the above ones seem to be infeasible or fail to work, and vice versa.
Avoid paying ransom in the first place since there are no stats guaranteeing that people get their files back. Backup!

jamescv7
Mar 15, 2011
Good thing that it released the decrypt tool as soon as possible.

The strains of ransomware are so identical to each other that the possibility of decryptors was at high stake.

It needs a thorough analysis and investigation.

I'm also not infected, considering that the prevalence rate of ransomware in a country like the Philippines is low.
 

Ainger
May 21, 2017
Hello! I'm wondering if anyone had the same problem or knows what could cause it.

After I had deleted the virus from my computer and closed the 445 port, I launched 360 RansomRecovery. It found all the encrypted files, and I chose the disk I wanted to recover, but soon noticed that the program was decrypting ALL of the files, including those I didn't really need. However, it worked — the files it's processed came back to life.

But recovering all the files would take forever, so I decided to delete everything I didn't need first — movies, games, etc. After I did this and launched RansomRecovery again, it failed to find any encrypted files. It just says "Scanning the entire disk to find files that need recovery, please wait..." and never finds anything. I tried to leave it at that for a whole night — nothing.

What could cause this problem? I didn't touch any system files, only deleted some regular files I didn't need and folders with games.
 

Parsh
Thread author
Dec 27, 2016
> Ainger said:
> Hello! I'm wondering if anyone had the same problem or knows what could cause it.
>
> After I had deleted the virus from my computer and closed the 445 port, I launched 360 RansomRecovery. It found all the encrypted files, and I chose the disk I wanted to recover, but soon noticed that the program was decrypting ALL of the files, including those I didn't really need. However, it worked — the files it's processed came back to life.
>
> But recovering all the files would take forever, so I decided to delete everything I didn't need first — movies, games, etc. After I did this and launched RansomRecovery again, it failed to find any encrypted files. It just says "Scanning the entire disk to find files that need recovery, please wait..." and never finds anything. I tried to leave it at that for a whole night — nothing.
>
> What could cause this problem? I didn't touch any system files, only deleted some regular files I didn't need and folders with games.
It's disappointing to know that, Ainger!
I tried running the tool twice on my (clean) computer just to check if it has problems when scanning repeatedly. It is working fine.
To give us an idea, did you reboot your machine before or after using the tool (especially after)? If you haven't, please do NOT reboot.

Since things are not technically indicative of something comprehensible, I suggest you try out the following 3 ways:
  1. Download the Recovery Tool again and run it (and make sure nothing is blocking its access).
  2. Create a new Doc file in any affected location and append the extension created by the ransomware, say 'WNCRY'. So, rename that new Doc file from 'abc.doc' to 'abc.doc.WNCRY'. Now, run the scan with the re-downloaded tool again. (All this just to rule out a technical fault, in case the tool is having problems dealing with the same set of files, i.e. if all the same encrypted files are scanned and detected again from the previous scan list for some buggy reason.)
  3. If the tool extracts the decryption keys from the memory of your PC, unfortunately, copying your important encrypted files to another machine and running the recovery tool won't help. But if this tool works like some other tools that help to decrypt files irrespective of the keys and other data, this method can help. First just make sure that the malware isn't running.
If the above 3 steps didn't help, I am afraid that the OTHER TWO TOOLS, namely 'WanaKiwi' or 'WannaKey', are your only options; try them preferably in the same order, whichever works. Good luck!
 

Ainger
May 21, 2017
Answer from 360 Total Security:

"According to your description, you might not be able to open the recovery tool again due to unexpected termination while it was running the recovery process.
Closing the process before the whole recovery completes will lead to the damage of some critical data that are required by the tool to run the recovery process.
Unfortunately the recovery process can not be conducted twice once the failure happens.
We are sorry for the inconvenience:("
 

Parsh
Thread author
Dec 27, 2016
> Ainger said:
> Answer from 360 Total Security:
>
> "According to your description, you might not be able to open the recovery tool again due to unexpected termination while it was running the recovery process.
> Closing the process before the whole recovery completes will lead to the damage of some critical data that are required by the tool to run the recovery process.
> Unfortunately the recovery process can not be conducted twice once the failure happens.
> We are sorry for the inconvenience:("
I do not understand why the tool can't function again if the PC hasn't been rebooted.
Maybe some critical data is temporarily stored and used during the first recovery, and that got damaged and unfortunately cannot be regenerated or re-extracted.
@Ainger giving the other two tools especially WanaKiwi a try?
 

Winter Soldier
Feb 13, 2017
> Ainger said:
> Answer from 360 Total Security:
>
> "According to your description, you might not be able to open the recovery tool again due to unexpected termination while it was running the recovery process.
> Closing the process before the whole recovery completes will lead to the damage of some critical data that are required by the tool to run the recovery process.
> Unfortunately the recovery process can not be conducted twice once the failure happens.
> We are sorry for the inconvenience:("
I have already heard these words: "you do not understand how our software works".
This could be the ace up the sleeve for some vendors.
If the software works then the merit is theirs, otherwise it is your fault...
 

Parsh
Thread author
Dec 27, 2016
> Winter Soldier said:
> Already heard these words "you do not understand how our software works"
> This could be the ace in the sleeve for some vendors.
> If the software works then the merit is for them, otherwise it is your fault...
That you will be able to run the tool successfully only once for recovery like this is a crucial thing to be mentioned, if not as an issue, then as a shortcoming of the method the tool uses. A lot of folks using this tool may think just like Ainger: restart the scan and recovery for only the critical data... and you lose again!
The case with Ainger was that the tool apparently was recovering files, but a rerun led to the wheel spinning backwards and then failing.
 

tryfon
May 13, 2017
School computers that were infected were just wiped. None had any important information on them and were just dedicated to student use.
 