Wannacry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom

If your PC has been infected yesteryear WannaCry – the ransomware that wreaked havoc across the earth concluding Fri – you lot powerfulness survive lucky to become your locked files dorsum without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French safety researcher from Quarkslab, has discovered a way to call back the clandestine encryption keys used yesteryear the WannaCry ransomware for free, which industrial plant on Windows XP, Windows 7, Windows Vista, Windows Server 2003 as well as 2008 operating systems.

WannaCry Ransomware Decryption Keys

The WannaCry's encryption scheme industrial plant yesteryear generating a twosome of keys on the victim's figurer that rely on prime numbers, a "public" substitution as well as a "private" substitution for encrypting as well as decrypting the system’s files respectively.

To preclude the victim from accessing the mortal substitution as well as decrypting locked files himself, WannaCry erases the substitution from the system, leaving no selection for the victims to call back the decryption substitution except paying the ransom to the attacker.

But here's the kicker: WannaCry "does non erase the prime numbers from retention earlier freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to call back the ii prime numbers, used inward the formula to generate encryption keys from memory, as well as industrial plant on Windows XP only.

Note: Below I cause got also mentioned approximately other tool, dubbed WanaKiwi, that industrial plant for Windows XP to Windows 7.

"It does as well as hence yesteryear searching for them inward the wcry.exe process. This is the procedure that generates the RSA mortal key. The primary number is that the CryptDestroyKey as well as CryptReleaseContext does non erase the prime numbers from retention earlier freeing the associated memory." says Guinet

So, that means, this method volition piece of job alone if:

• The affected figurer has non been rebooted afterward existence infected.
• The associated retention has non been allocated as well as erased yesteryear approximately other process.

"In lodge to work, your figurer must non cause got been rebooted afterward existence infected. Please also banker's complaint that you lot ask approximately luck for this to piece of job (see below), as well as and hence it powerfulness non piece of job inward every case!," Guinet says.

"This is non actually a error from the ransomware authors, every bit they properly locomote the Windows Crypto API."

While WannaKey alone pulls prime numbers from the retention of the affected computer, the tool tin alone survive used yesteryear those who tin locomote those prime numbers to generate the decryption substitution manually to decrypt their WannaCry-infected PC’s files.

WanaKiwi: WannaCry Ransomware Decryption Tool

Good tidings is that approximately other safety researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole procedure of the WannaCry-infected file decryption.

All victims cause got to create is download WanaKiwi tool from Github as well as run it on their affected Windows figurer using the ascendancy draw (cmd).

WanaKiwi industrial plant on Windows XP, Windows 7, Windows Vista, Windows Server 2003 as well as 2008, confirmed Matt Suiche from safety trouble solid Comae Technologies, who has also provided approximately demonstrations showing how to locomote WanaKiwi to decrypt your files.

Although the tool won't piece of job for every user due to its dependencies, nevertheless it gives approximately promise to WannaCry's victims of getting their locked files dorsum for gratis fifty-fifty from Windows XP, the aging, largely unsupported version of Microsoft's operating system.

Share This :