Recovering Data Encrypted by WannaCry Ransomware

Is data still recoverable after being hit by WannaCry ransomware? The answer is yes and no. If the infected computer has been rebooted since the infection, the key material this method depends on is gone from memory and the data cannot be recovered this way. If it has not been rebooted, you may be in luck.

A French security researcher, Adrien Guinet, has found a way to decrypt data encrypted by WannaCry by recovering, from the infected machine's memory, the RSA private key the ransomware used.

But there is a catch: it only works on Windows XP machines that have not been rebooted since infection. “You need some luck for this to work,” Adrien Guinet warns.

The tool is called WannaKey. Instead of looking for the private key itself, it takes a different route: it searches the memory of the WannaCry process for the two prime numbers from which the RSA private key was built. With those primes the private key can be reconstructed and used to restore the files the ransomware encrypted on the infected computer.

The reason it works on Windows XP is that the prime numbers are not cleaned up in memory there: XP's CryptoAPI leaves them in place when the associated memory is freed, whereas on Windows 7, 8 and 10 they are erased when CryptReleaseContext is triggered. This is also why the machine must not be rebooted and the WannaCry process must not be killed: the freed memory has to survive, unreused, until the tool reads it.
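The core of the technique, as an added illustration written for this page (it is not WannaKey's own source): slide a window the size of one prime over a memory image, test whether the integer under it divides the public modulus, and rebuild the private exponent from the factor found. Two assumptions that are not from the original post: the key is 1024-bit rather than WannaCry's 2048-bit so the pure-Python demo runs fast, and the "memory image" is a constructed byte string of random filler with p and q written little-endian (the CryptoAPI in-memory convention) at offsets the scanner does not know. The second scan, over an image whose prime regions were zeroed, shows the failure mode described above: once the memory has been wiped there is nothing left to find.

```python
"""Recover an RSA private key from a process memory image by locating one
of its prime factors. Added example for this page, not WannaKey's code.

Assumptions (not from the original post): a 1024-bit key instead of
WannaCry's 2048-bit one, and a constructed memory image with p and q
stored little-endian at offsets 1000 and 2500.
"""
import random
from math import gcd

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width, odd
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits, rng, e=65537):
    """Stand-in for the per-victim RSA key the ransomware generates."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p, q)


def build_memory_image(p, q, rng, size=4096, off_p=1000, off_q=2500):
    """Constructed sample image: random filler with both primes still inside."""
    plen = (max(p, q).bit_length() + 7) // 8
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[off_p:off_p + plen] = p.to_bytes(plen, "little")
    image[off_q:off_q + plen] = q.to_bytes(plen, "little")
    return bytes(image)


def wipe_region(image, off, length):
    """Simulate memory zeroed before release (or lost to a reboot)."""
    return image[:off] + b"\x00" * length + image[off + length:]


def find_prime_factor(image, n, byteorder="little"):
    """Slide a prime-sized window over the image; any proper divisor of a
    two-prime modulus is p or q, so a divisibility test is enough."""
    plen = ((n.bit_length() + 1) // 2 + 7) // 8
    for off in range(len(image) - plen + 1):
        cand = int.from_bytes(image[off:off + plen], byteorder)
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n, e, p):
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+


def demo(seed=2017):
    rng = random.Random(seed)
    (n, e), (p, q) = generate_keypair(1024, rng)
    image = build_memory_image(p, q, rng)
    plen = (p.bit_length() + 7) // 8

    off, factor = find_prime_factor(image, n)
    d = rebuild_private_exponent(n, e, factor)
    m = 0x48656C6C6F  # test plaintext to confirm the rebuilt key works
    roundtrip_ok = pow(pow(m, e, n), d, n) == m

    # Same scan after both prime regions were zeroed: nothing to recover.
    wiped = wipe_region(wipe_region(image, 1000, plen), 2500, plen)
    return {
        "offset": off,
        "factor_is_p_or_q": factor in (p, q),
        "roundtrip_ok": roundtrip_ok,
        "found_after_wipe": find_prime_factor(wiped, n) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In the real case the modulus n comes from the victim's public-key file that the ransomware leaves on disk, and the window size is derived from it, so the scanner needs nothing but that file and a memory image of the WannaCry process.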

Building on this finding, Benjamin Delpy (@gentilkiwi) went a step further and released another tool, wanakiwi, which retrieves the key not only from XP machines but from Windows 7 as well, and from the versions in between: Vista, Windows Server 2003, 2008 and 2008 R2. It also recreates the .dky private-key file that the ransomware itself expects, so the recovered key can be fed straight to WannaCry's own decryption routine; with that file in place, the malware also stops encrypting further files.

Kent Chen

Microsoft MVP, IT Professional, Developer, Geek, and the co-founder of Next of Windows.

Last updated: 05/19/2017

Posted in: Security