Is data still recoverable after being hit by WannaCry ransomware? The answer is yes and no. If your computer has been rebooted, sorry, your data is gone forever. But if it hasn't, you may be in luck.
A French security researcher, Adrien Guinet, has found a way to decrypt the data encrypted by WannaCry by retrieving the encryption key used by the ransomware.
— Adrien Guinet (@adriengnt) May 18, 2017
But there is a catch: it only works on Windows XP machines that haven't been rebooted after being infected. "You need some luck for this to work," Adrien Guinet warns.
The tool is called WannaKey. Instead of looking for the actual key, it takes a different route and recovers the prime numbers of the RSA private key used by WannaCry; from those the private key can be rebuilt and used to restore the files the ransomware encrypted on the infected computer.
It works on Windows XP because the prime numbers are not wiped from memory there, whereas on Windows 7, 8, and 10 they are erased when the associated memory is freed as CryptReleaseContext is called.
Building on this finding, Benjamin Delpy (@gentilkiwi) took it a step further and released another tool, wanakiwi, which retrieves the key not only from XP machines but from Windows 7 as well, and from any Windows version in between, such as Vista, Windows Server 2003, 2008, and 2008 R2. It also recreates the .dky file the ransomware expects from the attackers, which makes it compatible with the ransomware itself and stops WannaCry from encrypting further files.
— Matthieu Suiche (@msuiche) May 19, 2017
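The prime-recovery idea behind WannaKey and wanakiwi, as an added example (not the tools' own code): scan a memory buffer for an integer that divides the RSA public modulus, then rebuild the private exponent from that one prime. The key size and the "process memory" buffer are constructed here, and the little-endian window layout is an assumption about CryptoAPI's key-blob format.

```python
import random
from math import gcd

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; fine for a toy key."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def scan_memory_for_prime(mem, n, size_bytes):
    # Each window is read little-endian (assumed CryptoAPI layout); keep a divisor of n.
    for off in range(len(mem) - size_bytes + 1):
        cand = int.from_bytes(mem[off:off + size_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand

def rebuild_private_exponent(n, e, p):
    q = n // p  # one prime gives the other, and phi(n) gives d
    return pow(e, -1, (p - 1) * (q - 1))

def demo(bits=256, seed=7):
    rng = random.Random(seed)
    p, q, e = gen_prime(bits, rng), gen_prime(bits, rng), 65537
    while p == q or gcd(e, (p - 1) * (q - 1)) != 1:
        q = gen_prime(bits, rng)
    n = p * q
    # Constructed "process memory": junk, the freed-but-unwiped prime, junk.
    mem = rng.randbytes(40) + p.to_bytes(bits // 8, "little") + rng.randbytes(40)
    found = scan_memory_for_prime(mem, n, bits // 8)
    d = rebuild_private_exponent(n, e, found)
    return found == p and pow(pow(0xC0FFEE, e, n), d, n) == 0xC0FFEE
```

Once a process has freed and overwritten the buffer, or the machine has rebooted, the scan finds no divisor and the key is unrecoverable, which is the limitation the article describes.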