If your computer is infected with the WannaCry ransomware that wreaked havoc around the world last Friday, you may be lucky enough to get your locked files back without paying the $ 300 ransom to cybercriminals.
Adrien Guinet, a French security researcher from Quarkslab, discovered a way to recover the secret encryption keys used by ransomware for free, which works in operating systems Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.
WannaCry Ransomware decryption keys
Το πρόγραμμα κρυπτογράφησης του WannaCry λειτουργεί δημιουργώντας ένα ζευγάρι κλειδιών στον υπολογιστή του θύματος που βασίζονται σε πρωτεύοντες αριθμούς, ένα δημόσιο κλειδί και ένα «ιδιωτικό» κλειδί για την κρυπτογράφηση και την αποκρυπτογράφηση των αρχείων του συστήματος αντίστοιχα.
To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry deletes the key from the system, leaving no option for victims to retrieve the decryption key, other than paying ransom to the attacker.
But here's the kicker: WannaCry "Does not erase the first numbers from the memory before releasing the relevant memory", says Guinet.
Based on this finding, Guinet released a decryption tool, which is called WannaKey , which essentially tries to recover the first two numbers used in the formula to create encryption keys from the memory.
However, this method comes with some limitations and will work only if:
- The infected computer has not been restarted after the infection.
- The associated memory has not been allocated and deleted by some other process.
"In order to be able to work, your computer must not have restarted after the infection. Also note that you need a little luck to work (see below) and so it may not work in any case! ”Says Guinet.
Although it WannaKey only pulls the primary numbers from the memory of the affected computer, the tool can only be used by those who can use these primary numbers to manually create the decryption key to decrypt files infected by the malicious software.