Decryptors from French Researchers May Save Many Victims
Good news for many victims of WannaCry: Free tools can be used to decrypt some PCs that were forcibly encrypted by the ransomware, provided that the prime numbers used to build the crypto keys remain in Windows memory and have not yet been overwritten.
The decryption tools carry several caveats: Affected systems must not have been powered down or rebooted. Users must also have admin-level access to the infected system. And even then, security researchers caution, the tools still might not work with every type of infected system.
But the tools give WannaCry victims a potential way to restore their systems without having to consider whether they will pay their attackers. And security experts and law enforcement agencies recommend not paying ransoms, whenever possible, because payments directly fund future cybercrime (see Please Don’t Pay Ransoms, FBI Urges).
WannaCry infections began sweeping worldwide May 12, infecting more than 200,000 Windows computers with a speed and severity not witnessed since the days of the Love Bug and SQL Slammer worms in the early 2000s (see Teardown: WannaCry Ransomware).
Whoever designed WannaCry gave it the ability to spread like a worm by using two leaked “Equation Group” tools, including an exploit for a flaw in the Windows Server Message Block (SMB) protocol that Microsoft patched for its supported Windows versions in March via the MS17-010 security update. The exploit, believed to have been built by the National Security Agency, was leaked in April by the Shadow Brokers hacking group.
French Security Researchers to the Rescue
After WannaCry first appeared, three French security researchers, working around the clock, reverse-engineered the ransomware and began developing, testing and releasing decryption tools. On Thursday, Adrien Guinet, a security researcher at Paris-based cybersecurity firm Quarkslab, released WannaKey, which can decrypt Windows XP systems. On Friday, Benjamin Delpy released WanaKiwi, which he built in his spare time, away from his day job at Banque de France. Throughout, their efforts have been supported and tested by Dubai-based security expert Matt Suiche.
RSA keys, including the per-victim key pair WannaCry generates before it forcibly encrypts a PC, are built from two very large prime numbers: their product forms the public modulus, and anyone who knows both primes can recompute the private key.
But the Windows component WannaCry used to generate that key, the Microsoft CryptoAPI, has a weakness, the researchers found: the functions that release a key do not wipe the primes from the calling process’s memory. For at least a short time, therefore, the ransomware process still holds a copy of the two primes that Windows handed to it. As long as those bytes have not been overwritten, the primes can be read out of memory, used to rebuild the private key, and the private key used to decrypt everything the ransomware encrypted. In fact, only one prime needs to survive, because the other follows from dividing the public modulus, which the ransomware leaves on disk.
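The recovery the researchers describe, as an added example that is not code from the article or from the WannaKey or WanaKiwi tools: it generates a textbook RSA key pair, plants one prime inside a constructed stand-in for a process memory dump, scans that dump for any window whose value divides the public modulus, and rebuilds the private exponent from the recovered prime. The memory image, the 512-bit primes (real CryptoAPI keys are 2048-bit) and the message are constructed for the demonstration; CryptoAPI stores RSA key material little-endian, which is why the scan reads each window little-endian.

```python
"""Rebuilding an RSA private key from a prime left behind in memory.

Added example, not code from the article or from WannaKey/WanaKiwi. It models
the idea those tools rely on: the victim's public modulus n = p*q is known
(WannaCry writes the public key to disk), so any window of process memory
whose value divides n is one of the primes, and from p and q the private
exponent follows. Memory image, key size and message are constructed here.
"""
import math
import random

KEY_BITS = 512                 # half of a real 2048-bit key, to keep the demo fast
PRIME_BYTES = KEY_BITS // 8    # each prime is half the modulus width
E = 65537


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test (error below 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(rng):
    """Textbook RSA: returns (n, e), (n, d) and the primes the victim never sees."""
    while True:
        p, q = random_prime(KEY_BITS, rng), random_prime(KEY_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    return (p * q, E), (p * q, pow(E, -1, phi)), (p, q)


def build_memory_image(p, rng, size=4096, offset=1337):
    """Constructed stand-in for a process dump: random bytes with p embedded."""
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + PRIME_BYTES] = p.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def scan_for_prime_factor(memory, n):
    """Slide a PRIME_BYTES window over memory; a value that divides n is a factor."""
    for off in range(len(memory) - PRIME_BYTES + 1):
        cand = int.from_bytes(memory[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, p):
    """One surviving prime is enough: q = n / p, then d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    return n, pow(E, -1, (p - 1) * (q - 1))


def demo(seed=2017):
    rng = random.Random(seed)
    (n, _), (_, d_true), (p, q) = generate_keypair(rng)
    secret = int.from_bytes(b"per-file AES key would sit here", "big")
    ciphertext = pow(secret, E, n)          # what the public key alone can do
    hit = scan_for_prime_factor(build_memory_image(p, rng), n)
    if hit is None:
        return None                         # primes already overwritten: tool fails
    offset, recovered = hit
    _, d = rebuild_private_key(n, recovered)
    return {
        "offset": offset,
        "recovered_is_prime_factor": recovered in (p, q),
        "private_exponent_matches": d == d_true,
        "decrypted": pow(ciphertext, d, n) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The divisibility check is the whole trick: a random 64-byte window divides a 1024-bit modulus with negligible probability, so the first hit is one of the primes, and the `None` return is the failure mode the researchers warn about, when the bytes have already been reused.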
#wanakiwi to decrypt #WANACRY files from pieces of key in memory (thanks @adriengnt for idea) https://t.co/7LTTZXXEsB
XP sometimes, 7 if lucky pic.twitter.com/3V8gFaIkCF
— Benjamin Delpy (@gentilkiwi) May 19, 2017
Try WanaKiwi First
Of the two tools, WanaKiwi is reportedly the easier one to use. Even better, Suiche reports, WanaKiwi can decrypt both Windows XP and Windows 7 systems. “This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2,” Suiche says in a blog post.
The takeaway: Try the tools, and do so immediately. “Do not reboot your infected machines and try wanakiwi ASAP*!” Suiche says, noting that victims should do this as soon as possible “because prime numbers may be overwritten in memory after a while.”
Suiche’s findings have been confirmed by the European Cybercrime Centre – part of Europol, the EU’s law enforcement agency – which says via Twitter that the tools can “recover data in some circumstances.”
#Wannacry decrypting files tested by @EC3Europol & found to recover data in some circumstances: https://t.co/E9j59j4p0c https://t.co/3n8hd4hrQi
— Europol (@Europol) May 19, 2017
“This is not a perfect solution,” Suiche tells Reuters. “But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups,” which would allow users to restore data without paying blackmailers.
Threat intelligence firm Kryptos Logic tells Reuters that as of Wednesday, half of all IP addresses infected with WannaCry appeared to be in China and Russia – representing 30 percent and 20 percent of all infections globally, respectively – followed by the United States, with 7 percent of infections, and Britain, France and Germany, each with 2 percent of infections seen worldwide.
According to Costin Raiu, a researcher at Moscow-based security firm Kaspersky Lab, 98 percent of all WannaCry-infected systems appear to be running the Windows 7 operating system.
#WannaCry infection distribution by the Windows version. Worst hit – Windows 7 x64. The Windows XP count is insignificant. pic.twitter.com/5GhORWPQij
— Costin Raiu (@craiu) May 19, 2017
As of 7 a.m. Eastern U.S. Time on Monday, 315 victims had paid 49 bitcoins – worth about $108,000 – to one of the three bitcoin wallets tied to the ransomware.
Hoping for Arrests
The WannaCry decryption tools may have arrived too late for some victims. Upon infection, WannaCry warns victims they have three days to pay $300 in bitcoin before the ransom rises to $600. If that isn’t paid after a week, the ransomware says that the data will be locked forever.
Even so – and if the free decryption tools haven’t worked – Delpy says that victims may have another option: Back up all files, including the encrypted per-victim key file 00000000.eky, and wait for police to find and arrest the criminals involved. At that point, the attackers’ master key could be seized and used to decrypt every victim’s files, he says.
#wannacry: backup all your files; 00000000.eky and your encrypted ones
When criminal will be arrested, main key will be used to decrypt all.
— Benjamin Delpy (@gentilkiwi) May 20, 2017
Of course, this strategy depends on WannaCry’s developer or developers being identified, caught and brought to justice. It’s not clear when – or if – that might ever happen.