A security researcher has found a way to retrieve the encryption keys used by the Wannacrypt ransomware without having to pay the $300 ransom.
His tool, WannaKey, plucks the key straight out of the memory of an infected system, but it works only on Windows XP, and only if the PC has not been rebooted since infection and the memory that held the key has not been overwritten: in other words, in very specific and somewhat unlikely circumstances.
WannaKey was developed by Adrien Guinet, a researcher with France-based Quarkslab, and posted on GitHub for free.
“This software has only been tested and known to work under Windows XP,” he wrote in a readme note accompanying his app, which he calls Wannakey. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”
WannaCry uses Microsoft's built-in cryptographic API to generate the RSA key pair that locks up the victim's files, and on Windows XP that API has a flaw: when the malware releases the key, the prime numbers used to build it are not erased from the process's memory. More recent versions of the OS do not have this flaw.
“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” Guinet wrote.
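To make the recovery idea concrete, the following is an added example, not Guinet's code and not taken from the WannaKey repository. It generates a toy RSA key from two 128-bit primes (real WannaCry keys are 2048-bit RSA), embeds the primes little-endian in a constructed fake memory dump (little-endian because that is how CryptoAPI lays out key material; the filler bytes around them are made up), then slides a window over the dump looking for any value that divides the public modulus. Because an RSA modulus has no divisors other than 1, p, q and itself, a divisibility check alone identifies a leaked prime, and from it the private exponent is rebuilt and a test ciphertext decrypted. The `wiped` flag models the unlucky case the readme warns about, where the memory has already been reused.

```python
"""Toy reconstruction of the WannaKey idea: find RSA primes left in process
memory and rebuild the private key from them.  Added example with a small
128-bit-prime key and a constructed fake memory dump, not real WannaCry data."""
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, good enough for generating toy keys."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with the top bit set, so it is exactly `bits` long."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def rsa_keygen(prime_bits: int, seed: int):
    """Generate (n, e, d, p, q).  Real WannaCry keys are 2048-bit RSA; this
    toy uses two `prime_bits`-bit primes so it runs instantly."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(prime_bits, rng), gen_prime(prime_bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi), p, q


def build_memory_dump(p: int, q: int, prime_len: int, seed: int,
                      wiped: bool = False) -> bytes:
    """Constructed stand-in for a process memory snapshot: random filler with
    the two primes embedded little-endian (the byte order CryptoAPI uses for
    key material).  `wiped=True` models the unlucky case: the pages holding
    the primes were reused and zeroed before the dump was taken."""
    rng = random.Random(seed)

    def filler(k: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(k))

    blob_p = p.to_bytes(prime_len, "little")
    blob_q = q.to_bytes(prime_len, "little")
    if wiped:
        blob_p = blob_q = bytes(prime_len)
    return filler(512) + blob_p + filler(73) + blob_q + filler(300)


def recover_private_key(dump: bytes, n: int, e: int, prime_len: int):
    """Slide a prime_len window over the dump.  Any value in (1, n) that
    divides n must be p or q, since n has no other divisors, so no primality
    test is needed.  Returns the private exponent d, or None if nothing
    usable is left in memory."""
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return pow(e, -1, (p - 1) * (q - 1))
    return None


def demo(seed: int = 2017, wiped: bool = False):
    """Encrypt a toy message with the public key, then try to recover the
    private key from the dump and decrypt it.  Returns the plaintext bytes,
    or None when recovery fails."""
    prime_bits = 128
    prime_len = prime_bits // 8
    n, e, d, p, q = rsa_keygen(prime_bits, seed)
    m = int.from_bytes(b"file key", "big")      # toy plaintext, constructed
    c = pow(m, e, n)
    dump = build_memory_dump(p, q, prime_len, seed + 1, wiped)
    d_rec = recover_private_key(dump, n, e, prime_len)
    if d_rec is None:
        return None
    return pow(c, d_rec, n).to_bytes(8, "big")


if __name__ == "__main__":
    print("recovered:", demo())
    print("after reboot/overwrite:", demo(wiped=True))
```

Against a real XP process dump the same loop would run over the dumped memory of the malware process with `n` read from the RSA public key WannaCry leaves on disk and `prime_len` set to half the modulus size; the only thing the scan relies on is that the prime bytes are still sitting there unmodified, which is exactly the luck the readme describes.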
Fortunately or unfortunately for users, Windows XP was not in fact widely affected by WannaCrypt, as the malware did not work properly on that operating system. The technique may, however, be applicable to other ransomware that relies on the same Windows cryptographic API, and would be a useful tool in the kitbag of the geeky family member who tends to provide tech support for their whole clan.
The code can be found on GitHub.