Adrien Guinet, a French security researcher from Quarkslab, has discovered a method for finding the ransomware’s decryption key making use of a flaw in which WannaCry functions, according to The Hacker News. Basically, WannaCry encryption creates a pair of keys – “public” and “private”. While the ransomware uses prime numbers to generate a “public” key, the “private” key is for encryption and decryption of the system files. WannaCry erases the keys from the system, thus compelling the victim to pay $300 to the cybercriminals. However, Guinet found out that WannaCry “does not erase the prime numbers from memory before freeing the associated memory.” As a result, it allows a chance to retrieve the prime numbers and hence, generate the private key for decryption. Using this information, Guinet released a tool called “WannaKey” that recovers the private key used to encrypt files on an infected system, allowing the contents of the files to be decrypted without paying the ransom demanded by WannaCry’s creators. The WannaKey decryption tool is available for free and works on Windows XP operating system. However, the tool will only work on those affected computer that haven’t been rebooted after the attack or for computers with associated memory that have not been erased or allocated by some other processes, added Guinet. Based on Guinet’s findings, another security researcher named Benjamin Delpy has created ‘WanaKiwi’, a tool that can unlock WannaCry infected systems. While it is similar to WannaKey in the way it functions, it is however compatible with Windows XP, Vista, 7, Server 2003, and Server 2008, and can run using the command prompt.
Users who are infected by the virus can download WannaKey tool or WannaKiwi tool from GitHub and try it on their affected Windows.
