The WannaCry’s encryption scheme works by generating a pair of keys on the victim’s computer that rely on prime numbers, a “public” key and a “private” key for encrypting and decrypting the system’s files respectively.
To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.
But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.
Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory, and works on Windows XP only.
Note: Below I have also mentioned another tool, dubbed WanaKiwi, that works for Windows XP to Windows 7.
“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.” says Guinet
So, that means, this method will work only if:
- The affected computer has not been rebooted after being infected.
- The associated memory has not been allocated and erased by some other process.
“In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!,” Guinet says.
“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API.”
Robert de Haan