As the criminals behind the WannaCry ransomware are trying to make it work again, security researchers have created tools for decrypting files encrypted by it.
DDoS attacks against the killswitch domains
Since researcher Marcus Hutchins (aka MalwareTech) registered a (previously non-existent) killswitch domain for the malware and stopped its onslaught, the domain has been under attack by Mirai-powered botnets.
Today’s Sinkhole DDoS Attack http://pic.twitter.com/wxT2YUrdOF
— MalwareTech (@MalwareTechBlog) May 18, 2017
That particular domain has been hit with repeated and increasingly bigger attacks, but the attackers haven’t yet managed to knock it offline. The domain registered by researcher Matt Suiche has also been hit with a DDoS attack, and it also failed.
Both domains are now protected by unnamed DDoS mitigation firms.
Hutchins believes that these attackers and the WannaCry attackers are not the same group. In fact, he believes the the former are just in it “to cause mayhem for their own entertainment.”
WannaCry decryptor tools
First, researcher Adrien Guinet came up with a tool that recovers prime numbers of the RSA private key used by the ransomware. These numbers had to be recomputed into the decryption key through other means.
Wannakey, as the tool was named, was initially thought to work only on Windows XP computers, and only if certain conditions are met (the compromised machine hasn’t been rebooted, and its memory hasn’t been rewritten).
But subsequent testing revealed that the same Microsoft Cryptographic Application Programming Interface flaw that allowed this approach also exists in Windows XP and Windows 7, and likely all Windows versions in between (Windows 2003, Vista, 2008 and 2008 R2).
So Matt Suiche and Benjamin Delpy created wanakiwi, a complete tool that uses Adrien’s methodology to retrieve the key from the memory and their own findings about the malware to recompile the decryption key from memory.
More technical details about how wanakiwi works can be found in Suiche’s blog post. The tool has been confirmed to work on all Windows versions from Windows XP to Windows 7.
As Wannakey before it, wanakiwi will only work if the victim hasn’t restarted the infected system and you hasn’t killed the ransomware process (wnry.exe or wcry.exe).
Malwarebytes’ Adam Kujawa has provided instructions on how to use it.