Wannacry: first WCry-Decryptor for Windows XP

[German]Good news with a grain of salt for users with systems affected by #WannaCry ransomware. A first decryptor has been developed, but it works only under Windows XP and only if some conditions are true.


Advertising

WCry, it works for Windows XP, if …

The tool, called WCry, has been developed by fresh security researcher Adrien Guinet from Quarkslab and it’s available at GitHub. The tool tries to find the prime number used to calculate the private RSA key used by Wanacry to encrypt all files.

The software has only been tested and known to work under Windows XP. In order to work, the Windows XP computer must not have been rebooted after being infected – more details below. Please also note that you need some luck for this to work (see below), and so it might not work in every cases!

How it works?

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry, searching the system’s memory associated to the wcry.exe process. This is the process that generates the RSA private key. This is possible, because the api calls CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as as Adrien Guinet wrote. He assume, that the ransomware authors are using the Windows Crypto API properly. Guinet tested under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work).

It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.”. So, Guinet assumes, that there are no clean and cross-platform ways under Windows to clean this memory.


Advertising

So his approach to search the associated memory for prime numbers works in Windows XP, if the memory hasn’t been reallocated and erased or erased during a reboot.

How it’s used?

Go to the GitHub binary folder bin and download the file. Then you need to find the PID of the wcry.exe process using the Task Manager. Afterward locate the 00000000.pky file on your Windows drive (it’s the WannaCry private key folder).

Once you’ve got this, launch using cmd.exe and execute the following command:

search_primes.exe PID path\to\00000000.pky

If a valid prime is found in memory, the priv.key file will be generated in the current directory. You can then use https://github.com/odzhan/wanafork/ to decrypt your files!

WARNING: wanafork does not work directly for now directly under Windows XP. This should be fixed soon (hopefully)!(via)


Advertising


This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *