Free Tool To Decrypt WannaCry Ransomware
Adrien Guinet, a security researcher from Quarkslab, has created a tool to decrypt files locked by WannaCry ransomware.
Guinet is offering the tool free of charge, and it works on Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008.
The tool has been published on GitHub, and according to the project description, this software allows you to recover the prime numbers of the RSA private key that are used by WannaCry.
“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory,” said the GitHub page.
As promising as it may sound, please bear in mind that it’s not a complete solution: you need a stroke of luck for it to work in your case. “If you are lucky (that is, the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory,” said Guinet on the project page.
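The recovery idea described above, as an added example that is not the tool's code or part of the original article: scan a memory dump for a value that divides the public modulus, then rebuild the private exponent from the two primes. The function names and the tiny 63-bit key are constructed for illustration, and the code assumes each prime sits in memory as one contiguous little-endian integer.

```python
# Added example: hypothetical helper names, constructed toy key (not WannaCry's).
# Assumption: each prime sits in memory as one contiguous little-endian integer.

def find_rsa_primes(dump: bytes, modulus: int):
    """Scan a memory dump for a leftover prime factor of `modulus`.

    Returns (offset, p, q), or None when no window of the dump divides the modulus.
    """
    prime_len = ((modulus.bit_length() + 7) // 8) // 2  # each prime is half the modulus
    for offset in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[offset:offset + prime_len], "little")
        if cand < 3 or cand % 2 == 0:      # skip zeroed (wiped) memory and even values
            continue
        if modulus % cand == 0:            # a non-trivial divisor is one of the primes
            return offset, cand, modulus // cand
    return None


def private_exponent(p: int, q: int, e: int = 65537) -> int:
    """Rebuild the RSA private exponent d from the recovered primes."""
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed sample: a 63-bit modulus built from two well-known 32-bit primes.
P, Q = 2**31 - 1, 2**32 - 5
N = P * Q                                   # known from the public key

# Freed memory that was not wiped: the prime is still there.
LUCKY_DUMP = bytes(range(64)) + P.to_bytes(4, "little") + bytes(16)
# The same region after it was reallocated and erased: nothing to recover.
ERASED_DUMP = bytes(range(64)) + bytes(20)

if __name__ == "__main__":
    hit = find_rsa_primes(LUCKY_DUMP, N)
    print("lucky dump :", hit)
    print("erased dump:", find_rsa_primes(ERASED_DUMP, N))
    if hit:
        _, p, q = hit
        d = private_exponent(p, q)
        c = pow(123456789, 65537, N)        # a value encrypted with the public key
        print("decrypted  :", pow(c, d, N))
```

The erased dump returns `None`, which is the "stroke of luck" condition: once the freed memory has been overwritten, there is no prime left to find.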
The WannaCry ransomware attack has been the worst attack of its kind. The attack started on Friday, May 12, 2017, and infected more than 230,000 computers across the globe. It brought down major services, including Britain's National Health Service (NHS), Spain's Telefónica, FedEx, and Deutsche Bahn. It also shows Europe’s reliance on Microsoft technologies.
The WannaCry vulnerability was known to the NSA, but instead of informing Microsoft so it could be patched, the agency used it to compromise target computers.