Researcher recovers the decryption key on Windows XP machines infected with the "WannaCry" ransomware, releases the tool "Wannakey"


By Awesome SA

The ransomware "WannaCry" first appeared in early May 2017 and has been spreading around the world, with more than 200,000 victims reported. Once a PC is infected, the files on it are encrypted and a "ransom" is demanded for their return, but a researcher now reports that on Windows XP the decryption key can be recovered without paying.


The report comes from Adrien Guinet of the French security company Quarkslab. WannaCry encrypts files with a key, and the RSA private key is needed to decrypt them. Guinet succeeded in recovering that key from the memory of wcry.exe (WannaCry's executable) and has published the method on GitHub as a tool called "Wannakey".

GitHub - aguinet/wannakey: Wannacry in-memory key recovery for WinXP
https://github.com/aguinet/wannakey


According to Guinet, the Windows Cryptographic API (CryptoAPI) provides the function "CryptDestroyKey" to discard a key and "CryptReleaseContext" to release the cryptographic context, but the starting point of his finding was that the values making up the key (the prime factors of the RSA private key) are still present in memory before the associated memory is freed. He says this is not a case of "the ransomware author made a mistake"; they simply used the CryptoAPI.

In his tests, Wannakey cannot be used on Windows 10, where "CryptReleaseContext" clears the memory before it is released, but on Windows XP CryptReleaseContext does not clear it, so the tool works. Note, however, that the key only survives while the infected process's memory is intact: if the PC is rebooted after infection (or the memory has since been reused), it is gone and Wannakey can no longer recover it.
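The principle behind the tool, shown as an added example rather than code from the Wannakey project: if one of the RSA primes is still sitting in the infected process's memory, scanning that memory for a value that divides the victim's public modulus N is enough to reconstruct the whole private key, since q = N / p and d follows from (p - 1)(q - 1). Everything below is constructed for illustration: the key size is tiny, the "memory image" is random filler with one prime buried in it, and the public key (N, e) is assumed to be known (in a real case it would come from the victim's public key file and the candidates would be read from the wcry.exe process memory at the real key's size).

```python
# Added example, not code from aguinet/wannakey: toy reconstruction of the
# "find the RSA prime in process memory" idea. Key size, filler bytes, offsets
# and the fake memory image are all constructed here for illustration.
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test, sufficient for a demo-sized key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_rsa_key(bits, seed):
    """Small RSA key pair standing in for the per-victim key the malware generates."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def build_memory_image(prime, prime_bytes, seed, size=4096, offset=1337):
    """Constructed stand-in for a heap region of the infected process: random
    filler with one prime embedded little-endian (the byte order CryptoAPI uses
    for RSA key material). A real run would read wcry.exe's memory instead."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return bytes(image)


def scan_for_factor(image, n, prime_bytes):
    """Slide a prime_bytes window over the image; a window whose little-endian
    value is a non-trivial divisor of n must be one of the two primes."""
    for off in range(len(image) - prime_bytes + 1):
        cand = int.from_bytes(image[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """One prime is enough: q = n / p, then d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def recover_key_from_image(image, n, e, prime_bytes):
    """Full pipeline: locate a factor in memory, then rebuild the private key.
    Returns None when no prime survives, e.g. after a reboot or if the memory
    was wiped before release as on Windows 10."""
    hit = scan_for_factor(image, n, prime_bytes)
    if hit is None:
        return None
    return rebuild_private_key(n, e, hit[1])


def demo(bits=256, seed=2017):
    """Generate a key, bury one prime in a fake memory image, recover the key,
    and check the recovered key decrypts a test ciphertext."""
    key = make_rsa_key(bits, seed)
    prime_bytes = bits // 16  # each prime is half the modulus size, in bytes
    image = build_memory_image(key["p"], prime_bytes, seed + 1)
    recovered = recover_key_from_image(image, key["n"], key["e"], prime_bytes)
    msg = 0x57616E6E61  # constructed test plaintext ("Wanna" as an integer)
    ct = pow(msg, key["e"], key["n"])
    pt = pow(ct, recovered["d"], recovered["n"]) if recovered else None
    return key, recovered, pt == msg


if __name__ == "__main__":
    original, found, ok = demo()
    print("recovered d matches original:", found["d"] == original["d"])
    print("test decryption with recovered key:", ok)
```

The divisibility test is what makes the scan robust: there is no need to know where CryptoAPI put the key or how it framed it, because any window whose value divides N can only be p or q. The same check also makes the caveat above concrete: run against memory that has been reused or zeroed, the scan finds nothing and recovery fails.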

WannaCry is ransomware, but it is also known to spread on its own as a worm. According to experts, Windows XP and Windows Server 2003 are not infected through the worm component, but since the ransomware itself still runs on them, it appears they can be infected by manually copying and executing the malware.


One known way of stopping "WannaCry" is its kill switch: the malware's code checks an unregistered domain name, so simply registering that domain shuts it down. Volunteers registered the domain and halted the ransomware's spread, and Interlink, a Japanese ISP, reportedly also registered one of the unregistered domains and played a part in this effort.

Did Interlink save the world from the globally spreading ransomware?! | InterLink president blog

Since Guinet's finding is limited to Windows XP, victims on other operating systems are for now still left with "paying the ransom" as the only way to unlock their files, but as the research advances it offers a ray of hope that another way to recover the key may be found.

in Security, Posted by logc_nt