The WannaCrypt ransomware attack is still ongoing, sort of, and since it began some silent heroes have emerged, including the 22-year-old UK-based researcher known as MalwareTech (identity undisclosed), who was able to slow down the spread of the malware. Now it looks like we have another one, from France: Adrien Guinet has developed a tool he calls WannaKey and has published how it works on GitHub.
WannaKey tries to recover the prime numbers behind the private RSA key used by WannaCry to encrypt system files. As Guinet puts it, WannaKey “does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.”
But this only works on the Windows XP machines we talked about earlier, which were actually the worst hit in the attacks. Microsoft started issuing the patches to XP users for free during the attacks, after it had previously asked businesses to pay $1,000 for support. The other caveat is that WannaKey might only be effective if the machine hasn’t been rebooted since the malware infection. So that’s it: a Windows XP machine that has not been rebooted since it was attacked.
WannaKey searches for the prime numbers of the private key in wcry.exe (the process that generates WannaCry’s private key, which is needed to lock out a user). Those primes remain in memory unless you reboot, because Microsoft designed its APIs such that “CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.” This is the reason the tool doesn’t work on other Windows versions: there, this memory is erased whether you reboot or not. It will definitely make someone who believes Windows XP is still the most secure member of the Windows family happy, even though Microsoft encourages business and individual users alike to switch to its newer versions to ensure the security of their files.
Guinet adds that “If you are lucky, that is the associated memory hasn’t been reallocated and erased, these prime numbers might still be in memory. That’s what this software tries to achieve.”
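To make the mechanism concrete, here is an added, self-contained illustration of the idea behind WannaKey; it is not Guinet’s code and makes no claim about the real wcry.exe layout. It assumes the RSA public modulus N is known (the attacker’s public key is what the ransomware uses to encrypt), that the two primes p and q survived in process memory as little-endian byte strings of half the modulus size (the layout CryptoAPI uses for key material), and it uses two known 64-bit primes and a constructed fake memory dump in place of WannaCry’s 2048-bit key and a real process snapshot. The scan slides a prime-sized window over the dump, keeps any window whose value is a non-trivial divisor of N, and rebuilds the private exponent d from the recovered factors.

```python
# Added illustration of in-memory RSA prime recovery (not WannaKey's own code).
# Given the public modulus N, scan a memory buffer for a byte window that
# divides N; because N = p*q has no other non-trivial divisors, any hit is
# one of the two primes, and d follows from (p-1)(q-1).
from math import gcd

E = 65537  # public exponent CryptoAPI uses for its default RSA keys

# Constructed toy key: two known primes stand in for WannaCry's 1024-bit ones.
P = 2**61 - 1    # Mersenne prime M61
Q = 2**64 - 59   # largest prime below 2**64
N = P * Q


def build_fake_dump() -> bytes:
    """Constructed stand-in for a process memory snapshot: deterministic filler
    with the two primes embedded little-endian (assumed CryptoAPI layout)."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(64))
    return (filler + P.to_bytes(8, "little")
            + filler + Q.to_bytes(8, "little") + filler)


def find_prime_factors(dump: bytes, n: int) -> set:
    """Slide a window the size of one prime (half the modulus) over the dump;
    a window whose little-endian value is a non-trivial divisor of n is p or q."""
    prime_len = (n.bit_length() + 15) // 16   # bytes per prime
    found = set()
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            found.add(cand)
    return found


def rebuild_private_key(n: int, e: int, primes: set) -> int:
    """Recover the private exponent d from the recovered primes."""
    if len(primes) != 2:
        raise ValueError("need exactly two prime factors, got %d" % len(primes))
    p, q = primes
    if p * q != n:
        raise ValueError("recovered factors do not multiply to the modulus")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi")
    return pow(e, -1, phi)


def recover_and_check(dump: bytes, n: int = N, e: int = E) -> bool:
    """Round trip: encrypt with the public key, decrypt with the rebuilt d."""
    d = rebuild_private_key(n, e, find_prime_factors(dump, n))
    m = 0x57616E6E614B6579  # constructed test message, "WannaKey" as bytes
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    dump = build_fake_dump()
    print("primes found in dump:", sorted(find_prime_factors(dump, N)))
    print("private key rebuilt and verified:", recover_and_check(dump))
```

The same loop works unchanged on a real modulus and a real memory image; only the prime size (derived from N) and the buffer change. The defensive lesson is the one Guinet points at: key material that an API frees without scrubbing stays recoverable until the pages are reused, which is why secure implementations zero private key buffers before releasing them.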
There you go, Windows XP users: try it out if you haven’t rebooted your machine since WannaCry started spreading. There is another option, of course, and that’s to pay the $300 ransom, which I advise against.
Guinet is now working on making WannaKey more user friendly.
Working on the next version of wannakey to make it user-friendly! You'd just have to launch it and use the "Decrypt" button of the malware!— Adrien Guinet (@adriengnt) May 20, 2017