A Windows XP bug makes it possible to recover files encrypted by WannaCry

A Windows bug has been found to work in favor of victims instead of attackers, allowing WannaCry victims that run Windows XP to decrypt the files encrypted by the ransomware.

Adrien Guinet, a researcher with security firm QuarksLab, discovered the bug and also created software that should help victims recover the prime numbers of the RSA private key used by WannaCry.

But the software works only on Windows XP machines, only on computers that haven’t been rebooted after infection, and only if the computer’s memory hasn’t been reallocated and erased.

“The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory,” Guinet explained.

“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN [Microsoft Developer Network] states this, for this function: ‘After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.’ So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.”
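To make the recovery idea concrete, here is an added Python sketch; it is not the article's code nor Guinet's tool, and it uses a toy-sized key. It builds a constructed "memory image" with the two RSA primes left in it (stored little-endian, an assumption of the toy chosen to mirror CryptoAPI key blobs), scans the image for byte runs that divide the public modulus n, and rebuilds the private exponent from the two factors found. The function names, the filler bytes and the prime values are all constructed for illustration.

```python
# Added example (not the article's or Guinet's code): a miniature of the
# recovery idea described above. If a process leaves the RSA primes in its
# memory, a memory image can be scanned for byte runs that divide the public
# modulus n, and the private key rebuilt from them. Values are tiny and
# constructed for illustration only.
from math import gcd

# Constructed toy key: two known primes (2^31 - 1 and the largest prime < 2^32).
P = 2147483647
Q = 4294967291
E = 65537
N = P * Q


def build_memory_image(primes, width=4):
    """Constructed 'process memory': filler bytes with the primes embedded
    little-endian (assumed layout, mirroring CryptoAPI key blobs)."""
    filler = bytes(range(0x41, 0x61))           # deterministic junk bytes
    image = b"\x00" * 8
    for p in primes:
        image += filler + p.to_bytes(width, "little")
    return image + filler


def scan_for_factors(image, n):
    """Slide a window over the image, interpret each window as a little-endian
    integer and keep the values that are non-trivial divisors of n."""
    half_bytes = ((n.bit_length() + 1) // 2 + 7) // 8   # expected prime size
    found = set()
    for width in range(2, half_bytes + 2):      # tolerate off-by-one sizing
        for off in range(len(image) - width + 1):
            cand = int.from_bytes(image[off:off + width], "little")
            if 1 < cand < n and n % cand == 0:
                found.add(cand)
    return sorted(found)


def rebuild_private_exponent(p, q, e):
    """Standard RSA: d = e^-1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return pow(e, -1, phi)                      # modular inverse, Python 3.8+


def recover(image, n, e):
    """Return (p, q, d) if both primes are still in the image, else None."""
    factors = scan_for_factors(image, n)
    if len(factors) != 2:
        return None     # memory already reused or zeroed: "you need some luck"
    p, q = factors
    return p, q, rebuild_private_exponent(p, q, e)


if __name__ == "__main__":
    img = build_memory_image([P, Q])
    print(recover(img, N, E))
    # A wiped image (what a reboot, or CryptReleaseContext on Windows 10,
    # leaves behind) yields nothing to recover.
    print(recover(bytes(len(img)), N, E))
```

The divisibility test is what makes the scan selective: with a real 2048-bit modulus only the two primes (and 1 and n) divide n, so any window that passes the test is a genuine factor. The second call shows the failure mode the article warns about, which is why a victim must not reboot before running the tool.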

Other researchers tested the tool, and it worked for some but not for others. As Guinet noted, “you need some luck for this to work.”

Windows XP users will be able to try this tool out – they just need to remember not to reboot their infected machine.
