A new WannaCry decryptor tool for most Windows versions

Matt Suiche and Benjamin Delpy created wanakiwi, a complete tool that retrieves the key from memory and uses their own findings about the malware to recompile the decryption key.

First, Adrien Guinet, a researcher with security firm QuarksLab, created Wannakey, a tool that should help victims recover the prime numbers of the RSA private key used by WannaCry. It was initially thought to work only on Windows XP computers, and only if certain conditions are met (the compromised machine hasn’t been rebooted, and its memory hasn’t been rewritten).

But subsequent testing revealed that the same Microsoft Cryptographic Application Programming Interface flaw that allowed this approach also exists in Windows XP and Windows 7, and likely all Windows versions in between (Windows 2003, Vista, 2008 and 2008 R2).

So Matt Suiche and Benjamin Delpy created wanakiwi, a complete tool that uses Adrien’s methodology to retrieve the key from the memory and their own findings about the malware to recompile the decryption key from memory.

More technical details about how wanakiwi works can be found in Suiche’s blog post. The tool has been confirmed to work on all Windows versions from Windows XP to Windows 7.

Like Wannakey before it, wanakiwi will only work if the victim hasn’t restarted the infected system and hasn’t killed the ransomware process (wnry.exe or wcry.exe).
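The recovery idea described above, as an added Python example (not code from Wannakey or wanakiwi): slide over a memory image, test each window as a candidate factor of the known public modulus, and rebuild the private exponent from a hit. The toy 64-bit primes, the little-endian layout, the fixed prime length and the sample memory buffer are assumptions made for the illustration; real keys are far larger.

```python
# Constructed toy key: two well-known primes that each fit in 8 bytes.
P = 2**61 - 1      # constructed sample prime (Mersenne prime M61)
Q = 2**64 - 59     # constructed sample prime (largest prime below 2**64)
N = P * Q          # public modulus, which the defender already knows
E = 65537          # assumed public exponent

# Constructed "process memory": filler, a leftover copy of P, zeroed pages.
SAMPLE_MEMORY = bytes(range(200)) + P.to_bytes(8, "little") + bytes(64)


def find_prime_in_memory(memory, modulus, prime_len):
    """Return (p, q, offset) for the first prime_len-byte little-endian
    integer in memory that divides modulus, or None if nothing matches."""
    for offset in range(len(memory) - prime_len + 1):
        window = memory[offset:offset + prime_len]
        candidate = int.from_bytes(window, "little")
        # 0 and 1 divide trivially or not at all; skip them.
        if candidate <= 1 or candidate >= modulus:
            continue
        # N = p * q has no divisors other than 1, p, q and N,
        # so any hit here is one of the two primes.
        if modulus % candidate == 0:
            return candidate, modulus // candidate, offset
    return None


def rebuild_private_exponent(p, q, e=E):
    """Derive d from the recovered primes: d = e^-1 mod (p-1)(q-1)."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    hit = find_prime_in_memory(SAMPLE_MEMORY, N, 8)
    if hit is None:
        print("no prime left in memory (rebooted or overwritten)")
    else:
        p, q, offset = hit
        d = rebuild_private_exponent(p, q)
        print(f"prime found at offset {offset}; private exponent rebuilt")
        # Round-trip check: encrypt with the public key, decrypt with d.
        print("round trip ok:", pow(pow(42, E, N), d, N) == 42)
```

If the buffer holding the prime has been zeroed or reused, the scan returns nothing, which is why a reboot or a killed ransomware process ends the chance of recovery.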

 
