Security Researcher Releases Free WannaCry Decryption Tool

The WannaCry ransomware – born out of an NSA hacking tool for Windows systems – caused havoc earlier this month. Business computer systems – the highest profile victims being the UK NHS – fell prey to the malicious software. Microsoft was even forced to release emergency fixes for the outdated Windows XP (though maybe later than it should have). Now, to the relief of those infected, a security researcher has released a free WannaCry decryption tool.

WannaCry Decryption Tool

The tool, developed by Adrien Guinet of Finnish cybersecurity firm Quarkslab, is designed to unlock Windows XP PCs infected by WannaCry. The program, dubbed WannaKey, can recover the prime numbers WannaCry uses to generate a private key.

How WannaKey Works

Guinet says:

“This software allows you to recover the prime numbers of the RSA private key that are used by WannaCry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function: “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.” So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.“

The above method, though, does rely on the associated memory remaining unallocated for other tasks. A rebooted system is, unfortunately, unrecoverable using WannaKey.

WannaKey is available for free from Guinet’s GitHub page.