#WannaCry — Decrypting files with #WanaKiwi + Demos (Video) Free

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!

*ASAP because the prime numbers may be overwritten in memory after a while.

Related WannaCry Post on removal steps here.

Don’t cry yet.

UPDATE: Actually, wanakiwi from Benjamin Delpy (@gentilkiwi) works for both Windows XP (confirmed) and Windows 7 (confirmed). This implies it works for every version of Windows from XP to 7, including Windows 2003 (confirmed), Vista, 2008 and 2008 R2. See the demo GIFs below.

WanaKiwi: WannaCry Ransomware Decryption Tool

All victims have to do is download WanaKiwi tool from Github and run it on their affected Windows computer using the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won’t work for every user because of the conditions it depends on, it still gives WannaCry’s victims some hope of getting their locked files back for free, even on Windows XP, the aging, largely unsupported version of Microsoft’s operating system.

Wannakey

Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious: it does not look for the private key itself but for the prime numbers left in memory, and recomputes the key from them. In short, his technique is totally bad ass and super smart.

Unfortunately, this only works on Windows XP as those values are cleaned during the

in later versions of Windows.

UPDATE: Forget the above statement, this has been successfully tested with wanakiwi up to Windows 7.

As Adrien stated in his README, this is not a mistake by the ransomware authors but an issue with Windows XP: the authors themselves make sure to release the user key as soon as they are done with it, and that key never touches the disk unless encrypted with the attacker’s public key.

Key generation in memory (1), immediately followed by the actual routine destroying the keys (2)

However, a file format issue with the exported key made it incompatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, because the Windows Crypt APIs on Windows XP expect a very strict input in order to work, unlike Windows 10. This is why my initial tests with the key output by Wannakey failed.

Moreover, the output file format was not compatible with the WannaCry ransomware either, unlike Wanakiwi from gentilkiwi, as we can see in the demo below.

Wanakiwi

  1. Download wanakiwi here
  2. wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
  3. Cross your fingers that your prime numbers haven’t been overwritten in the process address space.

After doing some tests and discussing with Benjamin, he decided to rewrite his own version using OpenSSL, based on Adrien’s methodology for retrieving the key, so as to fix the file format issues directly and build a version 100% compatible with Windows from XP to 7. Amazing job! (see below for full working demos!)

Wanakiwi also recreates the .dky file that the ransomware expects from the attackers, which makes it compatible with the ransomware itself too. This also prevents WannaCry from encrypting further files.
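To make the mechanism concrete, here is an added example of my own (not wannakey’s or wanakiwi’s code) that walks through what the two paragraphs above and the Wannakey section describe: read the modulus out of a .pky file, scan a memory image for a prime that divides it, and rebuild the private key in the format the ransomware expects. The blob layouts are the documented CryptoAPI PUBLICKEYBLOB ("RSA1", the .pky) and PRIVATEKEYBLOB ("RSA2", the .dky). Everything else is an assumption of the demo: the victim, the memory image and the 128-bit key are constructed (a real WannaCry key is 2048-bit, which only changes KEY_BITS), and the scan assumes the surviving prime lies in memory as a little-endian, half-modulus-sized integer, the same shape the key blob uses. When no such prime is found the recovery returns None, which is the "memory reused or machine rebooted" case this post warns about.

```python
import random
import struct

# CryptoAPI key blob constants ("Base Provider Key BLOBs" layout)
PUBLICKEYBLOB, PRIVATEKEYBLOB, CUR_BLOB_VERSION = 0x06, 0x07, 0x02
CALG_RSA_KEYX = 0x0000A400
MAGIC_RSA1, MAGIC_RSA2 = 0x31415352, 0x32415352  # "RSA1" public, "RSA2" private
KEY_BITS = 128  # toy size so the demo is instant; a real WannaCry key is 2048-bit

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases; plenty for a demo."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if is_probable_prime(cand, rng):
            return cand

def le(n, size):
    return n.to_bytes(size, "little")  # CryptoAPI stores every integer little-endian

def make_pky(n, e, bitlen=KEY_BITS):
    """PUBLICKEYBLOB = BLOBHEADER + RSAPUBKEY("RSA1") + modulus: the .pky layout."""
    hdr = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    return hdr + struct.pack("<III", MAGIC_RSA1, bitlen, e) + le(n, bitlen // 8)

def parse_pky(blob):
    """Return (n, e, bitlen) from a PUBLICKEYBLOB, rejecting anything else."""
    btype = struct.unpack_from("<BBHI", blob, 0)[0]
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if (btype, magic) != (PUBLICKEYBLOB, MAGIC_RSA1):
        raise ValueError("not an RSA1 PUBLICKEYBLOB")
    return int.from_bytes(blob[20:20 + bitlen // 8], "little"), e, bitlen

def find_prime_factor(memory, n, bitlen, rng):
    """Slide a bitlen/16-byte window over memory; return (p, offset) of the first
    prime divisor of n. Demo assumption: p is little-endian, as in the key blob."""
    size = bitlen // 16
    for off in range(len(memory) - size + 1):
        cand = int.from_bytes(memory[off:off + size], "little")
        if cand > 1 and n % cand == 0 and is_probable_prime(cand, rng):
            return cand, off
    return None

def make_dky(n, e, p, bitlen):
    """PRIVATEKEYBLOB ("RSA2"): n, p, q, d mod (p-1), d mod (q-1), q^-1 mod p, d."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    half, full = bitlen // 16, bitlen // 8
    hdr = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    body = struct.pack("<III", MAGIC_RSA2, bitlen, e) + le(n, full) + le(p, half)
    body += le(q, half) + le(d % (p - 1), half) + le(d % (q - 1), half)
    return hdr + body + le(pow(q, -1, p), half) + le(d, full)

def recover_dky(pky_blob, memory, seed=0):
    """.pky -> modulus -> memory scan -> .dky; None if the prime is gone (memory reused)."""
    n, e, bitlen = parse_pky(pky_blob)
    hit = find_prime_factor(memory, n, bitlen, random.Random(seed))
    return None if hit is None else make_dky(n, e, hit[0], bitlen)

def build_victim(seed=1):
    """Constructed victim: toy .pky plus a fake memory image where only p survives."""
    rng = random.Random(seed)
    while True:  # keep e = 65537 coprime to phi so the private exponent exists
        p, q = gen_prime(KEY_BITS // 2, rng), gen_prime(KEY_BITS // 2, rng)
        if p != q and (p - 1) % 65537 and (q - 1) % 65537:
            break
    noise = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    memory = noise(300) + le(p, KEY_BITS // 16) + noise(200)  # q and d already wiped
    return make_pky(p * q, 65537), memory

if __name__ == "__main__":
    pky, mem = build_victim()
    dky = recover_dky(pky, mem)
    n, e, _ = parse_pky(pky)
    d = int.from_bytes(dky[-(KEY_BITS // 8):], "little")
    print(len(dky), "byte .dky; roundtrip ok:", pow(pow(0x1234, e, n), d, n) == 0x1234)
```

Running it prints the size of the rebuilt .dky (92 bytes at 128 bits, 1172 bytes at 2048 bits) and whether the recovered private exponent really inverts the public key from the .pky. Only one prime needs to survive: q follows as n / p, and everything else in the private blob is derived from p, q and e.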

WanaKiwi from Benjamin Delpy (@gentilkiwi) in action (Windows XP)

After further testing with Benjamin, we noticed the info leak on the prime numbers in the Microsoft Crypt API was still present on Windows 7. \o/

WanaKiwi from Benjamin Delpy (@gentilkiwi) in action (Windows 7)

What’s next ?

As explained above, this method relies on finding the prime numbers in memory, and only works if that memory hasn’t been reused: after a certain period of time the memory may get reused and those prime numbers erased. It also means the infected machine must not have been rebooted.

Also, this tool so far only works on Windows XP due to a flaw present with the

implementation. This is a great step forward.

UPDATE: Forget the above statement! This works from Windows XP to Windows 7, and as you can see in the screenshots above, it has been tested!

Today (19 May) marks the 7th day of the infection (it started on the 12th), which means that from today many users could potentially lose their files forever, as stated in the initial infection window.

The clock is currently ticking for many users around the World.

The infection wave is far from over: we noticed a significant and abnormal spike of activity on our kill-switch from Malaysia during the night (3 AM to 5 AM GST), which accounted for almost half of the roughly 10K machines we prevented from infection over the past 24 hours.


