Saturday 20 May 2017
0 comments
20:59:00

WannaCry Ransomware Decryption Tools Now Available

WannaCry Ransomware Decryption Tools Now Available


WannaCry Ransomware Decryption Tools Now Available..

There are two WannaCry Ransomware decryption Tools launched. Now no need to Pay in Bitcoin, get all yours files back without paying Ransom.


1. WanaKiwi:

This utility allows machines infected by the WannaCry ransomware to recover their files.

wanakiwi is based on wanadecrypt which makes possible for lucky users to :
  • Recover the private user key in memory to save it as 00000000.dky
  • Decrypt all of their files
  • The primes extraction method is based on Adrien Guinet's [wannakey] (https://github.com/aguinet/wannakey) which consist of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext().

Adrien's method was originally described as only valid for Windows XP but @msuiche and I proved this can be extended to Windows 7.

Usage

wanakiwi.exe [PID]

PID is an optional parameter, by default the utility will look for any of this process:

wnry.exe
wcry.exe
data_1.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Limitations

Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot - the original process memory will be lost. It is very important for users to NOT reboot their system before trying this tool.

Secondly, because of the same reason we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility ASAP.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.

Download WanaKiwi

Video:

2. WannaKey 

Wannacry in-memory key recovery for WinXP

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won't work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : "After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.". So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory.

That's what this software tries to achieve.

Usage

You can use the binary in the bin/ folder. You first need to find the PID of the wcry.exe process using the Task Manager, and locate the 00000000.pky file.

Once you've got this, launch using cmd.exe:

> search_primes.exe PID path\to\00000000.pky
If a valid prime is found in memory, the priv.key file will be generated in the current directory.

You can then use https://github.com/odzhan/wanafork/ or https://github.com/gentilkiwi/wanadecrypt to decrypt your files! (working on XP!)


Compile from source


You can use Visual Studio 2015 express to compile the associated project. Be sure to select the compatible Windows XP toolchain in the project properties!

WARNING

This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected.

Please also note that you need some luck for this to work (see below), and so it might not work in every cases!

Updates


v0.2
  • The generated private RSA key had invalid computed fields, which made the key not importable with CryptImportKey under Windows XP (fixed). wanafork and/or wanadecrypt can now be used directly from XP.
  • Updated the binary with this fix and a static build (no need for the MSVC runtime anymore)

v0.1
  • Original version

Download WannaKey

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top