WannaCry: New tool can restore some ransomware-infected computers without paying up

There are a number of limitations, but WannaKey provides hope

Aatif Sulleyman
Friday 19 May 2017 12:28 BST
WannaCry is demanding a payment of $300-$600 from victims (EPA)

A security researcher claims to have created a new tool capable of restoring computers infected by WannaCry ransomware.

Adrien Guinet has released WannaKey, which is designed to take advantage of a shortcoming in Windows XP to decrypt an infected machine’s files.

He says he’s used it successfully on several infected Windows XP computers, but the method won’t work for all victims.

“In order to work, your computer must not have been rebooted after being infected,” says Mr Guinet, who adds that there’s also an element of luck involved.

“This software allows to recover the prime numbers of the RSA private key that are used by Wanacry,” he explains in a post on GitHub.

“The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory. This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup.”

WannaKey won’t work on infected computers running Windows 10, Mr Guinet says, because CryptReleaseContext does clean up the memory on the platform.

“If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory.”
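The recovery idea described above can be sketched in a few lines of Python. This is an added illustration, not WannaKey's own code: the function names are hypothetical, the "memory" is a constructed buffer, the key is a toy one built from two 128-bit primes, and the primes are assumed to sit in memory as little-endian integers.

```python
# Added illustration; not WannaKey's source. All names are hypothetical.

def find_prime_in_memory(dump: bytes, modulus: int, prime_len: int):
    """Return (p, q, offset) if a prime_len-byte window of dump divides
    modulus, else None. Assumes primes are stored little-endian."""
    for off in range(len(dump) - prime_len + 1):
        window = dump[off:off + prime_len]
        # An RSA prime is odd; little-endian keeps the low bit in byte 0.
        if not window[0] & 1:
            continue
        cand = int.from_bytes(window, "little")
        # A non-trivial divisor of the public modulus is one of the primes.
        if 1 < cand < modulus and modulus % cand == 0:
            return cand, modulus // cand, off
    return None


def make_dump(region: bytes, pad: int = 4096) -> bytes:
    """Constructed 'process memory': patterned filler around one region."""
    filler = bytes(i % 251 for i in range(pad))
    return filler + region + filler


# Constructed toy key: two 128-bit primes standing in for the real ones.
P = 2**127 - 1
Q = 2**128 - 159
N = P * Q            # public modulus, available from the public key
PRIME_LEN = 16       # bytes per prime for this toy key


def demo():
    # Memory freed but not overwritten: the prime is still there to find.
    live = find_prime_in_memory(
        make_dump(P.to_bytes(PRIME_LEN, "little")), N, PRIME_LEN)
    # Memory zeroed on release, or reused since: nothing left to recover.
    wiped = find_prime_in_memory(make_dump(bytes(PRIME_LEN)), N, PRIME_LEN)
    return live, wiped


if __name__ == "__main__":
    print(demo())
```

The second case in `demo()` is why a reboot, reallocated memory or a platform that wipes the key on release leaves nothing to recover.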

In an exchange on Twitter, Matthieu Suiche, another security researcher, said he also used the tool but it didn’t work for him. Still, Mr Guinet’s work provides some hope.

WannaCry is demanding a payment of $300-$600 from victims, but security researchers have warned users not to pay the ransom.
