A security researcher developed a tool called wanadecrypt to restore encrypted files from Windows XP PCs infected by the WannaCry ransomware.
The WannaCry ransomware made the headlines with the massive attack that hit systems worldwide during the weekend.
The malicious code infected more than 200,000 computers across 150 countries in a matter of hours, it leverages the Windows SMB exploit Eternal Blue to compromise unpatched OS or computers running unsupported versions of Windows OS.
Microsoft took the unprecedented decision to issue security patches for Windows 2003 server and XP in order to protect its customers.
Now there is a good news for the owners of some computers running Windows XP that was infected by the WannaCry ransomware, they may be able to decrypt their data without paying the ransom ($300 to $600).
The Quarkslab researcher, Adrien Guinet, has published a software, called Wanadecrypt, he used to recover the decryption key required to restore the files on an infected XP computer. The expert successfully tested the Wanadecrypt software on a small number of infected XP computers, but it is not clear if the technique works on every PC.
Experts downplayed the discovery because Windows XP computers weren’t affected by the massive WannaCry attack. Still, but the Guinet’s method could be helpful to XP users hit in other attacks.
“This software has only been tested and known to work under Windows XP,” he wrote in a readme note issued with the software. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”
Another popular expert, Matt Suiche, reported he was not able to use the WannaKey tool.
The WannaCry ransomware uses the Microsoft Cryptographic Application Program Interface included with Windows to implements most of its encryption features.
Once created the key, the interface erases the key on most versions of Windows, but experts discovered that a limitation on Windows XP OS can prevent this operation.
This implies that the prime numbers used in the WannaCry Key generation may remain in the memory of the machine until it is powered down allowing Wanadecrypt to extract it from the infected XP.
“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” Guinet wrote.
Anyone who has been infected by WannaCry should avoid restarting their XP computers to try to decrypt the files, the researcher is now working to extend the results of his discovery to other OSs.