Threat Management, Malware, Ransomware

Victory Cry? Decryptors solve WannaCry, but only under key conditions

French security researchers have released a pair of decryption tools for WanaCrypt0r ransomware that can salvage infected victims' files under specific circumstances.

One decryptor, called Wannakey, has been confirmed to work on Windows XP, 7, 2003, Vista and Windows Server 2008, while the other tool, called Wanakiwi, has been confirmed to work on those same platforms plus Windows Server 2008 R2. (Early reports that Wannakey is only effective on Windows XP apparently were mistaken.)

Researcher Adrien Guinet at Quarkslab created Wannakey, after which security expert Benjamin Delpy authored Wanakiwi, an OpenSSL-based end-to-end utility that incorporates Wannakey's methodology. Delpy, who earlier had released another decryption tool called Wanadecrypt, received assistance from Comae Technologies founder Matthieu Suiche, who verified the efficacy of Wannakey and Wanakiwi. Both are available for download via GitHub.

According to Guinet on his GitHub page and Suiche in a Friday blog post, Wannakey and Wanakiwi work not by searching for the user's key itself, but by probing the infected computer's memory for the prime numbers that the ransomware process, wcry.exe, leaves behind after generating its RSA private key. Because the matching public key, and therefore the modulus, is still on the infected machine, recovering one of those primes is enough to reconstruct the private key.

"It seems that there are no clean and cross-platform ways under Windows to clean this memory," wrote Guinet, specifically referring to the versions of Windows that are compatible with his tool. "If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory. That's what this software tries to achieve."

Unfortunately, rebooting the machine renders the decryption tools useless, since they depend on the memory of the still-running process. Likewise, too much post-infection activity on the infected computer will overwrite that memory and effectively sabotage the tools.
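To make the mechanism concrete, the following is an added illustration written for this article, not the code of Wannakey or Wanakiwi. It fabricates a small "process memory" buffer with one RSA prime still lying in it, scans the buffer for a value that is both prime and a factor of the public modulus, rebuilds the private exponent from it, and then shows the failure mode above: once the slot holding the prime has been overwritten, nothing is recoverable. The primes, the buffer contents, the 8-byte width and the little-endian layout (the way the Windows CryptoAPI stores key material) are all assumptions chosen so the example runs instantly; real WannaCry keys are 2048-bit.

```python
"""Toy re-creation of the idea behind Wannakey/Wanakiwi: find RSA primes that a
key-generation routine left in process memory, then rebuild the private key.

Constructed example for illustration only, not the tools' own code. The
"memory dump" is a fabricated byte buffer, the primes are small publicly known
primes, and CryptoAPI-style little-endian storage of key material is assumed.
"""
import random

E = 65537                       # public exponent
P = 2**61 - 1                   # Mersenne prime M61, stands in for the first RSA prime
Q = 2**64 - 59                  # largest prime below 2**64, stands in for the second
N = P * Q                       # public modulus: the part the victim still has
PRIME_BYTES = 8                 # each prime is half the width of the 16-byte modulus

_RNG = random.Random(0)         # seeded so Miller-Rabin bases are reproducible


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def build_fake_dump(prime, offset, size=4096, wiped=False, seed=1234):
    """Fabricate a memory region of random bytes with `prime` at `offset`.

    wiped=True zeroes the slot instead, standing in for memory that has been
    reallocated and overwritten, or lost entirely to a reboot.
    """
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    slot = bytes(PRIME_BYTES) if wiped else prime.to_bytes(PRIME_BYTES, "little")
    buf[offset:offset + PRIME_BYTES] = slot
    return bytes(buf)


def scan_for_prime(dump, modulus, width=PRIME_BYTES):
    """Slide a `width`-byte window over the dump; return (prime, offset) for the
    first window that is prime and divides the public modulus, else None."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if cand > 1 and modulus % cand == 0 and is_probable_prime(cand):
            return cand, off
    return None


def rebuild_private_key(prime, modulus, e=E):
    """One prime plus the public modulus yields the other prime and hence d."""
    other = modulus // prime
    phi = (prime - 1) * (other - 1)
    return pow(e, -1, phi)        # modular inverse (Python 3.8+)


def recover_and_decrypt(dump, modulus, ciphertext):
    """Scan, rebuild, decrypt. Returns None when no prime survived in memory."""
    hit = scan_for_prime(dump, modulus)
    if hit is None:
        return None
    d = rebuild_private_key(hit[0], modulus)
    return pow(ciphertext, d, modulus)


if __name__ == "__main__":
    file_key = 0x0123456789abcdef0123456789abcdef   # stand-in for a per-file key
    ct = pow(file_key, E, N)                        # RSA-wrapped key stored with the file
    print("live memory :", hex(recover_and_decrypt(build_fake_dump(P, 1000), N, ct) or 0))
    print("wiped memory:", recover_and_decrypt(build_fake_dump(P, 1000, wiped=True), N, ct))
```

The divisibility check is what turns a random-looking 8-byte window into a confirmed hit: among the 2^64 possible values only the two true primes divide N, so false positives are not a practical concern, and the primality test only confirms the find. The second print shows why the tools are sensitive to post-infection activity: with the slot zeroed, the scan comes back empty and there is nothing to rebuild.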

In its own blog post addressing the decryptors, Malwarebytes anticipates that an attacker will likely modify WannaCry at some point so that its keys are fully scrubbed from memory, or so that it forces a reboot that erases active memory. Until that time, however, the cybersecurity firm recommends that users infected with WannaCry try using Wanakiwi to resolve the issue "if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the [applicable] operating systems..."

"...Running the tool is not going to break anything that isn't already broken so it's worth a shot just to see if you can get those files back," the Malwarebytes blog post continues.

In another positive development on Monday, ESET reported in a blog post that it has developed its own free decryptor for the latest variants of Crysis ransomware, after an unknown party leaked 200 master keys for the variants that append the extensions .wallet or .onion to encrypted files.

According to ESET, the keys were published by a new member of a BleepingComputer forum. "This has become a habit of the Crysis operators lately – with this being the third time keys were released in this manner," the blog post reads. ESET previously released a Crysis decryptor in November 2016.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
