WannaCry decryptor wanakiwi has been found!

In Short

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP, because the prime numbers may be overwritten in memory after a while.


Frequently Asked Questions

Here.

Usage

You just need to download the tool and run it on the infected machine. Default settings should work.

Usage: wanakiwi.exe [PID]. PID (Process Id) is an optional parameter. By default, wanakiwi automatically looks for wnry.exe or wcry.exe processes, so this parameter should not be required. But in case the main process has a different name, this parameter can be used as an input parameter.

Don’t cry yet.

UPDATE: Actually, wanakiwi from Benjamin Delpy (gentilkiwi) works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2. See the demos in the GIFs below.

Wannakey

Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious: it does not look for the actual key but for the prime numbers in memory, and recomputes the key itself from them. In short, his technique is totally badass and super smart.

Unfortunately, this only works on Windows XP, as those values are cleaned during CryptReleaseContext in later versions of Windows.

UPDATE: Forget the above statement; this has been successfully tested with wanakiwi up to Windows 7.

As Adrien stated in his README, this is not a mistake by the malware authors but an issue with Windows XP: the authors themselves make sure to release the user key as soon as they are done with it, and that key never touches the disk unless encrypted with the attacker's public key.



gentilkiwi) on Windows XP, as the Windows Crypt APIs on Windows XP expect a very strict input in order to work, unlike Windows 10. This is the reason why my initial tests with the key output by wannakey failed.

Moreover, the output file format was not compatible with the WannaCry ransomware either, unlike wanakiwi from gentilkiwi, as we can see in the demo below.


Wanakiwi

wanakiwi.exe will automatically look for the 00000000.pky file. Cross your fingers that your prime numbers haven't been overwritten in the process address space.
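The recovery idea that wannakey and wanakiwi rely on (read the modulus from the public key file, scan process memory for a prime that divides it, recompute the private key, and write it back in the format the ransomware expects) is small enough to show end to end. The block below is an added illustration written for this page, not code from wannakey or wanakiwi, and it makes assumptions: a 512-bit toy key instead of the real one, a constructed byte buffer in place of a process memory dump, and the CryptoAPI PUBLICKEYBLOB and PRIVATEKEYBLOB layouts assumed for the 00000000.pky and .dky files.

```python
# Added example (not wannakey/wanakiwi code): recover an RSA prime from a
# memory image and rebuild the private key.  Toy key size, constructed memory.
import random
import struct

E = 65537  # public exponent used by CryptoAPI RSA keys


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, sufficient for a toy key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(c) and (c - 1) % E:  # keep E invertible mod p-1
            return c


def make_keypair(bits=512):
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p, q, p * q


def public_key_blob(n, bits, e=E):
    """CryptoAPI PUBLICKEYBLOB (assumed layout of 00000000.pky): header + 'RSA1' + LE modulus."""
    hdr = struct.pack('<BBHI', 0x06, 0x02, 0, 0x0000A400)  # type, version, reserved, CALG_RSA_KEYX
    return hdr + struct.pack('<III', 0x31415352, bits, e) + n.to_bytes(bits // 8, 'little')


def parse_public_key_blob(blob):
    btype, _ver, _res, _alg = struct.unpack_from('<BBHI', blob, 0)
    magic, bits, e = struct.unpack_from('<III', blob, 8)
    if btype != 0x06 or magic != 0x31415352:
        raise ValueError('not an RSA PUBLICKEYBLOB')
    return int.from_bytes(blob[20:20 + bits // 8], 'little'), e, bits


def private_key_blob(key, bits):
    """CryptoAPI PRIVATEKEYBLOB ('RSA2'), assumed here for the .dky file: n, P, Q, dP, dQ, Iq, D, all LE."""
    h = bits // 16
    body = b''.join(v.to_bytes(size, 'little') for v, size in (
        (key['n'], bits // 8), (key['p'], h), (key['q'], h), (key['dp'], h),
        (key['dq'], h), (key['iqmp'], h), (key['d'], bits // 8)))
    hdr = struct.pack('<BBHI', 0x07, 0x02, 0, 0x0000A400) + struct.pack('<III', 0x32415352, bits, key['e'])
    return hdr + body


def build_memory_image(prime, bits, size=8192, offset=3000, seed=1):
    """Constructed stand-in for the process address space: random filler with the
    prime stored little-endian (as CryptoAPI key blobs store bignums) at a known offset."""
    rnd = random.Random(seed)
    mem = bytearray(rnd.getrandbits(8) for _ in range(size))
    plen = bits // 16  # each prime is half the modulus length
    mem[offset:offset + plen] = prime.to_bytes(plen, 'little')
    return bytes(mem)


def find_prime_factor(mem, n, bits):
    """Slide a prime-sized window over memory: a full-length odd value that divides
    the modulus can only be one of the two RSA primes. Returns (offset, prime) or None."""
    plen = bits // 16
    for off in range(len(mem) - plen + 1):
        if not mem[off] & 1:  # little-endian: low byte first, and RSA primes are odd
            continue
        cand = int.from_bytes(mem[off:off + plen], 'little')
        if cand.bit_length() == plen * 8 and n % cand == 0:  # assumes top bit set, as CryptoAPI does
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """One prime is enough: q = n / p, then d and the CRT parameters follow."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return {'n': n, 'e': e, 'p': p, 'q': q, 'd': d,
            'dp': d % (p - 1), 'dq': d % (q - 1), 'iqmp': pow(q, -1, p)}


def demo(bits=512, seed=7):
    """End to end: .pky -> modulus, scan memory for a factor, rebuild the key, verify it."""
    random.seed(seed)
    p, q, n = make_keypair(bits)
    n2, e, bits2 = parse_public_key_blob(public_key_blob(n, bits))
    hit = find_prime_factor(build_memory_image(p, bits), n2, bits2)
    if hit is None:
        return False  # primes already overwritten: nothing left to recover
    key = rebuild_private_key(n2, e, hit[1])
    m = 0xC0FFEE
    return {key['p'], key['q']} == {p, q} and pow(pow(m, e, n2), key['d'], n2) == m
```

Run demo() to see the whole chain succeed on the constructed image; the failure branch is the situation the warning at the top of the page describes, where the primes have been reused or the machine rebooted and the scan finds nothing. Against a real process the scan would walk the readable regions of the target's address space instead of a byte buffer, and the window length would be half the modulus length read from the .pky file.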

After doing some tests and discussing with Benjamin, we acknowledged the need for a complete end-to-end utility.

Then Benjamin started to write his own version using OpenSSL, based on Adrien's methodology for retrieving the key from memory, on the common research material on the decryption that we had accumulated over the week on the internals of the malware when we both reversed WannaCry, and on our notes that enable a fix for the file format issues, in order to build a version 100% compatible with Windows versions from Windows XP to Windows 7.

After troubleshooting the tool together we got a working version across multiple Windows versions.

Amazing job from Benjamin; it was a lot of fun to collaborate on this with him.

(see below for full working demos!)

Wanakiwi also recreates the .dky file that the ransomware expects to receive from the attackers, which makes it compatible with the ransomware itself too. This also prevents WannaCry from encrypting further files.


What’s next ?

As explained above, this method relies on finding the prime numbers in memory, which only works if that memory hasn't been reused: after a certain period of time memory may get reused and those prime numbers may be erased. It also means the infected machine must not have been rebooted.

Also, this tool so far only works on Windows XP, due to a flaw present in the CryptReleaseContext implementation. This is a great step forward.

UPDATE: Forget the above statement! This works from Windows XP to Windows 7 and, as you can see in the screenshots above, it has been tested!

Today (19 May) marks the 7th infection day (it started on the 12th), which means that many users could potentially lose their files forever from today, as stated in the initial infection window.

The clock is currently ticking for many users around the world.

The infection wave is far from over: we noticed an important and abnormal spike of activity on our kill-switch from Malaysia during the night (3 AM to 5 AM GST) that accounted for almost half of the total 10K machines we prevented from infection over the past 24 hours.