French researchers find cure to unlock files encrypted in global ransomware attack

Remigio Civitarese
May 19, 2017

Guinet, a security researcher at Paris-based Quarkslab, published the basic technique for decrypting WannaCry files on Thursday, which Delpy then figured out how to turn into a practical tool to salvage files. He links to a tool called Wannakey built by Guinet, the creator of the original concept. The other, ill-advised method is to pay the WannaCry attackers $300 in bitcoin.

"This software allows to recover the prime numbers of the RSA private key that are used by Wanacry".

WannaCry - also known as WannaCrypt and Wanna Decryptor - caused headaches for system administrators the world over this past weekend when it exploited a vulnerability in all Windows operating systems bar a fully up-to-date Windows 10 to infect hundreds of thousands of machines and encrypt their files. In Windows XP the prime numbers are not deleted from the computer's memory at the end of the process, although they can be overwritten. They are erased from memory when the machine is rebooted, however. Wannakey, Wanafork and Wanadecrypt are all available to download from GitHub.

"If you are lucky, that is the associated memory hasn't been reallocated and erased, these prime numbers might still be in memory. That's what this software tries to achieve", wrote Guinet.
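The recovery idea in the two Guinet quotes above, as an added sketch that is not Wannakey's code or anything from the original article: scan a memory snapshot for a value that divides the RSA modulus N, then rebuild the private exponent from it. It assumes N is known from the public key and that primes sit in memory as little-endian integers; all names and sample values are constructed, and the toy key uses 8-byte primes.

```python
# Added illustration, not Wannakey's code. All names and sample values are constructed.

def find_prime_factor(memory: bytes, modulus: int, prime_len: int):
    """Return (offset, p) for the first prime_len-byte little-endian value
    in the snapshot that divides the modulus, or None if none survives."""
    for off in range(len(memory) - prime_len + 1):
        window = memory[off:off + prime_len]
        # Cheap filter before the big-integer division: a prime factor is odd
        # and, at full length, has a non-zero most significant byte.
        if not (window[0] & 1) or window[-1] == 0:
            continue
        cand = int.from_bytes(window, "little")
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None

def rebuild_private_exponent(p: int, modulus: int, e: int = 65537) -> int:
    """With one prime known, the other is N // p and d = e^-1 mod phi(N)."""
    q = modulus // p
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed toy key: two well-known primes that fit in 8 bytes each.
P = 2**61 - 1
Q = 2**64 - 59
N = P * Q
PRIME_LEN = 8

# Constructed "process memory": deterministic filler with P left behind at offset 120.
FILLER = bytes((i * 73 + 11) % 256 for i in range(300))
SNAPSHOT_INTACT = FILLER[:120] + P.to_bytes(PRIME_LEN, "little") + FILLER[120:]
# Same region after the memory was reused: the prime has been overwritten.
SNAPSHOT_REUSED = FILLER[:120] + bytes(PRIME_LEN) + FILLER[120:]

if __name__ == "__main__":
    hit = find_prime_factor(SNAPSHOT_INTACT, N, PRIME_LEN)
    print("intact snapshot:", hit)
    if hit:
        d = rebuild_private_exponent(hit[1], N)
        c = pow(0x1234, 65537, N)
        print("round trip ok:", pow(c, d, N) == 0x1234)
    print("reused snapshot:", find_prime_factor(SNAPSHOT_REUSED, N, PRIME_LEN))
```

The second snapshot shows why a reboot or continued use of the machine defeats recovery: once the bytes holding the prime are gone, no candidate divides N and the scan returns nothing.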

A developer has released a tool to fight the WannaCry ransomware, which started affecting PCs worldwide last Friday and has helped hackers gain control over 300,000 systems.

So WannaCrypt can lock up Windows XP files, but XP PCs were not vulnerable to the NSA's worm-like spreading mechanism, which exploited a flaw in Microsoft's network file-sharing protocol, SMB.

As security researcher Kevin Beaumont pointed out, the NSA's EternalBlue exploit that WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network.

However, the worm component did work fine against Windows 7 and Windows Server 2008 R2.

According to Beaumont, infections on these versions of Windows caused the greatest problems at the NHS.
