Security researchers figured out how the WannaCry ransomware infection spread across the world and developed a decryptor that could save affected files. How does this ransomware decryptor work? Could something like the WannaCry decryptor work on other ransomware strains?
The WannaCry ransomware caused a panic in the security industry, and researchers Benjamin Deply, Adrien Guinet and Matt Suiche created a decryptor that might be able to retrieve encrypted files being held ransom by WannaCry.
The WannaCry decryptor tools work on the majority of Windows systems affected by the ransomware; this includes Windows XP, Windows 7, Windows 2003 and Windows 2008 systems. The caveat is that the WannaCry decryptor tool requires the infected system to still have, in memory, the associated prime numbers that were used by the malware to create the RSA key pairs to encrypt the data.
The two tools that can be used to decrypt WannaCry files are WannaKey and WanaKiwi. The WanaKiwi tool took the ideas of the WannaKey decryptor and added documentation and an easier method of deployment.
When WannaCry -- or any ransomware -- infects a system, it removes the private key from the system and leaves the users with encrypted files that only the malware authors can decrypt with the private key.
These WannaCry decryptor tools work by taking advantage of how the Windows Crypto API function CryptReleaseContext works. This function, as stated by Microsoft, does not destroy or clean up memory where the key containers or key pairs were created. This essentially means that the prime numbers used to create the keys could potentially still reside in memory.
Prime numbers are used to create the public and private keys, and since the Windows API doesn't clean memory, the decryptor tools have a chance to recreate the keys if they can find them. The WanaKiwi tool does so by searching for the prime numbers in memory within the process wcry.exe and attempting to recreate it.
The researchers who created the WannaCry decryptor tools mentioned that these tools work not because of the code in the malware, but because of how Microsoft clears memory after the Crypto functions are finished. These tools won't work in every case, and they will only be successful if they're able to determine the prime numbers within memory.
If the systems were rebooted prior to running the tool, the memory will have been cleared, and the prime numbers removed, so the tools won't be able to recover the key. It is also possible that the machine hasn't been rebooted, but that memory has been overwritten where the prime numbers were stored and they won't be retrievable.
This technique of pulling prime numbers out of memory to recreate keys to decrypt the data on the drive is a practice researchers could use in the future to create decryptors for other ransomware. This assumes the ransomware uses the same Windows Crypto function, and that the machine memory hasn't been altered. Most likely, what will happen is that all ransomware will start forcing a reboot of a system to clear the memory and to stop these decryptor tools from using the Windows Crypto function to access the left over prime numbers.
It's a constant cat-and-mouse game when it comes to ransomware, and this method might be something useful for future, next-generation malware detection.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Find out what steps healthcare organizations should take post WannaCry
Discover how managed security service providers can help in the fight against ransomware
Learn how WannaCry affects enterprises' industrial control system networks