Windows XP wasn’t vulnerable to the WannaCry worm but still could be infected with the ransomware. Now there’s a tool to decrypt Windows XP machines attacked by WannaCry.
French security researcher Adrien Guinet has figured out a way to decrypt files locked by the infamous WannaCry ransomware.
Guinet has published a free tool, dubbed Wannakey, that retrieves the private RSA key used by WannaCry, aka WCry or WannaCrypt, to encrypt files. The other, ill-advised method is to pay the WannaCry attackers $300 in bitcoin.
There are several caveats, though. It only works on Windows XP, and only if the machine has not been rebooted since the infection. The tool searches the memory of wcry.exe, the process responsible for generating WannaCry’s private key, for the prime numbers that make up that key; they remain in memory until a reboot occurs.
As Guinet explains on the Wannakey GitHub page, WannaCry’s authors used the Windows Crypto application programming interface (API) properly. However, Microsoft designed the API’s functions CryptDestroyKey and CryptReleaseContext so as “not to erase the prime numbers from memory before freeing the associated memory”.
The recovery technique doesn’t work on Windows 10, because that version does erase the memory; Windows XP does not.
“If you are lucky, that is the associated memory hasn’t been reallocated and erased, these prime numbers might still be in memory. That’s what this software tries to achieve,” wrote Guinet.
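The idea behind the recovery, as an added illustration that is not Wannakey’s own code: with the public modulus n known from the victim’s key file, scan the process image for a value that divides n, then rebuild the private exponent from that prime. The primes, the “memory” buffer, the 16-byte candidate width and little-endian byte order are all constructed assumptions for the demo.

```python
"""Recover an RSA private key from a memory image that still holds one prime.

Constructed illustration of the Wannakey idea: CryptoAPI on Windows XP leaves
the primes of a generated RSA key in freed heap memory, so a scan of the
process image for a value dividing the public modulus n recovers the key.
The primes, buffer and byte order below are assumptions for this demo only.
"""
import random

E = 65537
# Constructed demo primes (Mersenne primes, so no key-generation code needed).
P = 2**127 - 1      # 16 bytes little-endian
Q = 2**521 - 1      # 66 bytes
N = P * Q           # public modulus; a real victim has this in the public key file


def find_prime_in_memory(n, image, prime_len):
    """Slide a prime_len-byte window over image (little-endian, as CryptoAPI
    key blobs store numbers) and return the first value that divides n."""
    for off in range(len(image) - prime_len + 1):
        cand = int.from_bytes(image[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:      # only p, q divide n = p*q
            return cand
    return None


def private_key_from_prime(n, e, p):
    """Rebuild the private exponent d once a single prime is known."""
    q, r = divmod(n, p)
    assert r == 0, "candidate does not divide n"
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)          # modular inverse (Python 3.8+)


def build_demo_image(seed=7):
    """Constructed 'process memory': random bytes with P embedded little-endian."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(400))
    return junk[:150] + P.to_bytes(16, "little") + junk[150:]


def recover(image=None):
    """Scan, rebuild d, and confirm with an encrypt/decrypt round trip."""
    image = build_demo_image() if image is None else image
    p = find_prime_in_memory(N, image, 16)
    if p is None:
        return None                 # prime already overwritten: unlucky case
    d = private_key_from_prime(N, E, p)
    msg = 0xDEADBEEF
    return pow(pow(msg, E, N), d, N) == msg


if __name__ == "__main__":
    print("key recovered, round trip OK" if recover() else "prime not found")
```

A real scan has to try the candidate width implied by the modulus size and cope with the prime bytes being partially overwritten, which is the “if you are lucky” part of Guinet’s note.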
The tool may be helpful for XP users infected with WannaCry, but a similar tool for Windows 7 is likely to have a bigger impact at sites such as the UK NHS hospitals that were hit hard by the recent ransomware attack.
As security researcher Kevin Beaumont pointed out, the NSA’s Eternal Blue exploit that WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network.
So WannaCrypt can lock up Windows XP files, but XP PCs were not vulnerable to the NSA’s worm-like spreading mechanism, which exploited a flaw in Microsoft’s network file-sharing protocol, SMB.
However, the worm component did work fine against Windows 7 and Windows Server 2008 R2.
According to Beaumont, infections on these versions of Windows caused the greatest problems at the NHS. Although 90 percent of NHS organizations still have Windows XP on some machines, only five percent of all NHS machines run Windows XP.