Tools are beginning to emerge that can be used to start the process of recovering files encrypted by WannaCry on some Windows systems.

This takes on extra urgency because today marks one week from the initial outbreak, and files encrypted during that first wave are on the clock and close to being lost forever.

Adrien Guinet, of Quarkslab, yesterday released a tool to the public called Wannakey that tries to recover one prime number from memory used to factor the RSA public key stored by the malware on the local drive. Once the public key is retrieved, it can be used to rebuild the private key and eventually, with a decryptor, recover encrypted files.

Guinet said that once he’d recovered the private key, he had some luck decrypting files from an infected XP machine using Benjamin Delpy’s WanaDecrypt tool.

“I actually tried the Wanadecrypt tool. It works pretty well once you’ve got the private RSA key,” Guinet told Threatpost. It should be noted as well that these tools put victims on the road to recovering only from the WannaCry ransomware, and that the exploit used last week to spread the malware requires the MS17-010 patch from Microsoft. WannaCry may be spread by a number of different means aside from the EternalBlue NSA exploit, including phishing emails and exploit kits.

Wannakey has limitations: it was only able to work on Windows XP machines, since the prime numbers are overwritten in memory on later versions of the Microsoft OS.

Delpy overcame those limitations with his Wanakiwi tool, which works on Windows XP and Windows 7 machines; the implication, researcher Matt Suiche said, is that it would work on all Windows versions including Windows Server 2003, Windows Vista, Windows 8 and Windows Server 8 R2.

The available tools try to recover the prime numbers of WannaCry’s RSA private key by searching for them in the wcry executable dropped by the ransomware. Guinet said this is the process that generates the RSA private key. Whether the prime numbers are still available, he said, comes down to the CryptReleaseContext function of the Windows Crypto API: in later versions of Windows it overwrites memory, wiping out the prime numbers, but in XP, Guinet said, the function does not clean up memory.

Guinet admitted there is a bit of good fortune involved in recovering the prime numbers, first and foremost that the associated memory has not been erased and that they’re still in memory.
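The recovery step the article describes, as an added Python sketch that is not Wannakey, Wanakiwi or any Quarkslab code: scan a simulated memory buffer for a little-endian integer that divides the public modulus, then rebuild the private exponent from the recovered prime. The primes, the filler bytes and the "wiped" buffer are constructed, and the little-endian layout is an assumption mirroring how CryptoAPI key blobs store big integers.

```python
"""Rebuild an RSA private key from one prime found in a memory dump (added
example, not Wannakey/Wanakiwi code). p, q are known Mersenne primes and the
"dump" is deterministic filler with p embedded little-endian."""
from math import gcd
from typing import Optional, Tuple

def find_prime_factor(dump: bytes, n: int, min_len: int = 4) -> Optional[int]:
    """Slide windows of every plausible byte length over the dump and return
    the first little-endian integer that is a nontrivial factor of n."""
    max_len = (n.bit_length() + 7) // 8          # a factor is never longer than n
    for length in range(min_len, max_len + 1):
        for off in range(len(dump) - length + 1):
            cand = int.from_bytes(dump[off:off + length], "little")
            if 1 < cand < n and n % cand == 0:   # divisibility is the whole test
                return cand
    return None

def rebuild_private_key(n: int, e: int, p: int) -> Tuple[int, int, int]:
    """From the public key (n, e) and one prime p, derive q and the exponent d."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi), p, q                 # modular inverse, Python 3.8+

def roundtrip(n: int, e: int, d: int, m: int) -> bool:
    """Sanity check: encrypt with (n, e), decrypt with d, expect m back."""
    return pow(pow(m, e, n), d, n) == m

P = 2**61 - 1                                    # Mersenne prime M61 (constructed key)
Q = 2**89 - 1                                    # Mersenne prime M89
E = 65537
N = P * Q
FILLER = bytes((i * 37 + 11) % 256 for i in range(64))   # constructed noise
DUMP_WITH_PRIME = FILLER + P.to_bytes(8, "little") + FILLER
DUMP_WIPED = FILLER + bytes(8) + FILLER          # same region zeroed after cleanup

def recover(dump: bytes, n: int = N, e: int = E) -> Optional[int]:
    """Whole flow: scan the dump, then rebuild d. None if no prime survives."""
    p = find_prime_factor(dump, n)
    return None if p is None else rebuild_private_key(n, e, p)[0]

if __name__ == "__main__":
    d = recover(DUMP_WITH_PRIME)
    print("prime found:", d is not None, "| decrypts:", roundtrip(N, E, d, 42))
    print("wiped dump yields:", recover(DUMP_WIPED))
```

The zeroed buffer models the later-Windows case where the Crypto API has cleaned up: the same scan finds nothing, which is why the tools depend on the memory not having been overwritten.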

“His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself,” Suiche said of Wannakey. “In short, his technique is totally bad ass and super smart.”

Suiche stresses that victims should not reboot their infected machines if they haven’t already. Suiche, who did a breakdown of the crypto implementation of WannaCry during a webinar with Kaspersky Lab this week, said today that the killswitch domain he registered is still recording infection attempts, including a spike of almost 5,000 last night from Malaysia.

In the meantime, Guinet said that the WannaCry authors properly use the Windows Crypto API, and that the fact the prime numbers are recoverable is more on Microsoft than an implementation error.

“I think the overall cryptographic scheme is good. It could have been done differently, but it works in theory,” Guinet said. “When you look at the part of the codes that handle cryptography, care has been taken so that what we are trying to do does not actually work. The ‘issue’ is that the MS Crypto API does not clean up memory, and there’s not much the authors could have done against that, apart from using another cryptographic library that takes care of these issues. So, IMHO, on the cryptographic part, they made a decent job.”

Categories: Malware
