WannaCry Development Errors Enable File Recovery

Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins.

WannaCry may have caused worldwide havoc on May 12 when it rode the coattails of the NSA’s weaponized EternalBlue exploit to infect computers in 150 countries, but that doesn’t mean it was a quality piece of ransomware.

A number of programming errors in the code are floating to the surface and researchers are saying that file recovery without decryption keys is within reach of sysadmins.

Kaspersky Lab today disclosed a number of issues within WannaCry that can be leveraged to recover files that were encrypted by the malware. To date, 200,000 computers have been hit by WannaCry, whose spread was shut down after the discovery of a killswitch in the code, the first hint that the authors of this code may not have been topnotch.

“Experienced ransomware authors do not make such errors,” said Anton Ivanov, senior malware analyst at Kaspersky Lab. “From our side we think that developers of WannaCry were not experienced at developing at all.”

Ivanov, along with colleagues Fedor Sinistyn and Orkhan Mamedov, today published a report on Securelist.com that describes two critical errors made by WannaCry’s developers that could allow admins to use available recovery software to restore potentially lost files.

“Our internal tests show that there is a good probability to return a lot of files,” Ivanov said. “Sysadmins just can download freeware software and run it on affected computers. There is no need to have special experience for file recovery.”

One weakness in the malware involves errors in the programming logic responsible for removing files from the victim’s hard drive. As WannaCry encrypts files on the local hard drive, it tacks on the .WNCRYT extension to the original file. Those files are then encrypted and the .WNCRY extension is appended, and the original is deleted. If files are originally located in the victim’s Desktop or Documents folder, the original file is overwritten with data before removed, and it’s impossible to recover, the researchers said.

However, they said, if files are stored elsewhere on the local drive, they are not overwritten, but are simply deleted and there is a chance the could be restored with recovery software, the researchers wrote.

The researchers also said that the ransomware creates a $RECYCLE folder that is configured to be invisible in Windows File Explorer; original files are meant to be moved here after encryption.

“However, because of synchronization errors in the ransomware code in many cases the original files stay in the same directory and are not moved into $RECYCLE,” they wrote. “The original files are deleted in an unsecure way. This fact makes it possible to restore the deleted files using data recovery software.”

WannaCry’s read-only file processing also has a bug in it that also facilitates file recovery.

“If there are such files on the infected machine, then the ransomware won’t encrypt them at all,” the researchers wrote. “It will only create an encrypted copy of each original file, while the original files themselves only get the ‘hidden’ attribute. When this happens, it is simple to find them and restore their normal attributes.”

Researchers have been struggling to build decryptors for files encrypted by WannaCry. Adrien Guinet of QuarksLab built and released a tool called WannaKey that can recover a prime number from memory used to factor the RSA public key locally stored by the malware. That public key can be used to rebuild the private key used to encrypt files, Guinet said, adding that he’d had success in doing so using a tool called WanaDecrypt built by Benjamin Delpy. Delpy also built another decryptor called Wanakiwi that works on Windows XP and Windows 7 machines, he said.

Ivanov, however, said that Kaspersky Lab could not successfully decrypt files in its tests using these tools.

“The only thing that they have done well in WannaCry is the cryptography part of the malware,” Ivanov said. “But it is not a rocket science; this encryption scheme is used in another popular ransomware families.”

Suggested articles