In the unending tussle with the infamous WannaCrypt ransomware attack, unsung heroes are popping up across the globe. Among them is a UK-based, 22-year-old who goes by the pseudonym MalwareTech. This individual managed to decelerate the spread of this pernicious digital menace. Following in his trailblazing footsteps is a French researcher, Adrien Guinet, who has developed an antidote of sorts, named WannaKey, aimed at helping affected Windows XP users. Guinet also took the liberty to provide detailed insight on how WannaKey operates, using open-source platform, GitHub.
WannaKey is built to recover the private RSA key that WannaCry uses to encrypt system files, and it does so by probing the memory of the wcry.exe process, the very process that generated that key. The weakness it relies on, Guinet explains, is that CryptDestroyKey and CryptReleaseContext, two Windows CryptoAPI functions the malware calls, do not erase the prime numbers from memory before the associated memory is freed.
The silver lining to the dark WannaCry cloud lies in Guinet’s aptly named WannaKey solution for Windows XP systems. These machines were the prime victims of the initial malware onslaught. Microsoft had begun releasing patches for XP users free of charge mid-way through the attack. However, a subtle sticking point is that WannaKey’s efficacy might only extend to systems that haven’t been restarted post-infection.
By locating the prime numbers behind the private key that still reside in wcry.exe (the prime mover in generating WannaCry’s private key), WannaKey is able to rebuild that key on infected systems. Because Microsoft’s CryptDestroyKey and CryptReleaseContext APIs do not wipe the prime numbers from memory before releasing it, the primes can survive in the freed buffers. This is precisely why the tool does not work on other Windows versions: those systems overwrite this memory regardless of whether the machine has been rebooted.
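To make the mechanism concrete, here is an added illustration of the key-remanence idea in Python. It is not WannaKey’s code and not Guinet’s method verbatim: the toy 64-bit RSA key, the simulated “heap” image, the offsets and the scanning window are all constructed here for the demonstration. The scan slides a prime-sized window over the image and tests each value against the public modulus; one surviving prime is enough to rebuild the whole private key, while a zero-filled image yields nothing, which is exactly the reboot and memory-reuse caveat the article describes.

```python
# Added illustration (not WannaKey's own code): an RSA private key can be
# rebuilt from one of its two primes if that prime still sits in freed but
# unwiped process memory. Key size, the fake "heap" image and all offsets
# are constructed here for demonstration.
import math
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test (rng supplies the random bases)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with the top bit set, so it is exactly `bits` long."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits=64, seed=2017):
    """Toy RSA key (64-bit primes, far too small for real use) built
    deterministically so the demonstration is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"p": p, "q": q, "n": p * q, "e": e, "d": pow(e, -1, phi)}


def prime_width(key):
    """Byte width of one prime, i.e. the window size the scanner slides."""
    return (key["p"].bit_length() + 7) // 8


def build_memory_image(key, size=4096, seed=42, wiped=False):
    """Constructed stand-in for a process heap. With wiped=False the primes are
    left behind at arbitrary offsets, as unzeroed CryptoAPI buffers would be;
    with wiped=True those buffers were zero-filled before release."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    width = prime_width(key)
    half = size // 2
    for prime, lo, hi in ((key["p"], 0, half - width), (key["q"], half, size - width)):
        off = rng.randrange(lo, hi)
        image[off:off + width] = b"\x00" * width if wiped else prime.to_bytes(width, "little")
    return bytes(image)


def recover_private_key(image, n, e, width):
    """Slide a width-byte window over the image; any value that divides n must
    be one of the primes, and the full private exponent follows from it.
    Returns None when nothing in the image divides n (memory already reused)."""
    for off in range(len(image) - width + 1):
        cand = int.from_bytes(image[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return {"p": p, "q": q, "d": pow(e, -1, (p - 1) * (q - 1)), "offset": off}
    return None


def decrypts_correctly(key, recovered, message=0xC0FFEE):
    """Confirm the rebuilt exponent inverts encryption under the public key."""
    c = pow(message, key["e"], key["n"])
    return pow(c, recovered["d"], key["n"]) == message


if __name__ == "__main__":
    key = make_keypair()
    w = prime_width(key)
    found = recover_private_key(build_memory_image(key), key["n"], key["e"], w)
    print("unwiped image:", "key rebuilt" if found and decrypts_correctly(key, found) else "nothing found")
    gone = recover_private_key(build_memory_image(key, wiped=True), key["n"], key["e"], w)
    print("wiped image:", "key rebuilt" if gone else "nothing found")
```

The defensive lesson is the one the article hints at: key material must be zeroized before its buffer is released, because a freed-but-intact buffer is as good as the key itself to anyone who can read the process. The same scan that rescues a victim here is why a real RSA implementation erases p, q and d the moment it no longer needs them.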
Despite Microsoft’s push for enterprise and consumer customers to transition to its latest variations, some steadfastly believe Windows XP still reigns supreme in the realm of security. This may just bring a fleeting smile to their impassive faces, albeit a vindicating one.
Guinet further explains WannaKey’s magic: “If fortune is on your side and the associated memory hasn’t been reallocated and cleared, these prime numbers may indeed linger in the system memory. This is essentially what my software endeavors to exploit.”
To all Windows XP enthusiasts: If your machine hasn’t been rebooted since the onset of WannaCry, fear not. Fire up WannaKey and hopefully retrieve your precious data. Alternatively, you have the option of parting ways with a hefty $300 ransom—a course of action we strongly advise against.
The fog of war is clearing. Guinet is in the lab, donning his digital armor, dedicating his time and resources to make WannaKey more palatable for the average user.