The WannaCrypt ransomware attack is still ongoing – sort of and since then some silent heroes have emerged including the 22 year old UK based MalwareTech person (identity undisclosed) who was able to slow down the spread of the malware but now it looks like we have another one from France. Adrien Guinet has developed what he called WannaKey and has since published how it works on GitHub.
WannaKey tries to recover the private RSA key used by WannaCry to encrypt system files and as he puts it. Guinet says WannaKey “does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.”
But this only works for Windows XP machines we talked about earlier that were actually the worst hit in the attacks. Microsoft started issuing the patches to XP users for free during the attacks after it had previously asked businesses to pay $1,000 for support. The other caveat is that WannaCry might only be effective if the machine hasn’t been rebooted after the malware infection. So that’s it, Windows XP that’s has not been rebooted since it was attacked.
WannaKey searches for prime numbers of the private key in wcry.exe (the process for generating WannaCry’s private key which is needed to lock out a user) which remains in the memory unless you reboot of course because you see, Microsoft designed its APIs using the “CryptDestroyKey and CryptReleaseContext which does not erase the prime numbers from memory before freeing the associated memory.” This is the reason the patch doesn’t work for other Windows models because this memory is erased whether your reboot or not and this will definitely make someone who believes Windows XP is still the most secure in the Windows family happy even though Microsoft encourages business and individual users alike to switch to its newest/newer models to ensure security of their files.
Guinet adds that “If you are lucky, that is the associated memory hasn’t been reallocated and erased, these prime numbers might still be in memory. That’s what this software tries to achieve.”
There you for Windows XP users, try it out if you haven’t rebooted your machine since WannaCry started spreading but there’s another option of course and that’s to pay the $300 ransom which I advise against.
Guinet is now working on making WannaKey more user friendly.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
