The WannaCry ransomware has infected thousands of computer systems around the world, but Adrien Guinet a security researcher of Quarkslab, has found a way to recover the unknown encryption keys used by the ransomware.
Adrien said that in order to retrieve the keys, your computer must not have been rebooted after being infected. The tool allows recovering the prime numbers of the RSA private key that are used by Wannacry.
It does that by searching for them in the “wcry.exe process. This is the process that generates the RSA private key. The main problem is that the CryptDestroyKey and CryptReleaseContext don’t erase the prime numbers from memory before freeing the associated memory.
“I got to finish the full decryption process, but I confirm that, in this case, the private key can be recovered on an XP system” Adrien created a WannaCry ransomware decryption tool called WannaKey. The decryption process will work successfully if the affected computer has not been rebooted after being infected and the associated memory hasn’t been allocated and erased.
Another security researcher (Benjamin Delpy) released a tool named “WanaKiwi,” based on Adrien’s discovery, which simplifies the whole process. Infected users should download the WannaKey tool or WannaKiwi tool from Github and try it on the affected Windows.