{"id":1160,"date":"2017-05-19T23:06:15","date_gmt":"2017-05-19T23:06:15","guid":{"rendered":"https:\/\/www.technology-solved.com\/huntsville-al\/?p=1160"},"modified":"2022-02-02T21:42:13","modified_gmt":"2022-02-02T21:42:13","slug":"wannadecrypt-files-wannacry-solution","status":"publish","type":"post","link":"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/","title":{"rendered":"WannaDecrypt your files? The WannaCry solution, for some"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1165\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/shutterstock_82383349-900x506.jpg\" alt=\"Open Encrypted File\" width=\"300\" height=\"169\" \/><\/p>\n<p>Posted: May 19, 2017 by Adam Kujawa<\/p>\n<p>We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry\/WannaCrypt\/wCrypt. There is a catch, though: it only works for the following operating systems:<\/p>\n<p>Windows XP<br \/>\nWindows Server 2003<br \/>\nWindows Vista<br \/>\nWindows Server 2008<br \/>\nWindows Server 2008 R2<br \/>\nWindows 7<\/p>\n<p>So if you\u2019ve got a WannaCry infection on one of the above operating systems, there is hope!<\/p>\n<p>IMPORTANT:<\/p>\n<p>The decryptor is only going to work if you haven\u2019t restarted the infected system and you haven\u2019t killed the ransomware process (should be wnry.exe or wcry.exe), so please don\u2019t restart or kill the process if you want to get those files back!<\/p>\n<p>Usage<\/p>\n<p>In order to use this tool, you first need to download it from here.<\/p>\n<p>This tool essentially searches the system\u2019s memory for prime numbers and pieces together the encryption key used. 
However, it relies on what is currently in running memory, so once you reboot the key will be gone, and if you\u2019ve done too much on the system since infection, it\u2019s possible the key won\u2019t be found (because it\u2019s been overwritten by data from other applications using the same memory space).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1149\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/170513090706-ransomware-attack-china-780x439.jpg\" alt=\"\" width=\"300\" height=\"169\" \/><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1161\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/CMDAdmin.png\" alt=\"CMD\" width=\"300\" height=\"150\" \/><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1164\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/PID.png\" alt=\"PID\" width=\"300\" height=\"122\" \/><\/p>\n<p>To run it, download the linked file (above) and extract the .zip to a folder on your desktop (if you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory).<\/p>\n<p>Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).<\/p>\n<p>The tool will automatically identify the WannaCrypt applications running on the system if they are called wnry.exe or wcry.exe, but if for some reason it can\u2019t find them, maybe check out the running applications on your system (Task Manager\/Process Explorer) and find the offender (it\u2019s pretty obvious), then identify the Process Identification Number (PID) and you can just plug that into the command prompt after wanakiwi.exe.<\/p>\n<p>It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it\u2019s found the tool is going to start searching your system for encrypted files and decrypt them 
automatically.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1163\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/DecryptionInProgres.png\" alt=\"Decryption In Progres\" width=\"300\" height=\"132\" \/><\/p>\n<p>After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1162\" src=\"\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/DecryptedPics.png\" alt=\"Decrypted Pics\" width=\"300\" height=\"251\" \/><\/p>\n<p>Here are some possible next steps:<\/p>\n<p>Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.<br \/>\nRestart the computer to finish clean-up.<br \/>\nFind all the most important files you want to keep and move them to some form of backup.<br \/>\nWipe the system and reinstall Windows.<br \/>\nOR you can just go through your system looking for all files with the .WNCRY extension and getting rid of them.<\/p>\n<p>Background<\/p>\n<p>The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!<\/p>\n<p>We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. 
You might remember Matt from his assistance in stopping a variant of WannaCry released last week by registering the killswitch domain.<\/p>\n<p>Effectiveness<\/p>\n<p>We didn\u2019t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):<\/p>\n<p>ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa<\/p>\n<p>My first test worked like a charm.<br \/>\nMy second test with a new profile (for taking screenshots for this post) couldn\u2019t actually launch the malware.<br \/>\nMy third test launched the malware, but the decryptor took forever and eventually never found the key.<br \/>\nMy fourth test worked like a charm again (original profile).<br \/>\nSome of our other researchers tried it and were unable to get the tool to find the key.<\/p>\n<p>Conclusion<\/p>\n<p>This tool was put together very quickly and it\u2019s meant to help those that it can help, and that is likely not everybody. 
I wouldn\u2019t recommend putting all your eggs in this basket and counting on this tool to decrypt your files if you get hit, because either:<\/p>\n<p>You are likely going to be unable to recover the key OR<br \/>\nThe malware will be modified to clean up the running memory or force a reboot after install to make the tool ineffective<\/p>\n<p>But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn\u2019t already broken, so it\u2019s worth a shot just to see if you can get those files back.<\/p>\n<p>That being said, once again big thanks to @adriengnt, @gentilkiwi &amp; @msuiche for their hard work, information spreading and ingenious development skills.<\/p>\n<p>Let us know in the comments if this tool worked for you (and your configuration too!)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Posted: May 19, 2017 by Adam Kujawa We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry\/WannaCrypt\/wCrypt. There is a catch though, it only works for the following operating systems: Windows XP Windows Server 2003 Windows Vista Windows Server 2008 Windows [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":1881,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1160","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>WannaDecrypt your files? 
The WannaCry solution, for some - Computer Troubleshooters Huntsville<\/title>\n<meta name=\"description\" content=\"Posted: May 19, 2017 by Adam Kujawa We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WannaDecrypt your files? The WannaCry solution, for some - Computer Troubleshooters Huntsville\" \/>\n<meta property=\"og:description\" content=\"Posted: May 19, 2017 by Adam Kujawa We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/\" \/>\n<meta property=\"og:site_name\" content=\"Computer Troubleshooters Huntsville\" \/>\n<meta property=\"article:published_time\" content=\"2017-05-19T23:06:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-02-02T21:42:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.technology-solved.com\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/PID.png\" \/>\n\t<meta property=\"og:image:width\" content=\"790\" \/>\n\t<meta property=\"og:image:height\" content=\"322\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"cthuntsville\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"cthuntsville\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/\",\"url\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/\",\"name\":\"WannaDecrypt your files? The WannaCry solution, for some - Computer Troubleshooters Huntsville\",\"isPartOf\":{\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/PID.png\",\"datePublished\":\"2017-05-19T23:06:15+00:00\",\"dateModified\":\"2022-02-02T21:42:13+00:00\",\"author\":{\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/#\/schema\/person\/1141e403df8721a619d7e354767b4e90\"},\"description\":\"Posted: May 19, 2017 by Adam Kujawa We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed 
for\",\"breadcrumb\":{\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/#primaryimage\",\"url\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/PID.png\",\"contentUrl\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wp-content\/uploads\/sites\/13\/2017\/05\/PID.png\",\"width\":790,\"height\":322,\"caption\":\"PID\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/wannadecrypt-files-wannacry-solution\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Locations\",\"item\":\"https:\/\/www.technology-solved.com\/locations\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Alabama\",\"item\":\"https:\/\/www.technology-solved.com\/alabama-state\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Homepage\",\"item\":\"https:\/\/www.technology-solved.com\/huntsville-al\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"WannaDecrypt your files? 
The WannaCry solution, for some\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/#website\",\"url\":\"https:\/\/www.technology-solved.com\/huntsville-al\/\",\"name\":\"Computer Troubleshooters Huntsville\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.technology-solved.com\/huntsville-al\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/#\/schema\/person\/1141e403df8721a619d7e354767b4e90\",\"name\":\"cthuntsville\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.technology-solved.com\/huntsville-al\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f49c28d4d89924d891416af438b65c9fbf92c3672c5e0dcc230d369e7105b78b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f49c28d4d89924d891416af438b65c9fbf92c3672c5e0dcc230d369e7105b78b?s=96&d=mm&r=g\",\"caption\":\"cthuntsville\"},\"url\":\"https:\/\/www.technology-solved.com\/huntsville-al\/author\/cthuntsville\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/posts\/1160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/comments?post=1160"}],"version-h
istory":[{"count":7,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/posts\/1160\/revisions"}],"predecessor-version":[{"id":2389,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/posts\/1160\/revisions\/2389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/media\/1881"}],"wp:attachment":[{"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/media?parent=1160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/categories?post=1160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technology-solved.com\/huntsville-al\/wp-json\/wp\/v2\/tags?post=1160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}