Since the WannaCry ransomware ripped through the internet late last week, infecting hundreds of thousands of machines and locking up critical systems from health care to transportation, cryptographers have searched for a cure. Finding a flaw in WannaCry’s encryption scheme, after all, could decrypt all those systems without any ransom.
Now one French researcher says he’s found at least a hint of a limited remedy. The fix still seems far from the panacea WannaCry victims have hoped for. But if Adrien Guinet’s claims hold up, his tool could unlock some infected computers running older versions of Windows which analysts believe account for some portion of the WannaCry plague.
On Friday, Guinet released “WannaKey” to the open source code repository GitHub. Guinet, who works for the Paris-based security firm QuarksLab, says the software can pull traces of a private key from the memory of a Windows XP computer, which can then be used to decrypt a WannaCry-infected PC’s files. Within 24 hours, another pair of French researchers, Benjamin Delpy and Matt Suiche, said they had adapted the tool to work on Windows 7, too.
Guinet says he initially tried the decryption tool with success on several XP test machines he’d infected with WannaCry. But he cautioned that, because those traces live only in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering key material, or if the computer was rebooted at any time after infection.
“If you get some luck, you can access parts of the memory and regenerate a key,” says Guinet. “Maybe it’ll still be there, and you can retrieve a key used to decrypt the files. It won’t work every time.”
In particular, Guinet warns any XP WannaCry victims who might still be able to recover their files to leave the computer untouched until they can run his program. “Do not reboot your computer, and try this!” he wrote in a followup email.
On Friday morning, Comae Technologies founder Matt Suiche wrote that he’d tested out WannaKey’s decryption method too, and with fellow researcher Benjamin Delpy even adapted it into a tool called WannaKiwi that works on Windows 7. Other researchers who looked at WannaKey’s code and Guinet’s notes on Github and Twitter say it seems to leverage a genuine flaw in WannaCry’s otherwise airtight encryption—at least in older versions of Windows. “It looks legit,” says cryptography-focused Johns Hopkins computer science professor Matthew Green. But he warns that whether it works for any specific victim will be partly a matter of chance. “It’s kind of a lottery ticket right now,” Green says.
WannaKey’s decryption scheme takes advantage of a strange quirk in a Microsoft cryptography function for deleting keys from memory—one that WannaCry’s authors themselves seem to have missed. WannaCry works by generating a pair of keys on the victim’s machine: a “public” key used to lock up their files, and a “private” key that can unlock them if, in theory, the victim pays the ransom. (Whether WannaCry’s sloppy operators reliably decrypt the files of paying victims is far from clear.) To prevent the victim from accessing that private key and decrypting their files themselves, WannaCry encrypts that key as well, so that it becomes usable only if the ransomware operators decrypt it.
But Guinet found that after WannaCry encrypts the private key and calls a Microsoft-designed deletion function to wipe the unencrypted copy from the computer’s memory, the key material is not actually gone. Apparently unbeknownst to the ransomware writers, on those older versions of Windows that function releases only a “handle” that refers to the key; the numbers that make up the key stay in the process’s memory until something else happens to overwrite them. “Why would you have a key destruction function that doesn’t destroy the keys?” asks Mikko Hypponen, a researcher for the Finnish security firm F-Secure who also reviewed Guinet’s work. “It’s really weird. And that’s probably why no one else found it before.”
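To make that recovery concrete, here is an added example written for this edit; it is not Guinet’s WannaKey code and does not claim to reproduce WannaCry’s exact key layout. It generates a toy RSA key pair, plants one prime factor in a constructed memory buffer the way unerased key material would linger, scans the buffer for any number that divides the public modulus, rebuilds the private key from the hit, and then unwraps a per-file key with it. With the region overwritten, as after a reboot or memory reuse, the scan finds nothing, which is the “lottery ticket” caveat the researchers describe. The 256-bit primes, the little-endian byte layout, the buffer contents and offset, and the textbook-RSA wrapping of a per-file key are all assumptions made for illustration.

```python
"""Added example: rebuild an RSA private key from a prime factor left in memory."""
import math
import random

# Fixed seed so the example is repeatable; real key generation would use os.urandom.
_RNG = random.Random(20170519)

PRIME_BITS = 256                 # assumption: toy-sized primes, 512-bit modulus
PRIME_BYTES = PRIME_BITS // 8
PLANT_OFFSET = 12345             # assumption: arbitrary location of the lingering prime


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with a fixed number of random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_keypair():
    """Toy RSA key pair (n, e, d, p, q); regenerates until e is invertible mod phi."""
    while True:
        p, q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
        phi = (p - 1) * (q - 1)
        e = 65537
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def build_memory_image(p: int, size: int = 65536, wipe: bool = False) -> bytes:
    """Constructed stand-in for a process memory dump: random noise with the prime p
    stored little-endian at PLANT_OFFSET (assumption about the in-memory layout).
    wipe=True zeroes that region, modelling a reboot or later reuse of the memory."""
    buf = bytearray(_RNG.getrandbits(size * 8).to_bytes(size, "little"))
    region = slice(PLANT_OFFSET, PLANT_OFFSET + PRIME_BYTES)
    buf[region] = p.to_bytes(PRIME_BYTES, "little")
    if wipe:
        buf[region] = b"\x00" * PRIME_BYTES
    return bytes(buf)


def scan_for_prime_factor(mem: bytes, n: int, width: int = PRIME_BYTES):
    """Slide a window over memory and return (offset, value) for the first window
    that divides the public modulus n, i.e. a leftover prime; None if nothing does."""
    for off in range(0, len(mem) - width + 1):
        cand = int.from_bytes(mem[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def recover_private_key(n: int, e: int, factor: int) -> int:
    """Given one prime factor of n, derive the other and the private exponent d."""
    other = n // factor
    assert factor * other == n
    return pow(e, -1, (factor - 1) * (other - 1))


def run_demo(wipe: bool = False) -> dict:
    """Full round trip: generate key, wrap a toy per-file key, dump, scan, recover."""
    n, e, d, p, q = make_keypair()
    file_key = _RNG.getrandbits(128)            # toy per-file key (constructed)
    wrapped = pow(file_key, e, n)               # textbook RSA, no padding (assumption)
    mem = build_memory_image(p, wipe=wipe)
    hit = scan_for_prime_factor(mem, n)
    if hit is None:
        return {"recovered": False}             # key material was overwritten
    offset, factor = hit
    d_rec = recover_private_key(n, e, factor)
    return {
        "recovered": True,
        "offset": offset,
        "d_matches": d_rec == d,
        "unwrapped_matches": pow(wrapped, d_rec, n) == file_key,
    }


if __name__ == "__main__":
    print("untouched memory:", run_demo(wipe=False))
    print("overwritten memory:", run_demo(wipe=True))
```

The scan is deliberately dumb: it does not parse any key-blob structure, it just asks every window of the right width whether it divides the public modulus, which is why nothing but a genuine prime factor can produce a hit. The wipe case shows why Guinet tells victims not to reboot: once the bytes are gone, the modulus alone gives no way back.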
It’s not clear how many computers running Windows XP and Windows 7 were infected by WannaCry. Early in the outbreak, Microsoft rushed out a patch to protect XP devices, and Cisco researchers say that at least Windows XP machines with 64-bit processors were vulnerable to the worm that spread WannaCry starting Friday. The ransomware plague created new fears that XP machines would be caught up in the wave of infections, since Microsoft hasn’t supported that 16-year-old operating system since 2014. The software is still disturbingly prevalent, and is even used in some critical systems like Britain’s National Health Service, one of WannaCry’s most high-profile victims.
Regardless of how many infected XP or Windows 7 computers there are, WannaKey can likely help only a fraction, due to its rebooting and overwriting caveats. “It’s unlikely a lot of victims have left their machines untouched since Friday,” says F-Secure’s Hypponen.
Still, any hope for WannaCry’s victims and their scrambled data is better than none. And ironically, Hypponen points out, the savior for a fortunate few users could be the idiosyncrasies of encryption software written by Microsoft—the same company that’s widely being blamed for leaving users of unsupported older versions of their operating system vulnerable in the first place. “We’re not often happy about bugs in Windows,” says Hypponen. “But this bug might help some WannaCry victims recover their files.”
Updated 5/19/2017 10:40am to note Matt Suiche’s and Benjamin Delpy’s testing the decryption method and adapting it to Windows 7.