
Recovery Tool for WannaCrypt (for XP Only)


tao


There's a ransom-free fix for WannaCrypt.

Oh snap, you've rebooted your XP box
Sooo... that's not gonna work for you mate

 

Windows XP PCs infected by WannaCrypt can be decrypted without paying ransom by using a new utility dubbed Wannakey.

 

Wannakey offers in-memory key recovery for Win XP machines infected by the infamous ransomware strain. The fix can be used to dump encryption keys from memory. This RSA private key, once recovered, can be used to restore encrypted files on infected computers.

 

Caveats and limitations apply. Compromised machines must not have been rebooted after being infected, otherwise the crucial keys will already have been discarded from volatile memory. That's quite a big ask a week after the devastating WannaCrypt outbreak, especially since initial advice centred on turning off machines to stop the further spread of infection across corporate networks.

 

The Wannakey tool, put together by security researcher Adrien Guinet and released on Thursday, appears promising but is yet to be independently tested. Windows XP is, of course, the antithesis of a strong and stable operating system even when it doesn't have a malware infection. So whether it'll work for victims of WannaCrypt before their system crashes has to be doubtful.

 

The developer readily acknowledges these limitations. "This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected," Guinet writes. "Please also note that you need some luck for this to work, and so it might not work in every case."

 


Windows XP was one of the Windows versions hit by the WannaCry ransomware, and despite the patch released by Microsoft, there were still thousands of computers that ended up infected.

And thanks to new software developed by French researcher Adrien Guinet, Windows XP users whose computers were compromised by WannaCry can remove the infection without having to pay the $300 ransom.

A tool that he posted on GitHub can search for the decryption key in the memory if the computer wasn’t rebooted after being infected, so if you already restarted the system and it then got locked down by WannaCrypt, this isn’t going to work.

If the aforementioned condition is met, the app can recover the prime numbers of the RSA private key that are being used by WannaCry to encrypt your files.

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory,” the researcher explains.

Only working on Windows XP

What’s important to note is that this application works exclusively on Windows XP, and the researcher says it hasn’t been tested on a different Windows version.

On the other hand, Windows XP systems that haven’t been infected just yet must deploy Microsoft’s patch that’s available even for unsupported versions of Windows.

The WannaCry ransomware is based on a vulnerability in all Windows versions that was stolen from the NSA and posted online by hacking group Shadow Brokers earlier this year. Microsoft patched all supported versions of Windows, including Vista, 7, 8.1, and 10 as part of the March Patch Tuesday, while Windows XP remained vulnerable to attacks as it’s no longer getting support.

After thousands of computers got infected, Microsoft decided to release the patch for Windows XP systems as well, thus publishing the first update in 3 years for the operating system launched in 2001.

From: http://news.softpedia.com/news/windows-xp-users-can-remove-wannacry-infection-without-paying-300-ransom-515852.shtml
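
The memory search described in the posts above, as an added example that is not part of the original posts and is not Wannakey's own code. It assumes the public modulus is already known, that a leftover prime sits in memory as a little-endian integer half the size of the modulus on a 4-byte boundary, and it uses constructed 64-bit toy primes and a constructed buffer in place of a real wcry.exe dump:

```python
# Constructed demo values: toy 64-bit primes stand in for the 1024-bit
# primes of a real RSA-2048 key so the scan finishes instantly.
P = 2**61 - 1
Q = 2**64 - 59
E = 65537


def find_prime_in_dump(dump: bytes, modulus: int, step: int = 4):
    """Slide over a memory dump; return (offset, factor) or None.

    Assumption: the prime was left behind as a little-endian integer
    half the byte length of the modulus, aligned to `step` bytes.
    """
    prime_len = (modulus.bit_length() + 7) // 8 // 2
    for off in range(0, len(dump) - prime_len + 1, step):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        # Cheap filter: a usable prime factor is odd and greater than 2.
        if cand < 3 or cand % 2 == 0:
            continue
        # The real test: only p or q divides the public modulus.
        if cand != modulus and modulus % cand == 0:
            return off, cand
    return None  # nothing left in memory, e.g. after a reboot


def rebuild_private_key(modulus: int, p: int, e: int = E):
    """One recovered prime is enough: derive q and the private exponent."""
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return p, q, d


def make_constructed_dump() -> bytes:
    """Constructed 'freed heap': filler, then P left behind unerased."""
    filler = bytes(range(256)) * 2  # 512 bytes of unrelated data
    return filler + P.to_bytes(8, "little") + b"\x00" * 64


if __name__ == "__main__":
    n = P * Q
    hit = find_prime_in_dump(make_constructed_dump(), n)
    print("hit:", hit)
    if hit:
        print("p, q, d =", rebuild_private_key(n, hit[1]))
```

A dump that no longer holds either prime makes the scan return None, which is the situation on a machine that has been rebooted.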
