WannaCry Ransomware: Tools Decrypt for Free (2024)


Decryptors from French Researchers May Save Many Victims

Mathew J. Schwartz (euroinfosec) • May 22, 2017

Good news for many victims of WannaCry: Free tools can be used to decrypt some PCs that were forcibly encrypted by the ransomware, provided that the prime numbers used to build the crypto keys remain in Windows memory and have not yet been overwritten.


The decryption tools carry several caveats: Affected systems must not have been powered down or rebooted. Users must also have admin-level access to the infected system. And even then, security researchers caution, the tools still might not work with every type of infected system.

But the tools give WannaCry victims a potential way to restore their systems without having to consider whether they will pay their attackers. And security experts and law enforcement agencies recommend not paying ransoms, whenever possible, because doing so directly funds future cybercrime (see Please Don't Pay Ransoms, FBI Urges).

WannaCry infections began sweeping worldwide May 12, infecting more than 200,000 Windows computers with a speed and severity not witnessed since the days of the Love Bug and SQL Slammer worms in the early 2000s (see Teardown: WannaCry Ransomware).

Whoever designed WannaCry added the ability for it to spread like a worm by targeting two leaked "Equation Group" exploits, including one for a Windows server message block protocol flaw, addressed by Microsoft for its newer Windows systems in March via the MS17-010 security update. The exploit for that flaw, believed to have been built by the National Security Agency, was leaked in April by the Shadow Brokers hacking group.

After the attacks began, late on May 12, Microsoft shared emergency updates for three operating systems it no longer officially supports - Windows XP, Windows Server 2003 and Windows 8 - to patch the SMB flaw.

French Security Researchers to the Rescue

After WannaCry first appeared, three French security researchers, working around the clock, reverse-engineered the ransomware and began developing, testing and releasing decryption tools. On Thursday, Adrien Guinet, a security researcher at Paris-based cybersecurity firm Quarkslab, released WannaKey, which can decrypt Windows XP systems. On Friday, Benjamin Delpy released WanaKiwi, which he built in his spare time, away from his day job at Banque de France. Throughout, their efforts have been supported and tested by Dubai-based security expert Matt Suiche.

Encryption keys - including the one used by WannaCry to forcibly encrypt a victim's PC - are created by multiplying together two incredibly large prime numbers.

But the researchers found an evident weakness in the Windows functionality that WannaCry's developer tapped, the Microsoft CryptoAPI: For at least a short time, Windows keeps a copy of the two prime numbers it provided to WannaCry in memory. Accordingly, those primes can be recovered from memory, used to independently compute the encryption key, and then used to decrypt all forcibly encrypted data.
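How such a recovery works in principle, as an added example (my own code, not WannaKey or WanaKiwi): scan a constructed memory image for a prime that divides the RSA modulus, rebuild the private exponent from that prime, and unwrap the file key it protects; a wiped image yields nothing, which is the "overwritten after a while" failure mode the researchers warn about. Assumed for illustration: textbook RSA with e = 65537 and no padding, and primes stored as fixed-width little-endian blobs; the real tools parse CryptoAPI's key layout and the ransomware's key files, which this example does not.

```python
# Added example (not WannaKey/WanaKiwi code): textbook RSA, no padding, e=65537 assumed.
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic, standard algorithm)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, e=65537):
    """Random prime of `bits` bits with gcd(p - 1, e) == 1 so e is invertible."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % e and is_probable_prime(c):
            return c

def find_prime_factor(dump, n, size):
    """Slide a `size`-byte window over the dump; return the first prime dividing n.
    None means the prime is no longer in memory (the "overwritten" failure mode)."""
    for off in range(len(dump) - size + 1):
        cand = int.from_bytes(dump[off:off + size], "little")
        if cand > 1 and n % cand == 0 and is_probable_prime(cand):
            return cand
    return None

def recover_file_key(dump, n, wrapped, size, e=65537):
    """Rebuild the private exponent from the recovered prime and unwrap the key."""
    p = find_prime_factor(dump, n, size)
    if p is None:
        return None
    q = n // p                              # the other prime follows for free
    d = pow(e, -1, (p - 1) * (q - 1))       # modular inverse, Python 3.8+
    return pow(wrapped, d, n).to_bytes(16, "big")
```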

#wanakiwi to decrypt #WANACRY files from pieces of key in memory (thanks @adriengnt for idea) https://t.co/7LTTZXXEsB
XP sometimes, 7 if lucky pic.twitter.com/3V8gFaIkCF

— Benjamin Delpy (@gentilkiwi) May 19, 2017

Try WanaKiwi First

Of the two tools, WanaKiwi is reportedly the easier one to use. Even better, Suiche reports, WanaKiwi can decrypt both Windows XP and Windows 7 systems. "This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2," Suiche says in a blog post.

The takeaway: Try the tools, and do so immediately. "Do not reboot your infected machines and try wanakiwi ASAP*!" Suiche says, noting that victims should do this as soon as possible "because prime numbers may be overwritten in memory after a while."


Suiche's findings have been confirmed by the European Cybercrime Center - part of Europol, the EU's law enforcement intelligence agency - which says via Twitter that the tools can "recover data in some circumstances."

#Wannacry decrypting files tested by @EC3Europol & found to recover data in some circumstances: https://t.co/E9j59j4p0c https://t.co/3n8hd4hrQi

— Europol (@Europol) May 19, 2017

"This is not a perfect solution," Suiche tells Reuters. "But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups," which would allow users to restore data without paying blackmailers.

Threat intelligence firm Kryptos Logic tells Reuters that as of Wednesday, half of all IP addresses infected with WannaCry appeared to be in China and Russia - representing 30 percent and 20 percent of all infections globally, respectively - followed by the United States, with 7 percent of infections, and Britain, France and Germany, each with 2 percent of infections seen worldwide.

According to Costin Raiu, a researcher at Moscow-based security firm Kaspersky Lab, 98 percent of all WannaCry-infected systems appear to be running the Windows 7 operating system.

#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant. pic.twitter.com/5GhORWPQij

— Costin Raiu (@craiu) May 19, 2017

As of 7 a.m. Eastern U.S. Time on Monday, 315 victims had paid 49 bitcoins - worth about $108,000 - to one of the three bitcoin wallets tied to the ransomware.

Hoping for Arrests

The WannaCry decryption tools may have arrived too late for some victims. Upon infection, WannaCry warns victims they have three days to pay $300 in bitcoin before the ransom rises to $600. If that isn't paid after a week, the ransomware says that the data will be locked forever.

Even so - and if the free decryption tools haven't worked - Delpy says that victims may have another option: Back up all files and wait for police to find and arrest the criminals involved. At that point, they should be able to recover the main key that was used to encrypt all systems, he says.

#wannacry: backup all your files; 00000000.eky and your encrypted ones
When criminal will be arrested, main key will be used to decrypt all.

— Benjamin Delpy (@gentilkiwi) May 20, 2017

Of course, this strategy depends on WannaCry's developer or developers being identified, caught and brought to justice. It's not clear when - or if - that might ever happen.

The key concepts covered in the article "Decryptors from French Researchers May Save Many Victims" by Mathew J. Schwartz:

  1. WannaCry Ransomware:
    • WannaCry is a notorious ransomware that emerged on May 12, 2017, infecting over 200,000 Windows computers globally.
    • It utilized leaked "Equation Group" exploits, including one for a flaw in the Windows server message block protocol, which was patched by Microsoft in March via the MS17-010 security update.
  2. Decryption Tools:
    • French security researchers, including Adrien Guinet and Benjamin Delpy, developed decryption tools, WannaKey and WanaKiwi, respectively, to counter WannaCry.
    • These tools exploit a weakness in the Microsoft CryptoAPI, allowing the recovery of the prime numbers used to generate encryption keys.
  3. Encryption Process:
    • Encryption keys in WannaCry are created by multiplying two large prime numbers.
    • Windows, using the Microsoft CryptoAPI, temporarily keeps a copy of these prime numbers in memory, providing a window of opportunity for recovery.
  4. WanaKiwi:
    • WanaKiwi is a decryption tool designed to work on Windows XP and Windows 7 systems infected by WannaCry.
    • It can potentially decrypt systems running Windows versions from XP to 7, including Windows 2003, Vista, 2008 and 2008 R2.
  5. Limitations and Recommendations:
    • Decryption tools may not work on every infected system, and certain conditions must be met, such as not rebooting the system and having admin-level access.
    • Security experts and law enforcement advise against paying ransoms, as doing so funds future cybercrime.
  6. Geographical Distribution of Infections:
    • As of the article's date, China and Russia had the highest share of WannaCry infections, followed by the United States, Britain, France and Germany.
  7. Ransom Payments:
    • The article notes that, as of 7 a.m. Eastern U.S. Time on Monday, May 22, 315 victims had paid 49 bitcoins (approximately $108,000) to the ransomware operators.
  8. Backup and Law Enforcement:
    • Victims are advised to back up their files and wait for law enforcement to potentially identify and arrest the ransomware developers.
    • Benjamin Delpy suggests that, upon arrest, the main key used to encrypt systems could be recovered.

In conclusion, the article provides valuable information about the WannaCry ransomware, the efforts of French researchers in developing decryption tools, and recommendations for affected individuals and organizations.


FAQs

What tool is used to decrypt WannaCry?

Try WanaKiwi first. Of the two tools, WanaKiwi is reportedly the easier one to use.

Is there any way to decrypt ransomware?

Three ways to decrypt files encrypted by ransomware: 1. Free decryption tools. Security software providers, such as Avast and Emsisoft, offer free decryptors for some types of ransomware. 2. Ransomware recovery services. These services provide users with tools and techniques for recovering their data without paying a ransom or using a decryptor tool.

Is the Emsisoft decryptor free?

Emsisoft Decryptor for STOP Djvu is a free utility application from Emsisoft.

Can Malwarebytes remove WannaCry?

However, WannaCry is still active. Be sure to update your Windows operating system regularly to ensure you have the latest security patches. You can also rely on Malwarebytes's anti-malware technology to detect and remove Ransom.WannaCrypt proactively.

Did WannaCry decrypt after payment?

Once paid, there is no actual guarantee of receiving access to your files. In fact, it's actually very unlikely that you will receive anything at all. Common sense would put this down to a natural inability to trust a criminal, especially one who is committing a crime against you.

What is the app that removes ransomware?

Avast One removes hidden malware, defends against future threats, and protects against nasty viruses, spyware, ransomware, and more.

Can you crack a ransomware?

If your computer is infected with ransomware that encrypts your data, you will need an appropriate decryption tool to regain access. At Kaspersky, we are constantly investigating the latest types of ransomware so that we can provide the appropriate decryption tools to counter these attacks.

What is the best practice for ransomware recovery?

A recovery plan should incorporate ransomware prevention best practices, including strong cybersecurity measures and a comprehensive backup strategy:
  • Implement strong cybersecurity measures.
  • Create a comprehensive backup strategy.
  • Restore data from backups.
  • Explore paying the ransom.
  • Utilize decryption tools and techniques.

What is the best decryption software for free?

Quick Heal has developed a tool that can help decrypt files encrypted by the following types of ransomware. The tool is free and can be used without any hassle. Please click on 'DOWNLOAD TOOL' to begin the decryption. Click Download Tool and save the zip file on the system having the encrypted files.

How long does it take to decrypt ransomware?

The Aftermath: Restore and Recovery

The average downtime after a ransomware attack is 24 days. If you pay the ransom, it might take several additional days to receive the decryption key and reverse the encryption. Be aware that some ransomware variants identify and destroy backups on the compromised network.

Can a VPN stop ransomware?

Encryption of Data

This encryption can prevent hackers from accessing your data and using it for ransomware attacks. However, it's important to note that a VPN alone cannot protect you from ransomware attacks. It's crucial to have other security measures in place, such as antivirus software and regular data backups.

Is the STOP/Djvu decryptor free?

Free Decryptor Tools Available for STOP/DJVU Victims

These tools primarily benefit victims whose files were encrypted using offline keys. Decryption becomes significantly more challenging for those affected by variants using online keys due to the unique encryption key used for each victim.

What is the free tool to scan a website for malware?

Free website malware and security checker. Enter a URL like example.com and the Sucuri SiteCheck scanner will check the website for known malware, viruses, blacklisting status, website errors, out-of-date software, and malicious code. Disclaimer: Sucuri SiteCheck is a free website security scanner.

Can I decrypt without a key?

Decrypting data without a key depends on the encryption algorithm and its security properties. Some encryption algorithms, such as RC4, have known vulnerabilities that can be exploited to decrypt data without a key. However, modern encryption algorithms are designed to be resistant against such attacks.

What encryption method did WannaCry use?

Encryption. WCry uses a combination of the RSA and AES algorithms to encrypt files. It uses the Windows Crypto API for RSA encryption and random key generation; however, a third-party implementation of AES is statically linked within the malware.

How do you decrypt using GPG tools?

Encrypt & Decrypt
  1. To encrypt a file, right-click it, navigate to the “Services” sub-menu and click “OpenPGP: Encrypt File”.
  2. You will now see a dialog for selecting encryption options. ...
  3. To decrypt a file that has been sent to you, right-click the file and select “OpenPGP: Decrypt File” from the “Services” menu.

What encryption does WannaCry use?

In total, the ransomware operates on four encryption keys: one RSA public key from the master key pair, two keys from the payload-generated sub-RSA pair and one AES symmetric key. ...

What is WannaCry coded in?

WannaCry versions 0, 1, and 2 were created using Microsoft Visual C++ 6.0. EternalBlue is an exploit of Microsoft's implementation of their Server Message Block (SMB) protocol released by The Shadow Brokers.
