
WannaCry ransomware decryptor brings hope to victims

Security researchers uncovered more info on how WannaCry spread, and a ransomware decryptor emerged to save files for those affected.

News has finally turned at least slightly positive when it comes to WannaCry as security researchers have figured out more about how the infection spread, as well as a new ransomware decryptor that could save files for those affected.

French security researchers Benjamin Delpy, Adrien Guinet and Matt Suiche first began working separately and later together to develop a ransomware decryptor that should be able to recover data from systems hit with the WannaCry worm. They confirmed that the ransomware decryptor works on Windows XP, Windows 7 and Windows 2003.

Guinet first published a tool called wannakey that was able to recover the RSA encryption key used by WannaCry because the Windows Crypto API "does not erase the prime numbers from memory before freeing the associated memory." The private key can be derived from the prime numbers left in memory.

"This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won't work)," Guinet wrote in the release notes for the tool. "It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function: 'After this function is called, the released [Cryptographic Service Provider] handle is no longer valid. This function does not destroy key containers or key pairs.' So, it seems that there are no clean and cross-platform ways under Windows to clean this memory. If you are lucky (that is [if] the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory."
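The recovery idea Guinet describes, as an added Python example that is not wannakey or WanaKiwi code: slide over a memory buffer looking for a value that divides the public modulus, then rebuild the private key from that prime. The toy primes, modulus, dump bytes and little-endian layout are constructed assumptions; real WannaCry keys are 2048-bit with 128-byte primes.

```python
"""Rebuild an RSA private key from a prime left behind in process memory.
Toy 32-bit primes keep it fast and offline; only the widths change for RSA-2048."""

# Constructed toy key: two known primes just below 2**32 (not a real WannaCry key).
P = 4294967291          # 2**32 - 5
Q = 4294967279          # 2**32 - 17
E = 65537
N = P * Q
PRIME_BYTES = 4         # assumption: byte width of one prime (128 for RSA-2048)


def find_prime_in_dump(dump: bytes, n: int, width: int = PRIME_BYTES):
    """Return (offset, value) of the first window that divides n, else None.
    Assumption: primes sit little-endian, as in a CryptoAPI private key blob."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        # n = p*q has no other non-trivial divisors, so a hit must be p or q
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n: int, e: int, p: int):
    """Derive the other prime and the private exponent d from one known prime."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return p, q, d


def recover_from_dump(dump: bytes, n: int, e: int):
    """Full recovery: None when the prime has already been overwritten."""
    hit = find_prime_in_dump(dump, n)
    if hit is None:
        return None
    _, p = hit
    return rebuild_private_key(n, e, p)


# Constructed "dump": filler bytes with P left behind at offset 200, then zeros.
DUMP = bytes(range(200)) + P.to_bytes(PRIME_BYTES, "little") + b"\x00" * 50

if __name__ == "__main__":
    key = recover_from_dump(DUMP, N, E)
    print("recovered (p, q, d):", key)
    m = 123456789
    print("round trip ok:", pow(pow(m, E, N), key[2], N) == m)
```

A reboot or memory reuse leaves no window dividing the modulus, which is the failure mode the experts below discuss.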

Guinet told SearchSecurity that since Microsoft explicitly states the key pairs will not be destroyed, what he did "wasn't rocket science, I just checked that something that should have been done had indeed been done!"

Jonathan Sander, CTO at STEALTHbits Technologies, agreed.

"WannaCry does what it's supposed to, to dump the key it uses, but it can't change the way Windows works," Sander told SearchSecurity. "Windows holds on to a lot of junk in memory until you reboot. This time that bad habit may be a saving grace because it holds the numbers used to make the keys, which means it's 'math to the rescue' to make identical keys with the same math that made the originals."

WannaCry ransomware decryptor efficacy

Suiche detailed how Delpy used Guinet's key retrieval tool to build the WanaKiwi ransomware decryptor.

However, because the WannaCry ransomware decryptor can only succeed if the memory has not been overwritten and the target system has not been rebooted, Nick Bilogorskiy, senior director of threat operations at Cyphort, said it might be a race against time.

"Since the infection began on Friday May 12, by now it is not likely that prime numbers used in calculating the key would still be in memory for most victims," Bilogorskiy told SearchSecurity. "I expect we will see new variants of malware soon, that break this decryptor, for example by forcing a reboot after install -- that will make this tool ineffective."

Guinet and Suiche did not want to speculate on the efficacy of their ransomware decryptor, but Owen Connolly, vice president of services at IOActive, said it might be reasonable to assume the memory on affected systems would be intact.

"It would require 1) the computer not having been rebooted and 2) that no other process has overwritten the memory space where the prime numbers are located. It would really be down to the maturity of the incident response process of the organizations affected," Connolly wrote in an email. "If 1 is true then 2 is most likely true because the machine is encrypted and useless to anyone." 

Brian Vecci, technical evangelist at Varonis, said it would depend on the target system.

"For workstations or other frequently rebooted machines, it's unlikely that the key still resides in memory. For other systems like file and application servers which are designed for higher uptime, this still may be a viable tool," Vecci told SearchSecurity. "It is more valuable for new infections, and it also means that preventing the spread of the malware should be the priority."

Sander said there may be hope because the ransomware decryptor could help those with bad habits.

"Every click of the mouse means memory may dump the data needed for the WanaKiwi cure to WannaCry to work," Sander said. "However the same people who have the bad habit of clicking on things they shouldn't or not patching to avoid malware like this have a high likelihood of being people who never give their machines a reboot to speed things up. So their bad habits may work for them in this case."

WannaCry ransomware infection process

WannaCry spread

Researchers have also been uncovering more about how the WannaCry ransomware worm spread. Initial reports claimed Windows XP was a major victim of the ransomware, and this information even led Microsoft to release an emergency patch for the unsupported system. But, the latest information shows Windows 7 was by far the most vulnerable, so experts said victims should attempt to recover data with the WanaKiwi ransomware decryptor.

Some early reports claimed the WannaCry worm initially entered devices via phishing emails with malicious attachments. However, researchers at Malwarebytes Labs said the malicious actors behind WannaCry actually scanned for devices with an open port 445 in order to access vulnerable Windows Server Message Block (SMB) v1 installations.

"Indeed, the 'ransomworm' that took the world by storm was not distributed via an email malspam campaign," Malwarebytes researchers wrote in a blog post. "Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry ransomware."

Connolly said the main issue was enterprises not listening to vendors, because Microsoft warned users to disable SMBv1 in September 2016 and US-CERT gave the same warning in January 2017.

"To be honest, I can't think of why anyone would want to have SMB exposed to the internet. It just is never a good idea," Connolly told SearchSecurity. "But internally, it's a different story and quite often in large enterprises getting a change window to implement a sweeping change like disabling a protocol version is a massive uphill battle ... until something like WannaCry happens."

Itsik Mantin, director of security research at Imperva, said enterprises may have heard, but the problem is that it can take "months or even years to upgrade version patches even when they know the version is vulnerable."

"We hope that by now everyone has patched their Windows systems. In addition, it is more important than ever that businesses maintain and evolve their security practices to make sure their data is protected," Mantin told SearchSecurity. "An enterprise with a good security strategy will make cybercriminals lives harder and make them look somewhere else to achieve their agenda."
