More people infected by recent WCry worm can unlock PCs without paying ransom


In Business, Science & Nature, Security by Ars Technica


wanakiwi, builds off a key discovery implemented in a different tool released Thursday. Dubbed Wannakey, the previous tool provided the means to extract key material from infected Windows XP PCs but required a separate app to transform those bits into the secret key required to decrypt files.

Matt Suiche, cofounder of security firm Comae Technologies, has tested wanakiwi and reports that it works. He provided the following screenshot of the tool in action:

Like Wannakey, wanakiwi takes advantage of shortcomings in the Microsoft Cryptographic Application Programming Interface that WCry and other Windows applications use to generate keys for encrypting and decrypting files. While the interface includes functions for erasing a key from computer memory once it has been secured, previously overlooked limitations sometimes allow the prime numbers used to create a key to remain intact in computer memory until the PC is powered down or the memory location is overwritten with new data. Wanakiwi is able to successfully scour the memory of infected XP and 7 machines, extract the p and q variables that the secret key was based on, and reassemble the finished key. The tool then uses the key to decrypt all files locked by the WCry ransomware.

Benjamin Delpy, one of the developers of wanakiwi, told Ars he cloned PC hard drives infected by last week’s WCry worm that attacked more than 200,000 machines in 150 countries. He said his tool has successfully decrypted several such PCs, some that run Windows 2003 and 7. He said he presumes other infected versions can be similarly recovered. Wanakiwi provides additional improvements over Wannakey, including a point-and-click interface and the ability to generate the full decryption key without the need of other tools.

Infected PC owners “just download wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk,” he said in an interview. “In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid :)”

As was the case with Wannakey, the recovery won’t work if an infected computer has been restarted. And even when an infected PC has remained powered on, the decryptor may not work if the memory location that stored the key material has been overwritten. Wanakiwi has not yet been extensively tested on computers with x64 CPUs, so it’s possible the tool doesn’t work as reliably on that platform. Despite the limitations, wanakiwi represents a major breakthrough that could provide invaluable relief for tens of thousands of people around the world.
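The recovery idea and its failure mode, as an added Python sketch that is not wanakiwi's or Wannakey's code: a leftover prime in a memory image is recognised because it divides the public RSA modulus, and the private exponent follows from p and q. The divisibility test, little-endian storage, the exponent 65537, and the 8-byte toy primes are assumptions of this example; the article does not describe the tools' actual search method.

```python
"""Added illustration: rebuild an RSA private key from a memory image
that still holds one prime factor of the public modulus."""

E = 65537  # assumed public exponent for this example


def find_prime_factor(memory: bytes, modulus: int, prime_len: int):
    """Slide a prime_len-byte window over memory; return a factor or None."""
    for off in range(len(memory) - prime_len + 1):
        # Assumption: the prime is stored as a little-endian integer.
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if cand > 1 and modulus % cand == 0:
            return cand
    return None


def rebuild_private_key(memory: bytes, modulus: int, prime_len: int, e: int = E):
    """Return (p, q, d), or None when no prime survived in memory."""
    p = find_prime_factor(memory, modulus, prime_len)
    if p is None:
        return None  # rebooted, or the region was overwritten
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return p, q, d


# Constructed toy values: real keys use far larger primes.
P = 2**61 - 1
Q = 2**64 - 59
N = P * Q
PAD_A, PAD_B = bytes(range(37)), bytes(range(200, 219))
LIVE_IMAGE = PAD_A + P.to_bytes(8, "little") + PAD_B   # prime not yet wiped
WIPED_IMAGE = PAD_A + bytes(8) + PAD_B                 # region overwritten

if __name__ == "__main__":
    key = rebuild_private_key(LIVE_IMAGE, N, 8)
    print("live image :", "key rebuilt" if key else "no key")
    print("wiped image:", rebuild_private_key(WIPED_IMAGE, N, 8))
```
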

“In a lots of cases, the key cannot be recovered,” Delpy said. Victims “need a good amount of luck!”

