A researcher with the France-based Quarkslab, Adrien Guinet, has found a way to retrieve the encryption key from the WannaCrypt ransomware. Yes, this dude can get that WannaCry menace off your computer without having to pay the $300 ransom the damn ransomware demands.
Guinet, a security researcher, has developed an application, WCry, that pulls the decryption key straight out of the ransomware's memory on the affected system. Before you get too excited, the WCry decryption tool only works on Windows XP, and only if the PC has not been rebooted since being infected and the relevant memory has not been overwritten.
Guinet posted the WCry tool on GitHub, where it is available for free. In the readme accompanying the app, Guinet writes, “This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”
WannaCry works less well on Windows XP, thanks to a flaw in the OS
It looks like what Microsoft got wrong on Windows XP, and right on later versions of Windows, is exactly what makes WannaCry a bit easier to defeat. The ransomware uses Microsoft's built-in cryptographic tools to do its dirty work. On Windows XP, however, that implementation has a flaw that prevents the keys from being erased from memory, a flaw Microsoft corrected in the versions of Windows that followed XP.
Guinet writes, “If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.”
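The recovery step Guinet describes, worked through in Python as an added example (this is not his tool's code): scan a memory image for a window whose little-endian value divides the RSA public modulus, then rebuild the private exponent from that prime. The toy 64-bit primes, the "memory dump" and the sample message are constructed for the demo; real WannaCry keys are far larger.

```python
"""Added example, not Adrien Guinet's tool: rebuild an RSA private key from a
prime that survives in process memory, the situation the article describes.
The memory image, key sizes and offset below are constructed for the demo."""
import os
from math import gcd
from typing import Optional, Tuple

E = 65537
# Constructed toy key: two known 64-bit primes (real WannaCry keys are 2048-bit).
P_TOY = 2**64 - 59
Q_TOY = 2**63 - 25


def prime_len_bytes(n: int) -> int:
    """CryptoAPI stores each RSA prime as half the modulus length, little-endian."""
    return ((n.bit_length() + 7) // 8) // 2


def build_memory_image(prime: int, size: int, total: int = 4096, offset: int = 1500) -> bytes:
    """Constructed 'process memory': random bytes with one prime planted in it,
    little-endian, the way the article says XP's CryptoAPI leaves it behind."""
    mem = bytearray(os.urandom(total))
    mem[offset:offset + size] = prime.to_bytes(size, "little")
    return bytes(mem)


def scan_for_factor(mem: bytes, n: int) -> Optional[int]:
    """Slide a window over memory; any value that divides n is a prime factor.
    Knowing the public modulus, trial division is a cheap, exact test."""
    size = prime_len_bytes(n)
    for off in range(len(mem) - size + 1):
        cand = int.from_bytes(mem[off:off + size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_key(n: int, e: int, p: int) -> Tuple[int, int]:
    """From one recovered prime and the public key (n, e), derive q and d."""
    q = n // p
    phi = (p - 1) * (q - 1)
    if p * q != n or gcd(e, phi) != 1:
        raise ValueError("recovered value is not a usable factor of n")
    return q, pow(e, -1, phi)


def demo() -> bool:
    """Encrypt with the public key, 'lose' the private key, recover a prime from
    memory, rebuild d, and check that decryption round-trips."""
    n = P_TOY * Q_TOY
    message = 0x57616E6E614B6579  # constructed sample plaintext, "WannaKey"
    ciphertext = pow(message, E, n)
    p = scan_for_factor(build_memory_image(P_TOY, prime_len_bytes(n)), n)
    if p is None:
        return False
    _, d = rebuild_private_key(n, E, p)
    return pow(ciphertext, d, n) == message
```

If the prime has been overwritten, `scan_for_factor` returns `None`, which is the "you need some luck" case Guinet describes.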
The problem is that Windows XP isn't that popular any more
Well, finding a free workaround for this WannaCrypt menace is a blessing, but it suffers from a major setback. Windows XP, unfortunately, is no longer widely used, meaning the users who can actually make use of this decryption tool are few and far between.
However, the technique used to retrieve the key could be a step in the right direction towards containing and eradicating the threat posed by this ransomware and those that follow it. That said, you can still find the code on GitHub here.