
Windows XP PCs infected by WCry can be decrypted without paying ransom

Decryption tool is of limited value, because XP was unaffected by last week's worm.

Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.

Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.

"This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"

Matt Suiche, a researcher and founder of Comae Technologies, reported he was unable to make Guinet's decryptor tool work.

WCry, which also goes by the name WannaCry, covertly encrypts computer files after infecting a computer and then demands owners pay a $300 to $600 ransom to obtain the decryption key required to restore a computer to normal working condition. The ransomware uses the Microsoft Cryptographic Application Program Interface included with Windows to handle many of the functions, including generating the key for encrypting and decrypting the files. After creating and securing the key, the interface erases the key on most versions of Windows.

A previously overlooked limitation in XP, however, can prevent the erasure from occurring in that Windows version. As a result, the prime numbers used to generate a WCry secret key may remain intact in computer memory until the PC is powered down. Wannakey was able to successfully scour the memory of an infected XP machine and extract the p and q variables that the secret key was based on.

"If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," Guinet wrote.
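The recovery idea described above, as an added illustration that is not Wannakey's code: given the RSA public modulus n from the ransom note's key and a memory snapshot in which one of the primes survived, slide a window over the snapshot, interpret each window as a little-endian integer, and test whether it divides n; a hit yields p, q and hence the private exponent. The demonstration key, the snapshot and the assumed little-endian layout are all constructed here.

```python
# Added illustration, not Wannakey's code: the CryptoAPI behaviour above can
# leave an RSA prime in memory; given the public modulus n and a snapshot,
# find that prime and rebuild the private key. Key, snapshot and the
# little-endian layout are all constructed here for the demonstration.
import os
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demonstration key."""
    if n < 2 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, e=65537):
    """Random prime of the given size with p-1 coprime to e."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % e != 1 and is_probable_prime(c):
            return c

def make_snapshot(p, prime_bytes, noise_len=4096):
    """Constructed 'process memory': noise plus p's little-endian bytes
    left at a random offset, as in a CSP buffer that was never wiped."""
    buf = bytearray(os.urandom(noise_len))
    off = random.randrange(0, noise_len - prime_bytes)
    buf[off:off + prime_bytes] = p.to_bytes(prime_bytes, "little")
    return bytes(buf)

def recover_private_key(n, e, snapshot, prime_bytes):
    """Slide a window over the snapshot, reading each as little-endian;
    a value that divides n is a surviving prime. Returns (p, q, d) or None."""
    for off in range(len(snapshot) - prime_bytes + 1):
        c = int.from_bytes(snapshot[off:off + prime_bytes], "little")
        if 1 < c < n and n % c == 0:
            p, q = c, n // c
            return p, q, pow(e, -1, (p - 1) * (q - 1))
    return None
```

The scan returns None when no window divides n, which is the "memory has been reallocated and erased" case Guinet warns about; real key material is larger and the CSP's blob layout has headers around the primes, so a production tool has more to parse than this sketch.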

The researcher also wrote on Twitter: "I got to finish the full decryption process, but I confirm that, in this case, the private key can [be] recovered on an XP system #wannacry!!" He provided the screenshot at the top of this post.

Last Friday, WCry attacked more than 200,000 computers in 150 countries after someone used an advanced hacking tool developed by the National Security Agency to deliver the ransomware. EternalBlue, as the leaked NSA exploit was codenamed, had been modified in a way that made the attacks self-replicating, setting off a chain of attacks that spread from vulnerable computer to vulnerable computer without requiring any interaction from users. A bug in the modification prevented the worm from infecting XP. EternalBlue first came into the public domain in April when a mysterious group calling itself the Shadow Brokers released it and dozens of other cyberweapons used for years by the NSA.

So far, there are no indications that the limitation that allowed Guinet to recover the WCry key is present when the ransomware infects later versions of Windows. That means WCry victims on other versions still have no known means for decrypting their data other than paying the ransom. Still, Guinet's finding offers hope. Anyone who has been infected by WCry should avoid restarting their computers and await further research. This post will be updated if new newsworthy details become available.
