French researchers find last-ditch cure to unlock WannaCry files

For those infected by the ransomware and without unaffected backups, there is hope: developer Adrien Guinet has released a tool which is capable of recovering the private key used to encrypt files on an infected system, allowing the contents of the files to be decrypted without paying the ransom demanded by WannaCry's creators.

The rapid recovery by many organisations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

Microsoft, despite knowing the vulnerabilities present in its PC software, chose to withhold the release of the security patch for a certain section of clients, which were running older versions (e.g. Windows Vista and Windows XP) on their company systems, according to the Financial Times.

This is even as security experts have warned of the imminent comeback of another ransomware variant which would be more destructive than WannaCry and even harder to curtail. The other, ill-advised method is to pay the WannaCry attackers $300 in bitcoin.

WannaCry's worm-like capacity to infect other computers on the same network with no human intervention appears tailored to Windows 7, said Paul Pratley, head of investigations & incident response at United Kingdom consulting firm MWR InfoSecurity.

WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of US$300 to US$600 within one week of infection.

To try to free up your files, download wanakiwi.zip, the compressed version of WanaKiwi.

The researchers said, however, the tools are not flawless and only work if the infected computers have not been rebooted after being hit by the program. Once initiated, WanaKiwi searches through your computer's memory for the prime numbers used as a basis for the encryption.
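The memory search described above, as an added sketch that is not WanaKiwi's own code: it slides a window over a memory snapshot and tests each candidate against the public RSA modulus, then rebuilds the private exponent from the prime it finds. The little-endian layout, the known modulus, the toy 64-bit primes and the memory buffers are all assumptions constructed for this example.

```python
# Added illustration; toy 64-bit primes and the memory snapshots are constructed.
E = 65537                      # common RSA public exponent (assumption)
P = 2**61 - 1                  # constructed "leftover" prime
Q = 2**64 - 59                 # constructed second prime
N = P * Q                      # public modulus, known to the recovery tool
PRIME_LEN = 8                  # bytes per prime in this toy key


def find_prime_factor(memory, modulus, prime_len):
    """Slide a prime_len-byte window over memory and return (offset, p, q)
    for the first window whose value divides modulus, else None."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand, modulus // cand
    return None


def private_exponent(p, q, e=E):
    """Rebuild d from the recovered primes: d = e^-1 mod (p-1)(q-1)."""
    return pow(e, -1, (p - 1) * (q - 1))


def recover_and_decrypt(memory, ciphertext):
    """Return the plaintext integer, or None if no prime is left in memory."""
    hit = find_prime_factor(memory, N, PRIME_LEN)
    if hit is None:
        return None            # e.g. memory was wiped by a reboot
    _, p, q = hit
    return pow(ciphertext, private_exponent(p, q), N)


FILLER = bytes(range(256)) * 4                            # constructed noise
LIVE_MEMORY = FILLER + P.to_bytes(PRIME_LEN, "little") + FILLER
WIPED_MEMORY = FILLER + bytes(PRIME_LEN) + FILLER         # after a reboot
SECRET = int.from_bytes(b"file-key", "big")               # constructed payload
CIPHERTEXT = pow(SECRET, E, N)

if __name__ == "__main__":
    print(find_prime_factor(LIVE_MEMORY, N, PRIME_LEN))
    print(recover_and_decrypt(LIVE_MEMORY, CIPHERTEXT) == SECRET)
    print(recover_and_decrypt(WIPED_MEMORY, CIPHERTEXT))
```

The wiped snapshot returns nothing, which is the rebooted-machine case: once the prime is gone from memory there is nothing left to test against the modulus.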

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. "In short, his technique is totally bad ass and super smart". And if a computer is rebooted, the memory wipes and the keys are lost. However, the flaw that the decryption tools exploit was fixed in Windows 8 and later. Although 90 percent of NHS organizations still have Windows XP on some machines, only five percent of all NHS machines run Windows XP.

  • Carolyn Briggs