Adrien Guinet has released WannaKey, which is designed to take advantage of a shortcoming in Windows XP to decrypt an infected machine’s files.
He says he’s used it successfully on several infected Windows XP computers, but the method won’t work for all victims.
“In order to work, your computer must not have been rebooted after being infected,” says Mr Guinet, who adds that there’s also an element of luck involved.
“This software allows to recover the prime numbers of the RSA private key that are used by Wanacry,” he explains in a post on GitHub.
“The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory. This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. ”
WannaKey won’t work on infected computers running Windows 10, Mr Guinet says, because CryptReleaseContext does clean up the memory on the platform.
Thanks for stopping by. I welcome your thoughts, comments and tips. Please use the contact form to get in touch.