Open source software Wannakey recovers encrypted data

Adrien Guinet, a researcher at Quarkslab in France, said that if a Windows XP system is infected with the WCry ransomware virus, users can decrypt their data without paying a ransom of $300 to $600.


Guinet released a piece of software. He said the software helped him discover the data decryption keys needed on infected Windows XP computers in the lab. The software has not been extensively tested on Windows XP systems, and even if the software works, there are still limitations. During the WCry outbreak, Windows XP was not the hardest hit, so this recovery technique was of limited value.

He named the software Wannakey. He said: "This software has only been tested under Windows XP and is known to work only on Windows XP. If you want to use this software, the computer cannot be restarted after being infected. In addition, you need a certain amount of luck; the software may not work in all situations."

Matt Suiche, founder and researcher at Comae Technologies, reported that Guinet's decryption tool was ineffective.

The WCry ransomware virus, also known as WannaCry, encrypts all data on a computer after infecting it, and hackers demand a ransom of $300 to $600 from victims in order to obtain a key to recover the data. The ransomware uses the Microsoft Cryptography API (application programming interface) integrated in Windows to handle several functions, including generating encryption and decryption keys for files. After the key is created and obtained, in most versions of Windows, the API clears the key.

However, Windows XP has limitations that prevent the API from clearing the key. Therefore, the main sequence used to generate the WCry key may remain resident in memory until the computer is shut down and restarted. Wannakey can scan Windows XP system memory to extract relevant information.

"If you're lucky (that is, the associated memory block hasn't been reallocated or cleared), these main sequences may still be resident in memory," Guinet said.

"I went through the decryption process completely. I can confirm that on this computer, the key can be recovered from XP," he also tweeted, providing a screenshot of the computer in his Twitter message.
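An added example, not Wannakey's own code, of the recovery idea described above: slide over a memory image and test each window against the known public RSA modulus. It assumes the leftover key material is an RSA prime stored as a little-endian integer of known length; the small key, the memory buffers and all names are constructed for the demonstration.

```python
# Added illustration (not Wannakey's code): find a leftover RSA prime in memory.
# Assumption: the prime sits in memory as a little-endian integer of known length.

def find_prime_factor(memory: bytes, modulus: int, prime_len: int):
    """Return (offset, p) for the first window that divides `modulus`, else None."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if cand < 3 or cand % 2 == 0:      # a prime factor is odd and > 2
            continue
        if modulus % cand == 0:            # exact divisor of N, so p or q
            return off, cand
    return None                            # region was reallocated or cleared

def rebuild_private_key(p: int, modulus: int, e: int = 65537):
    """Derive the other prime and the private exponent from one recovered prime."""
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return q, d

# --- constructed sample data (real keys are far larger) ---
P = 2**127 - 1                             # known Mersenne primes, demo only
Q = 2**107 - 1
N = P * Q                                  # public modulus, known to the defender
PRIME_LEN = 16
FILLER = bytes((i * 37 + 11) % 256 for i in range(256))
# Image where the prime survived at an unaligned offset, and one where it was cleared.
MEMORY = FILLER[:101] + P.to_bytes(PRIME_LEN, "little") + FILLER[101:]
WIPED = FILLER[:101] + bytes(PRIME_LEN) + FILLER[101:]

if __name__ == "__main__":
    hit = find_prime_factor(MEMORY, N, PRIME_LEN)
    print("live image :", hit)
    print("wiped image:", find_prime_factor(WIPED, N, PRIME_LEN))
    if hit:
        q, d = rebuild_private_key(hit[1], N)
        c = pow(42, 65537, N)              # encrypt a test value with the public key
        print("round trip :", pow(c, d, N) == 42)
```

The wiped image returns no hit, which mirrors the stated limitation: once the memory block is reallocated or cleared, or the machine is restarted, nothing is left to find.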

The original text comes from: https://www.oschina.net/news/84991/wannacry-decryption-tool

Address of this article: https://www.linuxprobe.com/open-sources-wannakey.html Editor: Guo Jianpeng, Auditor: Pang Zengbao
