French researchers find last-ditch cure to unlock WannaCry files


PARIS — A French researcher has released a software tool that he claims can restore some of the computers infected by the WannaCry ransomware.

A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.

Developed by security expert Adrien Guinet, internationally known hacker Matthieu Suiche, and part-time coder and full-time bank employee Benjamin Delpy, the free tool, named “wannakiwi”, has been tested by the European Cybercrime Centre and has been “found to recover data in some circumstances”.

The new publicly available tool is able to decrypt files on infected PCs running Windows XP, 7 and 2003, and one of the researchers behind the decryptor said it likely works for other Windows versions, including Vista, Server 2008, and 2008 R2.

As was the case with Wannakey, the recovery won’t work if an infected computer has been restarted. He said the software helps recover the prime numbers of the RSA private key that are used by WannaCry. This also prevents WannaCry from encrypting further files. Dubbed Wannakey, the previous tool provided the means to extract key material from infected Windows XP PCs but required a separate app to transform those bits into the secret key required to decrypt files.
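The following added example (not code from the article or from the wannakey/wannakiwi projects) sketches the idea of recovering an RSA prime from leftover process memory and why a restart defeats it. It assumes the prime sits contiguously in memory in little-endian byte order and is recognised by testing whether a candidate divides the public modulus; the toy key, the memory images and all function names are constructed for illustration.

```python
import hashlib

def find_prime_in_memory(dump: bytes, n: int):
    """Slide over the dump; return (offset, p) for the first window that divides n."""
    # Assumption: both primes are half the modulus size and stored little-endian.
    plen = (n.bit_length() + 15) // 16
    for off in range(len(dump) - plen + 1):
        cand = int.from_bytes(dump[off:off + plen], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None  # key material no longer in memory (e.g. after a restart)

def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """With one prime known, the other is n // p and d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed toy key: two well-known 16-byte primes, not WannaCry key material.
P, Q, E = 2**127 - 1, 2**128 - 159, 65537
N = P * Q

# Constructed memory images: deterministic filler, with P left behind in one of them.
FILLER = hashlib.shake_256(b"constructed sample").digest(4096)
LIVE_DUMP = FILLER[:1000] + P.to_bytes(16, "little") + FILLER[1000:]
REBOOTED_DUMP = FILLER

if __name__ == "__main__":
    hit = find_prime_in_memory(LIVE_DUMP, N)
    print("live process:", hit)
    d = rebuild_private_exponent(N, E, hit[1])
    print("round trip ok:", pow(pow(42, E, N), d, N) == 42)
    print("after restart:", find_prime_in_memory(REBOOTED_DUMP, N))
```

Only the public modulus and a memory image are needed as input, which is why responders are advised to leave an infected machine powered on and untouched until memory has been examined.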

The researcher has uploaded the tool, which he calls WannaKey, to his GitHub repo.

As of Wednesday, half of all internet addresses corrupted globally by WannaCry were located in China and the Russian Federation, with 30 and 20 per cent of infections, respectively, according to data supplied by threat intelligence firm Kryptos Logic.

Kryptos also added that only 309 transactions worth around 94,000 dollars appear to have been paid into WannaCry blackmail accounts by Friday (1345 GMT/9.45 a.m. ET), seven days after the attack began.
