In an unusual turn of events, a Windows bug has been found to work in favor of victims instead of attackers, allowing WannaCry[1] victims that run Windows XP to decrypt the files encrypted by the ransomware.
The fact was discovered by Adrien Guinet, a researcher with security firm QuarksLab, who also created software[2] that should help victims to recover the prime numbers of the RSA private key used by WannaCry.
But the software works only on Windows XP machines, only on computers that haven’t been rebooted after infection, and only if the computer’s memory hasn’t been reallocated and erased.
The tool searchers for the prive numbers in the wcry.exe process (the process that generates the RSA private key).
“The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory,” Guinet explained.
“This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN [Microsoft Developer Network] states this, for this function: ‘After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.” So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.”
Other researchers tested the tool, and it worked for some but not for others. As Guinet noted, “you need some luck for this to work.”
It’s good to note that the massive WannaCry onslaught started late last week[3] was aided by the use of the EternalBlue exploit, which worked only on Windows 7 and 2008 R2.
But while the exploit doesn’t work on Windows XP, the ransomware works on it just fine – if it’s delivered by other means (e.g. phishing email). And a new WannaCry delivery campaign can easily be started in the future.
If it is, Windows XP users will be able to try this tool out – they just need to remember not to reboot their infected machine.