WannaCry — Decrypting files with WanaKiwi + Demos

Working Windows XP & 7 demos. #FRENCHMAFIA

Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter)

In Short

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!

*ASAP because prime numbers may be over written in memory after a while.

Frequently Asked Questions

Here.

Usage

You just need to download the tool and run it on the infected machine. Default settings should work.

Usage: wanakiwi.exe <PID>

- PID (Process Id) is an optional parameter. By default, wanakiwi automatically looks for wnry.exe or wcry.exe processes so this parameter should not be required. But in case, the main process has a different name this parameter can be used as an input parameter.

Don’t cry yet.

UPDATE: Actually, wanakiwi from Benjamin Delpy (@gentilkiwi) works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2. See demos in the below GIFs.

Wannakey

Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

Unfortunately, this only works on Windows XP as those values are cleaned during the CryptReleaseContext in later version of Windows.

UPDATE: Forget the above statement, this has been successfully tested with wanakiwi up to Windows 7.

As Adrien stated in his README, this is not a mistake from the author but an issue with Windows XP — the author themselves make sure to release the user key as soon as they are done with it. And that key never touches the disks unless encrypted with the attacker public key.

Key generation in memory (1), immediately followed by the actual routine destroying the keys (2)

Although, some file format issue happened with the exported key that didn’t make it compatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, as the Windows Crypt APIs on Windows XP are expecting a very strict input to work unlike Windows 10. Which is the reason why my initial tests failed with the output key using Wannakey.

Moreover, the output file format was not compatible with the ransomware WannaCry either. Unlike Wanakiwi from gentilkiwi as we can see in the demo below.

Wanakiwi

Download wanakiwi here wanakiwi.exe will automatically look for the 00000000.pky file. Cross fingers that your prime numbers haven’t been overwritten from the process address space.

After, doing some tests and discussing with Benjamin —we acknowledged the need for a complete end to end utility.

Then, Benjamin started to write his own version using OpenSSL and based on Adrien’s methodology to retrieve the key from the memory and our common research material on the decryption that we accumulated over the week on the internals of the malware when we both reversed WannaCry and our notes that enable a fix for the file format issues and build a version 100% compatible with Windows O.S. from Windows XP to Windows 7.

After troubleshooting the tool together we got a working version across multiple Windows versions.

Amazing job from Benjamin, it was lot of fun to collaborate on this with him.

(see below for full working demos!)

Wanakiwi also recreates the .dky files expect from the ransomware by the attackers, which makes it compatible with the ransomware itself too. This also prevents the WannaCry to encrypt further files.

WanaKiwi from Benjamin Delpy (@gentilkiwi) in action (Windows XP)

After further testing with Benjamin, we noticed the info leak on the prime numbers in the Microsoft Crypt API was still present on Windows 7. \o/

WanaKiwi from Benjamin Delpy (@gentilkiwi) in action (Windows 7)

What’s next ?

As explained above this method relies on finding prime numbers in memory if the memory hasn’t be reused — this means that after a certain period of time memory may get reused and those prime numbers may be erased. Also, this means the infected machine should not have been rebooted.

Also, this tool so far only works on Windows XP due to a flaw present with the CryptReleaseContext implementation. This is a great step forward.

UPDATE: Forget the above statement ! This works from Windows XP to Windows 7, and as you can see on the above screenshots, it had been tested!

Today (19 May) marks the 7th infection day (started on the 12th)— which means that many users would potentially lose their files forever from today as stated in the initial infection window.

The clock is currently ticking for many users around the World.

The infection wave is far from being over, we noticed an important and abnormal spike of activity on our kill-switch from Malaysia during the night (3 AM to 5 AM GST) that resulted in almost half of the total 10K machines we prevented from infection over the past 24 hours.