WannaCrypt, WannaCry and WannaCryptor are all names given to the deadly ransomware that made the news last week when it ended up infecting millions of computers all over the world. It is reported that unpatched Windows computers in nearly 130 countries fell victim to WannaCry. This ransomware was the first to use the vulnerabilities that were made public early this year. Specifically, WannaCry used the EternalBlue vulnerability, but there are more vulnerabilities waiting to be used by cyber-criminals.
If you want to protect and defend your Windows PC against such ransomware, then you can install the patches made available by Microsoft as explained in our earlier article – Five Steps to Prevent WannaCry Ransomware Attack. But if you have already become a victim of WannaCry and this ransomware has already encrypted your files, then you still have a chance to decrypt them without having to pay the ransom.
An open-source tool called WannaKiwi can read the prime number used by the RSA private key from the memory of an infected computer and then use it to decrypt your files. However, this tool works only if you are running Windows XP, Windows 2003 or Windows 7, and only if you have not shut down your computer since WannaCry encrypted your files. If you shut down your computer, the data stored in the RAM is lost, and with it any information about the private RSA key. Additionally, if your computer runs other programs, they may overwrite the contents of the RAM, and again the information we seek is lost. This means that this tool will not work for many of the people affected by the WannaCry ransomware attack.
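The recovery principle described above, as an added example that is not part of the original article and is not WannaKiwi's code: scan a memory buffer for a value that divides the public modulus, then rebuild the private exponent from it. The function names, the toy 125-bit key, the little-endian layout and the sample "memory dump" are assumptions constructed for this illustration.

```python
# Added illustration: recover an RSA private exponent from one prime left in RAM.
# Toy-sized key and constructed buffer; real keys are far larger.

def find_prime_in_memory(dump: bytes, n: int):
    """Slide over the dump and return a non-trivial factor of n, or None."""
    half = (n.bit_length() + 7) // 8 // 2   # each prime is about half the modulus size
    for off in range(len(dump) - half + 1):
        # Assumption: the prime is stored as a little-endian integer.
        cand = int.from_bytes(dump[off:off + half], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None

def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """With one prime known, the other prime and d follow directly."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed sample key: two well-known primes, standard public exponent.
P = 2**61 - 1
Q = 2**64 - 59
N = P * Q          # the public modulus (what the .pky file would provide)
E = 65537

def make_dump(include_prime: bool) -> bytes:
    """Constructed 'RAM': filler bytes, optionally with P still present."""
    junk = bytes(range(256))
    secret = P.to_bytes(8, "little") if include_prime else bytes(8)
    return junk + secret + junk[::-1]

def recover(dump: bytes):
    """Return the private exponent, or None if the prime is gone from memory."""
    p = find_prime_in_memory(dump, N)
    return None if p is None else rebuild_private_exponent(N, E, p)

if __name__ == "__main__":
    message = 0x57414E4E41
    cipher = pow(message, E, N)
    d = recover(make_dump(True))
    print("prime still in RAM, decrypted ok:", pow(cipher, d, N) == message)
    # After a reboot or an overwrite the prime is no longer there to find.
    print("prime overwritten, key recovered:", recover(make_dump(False)) is not None)
```

The second case shows why the tool fails after a shutdown or once other programs reuse the memory: without the prime, nothing in the buffer divides the modulus.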
Using this tool is very easy. You can just download the tool from GitHub and launch it. It will search for the 00000000.pky file in the current folder or on the C: drive. After this, it will try to read data from your RAM. If you are fortunate, it will locate the data and begin decrypting your files. The developer of this tool has tested it on the 32-bit versions of Windows XP and Windows 7.
Conclusion: WannaKiwi can decrypt the files encrypted by the WannaCry ransomware by reading the private RSA key from memory, provided that you have not rebooted your PC, no program has overwritten the contents of the RAM, and you are running Windows XP, Windows 2003 or Windows 7.
You can download WannaKiwi from https://github.com/gentilkiwi/wanakiwi/releases.