A security researcher claims to have created a new tool capable of restoring computers infected by WannaCry ransomware.

Adrien Guinet has released WannaKey, which is designed to take advantage of a shortcoming in Windows XP to decrypt an infected machine’s files. 

He says he’s used it successfully on several infected Windows XP computers, but the method won’t work for all victims.

Gadgets and tech news in pictures Gadgets and tech news in pictures

“In order to work, your computer must not have been rebooted after being infected,” says Mr Guinet, who adds that there’s also an element of luck involved. 

“This software allows to recover the prime numbers of the RSA private key that are used by Wanacry,” he explains in a post on .

“The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory. This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. ”

WannaKey won’t work on infected computers running Windows 10, Mr Guinet says, because CryptReleaseContext does clean up the memory on the platform. 

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.”

In an exchange on Twitter, Matthieu Suiche, another security researcher, he also used the tool but it didn’t work for him. Still, Mr Guinet’s work provides some hope.

WannaCry is demanding a payment of $300-$600 from victims, but security researchers have warned users not to pay the ransom.


Please enter your comment!
Please enter your name here