French security researcher Adrien Guinet has figured out a way to decrypt files locked by the infamous WannaCry ransomware.
Guinet has published a free tool, dubbed Wannakey, that retrieves the private RSA key used by WannaCry, aka WCry or WannaCrypt, to encrypt files. The other, ill-advised method is to pay the WannaCry attackers $300 in bitcoin.
There are several caveats, though. It only works for Windows XP and only if the machine has not been rebooted after the infection. The tool searches for the prime numbers of the private key in wcry.exe, the process responsible for generating WannaCry’s private key, which will remain in memory until a reboot occurs.
As Guinet explains on Wannakey’s GitHub page, WannaCry’s authors used the Windows Crypto application programming interface (API) properly. However, Microsoft designed the API’s functions CryptDestroyKey and CryptReleaseContext so as “not to erase the prime numbers from memory before freeing the associated memory”.
The recovery technique doesn’t work in Windows 10 because Windows 10 does erase that memory, while Windows XP does not.
If you are lucky, that is, if the associated memory hasn’t been reallocated and erased, these prime numbers might still be in memory. That’s what this software tries to achieve.
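The memory search described above, as an added Python example that is not Wannakey's own code: it slides over a buffer looking for a value that divides the RSA public modulus, then rebuilds the private exponent from the two primes. It assumes the public modulus is already known and that primes are stored as fixed-length little-endian integers; the 64-bit primes, the buffers and all names are constructed for the demo.

```python
# Added example: find an RSA prime left behind in a memory buffer.
# Assumptions (not from the article): the public modulus N is known, and the
# primes are stored as fixed-length little-endian integers.

E = 65537
P = 2**64 - 59          # constructed demo prime (real keys use far larger primes)
Q = 2**61 - 1           # constructed demo prime
N = P * Q               # public modulus
PRIME_LEN = 8           # byte length of one stored prime in this demo


def find_prime_factor(memory, modulus, prime_len, step=4):
    """Return (offset, p, q) for the first window that divides modulus, else None."""
    for off in range(0, len(memory) - prime_len + 1, step):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if cand < 3 or cand % 2 == 0 or cand >= modulus:
            continue                      # zeroed, even or oversized: not a factor
        if modulus % cand == 0:
            return off, cand, modulus // cand
    return None


def rebuild_private_exponent(p, q, e=E):
    """With both primes known, the private exponent follows directly."""
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed "freed heap" contents: filler, the prime, more filler.
FREED_NOT_WIPED = bytes(range(64)) + P.to_bytes(PRIME_LEN, "little") + bytes(range(64, 128))
# Same region after reuse or a reboot: the prime bytes are gone.
WIPED = bytes(range(64)) + bytes(PRIME_LEN) + bytes(range(64, 128))

if __name__ == "__main__":
    hit = find_prime_factor(FREED_NOT_WIPED, N, PRIME_LEN)
    print("not wiped:", hit)
    if hit:
        _, p, q = hit
        d = rebuild_private_exponent(p, q)
        sample = 0xC0FFEE
        print("round trip ok:", pow(pow(sample, E, N), d, N) == sample)
    print("wiped:", find_prime_factor(WIPED, N, PRIME_LEN))
```

The second buffer shows the failure case from the caveats: once the freed region has been overwritten, no window divides the modulus and the search returns nothing.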
The tool may be helpful for XP users infected with WannaCry, but a similar tool for Windows 7 is likely to have a bigger impact at sites such as the UK NHS hospitals that were hit hard by the recent ransomware attack.
As security researcher WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network.
So WannaCrypt can lock up Windows XP files, but XP PCs were not vulnerable to the NSA’s worm-like spreading mechanism, which exploited a flaw in Microsoft’s network file-sharing protocol.