
Wana Decrypt0r 2.0 – Decrypt Encrypted Files

Update, late May 2017: This article aims to show you a new method to detect the RSA-encrypted files on your computer, after which you can try to factorize the key and decrypt the encrypted files for free.

A malware researcher has reported testing a new method by which the private RSA key belonging to Wana Decrypt0r can be obtained. This method can be combined with another method that factorizes the private key and gives access to the files encrypted with AES-128 by Wana Decrypt0r (WannaCry, also known as WCry ransomware). This may result in the successful decryption of the files. The bad news is that the testing was done on an infected Windows XP computer, so results may vary. Nonetheless, these instructions may result in the successful recovery of your files.

How to Try and Decrypt .WNCRY .WCRY Files for Free

Security researcher Adrien Guinet (@adriengnt) has reported on Twitter that a decryption process for the encrypted files is currently under way. So far, the researcher has successfully managed to obtain the private RSA encryption key and has posted instructions for it on GitHub, which we have posted in

IMPORTANT: Bear in mind that before beginning to follow the instructions, you must still have the Wana Decrypt0r infection on your computer, because these instructions work on the wcry.exe process, which generates the RSA private key.

But before beginning to explain the instructions to you, it is crucial that you understand how the encryption of Wana Decrypt0r 2.0 is conducted. To best explain it, we will use the graphic below, provided by Sheila A. Berta (@UnaPibaGeek):

As visible from the graphic below, multiple different keys are generated. These include a unique random AES-128 key, used to encrypt and decrypt the files. This key, which is appended to each encrypted file, is itself encrypted with an RSA public key (see the bottom-right balloon). The point about the Rivest-Shamir-Adleman (RSA) algorithm is that, by construction, the RSA-2048 public key has a matching RSA-2048 private key generated alongside it. If you know both the public and the private RSA key, you can easily recover the random AES-128 key.

But there is a catch, as Adrien Guinet mentions in his GitHub decryption instructions for Wana Decrypt0r 2.0. Two functions called by the wcry.exe process, CryptDestroyKey and CryptReleaseContext, do not erase the prime numbers from your computer's memory as they are designed to do. That is why the method is worth trying: if you are in luck and those primes are still present in memory, you can recover the private key from them. This is where Adrien's tool comes into play. Here is how to use it:

Step 1: Download the tools from GitHub, by clicking on the “clone or download” button in the following web link.

Step 2: Locate the “bin” folder and then open the binary program within it.

Step 3: You will need the PID (Process ID) of the active wcry.exe malicious process. To do this, use Kaspersky’s guide on how to get the PID of a Windows process.

Step 4: After you have successfully obtained the process ID of the malicious program, open Windows Command Prompt as an administrator and type the following command line:

→CD {the location of the search_primes.exe executable file}

And then locate the file named 00000000.pky on your computer. An easier method to look for it is to type the following in Windows Search (for newer Windows versions):

After you have located the .pky file, go back to the command prompt and, once you have changed to its location with the CD command, type the following command:

→search_primes.exe PID {C:\location folders\00000000.pky}

…where PID is the process ID obtained in Step 3 and “location folders” is the actual path to the file, if you still have it on your system.

If this command succeeds in finding the RSA prime, a file named “priv.key” will be created in the same directory.
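As an added illustration of the idea behind Steps 1 to 4 and the key layout described above (not code from the original article or from Adrien Guinet's tool): a toy Python script that scans a constructed memory image for a prime dividing the RSA modulus, rebuilds the private exponent from it and unwraps an AES key. It uses small constructed primes and textbook (unpadded) RSA, so it models only the arithmetic, not the CryptoAPI key blobs the real malware uses.

```python
# Constructed toy key pair (real WannaCry keys are RSA-2048; these primes are
# 2^64-59 and 2^128-159, chosen only so the arithmetic stays visibly small).
P = (1 << 64) - 59
Q = (1 << 128) - 159
N, E = P * Q, 65537


def find_prime_in_memory(dump, n, prime_len):
    """Slide a window over a memory image and return the first window whose
    little-endian value is a non-trivial factor of n, or None if no prime
    is left in memory (the case where the primes were already wiped)."""
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def private_exponent(n, e, p):
    """Rebuild the private exponent d from the public key plus one prime."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_unwrap(wrapped, n, d, key_len=16):
    """Textbook RSA decryption of an integer-wrapped key (no padding,
    unlike the PKCS#1 wrapping CryptoAPI applies in the real malware)."""
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def demo():
    aes_key = bytes(range(0x10, 0x20))                   # constructed file key
    wrapped = pow(int.from_bytes(aes_key, "big"), E, N)  # "public-key encrypted"
    # Constructed process image: filler, then the prime as CryptoAPI would
    # hold it (little-endian), then more filler.
    dump = b"\xaa" * 37 + P.to_bytes(8, "little") + b"\x55" * 41
    p = find_prime_in_memory(dump, N, 8)
    if p is None:
        return None          # primes already overwritten: recovery impossible
    d = private_exponent(N, E, p)
    return rsa_unwrap(wrapped, N, d)


if __name__ == "__main__":
    print(demo().hex())
```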

Decryption Instructions After You Have Located the Unique RSA Private Key

For the full decryption of your files, we recommend that you follow the instructions in this article and use the wanakiwi software to decode the encrypted data.

After decrypting your files, simply remove the threat using an advanced anti-malware program:


Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
