Wana Decrypt0r 2.0 - Decrypt Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Wana Decrypt0r 2.0 – Decrypt Encrypted Files

Update Late May 2017! This article aims to show you a new method for detecting the RSA-encrypted files on your computer, then factorizing and trying to decrypt the encrypted files for free.

A malware researcher has reported testing a new method by which the private RSA key belonging to Wana Decrypt0r can be obtained. This method can be combined with another method, which factorizes the private keys and gives access to files encrypted with AES-128 by Wana Decrypt0r (WannaCry, also known as WCry ransomware). This may result in the successful decryption of the files. The bad news is that the testing was done on an infected Windows XP computer, so results may vary. Nonetheless, these instructions may result in the successful recovery of your files.

How to Try and Decrypt .WNCRY .WCRY Files for Free

Security researcher Adrien Guinet (@adriengnt) has reported on Twitter that a decryption process for the encrypted files is on track. So far, the researcher has successfully managed to obtain the private RSA encryption key and post instructions for it on GitHub, which we have posted in

IMPORTANT: Bear in mind that before beginning to follow the instructions, you must still have the Wana Decrypt0r infection on your computer, because these instructions manipulate the wcry.exe process, which generates the RSA private key.

But before beginning to explain the instructions to you, it is crucial that you understand how the encryption of Wana Decrypt0r 2.0 is conducted. To best explain it, we will use the graphic below, provided by Sheila A. Berta (@UnaPibaGeek):

As the graphic shows, several different keys are generated. These include a unique random AES-128 key, used to encrypt and decrypt the files. This key, which is appended to the encrypted files, is itself encrypted with an RSA public key (see the bottom right balloon). The trick with the Rivest-Shamir-Adleman (RSA) algorithm is that generating the public key also generates a matching RSA-2048 private key. If you know the public and the private RSA keys, you can easily get to the random AES-128 key.

But there is a challenge, as Adrien Guinet mentions in his GitHub decryption instructions for Wana Decrypt0r 2.0. Two functions connected with the wcry.exe process, CryptDestroyKey and CryptReleaseContext, do not delete the prime numbers from the memory of your computer, like they are designed to do. This does not mean the method is not worth trying: if you are in luck and these values have not been deleted from memory, you can recover the private key from the prime numbers. This is where Adrien's tool comes into play. Here is how to use it:

Step 1: Download the tools from GitHub, by clicking on the “clone or download” button in the following web link.

Step 2: Locate the “bin” folder and then open the binary program within it.

Step 3: You will need the PID (Process ID) of the active wcry.exe malicious process. To do this, use Kaspersky’s guide on how to get the PID of a Windows process.

Step 4:
After you have successfully obtained the process ID of the malicious program, open Windows Command Prompt as an administrator and type the following command lines:

→CD {the location of the search_primes.exe executable file}

And then locate the file named 00000000.pky on your computer. An easier method to look for it is to type the following in Windows Search (for newer Windows versions):

After you have located the .pky file, go back to Command Prompt and type the following command after going to its location with the CD command:

search_primes.exe PID {C:\location folders\00000000.pky}

…where PID is the process ID from Step 3 and “location folders” is the actual path to the file, if you still have it on your system.

If you have been successful in finding the prime RSA key after using this command, a file named “priv.key” will be created in the same directory.
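The recovery idea explained above (a prime left behind in process memory is enough to rebuild the private key and unwrap the AES key), as an added example that is not code from Adrien Guinet's tool. It assumes toy 128-bit primes instead of the 1024-bit primes of RSA-2048, a little-endian layout in memory, textbook RSA without padding, and constructed sample data; the function names are hypothetical.

```python
# Added illustration (not the wannakey source). Toy 128-bit primes stand in
# for the 1024-bit primes of a real RSA-2048 key; all data is constructed.
P = 2**127 - 1          # known Mersenne prime
Q = 2**128 - 159        # largest prime below 2**128
E = 65537               # public exponent
PRIME_LEN = 16          # bytes per prime here; 128 for RSA-2048

def find_prime_factor(memory, n, prime_len, step=1):
    """Return (offset, p) for the first window of `memory` that divides n."""
    for off in range(0, len(memory) - prime_len + 1, step):
        # Assumption: the prime sits in memory as a little-endian integer.
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None         # nothing left in memory: recovery is not possible

def rebuild_private_exponent(p, n, e=E):
    """With one prime known, q and the private exponent d follow directly."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    n = P * Q           # public modulus, as read from the public key file
    # Constructed "process memory": filler with a leftover copy of P inside.
    memory = b"\xaa" * 40 + P.to_bytes(PRIME_LEN, "little") + b"\x55" * 24
    aes_key = bytes(range(16))                           # constructed AES-128 key
    wrapped = pow(int.from_bytes(aes_key, "big"), E, n)  # textbook RSA, no padding
    hit = find_prime_factor(memory, n, PRIME_LEN)
    if hit is None:
        return None
    off, p = hit
    d = rebuild_private_exponent(p, n)
    recovered = pow(wrapped, d, n).to_bytes(16, "big")
    return off, recovered == aes_key

if __name__ == "__main__":
    print(demo())
```

If the memory region holding the prime has been reused, `find_prime_factor` returns `None`, which is why the process must still be running and the machine not rebooted.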

Decryption Instructions After You Have Located the Unique RSA Private Key

For the full decryption of your files, we recommend that you follow the instructions in this article and use the wanakiwi software to decode the encrypted data.

After decrypting your files, simply remove the threat using an advanced anti-malware program.



Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
