
French researchers find way to unlock WannaCry without ransom

Technology | May 19, 2017 05:13PM ET
 
© Reuters. Hooded man holds laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture

By Eric Auchard

FRANKFURT (Reuters) - French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims' computers first infected a week ago.

WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection.

A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.

The researchers cautioned that their solution only works in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently.

Europol said on Twitter that its European Cybercrime Centre had tested the team's new tool and said it was "found to recover data in some circumstances".

The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.

"We knew we must go fast because, as time passes, there is less chance to recover," Delpy said after a second sleepless night of work this week allowed him to release a workable way to decrypt WannaCry at 6 am Paris time (0400 GMT) on Friday.

Delpy calls his free tool for decrypting infected computers without paying ransom "wanakiwi".

Suiche published a blog with technical details summarizing what the group of passing online acquaintances (https://goo.gl/iIFDZs) has built and is racing to share with technical staff at organizations infected by WannaCry.

Wanakiwi was quickly tested and shown to work on Windows 7 and older Windows versions XP and 2003, Suiche said, adding that he believed the hastily developed fix also works with Windows 2008 and Vista, meaning the entire universe of affected PCs.

"(The method) should work with any operating system from XP to Win7," Suiche told Reuters, via direct message on Twitter.

Delpy added that so far, banking, energy and some government intelligence agencies from several European countries and India had contacted him regarding the fix.

"THE ONLY WORKABLE SOLUTION"

Guinet, a security researcher at Paris-based Quarks Lab, published the theoretical technique for decrypting WannaCry files late Wednesday and Thursday, which Delpy, also in Paris, figured out how to turn into a practical tool to salvage files.

Suiche, based in Dubai and one of the world's top independent security researchers, provided advice and testing to ensure the fix worked across the various versions of Windows.

His blog post links to Delpy's "wanakiwi" decryption tool, which is based on Guinet's original concept. The idea involves extracting the keys to WannaCry encryption codes using prime numbers rather than attempting to break the endless string of digits behind the malicious software's full encryption key.
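To make the prime-number idea concrete, here is an added sketch (not code from wanakiwi or from the researchers) of how a single RSA prime left behind in memory is enough to rebuild the private key. It assumes the prime survives as a little-endian integer in a memory image, which is why the method depends on the machine not having been rebooted; the tiny key, the memory buffer and all function names are constructed for illustration.

```python
# Added illustration, not wanakiwi's code. All values are constructed toy data.

def find_prime_factor(memory: bytes, n: int, prime_len: int):
    """Slide a window over a memory image and return (offset, p) for the first
    window that, read as a little-endian integer, is a proper divisor of n."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None  # nothing left in memory, e.g. after a reboot

def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """With one prime known, the other factor and the private exponent follow."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

def recover_and_decrypt(memory: bytes, n: int, e: int, prime_len: int, ciphertext: int):
    """Return the decrypted value, or None when no prime is found in memory."""
    hit = find_prime_factor(memory, n, prime_len)
    if hit is None:
        return None
    d = rebuild_private_exponent(n, e, hit[1])
    return pow(ciphertext, d, n)

# Constructed toy key: two 32-bit primes (real keys use far larger primes).
P, Q, E = 4294967291, 2147483647, 65537
N = P * Q
# Constructed "memory image": filler bytes, the leftover prime, then zeros.
MEMORY = bytes(range(40)) + P.to_bytes(4, "little") + bytes(16)
SECRET = 123456789  # stands in for a wrapped file key (assumption)
CIPHERTEXT = pow(SECRET, E, N)

if __name__ == "__main__":
    print(find_prime_factor(MEMORY, N, 4))
    print(recover_and_decrypt(MEMORY, N, E, 4, CIPHERTEXT))
    print(recover_and_decrypt(bytes(64), N, E, 4, CIPHERTEXT))  # wiped memory
```

Only the public modulus and a memory image are needed as input; no factoring of the full key is attempted, and a wiped image yields no result.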

"This is not a perfect solution," Suiche said. "But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups" which allow users to restore data without paying black-mailers.

As of Wednesday, half of all internet addresses corrupted globally by WannaCry were located in China and Russia, with 30 and 20 percent of infections, respectively, according to data supplied by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.

Only 309 transactions worth around $94,000 appear to have been paid into WannaCry blackmail accounts by Friday (1345 GMT), seven days after the attack began.

(Reuters graphic: tmsnrt.rs/2rqaLyz).

That's just under one in 1,000 of the estimated victims.

This may reflect a variety of factors, security experts say, including scepticism that attackers will honor their promises or the possibility that organizations have back-up storage plans allowing them to recover their data without paying ransom.
