WannaCry Ransomware Decryption Tools Now Available!

WannaCry Ransomware Decryption Tools Now Available.. There are two WannaCry Ransomware decryption Tools launched. Now no need to...

WannaCry Ransomware Decryption Tools Now Available..

There are two WannaCry Ransomware decryption Tools launched. Now no need to Pay in Bitcoin, get all yours files back without paying Ransom.

1. WanaKiwi:

This utility allows machines infected by the WannaCry ransomware to recover their files.

wanakiwi is based on wanadecrypt which makes possible for lucky users to :

• Recover the private user key in memory to save it as 00000000.dky
• Decrypt all of their files
• The primes extraction method is based on Adrien Guinet's [wannakey] (https://github.com/aguinet/wannakey) which consist of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext().

Adrien's method was originally described as only valid for Windows XP but @msuiche and I proved this can be extended to Windows 7.

Usage

wanakiwi.exe [PID]

PID is an optional parameter, by default the utility will look for any of this process:

wnry.exe
wcry.exe
data_1.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Limitations

Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot - the original process memory will be lost. It is very important for users to NOT reboot their system before trying this tool.

Secondly, because of the same reason we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility ASAP.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.

Download WanaKiwi