WannaCry Ransomware has a coding mistake that can let you get your file back
Last month, the computing world was shaken by the WannaCry ransomware that at its peak, had affected over a quarter million PCs across the globe. However, that does not mean that it was a high quality malware with research into the malware coming out with reports that you can decrypt your files without needing a decryption key due to flaws in the coding process of WannaCry.
Patient Research pays off
Kaspersky Lab, has come to the conclusions that the ransomware contained mistakes in its code that would allow a user to decrypt/restore their files with publicly available tools or even basic commands. Anton Ivanov, senior malware analyst at Kaspersky Lab, along with colleagues Fedor Sinitsyn and Orkhan Mamedov, after deeply researching the malware, have detailed 3 critical errors made by the developers of the malware which can allow a sysadmin to restore these files.
According to the researchers, the issue resides in the way the malware carries out the encryption. The malware will first rename the original files with the extension “.WNCRYT”, then encrypt them followed by deletion of the original files. It does this because it is not possible for a malware to directly encrypt or modify read-only files.
Therefore the original files remain untouched with the files only receiving a “hidden” attribute and therefore, restoring the files only requires the user to restore the original attributes. This wasn’t the only error however, in some cases, the malware even failed to delete the original files after encryption.
Recovery from System Drive
The researchers have specified that recovering files that resided in the important locations such as Documents or in the Desktop folders will not be possible without the decryption key since the malware was coded to overwrite the original files with random data before they are deleted. Thus, negating any sort of recovery. However, data from files that resided in other locations, could be restored from the temporary folder by means of a data recovery software.
“…the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten,” researchers said.
The same researchers also found that the malware would create a hidden ‘$RECYCLE’ folder where it would transfer all of the original files after encrypting them thus, all you need to do is un-hide the ‘$RECYCLE’ and you get back all of your files. In some cases due to ” synchronization errors ” the original files at times also stayed put in their original directories thus allowing users to recover their files by using simple data recovery software.
Hope for WannaCry victims
These errors come as a ray of hope for victims of the malware who were unable to recover their files.
“If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. The code quality is very low. To restore files, you can use the free utilities available for data recovery.”
French researchers Adrien Guinet and Benjamin Delpy made the recovery of files possible by creating a free WannaCry decryption tool that runs on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and Server 2008.While all this, the world still hunts for the perpetrators of the headline grabbing ransomware.
Source:The Hacker News
