# Security researcher says he’s figured out how to decrypt WannaCry

## The ransomware WannaCry has infected hundreds of thousands of computer systems around the globe, but a security researcher claims he’s figured out how to beat it.

Adrien Guinet says that he was able to decrypt a ransomwared computer running Windows XP in his lab by discovering the prime numbers that make up the WannaCry private key. The private key is what a ransomware victim would need to buy off his attackers in order to regain access to his own files, but Guinet says he was able to do this without paying

.

.

## Introduction

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.”. So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.

That’s what this software tries to achieve.

## Usage

You can use the binary in the bin/ folder. You first need to find the PID of the wcry.exe process using the Task Manager, and locate the 00000000.pky file.

Once you’ve got this, launch using cmd.exe:

> search_primes.exe PID path\to\00000000.pky


If a valid prime is found in memory, the priv.key file will be generated in the current directory.

You can then use https://github.com/odzhan/wanafork/ or https://github.com/gentilkiwi/wanadecrypt to decrypt your files! (working on XP!)

## Compile from source

You can use Visual Studio 2015 express to compile the associated project. Be sure to select the compatible Windows XP toolchain in the project properties!

Sourses GitHub    mashable.com

.