https://github.com/gentilkiwi/wanakiwi

Automated wanadecrypt with key recovery if lucky

# wanakiwi

## Introduction
This utility allows machines infected by the WannaCry ransomware to recover their files.

**wanakiwi** is based on [wanadecrypt](https://github.com/gentilkiwi/wanadecrypt), which makes it possible for lucky users to:
- Recover the private user key in memory to save it as `00000000.dky`
- Decrypt all of their files

The prime extraction method is based on Adrien Guinet's [wannakey](https://github.com/aguinet/wannakey), which consists of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during `CryptReleaseContext()`.

Adrien's method was originally described as only valid for Windows XP but @msuiche and I proved this can be extended to Windows 7.

![Alt text](/win7x86.png?raw=true "Optional Title")
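
The arithmetic behind the prime scan described above, as an added Python sketch (not code from wanakiwi or wannakey): slide a window over a memory buffer and test whether it divides the known public modulus. The toy key, the buffer contents, the little-endian fixed-width storage, the 4-byte alignment and the public exponent 65537 are all assumptions of this example.

```python
"""Added sketch of the prime scan: every value here is constructed for the demo."""
from typing import Optional, Tuple

# Constructed toy key: two Mersenne primes stand in for the real RSA primes.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q          # the public modulus is the known quantity
PRIME_LEN = 16     # bytes per prime in this toy key (assumption of the demo)

# Constructed "process memory": patterned filler with P left behind at offset 1000.
_filler = bytes((i * 37 + 11) % 256 for i in range(4096))
MEMORY = _filler[:1000] + P.to_bytes(PRIME_LEN, "little") + _filler[1000:]


def find_prime_factor(memory: bytes, modulus: int, prime_len: int,
                      step: int = 4) -> Optional[Tuple[int, int]]:
    """Return (offset, p) for the first window that is a non-trivial factor."""
    for off in range(0, len(memory) - prime_len + 1, step):
        window = memory[off:off + prime_len]
        # Cheap filters before the big division: a prime factor is odd, and a
        # full-length prime has a non-zero most significant (last) byte.
        if not window[0] & 1 or window[-1] == 0:
            continue
        cand = int.from_bytes(window, "little")  # assumed little-endian storage
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(p: int, modulus: int, e: int = 65537) -> Tuple[int, int]:
    """One prime is enough: derive q and the private exponent d."""
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return q, d


if __name__ == "__main__":
    hit = find_prime_factor(MEMORY, N, PRIME_LEN)
    if hit is None:
        print("no factor found: the memory was reused or the process is gone")
    else:
        off, p = hit
        q, d = rebuild_private_exponent(p, N)
        print(f"factor at offset {off}; private exponent has {d.bit_length()} bits")
```

The `None` branch is the failure mode the Limitations section describes: once the bytes holding the prime are overwritten or the process exits, no window divides the modulus.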

## Usage
### Process access
`wanakiwi.exe [/pid:PID|/process:program.exe]`

`pid` and `process` are optional parameters; by default the utility will look for any of these processes:
- wnry.exe
- wcry.exe
- data_1.exe
- ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
- tasksche.exe

## Limitations
Because this method relies on scanning the address space of the process that generated those keys, the original process memory is lost if that process has been killed, for instance by a reboot. It is very important for users to *NOT* reboot their system before trying this tool.

Secondly, for the same reason, we do not know how long the prime numbers will be kept in the address space before that memory is reused by the process. This is why it is important to try this utility ASAP.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.

## Compatibility

O.S. | x86 | x64
------------- | ------------- | -------------
Windows XP | :white_check_mark: | ?
Windows 2003 | :white_check_mark: | ?
Windows 7 | :white_check_mark: | ?

## Frequently Asked Questions
### Does it modify the original encrypted files?
No, the original encrypted files (.WNCRY) remain unmodified. The decrypted files are generated as separate files.

### Does it work on an infected machine that has been rebooted or shut down?
No, the whole point is to be able to analyze the memory of the process which created the keys. If the machine has been shut down or rebooted, this memory state is lost.

### What about hibernated machines?
Yes, when you hibernate your machine it saves the state of memory to disk, which preserves the process memory state. In those scenarios, a machine which has been hibernated for multiple days has its memory state intact and identical to the day it hibernated, which actually raises your chances of file recovery.

### What shall we do after recovering our files?
We **strongly** recommend that you **immediately** back up those recovered files on an external empty disk **before** rebooting or shutting down your machine, including the `00000000.dky` file generated by **wanakiwi**, which is the decryption key.
Once you have backed up your recovered files, we recommend that you reinstall a fresh version of Windows.

## Acknowledgement
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

With BIG thanks and love to:
- @msuiche <3
- @halsten
- @malwareunicorn
- @adriengnt

## Resources
- https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d