Can files locked by WannaCry be decrypted: A technical analysis

The WannaCry ransomware worm has dominated the global news cycle since it started spreading on Friday.

The ransomware has now been reported in more than 150 countries around the globe, affecting hundreds of thousands of machines and more than 10,000 companies.

Symantec has already published a blog detailing much of what you need to know about this ransomware, and how to protect yourself. However, further investigation by our expert analysts who are trying to discover a decryption key to neutralize this threat has uncovered more technical details.

The WannaCry ransom note

How does this malware work

Analysis by our engineers indicates that the malware has two hardcoded public keys deployed as part of this ransomware: one is used for the main task of encrypting files, while the other is used to encrypt a small number of files for “demo decryption” — so the ransomware authors can “prove” to victims that they are able to decrypt the files. Let’s call them attacker public key and demo public key, which will be explained further later.

Once the malware is running on the victim machine it will generate a new unique RSA 2048 bit asymmetric key pair. This means that each victim needs their own decryption key.

Once the new unique key pair is generated, the malware exports the victim’s public RSA key to a local file called 00000000.pky using CryptExportKey API. Next, it exports the victim’s private RSA key and encrypts it with the hardcoded attacker public key from the malware and stores it as 00000000.eky on disk. Now that the key has been stored safely, the malware uses CryptDestroyKey API to destroy the private key in memory, which limits the time for recovering private key parameters from memory by any other tool. Unfortunately, the lifetime of private victim RSA keys is so limited that there is no good option to recover it later once the encryption has happened.

Now the malware will enumerate all interesting files based on their extension. If the original file size is less than 209,715,200 bytes, or a configurable limit of files is not yet reached, then the malware will use the demo RSA public key, which is hardcoded in the malware. For this key the private key is actually known and can be used to decrypt the content. For all the other files the victim’s RSA public key, for which the private key has been securely encrypted and stored locally, will be used.

This means the ransomware now generates a new 16-byte symmetric key using the CryptGenRandom API for each file it wants to encrypt. This symmetric key is encrypted using one of the available RSA public keys and stored together with a copy of the original file in encrypted form. The use of the demo key allows the attackers to decrypt a few files to prove that they are the actual authors. Unfortunately, this does not guarantee that they actually have the required RSA private key to decrypt the victim’s private key that was stored locally.

Not all files are unrecoverable

This explains why there have been claims that some tools are available to decrypt all the files locked by WannaCry. Unfortunately, from our analysis of how this ransomware works, it appears that only a few files encrypted with the demo key are decryptable by the tool.

But there might be some hope. Files stored in Desktop, My Documents, or on any removable disks in the computer at the time of the infection are overwritten with randomly generated data and deleted. This means it is not possible to recover them with a file undelete or disk recovery tool.

However, due to possible weaknesses in the malware it is possible to recover other encrypted files on the system when they were stored outside of these three locations, using an undelete of disk recovery tool, as most of the files are moved to a temporary folder and then normally deleted, without being overwritten by a wiper. However, the recovery ratio may vary from system to system because the deleted file may be overwritten by other disk operations.

In short, it should be possible to recover some of the files that have been encrypted with WannaCrypt without paying the ransom, however, the recovery of all files without a backup does not seem possible at the present time.

As a security note, be wary of any services offering to decrypt all files etc…, as these decryptors could very well be malware in disguise.

We have verified the file recoverability with a disk recovery tool named Disk Drill, the screenshot below shows the deleted files being discovered and recovered by this tool:

Older software may reveal key

Computers running exceptionally old versions of XP may actually be able to generate a decryption key. This is due to a flaw that exists in Windows XP versions SP1 and SP2, and which was patched way back in 2008 in Windows XP SP3, so the percentage of computers still running those versions of the operating system is tiny.

However, those that do still have computers running those systems could exploit a flaw in its pseudo-random number generator (PRNG) that allows someone to predict encryption keys that would be created in the future and, crucially, reveal keys that had been generated in the past.

An individual could exploit this flaw to reveal the decryption key in memory if the malware is still running, and hence free their files from the grip of WannaCry.

UPDATE: Researcher Adrien Guinet has used a different XP flaw to recover keys from memory: https://github.com/aguinet/wannakey
There are claims that the same technique also works on Windows 7. However in our original analysis we determined that would only work in a laboratory setting, for example where:
- few files are encrypted
- the tool is already available for execution
- the tool is executed immediately post infection
The tool is searching memory for key components however in multiple tests we found that these key components were overwritten.
Despite these limitations, there are no negative side-effects for victims who wish to try out the tool.
Heatmap shows how WannaCry spread around the world

Symantec’s investigations into the WannaCry ransomware are continuing. Keep an eye on the Threat Intel Twitter account for up-to-the-minute updates, and visit the Security Response blog for more information on this threat.