But that doesn’t mean WannaCry was a high-quality piece of ransomware.
Security researchers have recently discovered some programming errors in the code of the WannaCrypt ransomware worm that might allow victims to restore their locked files without paying for any decryption key.
After a closer analysis of the WannaCry code, researchers at Kaspersky Lab found that the ransomware was full of mistakes that could allow some of its victims to restore their files with publicly available free recovery tools or even with simple commands.
According to the researchers, the issues lie in the way WannaCry deletes original files after encryption. In general, the malware first renames a file to give it the extension ".WNCRYT", encrypts it, and then deletes the original.
For files located on the system drive:
- If the file is in an 'important' folder (from the malware developers' point of view, e.g. Desktop and Documents), the original file is overwritten with random data before removal. In this case, unfortunately, there is no way to restore the original file content.
- If the file is stored outside the 'important' folders, the original file is moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value).
Recovering Read-only Files
Because the read-only attribute blocks in-place writes and WannaCry makes no attempt to clear it, the malware cannot encrypt or modify read-only files directly; instead it copies them and encrypts the copies.
The original files are left intact and merely given the 'hidden' attribute, so getting the original data back is simply a matter of clearing that attribute.
That was not the only mistake in WannaCry's code: in some cases the malware fails to properly delete the original files after encrypting them.
Recovering Files from the System Drive (i.e. C drive)
Researchers have said that files stored in the important folders, such as Desktop or Documents, cannot be recovered without the decryption key, because WannaCry is designed to overwrite the original files with random data before removal.
“…the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten,” researchers said.
Recovering Files from the Non-System Drives
Researchers also found that on non-system drives, WannaCry creates a hidden '$RECYCLE' folder and moves the original files into this directory after encryption. You can recover those files just by unhiding the '$RECYCLE' folder.
Also, due to “synchronization errors” in WannaCry’s code, in many cases the original files remain in the same directory, making it possible for victims to restore insecurely deleted files using available data recovery software.
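The recovery paths described in the three sections above (read-only originals left hidden beside their encrypted copies, originals moved to %TEMP%\%d.WNCRYT, originals moved into a hidden $RECYCLE folder on non-system drives, originals in 'important' folders overwritten, and originals left behind by synchronization errors) can be turned into a triage script that tells a responder which files are worth trying to recover. The following is an added illustration, not Kaspersky's tooling or anything taken from the malware: the list of 'important' folders, the %TEMP% path and the victim's system drive are assumptions, and the directory listing it runs over is constructed by hand (the hidden flag would normally come from each file's attributes).

```python
"""Triage of a WannaCry-hit file listing using the recovery rules described
above (read-only originals left hidden, originals moved to %TEMP%\\<n>.WNCRYT
or to a hidden $RECYCLE folder, originals in 'important' folders overwritten).
Added illustration: not Kaspersky's code or the malware's, and the listing is
constructed by hand."""
import ntpath
import re

# Assumed 'important' folder names; the malware's real list is not
# reproduced on the page, so this is only a placeholder.
IMPORTANT_FOLDERS = {"desktop", "documents"}
ENC_EXT = ".wncry"                       # final extension of an encrypted copy
TEMP_NAME = re.compile(r"\d+\.wncryt")   # %TEMP%\%d.WNCRYT naming pattern


def _split(norm_path):
    """Drive letter and path components of an already-normcased Windows path."""
    drive, rest = ntpath.splitdrive(norm_path)
    return drive, [p for p in rest.split("\\") if p]


def classify(path, hidden, known, system_drive="c:",
             temp_dir=r"c:\users\victim\appdata\local\temp"):
    """Return (category, next_step) for one entry of the listing.

    known maps every normcased path in the listing to its hidden flag, so an
    encrypted copy can be paired with its original and vice versa.
    temp_dir and system_drive are assumptions for the sample victim.
    """
    norm = ntpath.normcase(path)
    drive, parts = _split(norm)
    name = parts[-1] if parts else ""
    folders = parts[:-1]
    sysdrive = system_drive.lower()

    # 1. Read-only original: WannaCry could not encrypt it in place, so it
    #    made a .WNCRY copy and only hid the original.
    if hidden and norm + ENC_EXT in known:
        return "readonly-original", "clear the hidden attribute; content is intact"
    # 2. Original moved to %TEMP%\<n>.WNCRYT without being overwritten.
    if ntpath.dirname(norm) == ntpath.normcase(temp_dir) and TEMP_NAME.fullmatch(name):
        return "moved-original", "content intact; match to its .WNCRY twin by content and rename"
    # 3. Non-system drive: original moved into a hidden $RECYCLE folder.
    if drive != sysdrive and folders and folders[0] == "$recycle":
        return "moved-original", "unhide $RECYCLE and move the file back"
    # 4. Encrypted copies: what happened to the original depends on location.
    if name.endswith(ENC_EXT):
        if norm[:-len(ENC_EXT)] in known:
            return "encrypted-copy", "original still beside it (hidden, or left by a sync error)"
        if drive != sysdrive:
            return "encrypted", "look in this drive's hidden $RECYCLE folder"
        if any(f in IMPORTANT_FOLDERS for f in folders):
            return "overwritten", "original wiped with random data; needs the decryption key"
        return "encrypted", "original deleted insecurely; check %TEMP% or run data recovery"
    return "untouched", "no action"


def plan_recovery(listing, **kw):
    """listing: iterable of (path, hidden) pairs, e.g. from a directory walk."""
    listing = list(listing)
    known = {ntpath.normcase(p): h for p, h in listing}
    return {p: classify(p, h, known, **kw) for p, h in listing}


# Constructed listing standing in for the output of a directory walk.
SAMPLE_LISTING = [
    (r"C:\Users\victim\Desktop\report.docx.WNCRY", False),
    (r"C:\Users\victim\Music\song.mp3.WNCRY", False),
    (r"C:\Users\victim\AppData\Local\Temp\3.WNCRYT", False),
    (r"C:\Users\victim\Documents\policy.pdf", True),
    (r"C:\Users\victim\Documents\policy.pdf.WNCRY", False),
    (r"D:\$RECYCLE\photo.jpg", True),
    (r"D:\photos\photo.jpg.WNCRY", False),
]

if __name__ == "__main__":
    for path, (category, step) in plan_recovery(SAMPLE_LISTING).items():
        print(f"{category:18} {path}\n{'':18} -> {step}")
```

The pairing step is what makes the output useful: an encrypted copy is only written off as unrecoverable when it sits in an 'important' folder on the system drive and no original (hidden or otherwise) is still present next to it. Everything else is routed to the cheap options first (clear an attribute, unhide a folder, look in %TEMP%) before falling back to data-recovery tools.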
Programming Blunders: The New Hope for WannaCry Victims
These programming errors in the code of WannaCry offer hope to many victims.
“If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer,” Kaspersky Lab wrote in a blog post published Thursday. “The code quality is very low.”
“To restore files, you can use the free utilities available for data recovery.”
Recovery of files encrypted by WannaCry was first made possible by French researchers Adrien Guinet and Benjamin Delpy, who released a free WannaCry decryption tool that works on Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.
It has been almost a month since the WannaCry epidemic hit computers worldwide, but the hackers behind the self-spreading ransomware, which leverages the leaked NSA Windows SMB exploit EternalBlue together with the DoublePulsar backdoor, have not yet been identified.
While police and cyber security firms continue to search for answers surrounding the origins of the WannaCry campaign, Dark web intelligence firm Flashpoint recently indicated the perpetrators might be Chinese, based on its linguistic analysis.