WannaCry : Coding Mistakes Can Help Files Recovery

Last month the WannaCry ransomware hit more than 300,000 PCs across the world within just 72 hours, using its self-spreading capabilities to infect vulnerable Windows PCs, particularly those running vulnerable versions of the OS, within the same network.

But that doesn’t mean WannaCry was a high-quality piece of ransomware.

Security researchers have recently discovered some programming errors in the code of the WannaCrypt ransomware worm that might allow victims to restore their locked files without paying for any decryption key.

After deeply analysing the WannaCry code, security researchers at Kaspersky Lab found that the ransomware was full of mistakes that could allow some of its victims to restore their files with publicly available free recovery tools or even with simple commands.

Anton Ivanov, senior malware analyst at Kaspersky Lab, along with colleagues Fedor Sinitsyn and Orkhan Mamedov, detailed three critical errors made by WannaCry developers that could allow sysadmins to restore potentially lost files.

According to the researchers, the issues reside in the way WannaCry deletes original files after encryption. In general, the malware first renames files to change their extension to “.WNCRYT,” encrypts them and then deletes the original files.

For files located on the system drive:

    • If the file is in an ‘important’ folder (from the malware developers’ point of view, e.g. Desktop and Documents), the original file is overwritten with random data before removal. In this case, unfortunately, there is no way to restore the original file content.
    • If the file is stored outside of ‘important’ folders, the original file is moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten; they are simply deleted from the disk, which means there is a high chance it will be possible to restore them using data recovery software.

Recovering Read-only Files


Since it is not at all possible for malicious software to directly encrypt or modify read-only files, WannaCry copies the files and creates their encrypted copies.

The original files remain untouched but are given a ‘hidden’ attribute, so getting the original data back simply requires victims to restore the files’ normal attributes.

That wasn’t the only mistake in WannaCry’s code: in some cases, the malware fails to properly delete the original files after encrypting them.

Recovering Files from the System Drive (i.e. the C: drive)

Researchers said that files stored in important folders, such as Desktop or Documents, cannot be recovered without the decryption key, because WannaCry is designed to overwrite the original files with random data before removal.

However, the researchers noticed that other files stored outside important folders on the system drive could be restored from the temporary folder using data recovery software.

“…the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten,” researchers said.

Recovering Files from the Non-System Drives


Researchers also found that for non-system drives, the WannaCry Ransomware creates a hidden ‘$RECYCLE’ folder and moves original files into this directory after encryption. You can recover those files just by unhiding the ‘$RECYCLE’ folder.

Also, due to “synchronization errors” in WannaCry’s code, in many cases the original files remain in the same directory, making it possible for victims to restore insecurely deleted files using available data recovery software.
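The three recovery cases described above (read-only originals left hidden beside their encrypted copies, %TEMP%\%d.WNCRYT leftovers on the system drive, and the hidden ‘$RECYCLE’ folder on non-system drives) can be triaged with one script. The following PowerShell is an added example, not code from the article or from Kaspersky Lab; the script name Find-WannaCryLeftovers.ps1 is hypothetical. Two assumptions are not stated in the article: encrypted copies are assumed to carry a “.WNCRY” extension (kept as a parameter so it can be changed), and “non-system drives” are taken to be every fixed drive other than $env:SystemDrive. The script only ever clears the Hidden attribute; it decrypts nothing, and with -WhatIf it changes nothing at all.

```powershell
<#
  Find-WannaCryLeftovers.ps1 (hypothetical name). Added example, not the article's
  or Kaspersky Lab's code. Run with -WhatIf first to get a report only.
  Assumptions not in the article: encrypted copies use ".WNCRY"; non-system
  drives are fixed drives other than $env:SystemDrive.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Roots = @(),                 # folders/drives to scan; default: all fixed drives
    [string]$EncryptedExtension = '.WNCRY'  # assumed extension of the encrypted copy
)

function Get-FixedDriveRoots {
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Z]:\\$' -and (Test-Path -LiteralPath $_.Root) } |
        ForEach-Object { $_.Root }
}

function Clear-HiddenAttribute {
    # Only the Hidden bit is cleared; every other attribute is left as found.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([IO.FileSystemInfo]$Item, [string]$Reason)
    if ($PSCmdlet.ShouldProcess($Item.FullName, "Clear Hidden attribute ($Reason)")) {
        $Item.Attributes = $Item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
}

if (-not $Roots) { $Roots = @(Get-FixedDriveRoots) }
$systemRoot = $env:SystemDrive + '\'
$results = New-Object System.Collections.Generic.List[object]

foreach ($root in $Roots) {
    # Case 1 (read-only files): the untouched original sits next to its encrypted
    # copy with only the Hidden attribute set. Un-hiding it is the whole recovery.
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        if (($f.Attributes -band [IO.FileAttributes]::Hidden) -and
            (Test-Path -LiteralPath ($f.FullName + $EncryptedExtension))) {
            Clear-HiddenAttribute -Item $f -Reason 'original beside encrypted copy'
            $results.Add([pscustomobject]@{ Case = 'hidden-original'; Path = $f.FullName })
        }
    }

    # Case 3 (non-system drives): originals were moved into a hidden $RECYCLE folder.
    if ($root -ne $systemRoot) {
        $dirs = @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            if ($d.Name -eq '$RECYCLE') {
                Clear-HiddenAttribute -Item $d -Reason 'WannaCry folder holding originals'
                $n = @(Get-ChildItem -LiteralPath $d.FullName -Recurse -Force -File -ErrorAction SilentlyContinue).Count
                $results.Add([pscustomobject]@{ Case = 'recycle-folder'; Path = $d.FullName; Files = $n })
            }
        }
    }
}

# Case 2 (system drive, outside 'important' folders): originals were moved to
# %TEMP%\<number>.WNCRYT and then deleted without being overwritten. Anything still
# present is listed here; deleted ones need undelete tooling, so avoid writing to
# the system drive until that has been run.
$tempDirs = @($env:TEMP) + @(Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($t in ($tempDirs | Sort-Object -Unique)) {
    foreach ($f in @(Get-ChildItem -LiteralPath $t -Force -File -ErrorAction SilentlyContinue)) {
        if ($f.Name -match '^\d+\.WNCRYT$') {
            $results.Add([pscustomobject]@{ Case = 'temp-leftover'; Path = $f.FullName; Bytes = $f.Length })
        }
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated prompt as `.\Find-WannaCryLeftovers.ps1 -WhatIf` to see what would be un-hidden, then without -WhatIf to apply; pass -Roots to limit the scan to a mounted image or a single drive. The script deliberately does nothing that a file-recovery tool would undo: it never writes file contents, so the deleted %TEMP%\%d.WNCRYT originals remain recoverable afterwards.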

Programming Blunders: The New Hope for WannaCry Victims

These programming errors in the code of WannaCry offer hope to many victims.

“If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer,” Kaspersky Lab wrote in a blog post published Thursday. “The code quality is very low.”

“To restore files, you can use the free utilities available for data recovery.”

The recovery of files encrypted by WannaCry was first made possible by French researchers Adrien Guinet and Benjamin Delpy, who released a free WannaCry decryption tool that works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and Server 2008.

It’s been almost a month since the WannaCry epidemic hit computers worldwide, but the hackers behind the self-spreading ransomware, which leverages the leaked NSA Windows SMB exploits EternalBlue and DoublePulsar, have not yet been identified.

While police and cyber security firms continue to search for answers surrounding the origins of the WannaCry campaign, dark web intelligence firm Flashpoint recently indicated that the perpetrators might be Chinese, based on its linguistic analysis.
