TechViews News …..
If you were a victim of the WannaCry ransomware attack it may be too late for you. But if you weren’t, and you think you could be when the next wave of attacks hit, then here’s how to deal with the problem.
A group of security researchers have created a tool that can help those hit by the massive attack decrypt their files without paying the ransom or wiping their device.
The Wanakiwi tool, as it is called, is capable of defeating the WannaCry ransomware, which encrypts a user’s files and demands a payment made in Bitcoin in order for the victim to regain access to their machine.
WannaCry hit more than 300,000 machines in 150 countries earlier this month, including computer systems of hospitals in England and major corporations around the world. Those attacks have slowed since the first wave, but have not stopped entirely. As an example, we recently learned that the Russian Postal System was severely hit as well.
The tool doesn’t work for all machines, but it has been tested and shown to be successful on most Windows 7 operating systems.
It’s also important to note the decrypting tool will not work if the infected system has been restarted. The tool needs to be able to access the ransomware process, which appears as wnry.exe or wcry.exe and restarting the machine will kill that process.
Decrypting Files From WannaCry
First, download the tool from GitHub—ideally on a machine that is infection free. Extract the .zip file to a folder on your desktop. If you downloaded it on a machine other than the one hit by WannaCry, move the file to a USB drive and run it on the infected computer.
Open the tool by double clicking on it. Wanakiwi will begin searching the machine for the process tied to WannaCry. If they are named wnry.exe or wcry.exe, the tool should find them automatically.
If the tool can’t find WannaCry, it may be possible to manually identify the offending process by opening the Task Manager. This can be done by pressing Control + Alt + Delete on the keyboard. If there is a file that appears related to WannaCry, get the Process Identification Number (PID) and plug it into the command prompt after “wanakiwi.exe” to direct the tool to the ransomware.
Once the tool knows what it is targeting, it will begin searching for the decryption key. It does this by searching the system’s memory for prime numbers and piecing together the key used by the ransomware. The rest should be automatic; once Wanakiwi has the encryption key, it will decrypt the ransomed files on its own.
Once it is finished, users are advised to run an antivirus and anti-malware tool to remove any artifacts of WannaCry that may still be present on their system. To be safe, users may want to create backups of their most important files, wipe the machine and perform a fresh install of their operating system.
Wanakiwi doesn’t work 100 percent of the time—much of its success is dependent on timing, as it relies on reading the memory of the system at the time of the infection. If the system is restarted or too many processes have been run since the infection, the encryption key might be lost or overwritten by data from other applications. But the tool does provide some hope for those who may still be plagued by ransomware.
Be Safe – Backup Your Data Regularly!
And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.