A Comae Technologies blog post by Matt Suiche, who describes himself as a “Hacker, Microsoft MVP and Founder of @comaeio”, has arrived, entitled “WannaCry - Decrypting files with WanaKiwi + Demos.”
Confirmed to work with Windows XP x86 and Windows 7 x86, the tool has serious caveats but should also work for Windows 2003, 2008, 2008 R2 and Windows Vista.
The blog post starts off by stating:
“In Short
DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because prime numbers may be over written in memory after a while.”
This means that anyone infected by the Wannacry ransomware can use the decryption tools linked below to scour a computer's memory to find the ransomware's encryption and decryption key, and then use that key to decrypt encrypted files. It depends on you not rebooting your computer, and it depends on timely usage of the decryption tools, so it's not a magic bullet fix for all Wannacry infections.
That said, if used quickly, it could well help you decrypt your files quickly and easily - but if you haven't patched your Windows XP through Windows 7 computers yet, please do so immediately!
More detail continues below.
Suiche notes that “Adrien Guinet published a tool called Wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.”
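The prime-search idea quoted above, sketched as an added example (this is not code from Wannakey or WanaKiwi): scan a memory dump for a value that divides the known public modulus, then recompute the private exponent from it. The toy 128-bit primes, the dump bytes, the little-endian layout and the function names are constructed assumptions.

```python
# Added illustration; not code from Wannakey or WanaKiwi.
# Assumptions: the public modulus n is known, and one prime factor is still
# present in the memory dump as a little-endian integer of prime_len bytes.

def find_prime_factor(dump: bytes, n: int, prime_len: int):
    """Slide a window over the dump; return (offset, p) where p divides n."""
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        # A real factor is odd and strictly between 1 and n.
        if cand < 3 or cand >= n or cand % 2 == 0:
            continue
        if n % cand == 0:
            return off, cand
    return None  # prime already overwritten: nothing left to recover


def rebuild_private_exponent(n: int, p: int, e: int = 65537):
    """Recompute q and the private exponent d from one recovered prime."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return q, pow(e, -1, phi)  # modular inverse, Python 3.8+


# Constructed toy key (128-bit primes) so the scan finishes instantly.
P = 2**127 - 1
Q = 2**128 - 159
N = P * Q
E = 65537
FILLER = bytes((i * 37 + 11) % 256 for i in range(96))
# Constructed "memory dump": filler, the prime, more filler.
DUMP_INTACT = FILLER + P.to_bytes(16, "little") + FILLER
# The same region after the prime has been overwritten.
DUMP_OVERWRITTEN = FILLER + bytes(16) + FILLER

if __name__ == "__main__":
    hit = find_prime_factor(DUMP_INTACT, N, 16)
    if hit is None:
        print("no factor of n found in dump")
    else:
        off, p = hit
        q, d = rebuild_private_exponent(N, p, E)
        print(f"prime found at offset {off}; private exponent rebuilt")
    print("overwritten dump:", find_prime_factor(DUMP_OVERWRITTEN, N, 16))
```

The second dump shows why the "do not reboot, try ASAP" caveat matters: once the bytes holding the prime are gone, the scan has nothing to find.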
Clicking on the “Wannakey” link above causes the Norton Security on my Mac to state it is a dangerous site, but this may simply be a false positive - but please take caution.
However, Wannakey worked on Windows XP only, with Suiche updating his blog post to note that "Benjamin Delpy" had released "WanaKiwi" which “works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2. See demos in the below GIFs.”
The WanaKiwi link also brings up a Norton Security warning that the site has security risks, but again, this may well be a false positive.
The GIFs referred to can be found at Suiche’s blog post.
At his Twitter page, Adrien Guinet stated two hours ago at time of publication that:
Working on the next version of wannakey to make it user-friendly! You'd just have to launch it and use the "Decrypt" button of the malware!
— Adrien Guinet (@adriengnt) May 20, 2017
Twenty hours ago at time of publication, Benjamin Delpy tweeted:
#Wannacry decrypting files tested by @EC3Europol & found to recover data in some circumstances: https://t.co/E9j59j4p0c https://t.co/3n8hd4hrQi
— Europol (@Europol) May 19, 2017
Ars Technica has more information here, as does CNET here.