How to decrypt your files if you've been hit by WannaCry
The tool, named Wanakiwi, is capable of defeating the WannaCry ransomware, which encrypts a user’s files and demands a payment made in Bitcoin in order for the victim to regain access to their machine.
WannaCry hit more than 300,000 machines in 150 countries last Friday, including computer systems of hospitals in England and major corporations around the world. Those attacks have slowed since the first wave, but have not stopped entirely. The attackers have made more than $50,000 from the attacks thus far and will likely continue to attack.
For those still holding out from the initial infection or hit by the residual attacks, Wanakiwi may be able to offer some reprieve.
The tool doesn’t work for all machines, but it has been tested and shown to be successful on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2 and Windows 7 operating systems.
It’s also important to note before the decryptor will not work if the infected system has been restarted. The decryptor needs to be able to access the ransomware process, which appears as wnry.exe or wcry.exe and restarting the machine will kill that process.
How To Decrypt Files From WannaCry
First, download the tool from GitHub—ideally on a machine that is free infection. Extract the .zip file to a folder on your desktop. If you downloaded it on a machine other than the one hit by WannaCry, move the file to a USB drive and run it on the infected computer from the drive.
Open the tool by double clicking on it. Wanakiwi will begin searching the machine for the process tied to WannaCry. If they are named wnry.exe or wcry.exe, the tool should find them automatically.
If the tool can’t find WannaCry, it may be possible to manually identify the offending process by opening the Task Manager. This can be done by pressing Control + Alt + Delete on the keyboard. If there is a file that appears related to WannaCry, get the Process Identification Number (PID) and plug it into the command prompt after “wanakiwi.exe” to direct the tool to the ransomware.
Once the tool knows what it is targeting, it will begin searching for the decryption key. It does this by searching the system’s memory for prime numbers and piecing together the key used by the ransomware. The rest should be automatic; once Wanakiwi has the encrpytion key, it will decrypt the ransomed files on its own.
Once it is finished, users are advised to run an antivirus tool to remove any artifacts of WannaCry that may still be present on their system. To be safe, users may want to create backups of their most important files, wipe the machine and perform a fresh install of their operating system.
Wanakiwi doesn’t work 100 percent of the time—much of its success is dependent on timing, as it relies on reading the memory of the system at the time of the infection. If the system is restarted or too many processes have been run since the infection, the encryption key might be lost or overwritten by data from other applications. But the tool does provide some hope for those who may still be plagued by ransomware.
.jpg)