Researchers publish WannaCry decryptor for Windows 7 and other systems
After a decryption program was released on Thursday evening for Windows XP systems infected with the WannaCry ransomware, an additional tool has now appeared. It allows Windows 7 systems, among others, to be restored under certain conditions.
Europol said on Friday evening that its Cybercrime Center has tested the decryption tool and can confirm that it can recover files encrypted by WannaCry under certain circumstances. The tool, called WanaKiwi, automatically searches for a particular file to start decryption. This will only work if the necessary prime numbers are still in the memory of the infected system. It is therefore a requirement that the system in question has not been rebooted in the meantime.
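Why the reboot condition matters, as an added sketch (not code from WanaKiwi, WannaKey or the original article): one prime factor of an RSA modulus is enough to rebuild the private key, so a recovery tool can test windows of process memory for divisibility against the public modulus. The toy key, the fake memory buffer, the little-endian layout and all function names are constructed assumptions.

```python
import hashlib

E = 65537
# Constructed toy key: two known Mersenne primes stand in for the much larger
# primes of a real RSA key so the example runs instantly.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
PRIME_LEN = 16  # bytes occupied by P in this toy; real keys use far longer primes


def fake_memory(with_prime: bool) -> bytes:
    """Constructed 'process memory': deterministic filler, optionally with P inside."""
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
    if not with_prime:
        return filler
    off = 1003  # arbitrary, deliberately unaligned offset
    return filler[:off] + P.to_bytes(PRIME_LEN, "little") + filler[off + PRIME_LEN:]


def find_prime(memory: bytes, modulus: int, prime_len: int):
    """Slide a window over memory; return (offset, factor) if a window divides the modulus."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")  # assumed byte order
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(modulus: int, factor: int, e: int = E) -> int:
    """With one factor known, the other follows and the private exponent can be derived."""
    other = modulus // factor
    return pow(e, -1, (factor - 1) * (other - 1))


def demo():
    hit = find_prime(fake_memory(True), N, PRIME_LEN)
    d = rebuild_private_exponent(N, hit[1])
    msg = int.from_bytes(b"file key", "big")  # constructed stand-in for a wrapped key
    recovered = pow(pow(msg, E, N), d, N)
    # Same scan once the memory contents are gone (e.g. after a reboot): nothing to find.
    return hit[0], recovered == msg, find_prime(fake_memory(False), N, PRIME_LEN)


if __name__ == "__main__":
    print(demo())
```
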
One of the developers of the tool, Matt Suiche, writes that there is now confirmation that the software works on infected Windows XP and Windows 7 systems. He is referring to the x86 variant. He suspects that WanaKiwi also works on the operating systems in between. The tool builds on the decryption software for Windows XP systems, which was developed by Adrien Guinet and became available on Thursday evening under the name WannaKey.
The difference from WannaKey is that the current tool is capable of recovering more infected systems. The WannaCry ransomware did not spread to Windows XP systems, although the encryption worked on that OS. Windows 7 was vulnerable, which means that WanaKiwi may be able to help a larger part of the affected users. Statistics from security company Kaspersky show that the 64-bit variant of Windows 7 has been by far the hardest hit by WannaCry.
Kaspersky Statistics
WanaKiwi in action, demo by Matt Suiche