WanaKiwi

A software tool that can help victims of the WannaCry ransomware to recover data in their infected files under certain circumstances.

  • WanaKiwi
  • Version: 0.2
  • License: Trial
  • OS: Windows All
  • Publisher: Benjamin Delpy

WanaKiwi Description

WanaKiwi is a file recovery solution for victims of the WannaCry ransomware. Relying on an ingenious idea, the application analyzes the traces left in memory by the process that created the encryption keys. The only catch is that, if the PC is shut down or rebooted, the memory state, together with the keys, is erased and WanaKiwi is therefore useless.

Based on wanadecrypt, WanaKiwi can find the prime numbers that were used during encryption and have not yet been erased from the process memory. Under certain conditions, the key recovery process might not work as it should, because the memory holding the prime numbers might be reused by the process that created them, or overwritten. In other words, it is important to try this application as soon as possible after getting infected.

Once launched, WanaKiwi searches for the public key and then looks for the prime numbers in the address space of the ransomware process. If no process name is passed as a parameter, it looks for the “wnry.exe” or “wcry.exe” processes. If the primes are found, the private encryption key can then be reconstructed and the locked files can be decrypted.
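The search-and-reconstruct step described above, sketched as an added example (not WanaKiwi's own code): it slides a window over a constructed memory buffer, keeps the value that divides the public modulus, and derives the private exponent from it. The tiny 8-byte primes, the little-endian byte order and all function names are assumptions made for the illustration.

```python
# Added illustration, not WanaKiwi's code. All values below are constructed.
E = 65537                 # common RSA public exponent (assumed here)
P = 2**61 - 1             # constructed demo prime, fits in 8 bytes
Q = 2**64 - 59            # constructed demo prime, fits in 8 bytes
N = P * Q                 # stands in for the modulus read from the public key
PRIME_LEN = 8             # RSA-2048 primes would be 128 bytes

# Constructed "process memory": filler, one leftover prime, more filler.
MEMORY = b"\xaa" * 37 + P.to_bytes(PRIME_LEN, "little") + b"\x55" * 20


def find_prime_in_memory(memory, modulus, prime_len):
    """Return (offset, value) of the first window that is a factor of modulus."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        # Primes are odd and larger than 1; the modulus itself is not a factor.
        if cand > 1 and cand % 2 and cand != modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(modulus, e, p):
    """One surviving prime is enough: q = N / p, d = e^-1 mod (p-1)(q-1)."""
    q = modulus // p
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return q, d


def recover(memory, modulus, e, prime_len):
    """Return (offset, p, q, d), or None if no prime survived in memory."""
    hit = find_prime_in_memory(memory, modulus, prime_len)
    if hit is None:
        return None   # memory reused or overwritten, or the PC was rebooted
    off, p = hit
    q, d = rebuild_private_exponent(modulus, e, p)
    return off, p, q, d


if __name__ == "__main__":
    print(recover(MEMORY, N, E, PRIME_LEN))
```
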

The application does not alter the original encrypted files (ending in .WNCRY); instead, it saves the decrypted files in a separate location. It is advisable to create a backup of these files as soon as possible and then reinstall a fresh copy of Windows on your PC.

To fool the ransomware virus, WanaKiwi builds the DKY files and sends them to the cyber criminals. This way, WanaKiwi blocks any future attempts of WannaCry to encrypt more files.

While it might not work in some cases, WanaKiwi remains a good alternative as a post-infection solution. The cyber security division of Europol tested this application and certified that it carries out the recovery process in some circumstances.

Advisory note: Because its decryption method scans the original ransomware process in an attempt to retrieve the keys, WanaKiwi might be detected as harmful by some antivirus applications. It is advisable to read more about the application and how it works before using it.
