Good News for WannaCry Victims: Poor Coding Helps in File Recovery
If your files were encrypted by the WannaCry ransomware, coding mistakes in the malware mean you may be able to get some of them back without paying, using nothing more than ordinary data recovery tools.
WannaCry infected an estimated 400,000 computers across 150 countries in a very short period of time. Many large organizations were hit and are still unsure how to go about retrieving the files it encrypted. Security researchers have since found that WannaCry is not as thorough as it first appeared: several mistakes in its code leave copies of the original files behind, and those copies can often be recovered safely.
Thank You, Kaspersky Researchers
Kaspersky researchers have identified three mistakes made by WannaCry's developers that, in many cases, allow sysadmins to restore encrypted files with simple data recovery software. The issues lie in the way WannaCry disposes of the original files after encryption. In general, WannaCry first renames a file to give it the ".WNCRYT" extension, encrypts it into a ".WNCRY" copy, and then deletes the original.
WannaCry treats read-only files differently. Because it cannot overwrite them in place, it writes an encrypted copy alongside each one and sets the Hidden attribute on the original instead of deleting it. Those originals can be recovered simply by clearing the Hidden attribute (for example with attrib -h, or by showing hidden files in Explorer), because WannaCry never deletes them at all. Files in the folders WannaCry treats as important, such as Desktop and Documents, are a different matter: there the original is overwritten with random data before it is deleted, so nothing short of the decryption key will bring it back. Originals stored elsewhere on the system drive are moved to the temporary folder and only then deleted, so they can often be carved back out of free space with data recovery software, provided nothing has since been written over the freed sectors.
On non-system drives, WannaCry creates a hidden '$RECYCLE' folder and moves the original files there before deleting them. Unhiding that folder, and pointing recovery software at it, gets many of those files back. In addition, because of "synchronization errors" in WannaCry's code, in many cases the originals are never moved at all and remain in their own directory next to the encrypted copies, where they can be recovered directly or with data recovery software. Between them, these programming errors offer real hope to many victims. French researchers have also built a WannaCry recovery tool for Windows; it rebuilds the private key from key material still sitting in the process memory of an infected machine, so it only works if the machine has not been rebooted since infection.
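The steps above amount to a checklist: originals left beside their encrypted copies (hidden or not), leftovers in the temporary folder, and the hidden '$RECYCLE' folder on non-system drives. The following PowerShell triage script walks that checklist on an infected machine. It is an added example, not code from the original article or from Kaspersky, and it decrypts nothing; it only inventories what WannaCry left behind and, on request, clears the Hidden attribute. The ".WNCRY" suffix, the "$RECYCLE" folder name, %TEMP% as the temporary folder, the default drive list and the small table of file signatures are assumptions made for the example.

```powershell
<#
  Added triage script (not from the article or Kaspersky). Inventories the
  three classes of leftover originals described above. Assumed, not taken from
  the page: ".WNCRY" is the encrypted-copy suffix, ".WNCRYT" the temporary one,
  "$RECYCLE" the folder WannaCry creates, and $Roots the drives to inspect.
  Run from a clean, read-only medium where possible: every write to the
  affected disk risks overwriting sectors that recovery software could carve.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Roots = @("$env:SystemDrive\", 'D:\'),
    [switch]$Unhide
)

$EncryptedSuffix = '.WNCRY'

# (1) Originals still sitting next to their ".WNCRY" copy: either read-only
#     files that WannaCry only hid, or files left in place by its sync bug.
function Get-LeftoverOriginal {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -ne $EncryptedSuffix -and
            (Test-Path -LiteralPath ($_.FullName + $EncryptedSuffix))
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Hidden = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                Bytes  = $_.Length
            }
        }
}

# (2) Clear the Hidden attribute so the original shows up in Explorer again.
#     Honours -WhatIf so the inventory can be reviewed before touching anything.
function Restore-HiddenOriginal {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $PSCmdlet.ShouldProcess($Path, 'Clear Hidden attribute')) {
        $item.Attributes = [IO.FileAttributes](
            [int]$item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
    }
}

# (3) Originals moved to %TEMP%\<number>.WNCRYT and not yet deleted. The file
#     names are gone, so sniff the first four bytes to suggest what each one is.
function Get-TempLeftover {
    $magic = @{                       # assumed signature table, not exhaustive
        '25504446' = 'PDF'
        '504B0304' = 'ZIP / Office OOXML'
        '89504E47' = 'PNG'
        'FFD8FFE0' = 'JPEG'
        'FFD8FFE1' = 'JPEG'
        'D0CF11E0' = 'Legacy Office (OLE)'
    }
    Get-ChildItem -LiteralPath $env:TEMP -Force -File -Filter '*.WNCRYT' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $head = New-Object byte[] 4
            $fs = [IO.File]::OpenRead($_.FullName)
            try { $n = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
            $hex = ''
            if ($n -gt 0) {
                $hex = ($head[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
            }
            [pscustomobject]@{
                Path  = $_.FullName
                Bytes = $_.Length
                Kind  = if ($magic.ContainsKey($hex)) { $magic[$hex] } else { "unknown ($hex)" }
            }
        }
}

# (4) The hidden "$RECYCLE" folder WannaCry creates on non-system drives.
#     Single quotes matter: "$RECYCLE" would be expanded as a variable.
function Get-WannaCryRecycleDir {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq '$RECYCLE' }
}

foreach ($root in $Roots) {
    Write-Host "== $root"
    $left = @(Get-LeftoverOriginal -Root $root)
    $left | Format-Table -AutoSize | Out-String | Write-Host
    if ($Unhide) {
        $left | Where-Object { $_.Hidden } | ForEach-Object { Restore-HiddenOriginal -Path $_.Path }
    }
    if ($root -ne "$env:SystemDrive\") {
        Get-WannaCryRecycleDir -Root $root | ForEach-Object {
            Write-Host "Hidden $($_.Name) folder at $($_.FullName): point recovery software here"
        }
    }
}
Write-Host "== $env:TEMP"
Get-TempLeftover | Format-Table -AutoSize | Out-String | Write-Host
```

Run it first without -Unhide (or with -WhatIf) to get the inventory, copy anything it lists to a separate drive, and only then let it clear Hidden attributes; files that the script does not find, but that were deleted from %TEMP% or '$RECYCLE', are the ones to hand to a file-carving tool, which should likewise be run from external media rather than installed on the affected disk.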
Alternative to Shadow Broker's Subscription Model
WannaCry was huge, and it fortunately carried coding errors that let some files be recovered safely; expecting the same luck every time would not be realistic. The Shadow Brokers have already laid out a proposal for a subscription model of their own.
Under this model, vulnerabilities would be disclosed to subscribers at least a month in advance, the idea being that members pay upfront for the information and escape the resulting attacks. The advertised service includes exploits for web browsers, routers, smartphones and operating systems, compromised data from banks, and network data stolen from Russian, Chinese, Iranian, and North Korean nuclear and missile programs.
The road ahead looks uncertain, and hardening your network is the only part of it you control. Keep your patches current, and go forward with confidence.
Opinions expressed by DZone contributors are their own.