
Good News for WannaCry Victims: Poor Coding Helps in File Recovery


If your data was encrypted by the WannaCry ransomware, you can now safely retrieve it with code written by security researchers.


WannaCry set a historic record, breaching 400,000 computers across 150 countries in a very short period of time. Major organizations were affected, and many are still unsure how to retrieve the files that WannaCry encrypted. Security researchers have discovered that WannaCry is not as effective as it appears to be: mistakes in its code allow victims to retrieve their files safely.

Thank You, Kaspersky Researchers

Kaspersky security researchers have identified a coding error that helps users recover their files easily with simple data recovery software. They identified three mistakes made by the WannaCry developers that could allow sysadmins to restore encrypted files. The issues lie in the way the WannaCry ransomware deletes the original files after encryption. In general, WannaCry first renames files to change their extension to ".WNCRYT", encrypts them, and then deletes the original files.

Malware can't directly encrypt read-only files, so WannaCry copies them and creates encrypted copies, while the original files remain hidden. To recover those files, victims have to make them visible by resetting their attributes to the default settings, because WannaCry is not capable of deleting those files at all. Files stored in important folders, such as the Desktop or Documents folder, can't be recovered without the decryption key, because WannaCry is designed to overwrite the originals with random data before removing them. Other files stored outside those important folders on the system drive can be recovered from the temporary folder using data recovery software.

For non-system drives, WannaCry creates a hidden '$RECYCLE' folder and moves the original files into it after encryption. You can recover those files by unhiding the '$RECYCLE' folder. Also, due to "synchronization errors" in WannaCry's code, in many cases the original files remain in the same directory, making it possible for victims to recover deleted files using data recovery software. All these programming errors in WannaCry's code offer hope to many victims. French researchers have also built a WannaCry data recovery tool that works on Windows operating systems.
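The two attribute-based recovery cases above (hidden read-only originals, and the hidden '$RECYCLE' folder on non-system drives) can be triaged with a short script. This is an added example, not code from Kaspersky or from the recovery tools mentioned; the parameter names, the default scan root, and the choice to clear only the Hidden attribute are assumptions.

```powershell
# Added example: report-first triage of the two attribute-based cases.
# Assumptions: hidden + read-only files under -Path are candidate originals;
# the folder name '$RECYCLE' is taken from the article text.
[CmdletBinding()]
param(
    [string]$Path = $env:USERPROFILE,   # hypothetical default scan root
    [switch]$Apply                      # without -Apply nothing is modified
)

function Clear-HiddenFlag {
    param([System.IO.FileSystemInfo]$Item)
    # Clear only the Hidden bit; every other attribute is left as found.
    $hidden = [int][System.IO.FileAttributes]::Hidden
    $Item.Attributes = [System.IO.FileAttributes]([int]$Item.Attributes -band (-bnot $hidden))
}

# Case 1: read-only originals that were copied, not encrypted in place,
# and are still on disk with the Hidden attribute set.
$candidates = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -File `
        -Attributes Hidden+ReadOnly -ErrorAction SilentlyContinue)

# Case 2: a hidden '$RECYCLE' folder in the root of each non-system drive.
# Single quotes keep PowerShell from expanding $RECYCLE as a variable.
$folders = @(Get-PSDrive -PSProvider FileSystem |
    Where-Object { "$($_.Name):" -ne $env:SystemDrive } |
    ForEach-Object { Join-Path $_.Root '$RECYCLE' } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Get-Item -LiteralPath $_ -Force })

foreach ($item in $candidates + $folders) {
    # Emit one record per finding so the output can be piped to Export-Csv.
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes
        Modified   = $item.LastWriteTime
        Action     = if ($Apply) { 'unhidden' } else { 'report only' }
    }
    if ($Apply) { Clear-HiddenFlag -Item $item }
}
```

Run it once without `-Apply` and review the list before changing anything; files that were actually deleted still need data recovery software, which this script does not replace.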

Alternative to Shadow Brokers' Subscription Model

While WannaCry was huge, it fortunately had a coding error that allowed files to be recovered safely, but expecting the same every time would not be realistic. The Shadow Brokers have already laid out their proposal for a subscription model.

Through this model, vulnerabilities will be disclosed to subscription members at least a month in advance, allowing them to escape attacks by paying for pertinent information upfront. The subscription service will include exploits for web browsers, routers, smartphones, and operating systems, as well as compromised data from banks and even stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.

The road ahead looks dubious, so strengthening your network security is definitely going to help. To improve your security, keep your patches up to date and go forward with confidence.
