Good News for WannaCry Victims: Poor Coding Helps in File Recovery

If your data was encrypted by the WannaCry ransomware you can now safely retrieve it with code written by security researchers.

by Giridhara Raam · Jun. 15, 17 · Opinion

WannaCry set a historic record by infecting 400,000 computers across 150 countries in a very short period of time. Major organizations were hit and are still unsure how to retrieve the files that WannaCry encrypted. Security researchers have discovered that WannaCry is not as effective as it appears to be: mistakes in its code allow many of those files to be retrieved safely.

Thank You, Kaspersky Researchers

Kaspersky researchers have identified coding errors that let users recover their files easily with ordinary data recovery software. In total they found three mistakes made by the WannaCry developers that could allow sysadmins to restore encrypted files. The issues lie in the way WannaCry deletes the original files after encryption. In general, WannaCry first renames a file to change its extension to ".WNCRYT", encrypts it, and then deletes the original.

The malware cannot encrypt read-only files in place, so WannaCry copies them, encrypts the copies, and sets the Hidden attribute on the originals, which it is not capable of deleting at all. To recover those files, victims only have to make them visible again by resetting the file attributes to their defaults. Files stored in the important folders, such as Desktop or Documents, cannot be recovered without the decryption key, because WannaCry was designed to overwrite those originals with random data before removal. Other files stored outside the important folders on the system drive can be recovered from the temporary folder with data recovery software.

On non-system drives, WannaCry creates a hidden '$RECYCLE' folder and moves the original files into it after encryption. You can recover those files simply by unhiding the '$RECYCLE' folder. Also, because of "synchronization errors" in WannaCry's code, in many cases the original files remain in their own directory, so victims can recover the deleted files with data recovery software. All of these programming errors in WannaCry's code offer hope to many victims. French researchers have also built a WannaCry data recovery tool that works on Windows.
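The two recovery observations above (hidden originals beside their encrypted copies, and the hidden '$RECYCLE' folder on non-system drives) can be turned into a small triage script. This is an added example, not the Kaspersky or French researchers' tool; the script name, the -Root and -Apply parameters and the `<original name>.WNCRYT` naming pattern are assumptions, and it should be run against an image or copy of the drive so that deleted originals are not overwritten before a data recovery tool gets to them.

```powershell
<#
  Find-WannaCryLeftovers.ps1 (hypothetical name; added example, not the researchers' tool)
  Reports, and with -Apply clears, the Hidden attribute on what WannaCry leaves behind:
  the '$RECYCLE' folder on a non-system drive and read-only originals sitting next to
  their '<name>.WNCRYT' copies. Run from an elevated prompt.
#>
param(
    [Parameter(Mandatory)][string]$Root,   # drive or folder to scan, e.g. 'D:\' (assumed)
    [switch]$Apply                         # without -Apply the script only reports
)

$hidden = [IO.FileAttributes]::Hidden

function Clear-Hidden([IO.FileSystemInfo]$Item) {
    # Remove only the Hidden bit; leave ReadOnly and every other attribute untouched.
    $Item.Attributes = $Item.Attributes -band (-bnot [int]$hidden)
}

# 1. The hidden '$RECYCLE' folder WannaCry creates on non-system drives.
$recycle = Join-Path $Root '$RECYCLE'
if (Test-Path -LiteralPath $recycle) {
    $dir = Get-Item -LiteralPath $recycle -Force
    [pscustomobject]@{ Path = $dir.FullName; Kind = 'RECYCLE folder'; Hidden = (($dir.Attributes -band $hidden) -ne 0) }
    if ($Apply) { Clear-Hidden $dir }
}

# 2. Every encrypted copy; the original, if still present, has the same name minus .WNCRYT.
Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter '*.WNCRYT' -ErrorAction SilentlyContinue |
ForEach-Object {
    $origPath = Join-Path $_.DirectoryName ($_.Name -replace '\.WNCRYT$', '')
    if (-not (Test-Path -LiteralPath $origPath)) {
        # No original beside the copy: it was deleted, so only a data recovery tool can help.
        [pscustomobject]@{ Path = $_.FullName; Kind = 'copy without original'; Hidden = $null }
        return
    }
    $orig = Get-Item -LiteralPath $origPath -Force
    $isHidden = (($orig.Attributes -band $hidden) -ne 0)
    [pscustomobject]@{ Path = $orig.FullName; Kind = 'original'; Hidden = $isHidden }
    if ($Apply -and $isHidden) { Clear-Hidden $orig }
}
```

Run it first without -Apply to get an inventory of what is recoverable by unhiding alone; the 'copy without original' rows are the files that need a data recovery tool instead.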

Alternative to the Shadow Brokers' Subscription Model

WannaCry was huge, but it fortunately contained coding errors that allowed files to be recovered safely; expecting the same luck every time would not be realistic. The Shadow Brokers have already laid out their proposal for a subscription model.

Under this model, vulnerabilities would be disclosed to subscribers at least a month in advance, allowing them to escape attacks by paying for the pertinent information upfront. The subscription service is said to include exploits for web browsers, routers, smartphones, and operating systems, compromised data from banks, and even stolen network information from the Russian, Chinese, Iranian, and North Korean nuclear missile programs.

The road ahead looks uncertain, but hardening your network security will definitely help. Keep your patches up to date and go forward with confidence.
