글 작성자: ikimonotaku

워너크라이 랜섬웨어 복구 방법이 공개되어 번역 포스팅합니다.

(메모리에서 pky 매칭으로 키값 긁어오는 형태로 확인 됩니다.)


복구방법

1. 일단 랜섬웨어에 감염되면 재부팅은 하지 마십시오.

2. 그리고 아래 파일을 다운로드합니다.

wanakiwi

3. wanakiwi.exe 를 실행하기전에 같은 폴더내에 당신의 .pky 파일을 복사합니다.

(*.pky 로 검색하여 검색된 파일 복사 혹은 바탕화면에 XXXXXXXXXXX.pky 복사하셔도 됩니다.)



4. wanakiwi.exe 실행하면 복구됩니다.^^ wanacry 변종은 불가하니 참고바래요.









출처 및 하단 원본 글 : https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d


WannaCry — Decrypting files with WanaKiwi + Demos

Working Windows XP & 7 demos. #FRENCHMAFIA

Read MorePart 1 — Part 2 — Part 3 — Part 4

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!

*ASAP because prime numbers may be over written in memory after a while.

Don’t cry yet.

UPDATE: Actually, wanakiwi from Benjamin Delpy (@gentilkiwi) works for both Windows XP (confirmed) and Windows 7 (confirmed)This would imply it works for every version of Windows from XP to 7, including Windows 2003 (confirmed), Vista and 2008 and 2008 R2. See demos in the below GIFs.

Wannakey

Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

Unfortunately, this only works on Windows XP as those values are cleaned during the CryptReleaseContext in later version of Windows.

UPDATEForget the above statement, this has been successfully tested with wanakiwi up to Windows 7.

As Adrien stated in his README, this is not a mistake from the author but an issue with Windows XP — the author themselves make sure to release the user key as soon as they are done with it. And that key never touches the disks unless encrypted with the attacker public key. Although, some file format issue happened with the exported key that didn’t make it compatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, as the Windows Crypt APIs on Windows XP are expecting a very strict input to work unlike Windows 10. Which is the reason why my initial tests failed with the output key using Wannakey.

Moreover, the output file format was not compatible with the ransomware WannaCry either. Unlike Wanakiwi from gentilkiwi as we can see in the demo below.

Wanakiwi

  1. Download wana kiwi here
  2. wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
  3. Cross fingers your prime numbers haven’t been erased from memory.

After, doing some tests and discussing with Benjamin — he decided to rewrite his own version using OpenSSL and based on Adrien’s methodology to retrieve the key to directly fix the file format issues and build a version 100% compatible with Windows O.S. from Windows XP to Windows 7. Amazing job! (see below for full working demos!)

Wanakiwi also recreates the .dky files expect from the ransomware by the attackers, which makes it compatible with the ransomware itself too. This also prevents the WannaCry to encrypt further files.

After further testing with Benjamin, we noticed the info leak on the prime numbers in the Microsoft Crypt API was still present on Windows 7. \o/