Recover files encrypted by the WannaCry ransomware: wanakiwi
Recover files encrypted by the WannaCry ransomware This utility allows machines infected by the WannaCry ransomware to recover their files. wanakiwi is based on wanadecrypt which makes possible for lucky users to : Recover the private user key in memory to save it as 00000000.dky Decrypt all of their files The primes extraction method is based on Adrien Guinet’s [wannakey] (https://github.com/aguinet/wannakey) which consist of scanning the WannaCry process memory to recover the prime numbers that were not cleaned during CryptReleaseContext(). Usage wanakiwi.exe [PID] PID is an optional parameter, by default the utility will look for any of this process: wnry.exe wcry.exe data_1.exe ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe Limitations Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot – the original process memory will be lost. It ...