The number of machines infected by the WannaCry ransomware has decreased recently, and researchers have rushed to help the victims by developing decryption tools. So far, two of them have proven effective: the WannaKey tool and the one today's news is about, WanaKiwi.
The WanaKiwi decryptor was developed by the researcher Benjamin Delpy, who also goes by the nickname gentilkiwi. The new decryptor is known to work on many Windows versions, and its effectiveness has also been confirmed by Europol.
WanaKiwi works on both Windows 7 and Windows XP, which suggests that “it works for every version of Windows XP to 7, including Windows 2003, Vista and 2008 and 2008 R2,” confirms Matt Suiche from security firm Comae Technologies.
There is an important caveat, however. Victims of the WannaCry ransomware should not reboot their machines after the infection, because a reboot may overwrite the prime numbers in system memory, which lowers the chances of the decryptor working.
How does WanaKiwi work?
Once you download and run the WanaKiwi decryptor, it automatically starts searching for the 00000000.pky file. During the scan, all you can do is wait and hope that your prime numbers have not been overwritten. This is why the machine must not be rebooted after the infection.
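The following is an added illustration of this kind of memory search, not WanaKiwi's own code and not part of the original article. It assumes that the prime numbers are the factors of the RSA modulus in the public key file, that they sit in memory as little-endian integers, and it uses constructed toy primes and a byte buffer in place of real process memory; all function and variable names are hypothetical.

```python
# Added illustration (not WanaKiwi's source): find an RSA prime left in memory.
E = 65537  # common RSA public exponent, assumed for this demo


def find_prime(memory: bytes, modulus: int, prime_len: int):
    """Slide a prime_len-byte window over memory and return (offset, p) for
    the first value that divides modulus, or None if no factor survives."""
    for off in range(len(memory) - prime_len + 1):
        # Byte order is an assumption of this example.
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private(modulus: int, p: int):
    """With one prime known, the other prime and the private exponent follow."""
    q = modulus // p
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return p, q, d


# Constructed toy data: two small Mersenne primes stand in for the key's primes.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q            # plays the role of the modulus read from 00000000.pky
PRIME_LEN = 16       # size in bytes of the prime being searched for
FILLER = bytes((i * 37 + 11) % 256 for i in range(4096))
# Memory while the prime is still present, and the same region once overwritten.
LIVE = FILLER[:1000] + P.to_bytes(PRIME_LEN, "little") + FILLER[1000:]
OVERWRITTEN = FILLER

if __name__ == "__main__":
    print("prime still in memory:", find_prime(LIVE, N, PRIME_LEN))
    print("after overwrite:      ", find_prime(OVERWRITTEN, N, PRIME_LEN))
```

The second search returns nothing because the prime is no longer in the buffer, which is the situation a reboot can create on a real machine.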
There is no guarantee that WanaKiwi will work on all infected computers, but there is a good chance that it will decrypt many of them. The number of WannaCry targets reached 220,000 in only a week, and very few of them have chosen to pay the $300 ransom demanded by the crooks.
According to information dumped online by the cybercriminal gang Shadow Brokers, WannaCry relies on a Windows vulnerability that was being exploited by the NSA. Microsoft has already patched the flaw, but users are strongly advised to install an anti-malware program to help fight ransomware attacks.