Thursday, May 18, 2017

Small amount of hope for XP users hit with WannaCrypt

The ransomware WannaCrypt generates both halves of its key pair client-side, but it releases the private key from memory so that its victims can't decrypt their files. On Windows XP, though, the function responsible for destroying the key does not immediately erase it from memory.

Someone created a tool to take advantage of those facts. Wannakey searches a WannaCrypt process's memory for the private key and saves it to disk. The caveats are that it only works if the system hasn't been rebooted since the infection, and that the memory occupied by the key could have been repurposed for something else in the meantime. So this provides a small but nonzero amount of hope.
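
One way such a memory search can work, as an added example that is not Wannakey's code or part of the original post: given the victim's public modulus n, slide over a memory dump looking for a leftover prime factor of n, then rebuild the private exponent. The little-endian layout, the function names, and the tiny sample key and dump are assumptions constructed for illustration.

```python
# Added illustration: recover an RSA private key from a memory dump by
# looking for a leftover prime factor of the known public modulus.
# Assumption: the prime sits in memory as a little-endian integer.

def find_prime_factor(dump: bytes, n: int, prime_len: int, align: int = 1):
    """Return (offset, p, q) for the first window that divides n, else None."""
    for off in range(0, len(dump) - prime_len + 1, align):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand, n // cand
    return None


def rebuild_private_exponent(p: int, q: int, e: int = 65537) -> int:
    """Derive d from the recovered factors: d = e^-1 mod (p-1)(q-1)."""
    return pow(e, -1, (p - 1) * (q - 1))


def build_sample():
    """Constructed sample: tiny key from two Mersenne primes, fake dump."""
    p, q = 2**127 - 1, 2**107 - 1       # real keys use far larger primes
    filler = bytes(range(256)) * 4      # stand-in for unrelated memory
    dump = filler + p.to_bytes(16, "little") + filler
    return dump, p * q, p, q


def overwritten_sample():
    """Same dump after the key's memory was reused: the prime is gone."""
    dump, n, p, _ = build_sample()
    start = dump.find(p.to_bytes(16, "little"))
    return dump[:start] + b"\x00" * 16 + dump[start + 16:], n


if __name__ == "__main__":
    dump, n, _, _ = build_sample()
    off, p, q = find_prime_factor(dump, n, prime_len=16)
    d = rebuild_private_exponent(p, q)
    msg = 0x1234
    assert pow(pow(msg, 65537, n), d, n) == msg   # recovered key round-trips
    print(f"factor found at offset {off:#x}")
    wiped, n2 = overwritten_sample()
    print("after reuse:", find_prime_factor(wiped, n2, prime_len=16))
```

The second sample shows the caveat from the post: once the memory that held the key has been reused, the scan finds nothing.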
