In the month of May 2017, WannaCry, a ransomware may have caused havoc all over the world when it hit nearly 300,000 PCs in 150 countries within just 72 hours, but that doesn’t mean it was a high-quality piece of ransomware. Yes, security researchers at Kaspersky Labs have recently discovered some programming errors in the code of the WannaCrypt ransomware worm.
These programming errors in the code of the WannaCrypt ransomware could allow some of its victims to restore their locked files with publicly available free recovery tools or even with simple commands, without paying for any decryption key.
Anton Ivanov, senior malware analyst at Kaspersky Lab, along with colleagues Fedor Sinitsyn and Orkhan Mamedov, after deeply researching the malware, have detailed three critical errors made by WannaCry developers that could allow sysadmins to restore potentially lost files.
According to the researchers, the issue resides in the way the malware carries out the encryption.
“When Wannacry encrypts its victim’s files, it reads from the original file, encrypts the content and saves it into the file with extension “.WNCRYT”. After encryption it moves “.WNCRYT” into “.WNCRY” and deletes the original file. This deletion logic may vary depending on the location and properties of the victim’s files.”
WannaCry copies the files and creates their encrypted copies because it is not possible for a malicious software to directly encrypt or modify read-only files. While the original files remain untouched but are given a ‘hidden’ attribute, getting the original data back simply requires victims to restore their normal attributes.
Recovering Files from the System Drive (i.e. C drive)
According to researchers, files stored in the ‘important folders’, like Desktop or Documents folder, cannot be recovered without the decryption key because WannaCry has been designed to overwrite original files with random data before removal.
However, researchers noticed that other files stored outside of ‘important folders’ on the system drive could be restored from the temporary folder using a data recovery software.
“If the file is stored outside of ‘important’ folders, then the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten, they are simply deleted from the disk, which means there is a high chance it will be possible to restore them using data recovery software.”
Recovering Files from the Non-System Drives
According to researchers, for non-system drives, the WannaCry Ransomware creates a hidden ‘$RECYCLE’ folder, which is invisible in Windows File Explorer if it has a default configuration. The malware then moves original files into this directory after encryption. However, you can recover those files just by unhiding the ‘$RECYCLE’ folder.
Also, due to “synchronization errors” in the ransomware code, in many cases the original files stay in the same directory and are not moved into $RECYCLE, making it possible for victims to restore insecurely deleted files using available data recovery software.
WannaCry Ransomware Programming Errors:
Kaspersky Lab researchers have discovered that this ransomware has a bug in its read-only file processing. If there are such files on the infected machine, then the ransomware won’t encrypt them at all. It will only create an encrypted copy of each original file, while the original files themselves only get the “hidden” attribute. When this happens, it is simple to find them and restore their normal attributes.
- The ransomware developers have made a lot of mistakes and the code quality is very low.
- If you were infected with WannaCry ransomware, there is a good possibility that you will be able to restore a lot of the files on the affected computer.
- To restore files, you can use the free utilities available for file recovery.
Article original source