Windows XP owners infected by the WannaCry ransomware may be able to decrypt their data without paying the ransom, according to a researcher from France.
Adrien Guinet, a researcher with Quarkslab, has released a decryption tool that he says may be able to recover the secret decryption key required to restore the user's data. The software has only been tested on a handful of computers, all of them running Windows XP.
"This software has only been tested and known to work under Windows XP," he wrote about the so-called decryptor which he calls WannaKey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"
The recovery rate from this software looks limited at this point: only XP users can try it, which leaves Windows 2003 and server users out. Moreover, not every infected XP user will be able to get their data back. Matt Suiche, founder of Comae Technologies, for instance, said he was unable to make Guinet's decryptor tool work.
How it works
WannaCry uses the Microsoft Cryptographic Application Program Interface to handle many of its functions, including generating a key for encrypting and decrypting the files. After it creates this key, the interface erases the key on most versions of Windows. This is why many users, even after paying the ransom, have not been able to get their data back.
Guinet says an overlooked limitation in XP, however, can prevent this erasure. According to him, the prime numbers used to generate the secret key may remain intact in computer memory until the PC is powered down. His software, WannaKey, can scour the memory of an infected XP machine and extract the p and q variables that the secret key was based on. He then details how one can recover the key to decrypt the data.
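The recovery idea described above, as an added example that is not WannaKey's code or part of the original article: scan a memory buffer for a value that divides the public modulus N, then rebuild the private exponent from it. The toy 32-bit primes, the public exponent 65537, little-endian storage, the 4-byte scan step and the function names are all assumptions of this sketch, and the memory buffer is constructed.

```python
# Added example (not WannaKey's code): find an RSA prime left in memory and
# rebuild the private exponent. All values below are constructed toy data.
E = 65537                      # assumed public exponent
TOY_P = 2**31 - 1              # constructed 32-bit prime (stand-in for real size)
TOY_Q = 2**32 - 5              # constructed 32-bit prime
TOY_N = TOY_P * TOY_Q          # public modulus, known from the public key
PRIME_LEN = 4                  # bytes per prime in this toy key

# Constructed "memory dump": filler bytes with p stored at offset 40.
# Little-endian storage is an assumption of this example.
_FILLER = bytes((i * 7 + 3) % 251 for i in range(64))
MEMORY = _FILLER[:40] + TOY_P.to_bytes(PRIME_LEN, "little") + _FILLER[44:]


def find_prime_factor(memory, n, prime_len, step=4):
    """Return (offset, p) for the first aligned window that divides n."""
    for off in range(0, len(memory) - prime_len + 1, step):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        # Only a real factor of n passes this test; random data does not.
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None  # key material already wiped or overwritten


def rebuild_private_key(n, p, e=E):
    """Derive q and the private exponent d from one recovered prime."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return q, d


if __name__ == "__main__":
    hit = find_prime_factor(MEMORY, TOY_N, PRIME_LEN)
    if hit is None:
        print("no factor of N found in memory")
    else:
        off, p = hit
        q, d = rebuild_private_key(TOY_N, p)
        msg = 123456789
        assert pow(pow(msg, E, TOY_N), d, TOY_N) == msg
        print(f"p found at offset {off}; q={q}; private exponent recovered")
```

The `None` branch is the case the article warns about: once the machine has been rebooted or the memory reused, no window divides N and nothing can be recovered.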
Do remember that this is only for Windows XP users infected with WannaCry who have not rebooted their systems at all since the encryption. If it doesn't work, or your infected system is not running Windows XP, keep your system powered on until new research comes up with a better decryption tool.