We all know about the panic caused by the infamous ransomware worm WannaCry. It hit more than 3 lakh systems within 72 hours. The latest reports say that errors have been found in the WannaCry code which might allow victims to restore their files without any decryption key.
Anton Ivanov, senior researcher at the security company Kaspersky Lab, along with his teammates Fedor Sinitsyn and Orkhan Mamedov, explained on Thursday that the WannaCry developers made some critical errors in the code. They made mainly two types of errors:
- While deleting the original file.
- While processing the read-only files.
Because of these errors, victims can restore their files using ordinary file recovery software.
1. Error in the removal logic
When WannaCry encrypts a file, it first reads the original file, encrypts it and saves the result with the extension .WNCRYT. It then renames that copy to the .WNCRY extension and deletes the original file. The issue lies here, in the way the ransomware deletes the original file after encryption.
The deletion logic varies depending on the location and the properties of the victim's files.
Files located on the system drive C:
- If the file is in the Desktop or Documents folder, the original file is overwritten with random data before removal. In this case there is no way to restore the file.
- If the files are stored outside these important folders (i.e. Desktop and Documents), the original files are moved into a temporary folder (%TEMP%\%d.WNCRYT, where %d denotes a numeric value). In this case the original files are not overwritten but only deleted, which means there is a chance to recover them.
Files located on other drives:
- The ransomware creates a $RECYCLE folder and intends to move the original files into it; the files in this folder are also given the hidden attribute. In some cases, however, due to synchronization errors, the ransomware does not move the files to that folder. Even when it does, the deletion is not done securely, which leaves the files recoverable.
The standard way a computer deletes a file is by marking the area of the disk it occupied as free for other files to use. Until new data takes up that physical space, the old data remains on the disk.
To delete a file so that file recovery software cannot restore it, malware developers (or a security-minded user) must overwrite the original file with new data. WannaCry did not do this anywhere except in the Desktop and Documents folders. Instead it used the normal deletion mechanism, which can be undone.
2. Read-only file processing error
The researchers also found a bug in read-only file processing. If such files are present on the machine, the ransomware creates an encrypted copy, but the original files are neither deleted nor overwritten; they are only given the hidden attribute.
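The deletion rules above translate directly into a triage for an affected machine: for each .WNCRY file, decide whether the original is still present (read-only case), was wiped (Desktop/Documents on C:), was deleted normally from %TEMP% (undelete tools can help), or lived on another drive ($RECYCLE folder, then undelete). The script below is an added example, not Kaspersky's or the article's code; the sample tree it builds is constructed with hypothetical paths, and the contents written as ciphertext are placeholders.

```python
import tempfile
from pathlib import Path

ENC_EXT = ".WNCRY"                           # final extension of an encrypted copy
OVERWRITTEN_DIRS = {"desktop", "documents"}  # originals here were wiped before deletion

def outlook(enc_file: Path, system_root: Path) -> str:
    """Classify how the original behind one .WNCRY copy was removed."""
    original = enc_file.with_name(enc_file.name[:-len(ENC_EXT)])
    if original.exists():
        return "intact-hidden"        # read-only case: original only hidden, never deleted
    try:
        rel = enc_file.resolve().relative_to(system_root.resolve())
    except ValueError:                # not on the system drive
        return "other-drive-recycle"  # look in the hidden $RECYCLE folder, then undelete
    if OVERWRITTEN_DIRS & {p.lower() for p in rel.parts[:-1]}:
        return "overwritten"          # random data written over the original: no recovery
    return "temp-deleted"             # moved to %TEMP%\<n>.WNCRYT, deleted normally: undelete

def triage(root: Path, system_root: Path) -> dict:
    """Map every .WNCRY file under root to its recovery outlook."""
    return {p.relative_to(root).as_posix(): outlook(p, system_root)
            for p in sorted(root.rglob("*" + ENC_EXT))}

def build_sample_tree(base: Path) -> tuple:
    """Constructed sample tree (hypothetical paths), one file per deletion rule."""
    c = base / "C"
    for rel, original_kept in [("Users/a/Desktop/plan.xlsx", False),
                               ("Users/a/Downloads/notes.txt", False),
                               ("Users/a/Downloads/policy.pdf", True)]:
        f = c / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.with_name(f.name + ENC_EXT).write_bytes(b"<ciphertext placeholder>")
        if original_kept:                  # simulates the read-only file the worm left behind
            f.write_bytes(b"read-only original")
    d = base / "D" / "share" / ("ledger.csv" + ENC_EXT)   # file on a non-system drive
    d.parent.mkdir(parents=True)
    d.write_bytes(b"<ciphertext placeholder>")
    return base, c

def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        base, sys_root = build_sample_tree(Path(tmp))
        return triage(base, sys_root)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:20} {name}")
```

On a real Windows machine the "intact-hidden" originals still need the hidden attribute cleared (for example with `attrib -h`), which this portable script does not do.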
The researchers concluded,
“From our in-depth research into this ransomware, it is clear that the ransomware developers have made a lot of mistakes and, as we pointed out, the code quality is very low.
If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. To restore files, you can use the free utilities available for file recovery. We advise organizations share this article with their system administrators – as they can use the file recovery utilities on affected machines in their network.”