Wcry is a free ransomware decryption tool for Windows XP


Updated on October 4, 2023


A security researcher found a way to retrieve the encryption keys used by the WannaCrypt (AKA WannaCry) ransomware without paying the ransom of $300. This is significant because WannaCry relies on Microsoft’s built-in cryptographic tools to do its work. While Windows XP was not widely affected by the cyber-attack, the following technique may be applied in the case of other ransomware infections.

Wcry, now available on Windows XP

The tool is called Wcry and it plucks the key right out of the affected system’s memory. This solution is currently available for Windows XP and only when the PC in question hasn’t been rebooted or its memory overwritten.

Wcry was developed by Adrien Guinet, a French researcher, who posted the solution on GitHub for free.

How it works

According to Guinet, the software has only been tested under Windows XP and it runs perfectly. The note found next to the app also reads that “in order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

In Windows XP, a flaw prevents the keys from being erased from memory; this flaw is not present in newer operating systems. Recovery depends on the prime numbers still being in memory.

Guinet says that:

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry. It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

Because the tool can be used for more ransomware infections, it will prove very useful for anyone providing tech support.
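The memory search Guinet describes, sketched as an added example (not Guinet's code and not part of the original article): it slides a window over a raw memory dump and tests whether each candidate divides the known public modulus. The function names, the little-endian byte order, the public exponent 65537 and the small constructed primes are assumptions made for the illustration.

```python
"""Scan a raw memory dump for a prime factor of a known RSA modulus."""


def find_rsa_prime(dump: bytes, modulus: int, byteorder: str = "little"):
    """Return (offset, p, q) for the first window that divides modulus, else None."""
    mod_len = (modulus.bit_length() + 7) // 8
    prime_len = (mod_len + 1) // 2  # each prime is half the size of the modulus
    for off in range(len(dump) - prime_len + 1):
        window = dump[off:off + prime_len]
        # Cheap pre-filter: every RSA prime is odd, so skip even candidates
        # (this also skips the large zero-filled regions of a dump).
        low = window[0] if byteorder == "little" else window[-1]
        if low & 1 == 0:
            continue
        cand = int.from_bytes(window, byteorder)
        # A non-trivial divisor of N = p * q can only be p or q.
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand, modulus // cand
    return None


def private_exponent(p: int, q: int, e: int = 65537) -> int:
    """Rebuild d from the recovered primes (e = 65537 is an assumed public exponent)."""
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed sample data: two 8-byte primes stand in for the 1024-bit primes
# of a real 2048-bit key, and the "dump" is filler bytes around one leftover prime.
P, Q = 2**61 - 1, 2**64 - 59
N = P * Q  # the public modulus, which the victim always has
DUMP = (bytes(range(256)) * 3          # unrelated process memory
        + P.to_bytes(8, "little")      # prime left behind after the key was "destroyed"
        + b"\x00" * 64                 # freed, zeroed region
        + bytes(range(255, 0, -1)))    # more unrelated memory

if __name__ == "__main__":
    hit = find_rsa_prime(DUMP, N)
    if hit is None:
        print("no prime found: memory was overwritten or the machine rebooted")
    else:
        off, p, q = hit
        print(f"prime at offset {off}: p={p:#x} q={q:#x}")
        print(f"private exponent d={private_exponent(p, q):#x}")
```

A `None` result corresponds to the failure case the tool's note warns about: once the freed memory has been reused or the machine rebooted, the primes are gone and the scan finds nothing.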


Radu Tyrsina
