Crapness of WannaCrypt coding offers hope for ransomware victims

Mistakes in the WannaCrypt ransomware worm might allow files to be restored after infection.

A crack team of security researchers at Kaspersky Lab has discovered that WannaCrypt/WannaCry, which infected hundreds of thousands of victims at the beginning of May, contains several coding errors.

Most of the whoopsies make it possible to restore files with the help of publicly available software tools. In one case a mistake in the malware's read-only file processing mechanism does not allow it to encrypt read-only files at all. Instead, the malware creates encrypted copies of the files, while the original files remain untouched and are only given a "hidden" attribute, which is easy to undo.

The ransomware simply fails to delete original files. The work by the Kaspersky team gives new cause for hope to those organisations infected by WannaCrypt, the latest and most high-profile addition to a growing list of ransomware nasties. Coding mistakes in ransomware are by no means rare. Their recurrence in WannaCrypt offers a potential reprieve for those organisations struggling to recover from the outbreak three weeks on.

Anton Ivanov, security researcher at Kaspersky Lab, commented: "We've already seen it before – ransomware authors often make severe mistakes which allow the security industry to successfully recover the affected files. WannaCry – at least the first and most widespread versions of this ransomware family – is just that kind of malware.

"If you were infected with WannaCry ransomware there is a good chance that you will be able to restore a lot of the files on your affected computer. We advise private users and organisations to use the file recovery utilities on affected machines in their network."

The restoration approach has limitations. If the file is in an "important" folder (eg, Desktop and Documents), then the original file will be overwritten with random data before removal. In such cases, there is no way to restore the original file content – at least not without paying the ransom. Things are a lot rosier if the documents are stored elsewhere on the disk, according to Kaspersky Lab boffins.

If the file is stored outside of 'important' folders, then the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten, they are simply deleted from the disk, which means there is a high chance it will be possible to restore them using data recovery software.

"From our in-depth research into this ransomware, it is clear that the ransomware developers have made a lot of mistakes and, as we pointed out, the code quality is very low," the researchers conclude.

"If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. To restore files, you can use the free utilities available for file recovery."

More details on the mistakes in WannaCrypt can be found in a blog post by Kaspersky Lab researchers on its Securelist blog here.

Bootnote

Other researchers previously outlined how encryption keys needed to restore files on compromised Windows XP boxes might be recovered from volatile memory. This approach only worked in cases where an XP box had not been rebooted since infection. It's since emerged that the ransomware doesn't reliably infect Windows XP.