May 25th 2017
Know How... 314
Networking 102 Part 3 - WannaCry 2
Community questions, WanaKiwi, and how to get your files back! Maybe...
We answer community questions about how WannaCry works and what files are affected, and look at WanaKiwi, which can help if you've been infected, but it's not guaranteed.
The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi).
How it works:
- WannaKey was developed by Adrien Guinet (@adriengnt)
- WannaKey was used as a base for WanaKiwi
- WannaKey only works on XP
- WanaKiwi works on XP, Vista, 7, 8, 8.1
They're "Memory Scrubbing" programs:
- The way that WannaCry works is that it generates a public and private key.
- The keys are generated using primes
- WannaCry then deletes the private key (you need to pay the ransom to get that key for decryption)
- WannaKey & WanaKiwi both take advantage of the fact that even though the program deletes the private key, the PRIMES that were used to generate that key are still in memory
- However, this is VERY time sensitive
- WK scans the address space of the WannaCry process (This is why the PID is important)
- We need to find the keys BEFORE the process reuses that memory space
- This is why you can't reboot or kill the process
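
The prime search described above, as an added sketch (not code from WannaKey or WanaKiwi): walk a copy of process memory, treat each window as a candidate prime, and keep the one that divides the public modulus. The 64-bit primes, the little-endian layout, the exponent 65537 and all function names are assumptions for illustration; the memory buffer is constructed sample data.

```python
# Added illustration: all values below are constructed, not from a real infection.
E = 65537  # common RSA public exponent (assumed for this sketch)


def find_prime_factor(memory: bytes, modulus: int, prime_len: int):
    """Slide a prime_len-byte window over a memory image and return
    (offset, p) for the first window whose value divides the modulus."""
    for off in range(len(memory) - prime_len + 1):
        # Assumption: the prime is stored as a little-endian integer.
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < modulus and cand & 1 and modulus % cand == 0:
            return off, cand
    return None  # the prime's bytes were already overwritten or freed


def rebuild_private_exponent(modulus: int, p: int, e: int = E) -> int:
    """One recovered prime is enough: q = N / p, d = e^-1 mod (p-1)(q-1)."""
    q = modulus // p
    return pow(e, -1, (p - 1) * (q - 1))


def build_sample():
    """Constructed stand-in for a process memory region holding a leftover prime."""
    p, q = 2**64 - 59, 2**61 - 1          # small known primes, for illustration
    filler = bytes(range(1, 41))          # 40 bytes of unrelated data
    memory = filler + p.to_bytes(8, "little") + filler[::-1]
    return p * q, memory


def demo():
    modulus, memory = build_sample()
    hit = find_prime_factor(memory, modulus, 8)
    # Same region after the process has reused the 8 bytes that held the prime.
    reused = memory[:40] + bytes(8) + memory[48:]
    miss = find_prime_factor(reused, modulus, 8)
    d = rebuild_private_exponent(modulus, hit[1])
    roundtrip = pow(pow(42, E, modulus), d, modulus)  # encrypt then decrypt 42
    return hit, miss, roundtrip


if __name__ == "__main__":
    print(demo())
```

The second scan returning nothing is the time-sensitivity point in the list: once the memory holding the prime is reused, there is nothing left to find.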