This application lets in machines inflamed through the WannaCry ransomware to get better their information.
wanakiwi is according to wanadecrypt which makes conceivable for fortunate customers to :
- Get better the non-public person key in reminiscence to reserve it as
00000000.dky - Decrypt all in their information
The primes extraction means is according to Adrien Guinet’s wannakey which encompass scanning the WannaCry procedure reminiscence to get better the top numbers that weren’t wiped clean throughout CryptReleaseContext().
Adrien’s means was once at the beginning described as most effective legitimate for Home windows XP however @msuiche and I proved this can also be prolonged to Home windows 7.
Utilization
wanakiwi.exe [PID]
PID is an not obligatory parameter, through default the application will search for any of this procedure:
- wnry.exe
- wcry.exe
- data_1.exe
- ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
- tasksche.exe
Limitations
Given the truth this system is determined by scanning the deal with house of the method that generated the ones keys, because of this if this procedure were killed through, as an example, a reboot – the unique procedure reminiscence shall be misplaced. You will need to for customers to NOT reboot their gadget ahead of making an attempt this software.
Secondly, on account of the similar reason why we have no idea how lengthy the top numbers shall be saved within the deal with house ahead of being reused through the method. Because of this it is crucial to take a look at this application ASAP.
This isn’t a really perfect software, however this has been up to now the most productive answer for sufferers who had no backup.
Compatibility
| O.S. | x86 | x64 |
|---|---|---|
| Home windows XP | ✅ | ? |
| Home windows 2003 | ✅ | ? |
| Home windows 7 | ✅ | ? |
Frequently Asked Questions
Does it modify the original encrypted files ?
No, the unique encrypted information (.WNCRY) stay unmodified. The decrypted information are generated as separate information.
Does it work on an infected machine that had been rebooted or shutdown ?
No, the entire level is so that you could analyze the method reminiscence of the method which created the keys. If it were shutdown or rebooted, this reminiscence state is misplaced.
What about hibernated machines ?
Sure, while you hibernate your gadget it if truth be told saves the state of reminiscence on disk which permits to stay the method reminiscence state. In the ones eventualities, a gadget which has been hibernated for a couple of days has her reminiscence state intact and just like the day it hibernated. Which if truth be told raises your possibilities of document restoration.
What shall we do after recovering our files ?
We strongly counsel you to instantly again up the ones decovered information on an exterior empty disk ahead of rebooting or shutting down your gadget – together with the 00000000.dky document generated through wanakiwi which is the decryption key. When you backed-up up your recovered information, we suggest you to reinstall a contemporary model of Home windows.
