Software looks for decryption key in the memory

May 19, 2017 06:35 GMT

Windows XP was one of the Windows versions hit by the WannaCry ransomware, and despite the patch released by Microsoft, there were still thousands of computers that ended up infected.

And thanks to new software developed by French researcher Adrien Guinet, Windows XP users whose computers were compromised by WannaCry can remove the infection without having to pay the $300 ransom.

A tool he posted on GitHub searches the computer’s memory for the decryption key, which only works if the machine has not been rebooted since it was infected; if you have already restarted the system after WannaCrypt locked it down, this isn’t going to work.

If that condition is met, the app can recover the prime numbers of the RSA private key that WannaCry uses to encrypt your files.

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory,” the researcher explains.
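The recovery idea described above, reduced to a small worked example (added here, not Guinet’s Wannakey code): with the public RSA modulus known, slide a window over a buffer standing in for the process’s leftover memory, treat each window as a little-endian integer, and a window that divides the modulus is one of the primes, from which the other prime and the private exponent follow. The key, the buffer and the offset are all constructed; 256-bit primes keep it fast.

```python
import math
import random

def is_probable_prime(n, rounds=20):
    # Miller-Rabin; only ever called on large odd candidates from gen_prime()
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_prime(bits, rng):
    # Random prime with exactly `bits` bits, so it occupies bits // 8 bytes in memory
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c
def find_prime_factor(n, memory, prime_len):
    # Slide a prime_len-byte window over the buffer; a window that divides n is a prime of n
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None
def recover_private_key(n, e, memory, prime_len):
    # One leaked prime gives the other one and the private exponent d
    off, p = find_prime_factor(n, memory, prime_len)  # raises TypeError if nothing was found
    q = n // p
    return off, p, q, pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
def demo(e=65537):
    rng = random.Random(2017)  # constructed, deterministic stand-in for the victim's key
    while True:
        p, q = gen_prime(256, rng), gen_prime(256, rng)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    memory = bytearray(rng.getrandbits(8) for _ in range(1024))  # constructed "leftover heap"
    memory[300:332] = p.to_bytes(32, "little")  # the un-erased prime, little-endian like CryptoAPI
    off, fp, fq, d = recover_private_key(n, e, bytes(memory), 32)
    return {"offset": off, "p": fp, "q": fq, "true_p": p, "true_q": q,
            "roundtrip_ok": pow(pow(0x1234, e, n), d, n) == 0x1234}
```

The check that matters for a defender is the divisibility test: nothing about the candidate needs to be known in advance except the public modulus, which is why freed-but-unwiped key material is enough to undo the encryption.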

Only working on Windows XP

What’s important to note is that this application works exclusively on Windows XP, and the researcher says it hasn’t been tested on a different Windows version.

On the other hand, Windows XP systems that haven’t been infected just yet must deploy Microsoft’s patch that’s available even for unsupported versions of Windows.

The WannaCry ransomware is based on a vulnerability in all Windows versions that was stolen from the NSA and posted online by the hacking group Shadow Brokers earlier this year. Microsoft patched all supported versions of Windows, including Vista, 7, 8.1, and 10, as part of the March Patch Tuesday, while Windows XP remained vulnerable to attacks as it’s no longer getting support.

After thousands of computers got infected, Microsoft decided to release the patch for Windows XP systems as well, thus publishing the first update in 3 years for the operating system launched in 2001.