Know How...

May 25th 2017

Know How... 314

Networking 102 Part 3 - WannaCry 2

Community questions, WannaKiwi, and how to get your files back! Maybe...
Although the show is no longer in production, you can enjoy episodes from the TWiT Archives.
Category: Help & How To

We answer community questions about how WannaCry works and what files are affected, along with WanaKiwi which can help if you've been infected, but it's not guaranteed.

The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi).

How it works:

  • WanaKey was developed by Ardien Guinet (@adriengnt)
  • WanaKey was used as a base for WanaKiwi

WanaKey only works on XP

WanaKiwi works on XP, Vista, 7, 8, 8.1

They're "Memory Scrubbing" programs:

  • The way that WannaCry works is that it generates a public and private key.
  • The keys are generated using primes
  • WannaCry then deletes the private key // you need to pay the ransom to get that key for decryption
    • WanaKey & WanaKiwi both take advantage of the fact that even though the program deletes the private key, the PRIMES that were used to generate that key is still in memory
    • However, this is VERY time sensitive
  • WK scans the address space of the WannaCry process (This is why the PID is important)
    • We need to find the keys BEFORE the process reuses that memory space
    • This is why you can't reboot or kill the process

Connect with us!

Thanks to CacheFly for the bandwidth for this show.