The Wanna Decrypter ransomware, or WannaCry as it's commonly known, began floating around the Internet late last week and has made a lasting impact, with hundreds of thousands of PCs worldwide being affected. What the malware does is even more alarming: one minute, you're using your computer normally; the next, your data is locked away behind a key unless you fork over hundreds of dollars in ransom money.
As has become typical of ransomware, WannaCry will demand payment via Bitcoin in order to recover the data the attackers locked down. Once payment is received, an encryption key is typically (but not always) sent that will allow the user to recover their data. It's a chore for the inexperienced user, and an outrageous demand for anyone involved.
Yesterday, a tool called WannaKey hit GitHub promising free recovery of data on PCs corrupted with Wanna Decrypter. This tool carried a number of caveats, though, with a big one being that it's exclusive to Windows XP, and another that the PC must not have been rebooted after being infected.
Today, another developer has built on WannaKey's abilities and released wanakiwi, a tool with the same goal of recovering data, but one that works on all versions of Windows between XP and 7 (that includes Vista and server variants). Unfortunately, wanakiwi carries the same caveat of being useless after an infected PC has been rebooted.
Credit: /u/kevle6 (reddit)
These tools can potentially save your data because of remnants Wanna Decrypter leaves in the system memory after it's carried out its mission. In particular, the prime numbers of the RSA private key are left in memory, allowing these tools to recover them in order to decrypt the victim's data. In Windows 10, those prime number values would have been purged from memory, and presumably the same applies to Windows 8 (which is probably why the tool doesn't support these operating systems).
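The recovery idea described above, as an added Python example (not code from WannaKey or wanakiwi, and not part of the original article): slide a window over a memory image and test whether the bytes form a number that divides the public RSA modulus. The function names, the little-endian byte order, the byte-by-byte scan and the small constructed 64-bit primes are assumptions made for the demonstration.

```python
# Added illustration; not the code of WannaKey or wanakiwi.
# Constructed demo key: two small known primes stand in for the real, much larger ones.
P = 2**61 - 1
Q = 2**64 - 59
N = P * Q          # public modulus, which the victim still has
E = 65537          # public exponent (assumed)
PRIME_LEN = 8      # bytes per prime in this demo

def find_prime_in_memory(dump: bytes, n: int, prime_len: int):
    """Return (p, q, offset) for the first window that divides n, else None."""
    for off in range(len(dump) - prime_len + 1):
        # Assumption: the prime sits in memory as a little-endian integer.
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if cand < 3 or cand % 2 == 0 or cand >= n:
            continue  # zero, one, even values and n itself cannot be the prime
        if n % cand == 0:
            return cand, n // cand, off
    return None  # nothing left behind, e.g. memory purged or PC rebooted

def rebuild_private_exponent(p: int, q: int, e: int = E) -> int:
    """Recompute the RSA private exponent d once both primes are known."""
    return pow(e, -1, (p - 1) * (q - 1))

def make_dump(prime=None, at=0, size=4096) -> bytes:
    """Constructed memory image: patterned filler, optionally holding a prime."""
    buf = bytearray((i * 37 + 11) & 0xFF for i in range(size))
    if prime is not None:
        buf[at:at + PRIME_LEN] = prime.to_bytes(PRIME_LEN, "little")
    return bytes(buf)

if __name__ == "__main__":
    hit = find_prime_in_memory(make_dump(P, at=1000), N, PRIME_LEN)
    if hit:
        p, q, off = hit
        print(f"prime found at offset {off}; d = {rebuild_private_exponent(p, q):#x}")
    # Same scan on an image where the prime is no longer present.
    print("after purge:", find_prime_in_memory(make_dump(), N, PRIME_LEN))
```

Only one prime has to survive in memory, because the other follows from dividing the modulus by it.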
It's unfortunate that these tools have very specific limitations, but those who are able to take advantage of them are sure to be thankful.