The newly created software tries to recover the prime numbers of the RSA private key used by WannaCry. This is why the machine must not be rebooted after the infection. Users must also have admin-level access to the infected system.
Check Point is among the cybersecurity firms warning that victims should not pay the ransom demanded by WannaCry ransomware. So far, the ransomware has hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses, Xinhua news agency reported.
Attack will continue for a while - The WannaCry Ransomware spreads through unsafe file sharing practices all around the internet.
The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.
In reality, the best way to protect yourself and your company from ransomware and other cyber attacks is to keep your PC as up-to-date as possible. A restart matters because the tool automatically seeks out prime numbers in the computer's memory, and those numbers might get overwritten if the device has been restarted.
"Secondly, because of the same reason we do not know how long the prime numbers will be kept in the address space before being reused by the process." There are two tools: WannaKey and the one today's news is about, WanaKiwi. The system is expected to work on all Windows operating systems that have been affected by WannaCry.
How can you tell if a computer is infected? Remember, Microsoft guarantees no security support whatsoever for Windows XP.
"This is not an ideal solution," Suiche said.
In addition to Windows 7, 1.5% of the victims of WannaCry were users of Windows Server 2008, the server version of this operating system. Eastern U.S. Time on Monday, 315 victims had paid 49 bitcoins - worth about $108,000 - to one of the three bitcoin wallets tied to the ransomware. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does clean up the memory (and so this recovery technique won't work).
Particularly vulnerable systems should be shut down as a final fail-safe way to stop the ransomware. It's not clear when - or if - that might ever happen.
Of course, this strategy depends on WannaCry's developer or developers being identified, caught and brought to justice.