French researchers have released software tools that they claim can restore some of the computers infected by the WannaCry ransomware. The researchers said, however, the tools are not perfect and only work if the infected computers have not been rebooted after being hit by the program. The researchers _ Adrien Guinet, Matthieu Suiche and Benjamin Delpy, worked separately.
In his research summary, Guinet _ who works for the Paris-based firm Quarkslab _ said his software had only been tested to work under Windows XP. He added the software helps recover the prime numbers of the RSA private key that are used by WannaCry. After Guinet’s fix for Windows XP came out, others looked for ways to extend that to other operating systems and have succeeded in applying the technique to the newer Windows 7 program as well.
The developments came Friday, the apparent deadline for owners of some infected machines to pay the ransom or lose their files forever. Still it’s not likely the technique will help many people, particularly because it works only if their machines have not been rebooted. Companies needing to restore their operations right away likely would have turned to backups, if available, by now.
Chris Wysopal, chief technology officer with the software security company Veracode, says after ransomware attacks, researchers will often infect one of their own machines on purpose to see if the key is somehow left in the memory. That happened here with some systems of Windows. WannaCry encrypts victims’ computer files and displays a message demanding ransoms to be paid in the digital currency Bitcoin before people can get their files back.