NHS ransomware: UK government says it's North Korea's fault WannaCry happened

The Foreign Office said it will find, pursue and respond to the malicious activity

19/05/2017:Researcher claims to have bypassed WannaCry encryption

Victims hit by the recent WannaCry attack may be able to avoid paying the $300 to $600 ransom demand, as a researcher says he has found a way to access the secret decryption key.

Adrien Guinet of Franced-based research firm Quarkslab, has made software available that he says granted him access to the decryption key on a system running Windows XP, allowing him to bypass the payment demand and recover his files.

"This software has only been tested and known to work under Windows XP," wrote Guinet, in a message alongside his GitHub post. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"

So far it appears the software, known as WannaKey, hasn't been tested fully in the wild so it's difficult to say whether it's a reliable work around.

Advertisement - Article continues below
Advertisement - Article continues below

WannaCry is the most recent widespread ransomware campaign, which infected and encrypted data on networks across the world last week, most notably the NHS. The infection is able to block users from accessing files that are normally only recoverable through a $300 to $600 payment. WannaCry exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.

More modern versions of Windows erase this key through memory cleanups, however a flaw in Windows XP allows for some instances where WannaKey is able to scour the system memory for traces of the variables used to generate the key. Importantly, this only works if the computer has not been powered down, so it is advised that affected machines are left running.

If a match is found during the scan, a key will be generated which can then be used to decrypt affected files."If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," added Guinet.

As the software makes use of an oversight on Windows XP, those affected users running later operating systems will need to look elsewhere for a solution. The advice is to leave affected machines powered on and wait to see if a work around becomes available.

Update: A second WannaCry software workaround appears to have been successful at sourcing the decryption key on a Windows 7 machine. Matt Suiche, researcher and founder of Comae Technologies, reports that a tool known as WannaKiwi, which works in a similar way to Wannakey, has been able to decrypt data on a machine running Windows 7.

16/05/2017:WannaCry attackers may be North Korean

Similarities between the WannaCry ransomware attack that knocked NHS hospitals offline and previous cyber incidents suggest the culprits are based in North Korea, security experts have said.

The evidence is not conclusive, but multiple security researchers have discovered similarities between the code used in early versions of the WannaCry ransomware and attacks on targets including Bangladeshi and Polish banks and Sony Pictures - attacks that were later attributed to North Korea. "The scale of the Lazarus operations is shocking," Kaspersky Lab researchers said in a blog post.

These links were pointed out by a Google researcheron Twitter, and the New York Timesreports that they were corroborated by Symantec. However, Kaspersky researchers noted that this could be a 'false flag operation', designed to trick experts into thinking the attacks were carried out by someone else.

It was also spotted that the code linking WannaCry to the Lazarus attacks was not present in the latest sample of the malware, meaning that the perpetrators could be trying to cover their tracks. Kaspersky Labs called for further scrutiny. "For now, more research is required into older versions of Wannacry," the post said. "We believe this might hold the key to solve some of the mysteries around this attack."

Advertisement - Article continues below

Indeed, others noted that such code overlap doesn't prove anything other than the fact hackers borrow and steal from each other."The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Newsweek.

Advertisement - Article continues below

Whoever the culprits are, they haven't made much cash from the disruption their hack has caused. A White House spokesperson said yesterday that while 300,000 computers in 150 countries were infected, only about $70,000 in ransom had been paid, according to a Reuters report.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020