NHS ransomware: UK government says it's North Korea's fault WannaCry happened

The Foreign Office said it will find, pursue and respond to the malicious activity

19/05/2017: Researcher claims to have bypassed WannaCry encryption

Victims hit by the recent WannaCry attack may be able to avoid paying the $300 to $600 ransom demand, as a researcher says he has found a way to access the secret decryption key.

Adrien Guinet, of France-based research firm Quarkslab, has made software available that he says granted him access to the decryption key on a system running Windows XP, allowing him to bypass the payment demand and recover his files.

"This software has only been tested and known to work under Windows XP," wrote Guinet, in a message alongside his GitHub post. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work and so it might not work in every case!"

So far it appears the software, known as WannaKey, hasn't been tested fully in the wild, so it's difficult to say whether it's a reliable workaround.


WannaCry is the most recent widespread ransomware campaign, which infected and encrypted data on networks across the world last week, most notably the NHS. The infection is able to block users from accessing files that are normally only recoverable through a $300 to $600 payment. WannaCry exploited vulnerabilities in the Microsoft Cryptographic API built into Windows to create and hide a decryption key.

More modern versions of Windows erase this key through memory cleanups; however, a flaw in Windows XP means that in some instances WannaKey is able to scour the system memory for traces of the variables used to generate the key. Importantly, this only works if the computer has not been powered down, so it is advised that affected machines are left running.

If a match is found during the scan, a key will be generated which can then be used to decrypt affected files. "If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," added Guinet.
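The memory scan described above, as an added sketch that is not WannaKey's own code: slide a window over a memory image, treat each window as a candidate prime, and keep the one that divides the public RSA modulus. The toy key size, the little-endian storage layout, the exponent 65537 and the memory image are all constructed assumptions for illustration.

```python
# Added illustration (not WannaKey's code): find an RSA prime left in memory.
# All values are constructed: a toy 255-bit modulus built from two well-known
# 16-byte primes, and a 4 KiB "memory image". Real keys are far larger.
P = 2**127 - 1            # Mersenne prime M127
Q = 2**128 - 159          # largest prime below 2**128
N = P * Q                 # public modulus, known to the victim
E = 65537                 # public exponent (assumed)
PRIME_LEN = 16            # bytes per prime in this toy key


def make_image(prime_still_present: bool) -> bytes:
    """Build a constructed memory image, optionally containing P at offset 1000."""
    image = bytearray((i * 37 + 11) % 256 for i in range(4096))
    if prime_still_present:
        # Assumption: the prime is stored as a little-endian integer.
        image[1000:1000 + PRIME_LEN] = P.to_bytes(PRIME_LEN, "little")
    return bytes(image)


def find_prime_factor(memory: bytes, modulus: int, prime_len: int):
    """Slide a window over memory; return (offset, value) for the first window
    that divides the modulus, or None if the prime has been overwritten."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(p: int, modulus: int, e: int = E) -> int:
    """With one prime known, the other prime and the private exponent follow."""
    q = modulus // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    hit = find_prime_factor(make_image(True), N, PRIME_LEN)
    print("prime found at offset", hit[0])
    d = rebuild_private_exponent(hit[1], N)
    secret = 0x4B4559                       # constructed stand-in for a file key
    assert pow(pow(secret, E, N), d, N) == secret
    print("after wipe:", find_prime_factor(make_image(False), N, PRIME_LEN))
```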

As the software makes use of an oversight on Windows XP, those affected users running later operating systems will need to look elsewhere for a solution. The advice is to leave affected machines powered on and wait to see if a workaround becomes available.

Update: A second WannaCry software workaround appears to have been successful at sourcing the decryption key on a Windows 7 machine. Matt Suiche, researcher and founder of Comae Technologies, reports that a tool known as WannaKiwi, which works in a similar way to WannaKey, has been able to decrypt data on a machine running Windows 7.

16/05/2017: WannaCry attackers may be North Korean

Similarities between the WannaCry ransomware attack that knocked NHS hospitals offline and previous cyber incidents suggest the culprits are based in North Korea, security experts have said.

The evidence is not conclusive, but multiple security researchers have discovered similarities between the code used in early versions of the WannaCry ransomware and attacks on targets including Bangladeshi and Polish banks and Sony Pictures - attacks that were later attributed to North Korea. "The scale of the Lazarus operations is shocking," Kaspersky Lab researchers said in a blog post.

These links were pointed out by a Google researcher on Twitter, and the New York Times reports that they were corroborated by Symantec. However, Kaspersky researchers noted that this could be a 'false flag operation', designed to trick experts into thinking the attacks were carried out by someone else.

It was also spotted that the code linking WannaCry to the Lazarus attacks was not present in the latest sample of the malware, meaning that the perpetrators could be trying to cover their tracks. Kaspersky Lab called for further scrutiny. "For now, more research is required into older versions of Wannacry," the post said. "We believe this might hold the key to solve some of the mysteries around this attack."


Indeed, others noted that such code overlap doesn't prove anything other than the fact hackers borrow and steal from each other. "The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Newsweek.


Whoever the culprits are, they haven't made much cash from the disruption their hack has caused. A White House spokesperson said yesterday that while 300,000 computers in 150 countries were infected, only about $70,000 in ransom had been paid, according to a Reuters report.
