This New Tool Can Free Files from WannaCry

UPDATED 3:00 pm Friday with clarification that WannaCry does not spread to computers running Windows XP.

If you've had your files encrypted by the WannaCry ransomware, and you happen to be running Windows XP, Windows Vista or Windows 7, you may be in luck. A newly released tool reverses the WannaCry encryption and frees up the files — but only sometimes.

Credit: Zhou Eka/Shutterstock


The caveat is that the tool, posted online today (May 19) by French researcher Benjamin Delpy and called Wanakiwi, may not always work for technical reasons. And it won't work at all if you've rebooted your computer since the WannaCry infection, or if you're running Windows 8, 8.1 or 10.

But if it's been nearly a week since you were infected by WannaCry, and the ransomware is threatening to delete your files, then it couldn't hurt to try this. Your only other option may be to pay the ransom, and it's not clear if the WannaCry operators are living up to their word.


The decryptor tool arrives just as the first computers infected by WannaCry a week ago (May 12) reach a crucial deadline set by the WannaCry developers. Victims were given three days to pay the $300 ransom before it doubled, and seven days to pay before the encrypted files were deleted.

How to use Wanakiwi

To try to free up your files, download wanakiwi.zip, the compressed version of Wanakiwi, here. Right-click the file in your Downloads folder and select "Extract all."

Then find the Wanakiwi folder in Downloads, open it and double-click wanakiwi.exe to begin the decryption process. (Caveat: We couldn't get wanakiwi.exe to run on our uninfected workplace Windows 7 system, but that may have been due to a permissions issue.)

However, Wanakiwi will not always work, for reasons explained below.

How Wanakiwi works

Delpy's Wanakiwi is based on a different tool called Wannakey, released yesterday (May 18) by Adrien Guinet, another French researcher. Guinet exploited a flaw in older versions of Windows to retrieve WannaCry's encryption key from a PC's memory.

More specifically, both of these decryption tools dive into the computer's running memory to retrieve the two random prime numbers that were used to compute the encryption key.

"His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself," noted French malware researcher Matt Suiche, who runs the information-security firm Comae in Dubai, in a blog post. "In short, his technique is totally bad ass and super smart."

But the longer a computer runs after encryption, the greater the chances that the WannaCry random prime numbers may be overwritten in memory. And if a computer is rebooted, the memory is wiped and the keys are lost.
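The recovery idea described above, as an added illustration that is not code from Wannakey or Wanakiwi: scan a memory image for a value that divides the public modulus, then recompute the private exponent, and see the search fail once the bytes have been overwritten. The toy key, the little-endian half-length storage layout, the dump contents and all function names are assumptions made for this example.

```python
import random

# Constructed toy key (not WannaCry's): two well-known primes, common exponent.
P, Q, E = 2**61 - 1, 2**64 - 59, 65537
N = P * Q  # public modulus, available to the victim from the public key


def find_prime_and_rebuild(dump: bytes, n: int, e: int = E):
    """Slide over a memory image looking for a factor of n; rebuild (p, q, d).

    Assumption: a prime is stored as a little-endian integer half as long
    as n. Returns None when no intact copy survives in the image.
    """
    half = ((n.bit_length() + 7) // 8) // 2
    for off in range(len(dump) - half + 1):
        cand = int.from_bytes(dump[off:off + half], "little")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            d = pow(e, -1, (p - 1) * (q - 1))  # recomputed private exponent
            return p, q, d
    return None


def make_dump(prime: int, overwritten: bool = False) -> bytes:
    """Constructed 'process memory': random filler with the prime at offset 1337."""
    rng = random.Random(2017)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    raw = prime.to_bytes(8, "little")
    if overwritten:  # freed memory reused: part of the prime is clobbered
        raw = raw[:3] + b"\x00\x00" + raw[5:]
    buf[1337:1345] = raw
    return bytes(buf)


if __name__ == "__main__":
    print(find_prime_and_rebuild(make_dump(P), N))        # (p, q, d) recovered
    print(find_prime_and_rebuild(make_dump(P, True), N))  # None: prime is gone
```

Only one of the two primes needs to survive, since the other follows from dividing the modulus by it.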

Guinet's tool works only on Windows XP. Delpy's Wanakiwi extends compatibility to Windows 7 and, by implication, to Windows Vista, which was released between Windows XP and Windows 7. However, the flaw that the decryption tools exploit was fixed in Windows 8 and later.

Ironically, some researchers think that WannaCry may not have directly infected Windows XP computers because there was a flaw in the way the ETERNALBLUE exploit, stolen from the NSA, attacked XP machines through a network. The ransomware part of WannaCry does work on Windows XP, if it gets onto the machine some other way, and on all other versions of Windows.

UPDATE: "The worm that spreads WannaCry does not work for XP," Jerome Segura, lead malware intelligence analyst for Malwarebytes, told Tom's Guide. "So yes, you'd have to install the ransomware by other means, which is why there aren't many infections on XP at all."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
