This New Tool Can Free Files from WannaCry

UPDATED 3:00 pm Friday with clarification that WannaCry does not spread to computers running Windows XP.

If you've had your files encrypted by the WannaCry ransomware, and you happen to be running Windows XP, Windows Vista or Windows 7, you may be in luck. A newly released tool reverses the WannaCry encryption and frees up the files — but only sometimes.

Credit: Zhou Eka/Shutterstock

(Image credit: Zhou Eka/Shutterstock)

The caveat is that the tool, posted online today (May 19) by French researcher Benjamin Delpy and called Wanakiwi, may not always work for technical reasons. And it won't work at all if you've rebooted your computer since the WannaCry infection, or if you're running Windows 8, 8.1 or 10.

But if it's been nearly a week since you were infected by WannaCry, and the ransomware is threatening to delete your files, then it couldn't hurt to try this. Your only other option may be to pay the ransom, and it's not clear if the WannaCry operators are living up to their word.

MORE: What You Need to Know About WannaCry

The decryptor tool arrives just as the first computers infected by WannaCry a week ago (May 12) reach a crucial deadline set by the WannaCry developers. Victims were given three days to pay the $300 ransom before it doubled, and seven days to pay before the encrypted files were deleted.

How to use WanaKiwi

To try to free up your files, download, the compressed version of Wanakiwi, here. Right-click the file in your Downloads folder and select "Extract all."

Then find the Wanakiwi folder in Downloads, open it and double-click wanakiwi.exe to begin the decryption process. (Caveat: We couldn't get wanakiwi.exe to run on our uninfected workplace Windows 7 system, but that may have been due to a permissions issue.)

However, Wanakiwi will not always work, for reasons explained below.

How Wanakiwi works

Delpy's Wanakiwi is based on a different tool called Wannakey, released yesterday (May 18) by Adrien Guinet, another French researcher. Guinet exploited a flaw in older versions of Windows to retrieve WannaCry's encryption key from a PC's memory.

More specifically, both of these decryption tools dive into the computer's running memory to retrieve the two random prime numbers that were used to compute the encryption key.

"His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself," noted French malware researcher Matt Suiche, who runs the information-security Comae in Dubai, in a blog post. "In short, his technique is totally bad ass and super smart."

But the longer a computer runs after encryption, the greater the chances that the WannaCry random prime numbers may be overwritten in memory. And if a computer is rebooted, the memory wipes and the keys are lost.

Guinet's tool works only on Windows XP. Delpy's Wanakiwi extends compatibility to Windows 7 and, by implication, to Windows Vista, which was released between Windows XP and Windows 7. However, the flaw that the decryption tools exploit was fixed in Windows 8 and later.

Ironically, some researchers think that WannaCry may not have directly infected Windows XP computers because there was a flaw in the way the ENTERNALBLUE exploit, stolen from the NSA, attacked XP machines through a network. The ransomware part of WannaCry does work on Windows XP, if it gets on to the machine some other way, and on all other versions of Windows.

UPDATE: "The worm that spreads WannaCry does not work for XP," Jerome Segura, lead malware intelligence analyst for Malwarebytes, told Tom's Guide. "So yes, you'd have to install the ransomware by other means, which is why there aren't many infections on XP at all."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.