File carving can reverse WannaCry ransomware encryption, says McAfee

News by SC Staff

Security researchers at McAfee say they have developed an experimental method for recovering files encrypted by WannaCry ransomware.

As the dust from the worldwide outbreak of the WannaCry ransomware settles, and the hunt for patient zero begins, Raj Samani, chief scientist at McAfee, claims he and his team may have found a way to recover data from files which the WannaCry ransomware has encrypted.

Samani, Christiaan Beek and Charles McFarland have written a blog post on the experimental recovery method and warned that the technique is “provided as is, we accept no responsibility if things don't go as expected”.

However, if your files are all encrypted and you don't have a backup, you typically don't have much to lose.

Samani has given an early sneak peek to SC which describes how the researchers used a file recovery method named “file carving” to recover WannaCry-encrypted data. This is possible thanks to WannaCry's file handling methods.

According to the researchers, success depends on whether WannaCry copies a file, encrypts the copy and then deletes the original, or whether a different method is at play.

The researchers write: “In our testing we have had some cases where the recovery did an almost full recovery and others in which it was near zero.” However, they caution: “The number of variables are too exhaustive to list.”
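To illustrate what “file carving” means in this context, here is an added example that is not McAfee's tool or code and does not reproduce any WannaCry-specific logic. It scans a raw byte image (a constructed stand-in for a disk or partition dump) for well-known header and footer signatures and carves out whatever lies between them, which is how carving can recover a deleted original whose clusters have not yet been overwritten. The sample image, the signature table and the `carve` function are all assumptions made for this example; the JPEG fragment deliberately lacks its footer to show the “near zero” outcome the researchers describe when data has been clobbered.

```python
from __future__ import annotations
from dataclasses import dataclass

# Header/footer magic bytes for a few common formats. Real carvers
# (e.g. PhotoRec, Scalpel) ship far larger tables; this one is minimal.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class Carved:
    kind: str      # format name from SIGNATURES
    offset: int    # byte offset in the image where the header was found
    data: bytes    # header through footer, inclusive


def carve(image: bytes, max_size: int = 50 * 1024 * 1024) -> list[Carved]:
    """Header/footer carving over a raw image.

    Filesystem metadata is ignored on purpose: a deleted original still has
    its bytes on disk until something overwrites them, so we look only at
    content. A header with no footer within max_size is treated as
    unrecoverable (overwritten or truncated) and skipped.
    """
    results: list[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f == -1:
                # Header present but no trailer: partial/destroyed file.
                start = h + 1
                continue
            end = f + len(footer)
            results.append(Carved(kind, h, image[h:end]))
            start = end
    results.sort(key=lambda c: c.offset)
    return results


# --- Constructed sample data (not from any real disk or victim) ------------

# PNG-shaped bytes: valid header and IEND trailer, dummy chunk body.
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"A" * 17
              + b"IEND\xaeB`\x82")
# Minimal PDF-shaped bytes with a proper %%EOF marker.
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
# JPEG header whose remainder has been overwritten: no FFD9 trailer follows.
JPG_CLOBBERED = b"\xff\xd8\xff\xe0" + b"\x00" * 64


def build_sample_image() -> bytes:
    """Assemble a raw image with free space, two intact deleted originals
    and one partially overwritten file, separated by zeroed clusters."""
    return (b"\x00" * 1024
            + PNG_SAMPLE
            + b"\x00" * 512
            + JPG_CLOBBERED
            + b"\x00" * 256
            + PDF_SAMPLE
            + b"\x00" * 1024)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes")
```

Running this carves the PNG and the PDF but not the JPEG, because its trailer is gone: that is the same all-or-nothing behaviour behind the researchers' “almost full” versus “near zero” results. On a real system the variables they mention (whether the original's clusters were reused by the encrypted copy, how much the disk has been written to since, SSD TRIM) decide how much survives, so imaging the disk before any further writes is the single most important step.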

More details are available in a post from McAfee in The SC Blog.

Samani told SC Media UK at a press conference hosted by Barracuda Networks yesterday that his work to figure out this method of recovery was spurred on by complaints that WannaCry victims who paid the ransom didn't get a decryption key.

According to various sources, WannaCry doesn't have an automated system for processing decryption keys when victims pay, so each request has to be handled manually.

Samani, who helps run the nonprofit ransomware recovery hub in partnership with Barracuda Networks and a number of other security companies and law enforcement agencies, said they had a very busy weekend.

On a normal day No More Ransom, which provides free-of-charge recovery tools for ransomware victims, sees around 400,000 HTTP connections. On 12 May, when news broke of the WannaCry infection, Samani told SC that their connection numbers rose to eight million.

The website is also suffering attacks. Samani wouldn't elaborate but said the technology and infrastructure around the website collects information about these and has essentially become a honeypot. One particular IP address had orchestrated over 600,000 attacks on the website, Samani said without revealing more details.

Unfortunately, Samani said an encryption key for WannaCry has not yet been discovered. He claimed that according to vulnerability search engine Shodan, 1.4 million machines around the world are still open to the SMB vulnerability.

Samani told the Barracuda Networks press conference, attended by trade, specialist and national press, yesterday that, “Digitally speaking, we are constantly in crisis, and this has to stop.” He added, “Cyber-crime isn't bits and bytes, it's everyday life.”
