Home Security 'WannaKey' and 'WanaKiwi' can decrypt Wannacry – in very specific circumstances

'WannaKey' and 'WanaKiwi' can decrypt Wannacry – in very specific circumstances

A Comae Technologies blog post by Matt Suiche, who describes himself as a “Hacker, Microsoft MVP and Founder of @comaeio” has arrived, entitled “WannaCry - Decrypting files with WanaKiwi + Demos.

Confirmed to work with Windows XP x86 and Windows 7 x86, the tool has serious caveats but shoud also work for Windows 2003, 2008, 2008 R2 and Windows Vista.

The blog post starts off by stating:

“In Short
DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because prime numbers may be over written in memory after a while.”

This means that anyone infected by the Wannacry ransomware can use the decryption tools linked below to scour a computer's memory to find the ransomware's encryption and decryption key, and to then use that key to decrypt encrypted files. It depends on you not rebooting your comptuer, and it depends on timely usage of the decryption tools, so it's not a magic bullet fix for all Wannacry infections.

That said, if used quickly, it could well help you decrypt your files quickly and easily - but please, if you haven't patched your Windows XP through Windows 7 computers yet, please do so immediately!

More detail continues below.

Suiche notes that “Adrien Guinet" published a tool called "Wannakey" to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is "totally bad ass and super smart.”

Clicking on the “Wannakey” link above causes the Norton Security on my Mac to state it is a dangerous site, but this may simply be a false positive - but please take caution. 

However, Wannakey worked on Windows XP only, with Suiche updating his blog post to note that "Benjamin Delpy" had released "WanaKiwi" which “works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2. See demos in the below GIFs.”

The WanaKiwi link also brings up a Norton Security warning that the site has security risks, but again, this may well be a false positive.

The GIFs referred to can be found at Suiche’s blog post.

At his Twitter page, Adrien Guinet stated two hours ago at time of publication that:

Twenty hours ago at time of publication, Benjamin Delpy tweeted:

Are Technica has more information here, as does CNET here.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.