Patient Research pays off

Kaspersky Lab has come to the conclusion that the ransomware contained mistakes in its code that would allow a user to decrypt or restore their files with publicly available tools or even basic commands. Anton Ivanov, senior malware analyst at Kaspersky Lab, along with colleagues Fedor Sinitsyn and Orkhan Mamedov, researched the malware in depth and detailed three critical errors made by its developers that can allow a sysadmin to restore affected files.

According to the researchers, the issue resides in the way the malware carries out the encryption. The malware first renames the original files with the extension “.WNCRYT”, then encrypts them, and finally deletes the originals. It does this because it is not possible for malware to directly encrypt or modify read-only files. As a result, the original files remain untouched and only receive a “hidden” attribute, so restoring them requires nothing more than restoring the original attributes. This wasn’t the only error, however: in some cases the malware even failed to delete the original files after encryption.

Recovery from System Drive

The researchers specified that files that resided in important locations such as the Documents or Desktop folders cannot be recovered without the decryption key, since the malware was coded to overwrite the original files with random data before deleting them, negating any sort of recovery. However, files that resided in other locations could be restored from the temporary folder by means of data recovery software. The same researchers also found that the malware creates a hidden ‘$RECYCLE’ folder into which it moves all of the original files after encrypting them; all you need to do is un-hide the ‘$RECYCLE’ folder and you get your files back.
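The two recoverable cases described above (originals left in place as hidden read-only files, and originals moved into a hidden ‘$RECYCLE’ folder) can be triaged with a short script. The following PowerShell is an added example written for this article, not code from Kaspersky Lab or The Hacker News. It assumes the affected volume is mounted read-write as a copy or forensic image (the `$Root` path), and it assumes that the encrypted copy of a file sits beside the original with the “.WNCRYT” suffix appended to the original name; that naming is an assumption taken from the extension the article mentions and is exposed as the `$EncryptedSuffix` parameter so it can be adjusted. Without `-Apply` the script only reports what it would change.

```powershell
<#
  Added example (not Kaspersky's or The Hacker News' code): triage and recovery helper
  for the two recoverable cases described in the article:
    1. read-only originals left in place with the Hidden attribute set, next to
       their encrypted copies;
    2. originals moved into a hidden '$RECYCLE' folder.
  Run against a mounted copy or forensic image of the affected volume, not the live
  system. Without -Apply the script only reports; with -Apply it clears the Hidden bit.
  Assumption: the encrypted copy is named <original name> + $EncryptedSuffix.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Root,                        # e.g. 'E:\' for a mounted image
    [string]$EncryptedSuffix = '.WNCRYT', # assumed naming of the encrypted copy
    [switch]$Apply
)

function Clear-HiddenBit {
    param([System.IO.FileSystemInfo]$Item)
    # Clear only the Hidden flag; leave ReadOnly set so nothing overwrites the original.
    $Item.Attributes = [System.IO.FileAttributes](
        $Item.Attributes -band (-bnot [System.IO.FileAttributes]::Hidden))
}

$restored = 0

# Case 1: hidden, read-only originals that have an encrypted sibling beside them.
$hiddenReadOnly = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [System.IO.FileAttributes]::ReadOnly) -and
        ($_.Extension -ne $EncryptedSuffix)
    }

foreach ($f in $hiddenReadOnly) {
    $sibling = Join-Path $f.DirectoryName ($f.Name + $EncryptedSuffix)
    if (Test-Path -LiteralPath $sibling) {
        Write-Output "[original] $($f.FullName)  (encrypted copy: $sibling)"
        if ($Apply) { Clear-HiddenBit $f; $restored++ }
    }
}

# Case 2: hidden '$RECYCLE' folders holding the moved originals.
$recycleDirs = Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -eq '$RECYCLE' -and
        ($_.Attributes -band [System.IO.FileAttributes]::Hidden)
    }

foreach ($dir in $recycleDirs) {
    $files = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
    Write-Output "[folder]   $($dir.FullName)  ($($files.Count) file(s))"
    if ($Apply) {
        Clear-HiddenBit $dir
        foreach ($f in $files) { Clear-HiddenBit $f; $restored++ }
    }
}

if ($Apply) { Write-Output "Un-hid $restored item(s)." }
else        { Write-Output "Report only. Re-run with -Apply to clear the Hidden attribute." }
```

Run it first without `-Apply` and review the report; the only change `-Apply` makes is clearing the Hidden attribute, which is the recovery step the researchers describe. The ReadOnly bit is deliberately left in place so the recovered originals cannot be overwritten before they are copied off the volume.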
In some cases, due to “synchronization errors”, the original files also stayed put in their original directories, allowing users to recover them with simple data recovery software.

Hope for WannaCry victims

These errors come as a ray of hope for victims of the malware who were unable to recover their files. French researchers Adrien Guinet and Benjamin Delpy made recovery possible by creating a free WannaCry decryption tool that runs on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and Windows Server 2008. Meanwhile, the world still hunts for the perpetrators of the headline-grabbing ransomware.

Source: The Hacker News