Sometimes ransomware developers make mistakes in the code. These errors can help the victims to have access to their files again after the ransomware infection.
This article is a short description of several errors that have been made by the developers of WannaCry ransomware.
Errors in file deletion logic:
When Wannacry encrypts the victim’s files, reads the original file, encrypts the content, and saves the file with “.WNCRYT” extension. After encryption it converts it from “.WNCRYT” to “.WNCRY” and erases the original file.
This deletion logic varies depending on the location and properties of the victim’s files.
These files are stored in the system drive:
- If the files are in an important location (from the point of view of the Malware developer; eg Desktop and Documents), then the original files will be replaced with random data before deletion. In this case, there is no possibility of restoring files and content.
- If the files are stored outside the important folders’ locations, then the originals will be transferred to %TEMP% \%d.WNCRYT (where %d is a random number). These files include original data and are not replaced, they are simply deleted from the disk, which means that there is a high probability that they will be recovered with Recovery Software.
The files that have been renamed are in the %TEMP% folder.
The files are located on another disk (off-system):
- Ransomware creates the $RECYCLE folder and defines hidden system properties in this folder. This makes the folder invisible in Windows Explorer if it has the default settings. Malware transfers the original files to this file after encryption.
The process finds the temporary file path to save the original before deleting.
- In other words, because of sync errors in the ransomware code in many cases original files are in the same location and are not moved into $RECYCLE.
- Original files are deleted in an unsafe way. Given this, it is possible to recover lost files with Recovery Software.
Original files can also be recovered from a disk out of the system.
This process produces a temporary path for the original files.
The code piece that does the above procedures.
The processing error of read-only files:
As we analyzed WannaCry, we found that this ransomware has a Read-Only file processing error. If there are files like those in the infected machine, then ransomware will not encrypt the files. It will create an encrypted copy for every original file, while original files are defined with new “hidden” properties. As long as this happens, it’s simple to find them and recover their original properties.
Original read-only files are not encrypted and are in their original locations.
- From our research on ransomware, it is clear that ransomware developers made many mistakes and the quality of the code is very low.
- If you are infected with WannaCry ransomware there are a lot of chances to retrieve your original files. To recover the files you can use free “File Recovery” tools.
- We suggest companies share this article with system administrators because they can use free “File Recovery” programs for their infected machines on their network.
(Συνολικές Επισκέψεις: / Total Visits: 10)
(Σημερινές Επισκέψεις: / Today's Visits: 1)