WannaCry’s programming errors help you to recover your files after infection.

WannaCry's programming errors help you to recover your files after infection.
WannaCry’s programming errors help you
to recover your files after infection.

Sometimes ransomware developers make mistakes in the code. These errors can help the victims to have access to their files again after the ransomware infection.

This article is a short description of several errors that have been made by the developers of WannaCry ransomware.

Errors in file deletion logic:

When Wannacry encrypts the victim’s files, reads the original file, encrypts the content, and saves the file with “.WNCRYT” extension. After encryption it converts it from “.WNCRYT” to “.WNCRY” and erases the original file.

This deletion logic varies depending on the location and properties of the victim’s files.

These files are stored in the system drive:

  • If the files are in an important location (from the point of view of the Malware developer; eg Desktop and Documents), then the original files will be replaced with random data before deletion. In this case, there is no possibility of restoring files and content.
WannaCry's programming errors help you to recover your files after infection.
Files are in an important location
  • If the files are stored outside the important folders’ locations, then the originals will be transferred to %TEMP% \%d.WNCRYT (where %d is a random number). These files include original data and are not replaced, they are simply deleted from the disk, which means that there is a high probability that they will be recovered with Recovery Software.
WannaCry's programming errors help you to recover your files after infection.
Renamed original files that can be restored from %TEMP%

The files that have been renamed are in the %TEMP% folder.

The files are located on another disk (off-system):

  • Ransomware creates the $RECYCLE folder and defines hidden system properties in this folder. This makes the folder invisible in Windows Explorer if it has the default settings. Malware transfers the original files to this file after encryption.
WannaCry's programming errors help you to recover your files after infection.
The procedure that determines the temporary directory to store original files before removal

The process finds the temporary file path to save the original before deleting.

  • In other words, because of sync errors in the ransomware code in many cases original files are in the same location and are not moved into $RECYCLE.
  • Original files are deleted in an unsafe way. Given this, it is possible to recover lost files with Recovery Software.
WannaCry's programming errors help you to recover your files after infection.
Original files that can be restored the from a non-system drive

Original files can also be recovered from a disk out of the system.

WannaCry's programming errors help you to recover your files after infection.
The procedure that constructs the temporary path for an original file

This process produces a temporary path for the original files.

The code piece that does the above procedures.

WannaCry's programming errors help you to recover your files after infection.
The piece of code calling the above procedures

The processing error of read-only files:

As we analyzed WannaCry, we found that this ransomware has a Read-Only file processing error. If there are files like those in the infected machine, then ransomware will not encrypt the files. It will create an encrypted copy for every original file, while original files are defined with new “hidden” properties. As long as this happens, it’s simple to find them and recover their original properties.

WannaCry's programming errors help you to recover your files after infection.
Original read-only files are not encrypted and stay in the same place

Original read-only files are not encrypted and are in their original locations.

Conclusions:

  • From our research on ransomware, it is clear that ransomware developers made many mistakes and the quality of the code is very low.
  • If you are infected with WannaCry ransomware there are a lot of chances to retrieve your original files. To recover the files you can use free “File Recovery” tools.
  • We suggest companies share this article with system administrators because they can use free “File Recovery” programs for their infected machines on their network.

Source: https://securelist.com/


(Συνολικές Επισκέψεις: / Total Visits: 9)

(Σημερινές Επισκέψεις: / Today's Visits: 1)
Σας αρέσει το άρθρο; / Do you like this post?
+1
0
+1
0
+1
0
+1
0
+1
0
+1
0
+1
0

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.