Decrypting files after the WannaCry ransomware attack is possible: here is how to do it

To decrypt files after the WannaCry ransomware attack, the following two conditions must be met.

First: Decryption is possible only for Windows XP, Windows Vista, Windows 7 and Windows Server 2003, 2008 and 2008 R2.

Second: The computer must not have been turned off after the files were encrypted. The data needed for decryption is held only in RAM and is irretrievably lost on restart.

Step by step instructions

If your computer shows screens like those described in the article detailing the WannaCry ransomware, do not panic yet: there is a chance to decrypt your files if you meet the two conditions above. Above all, do not turn off the computer!

1. Download the WanaKiwi software: https://github.com/gentilkiwi… and extract.

2. Copy "wanakiwi.exe" to the folder containing the file with the .PKY extension, which should be in the location from which the ransomware was started. If you have trouble determining where the virus came from, search the computer for "*.pky" files using the file search function.

3. Run the CMD.exe interpreter (the command line).

4. Drag and drop "wanakiwi.exe" into the CMD window, or use the "cd" command to change to the directory where "wanakiwi.exe" is located. For example: "cd c:\users\username\desktop"

5. Run the decryptor at the command prompt with the "wanakiwi.exe" command.

6. Wait patiently ...

The earlier publication of another tool, WannaKey, made it possible to develop the seemingly simple WanaKiwi program, which recovers from RAM the two prime numbers that divide the RSA public key (the modulus). Without these numbers, decrypting the encrypted files is not possible. The method does not rely on factorization, i.e. splitting an extremely large number into its two prime factors; with a 2048-bit key (RSA-2048) that would take modern computers thousands of years. Instead, it exploits a flaw in older versions of Windows: the program searches the memory of the wcry.exe process for the prime numbers from which our public key was created. On Windows XP, Windows Vista, Windows 7 and Windows Server 2003, 2008 and 2008 R2 this information is not erased from RAM; on Windows 8 and 10 it is, which is why the method does not work on those systems.
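The recovery idea described above, shown as an added example that is not WanaKiwi's code and not part of the original article: scan a memory image for a window of bytes that, read as an integer, divides the public modulus, then rebuild the private exponent from that prime and decrypt a block. Everything here is constructed for illustration: the "memory dump" is seeded random bytes with one prime placed in it, two 64-bit primes stand in for the 1024-bit primes of a real RSA-2048 key, and the little-endian byte order is assumed.

```python
import random

E = 65537                      # public exponent, as in RSA-2048
PRIME_BYTES = 8                # toy: 64-bit primes instead of 1024-bit ones

# Two 64-bit primes (the largest primes below 2**63 and 2**64) stand in
# for the two 1024-bit primes of a real RSA-2048 key. Constructed values.
P = 9223372036854775783
Q = 18446744073709551557
N = P * Q                      # the public modulus; P and Q are its only factors


def build_fake_dump(prime, size=4096, offset=1337, seed=1):
    """Synthetic stand-in for the wcry.exe process memory: seeded random
    bytes with one prime left behind, stored little-endian (assumed byte
    order of the key material). Constructed data, not a real dump."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + PRIME_BYTES] = prime.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def find_prime_factor(dump, n, prime_bytes=PRIME_BYTES):
    """Slide a window over the image; a window that, read as a little-endian
    integer, is a non-trivial divisor of n is one of the key's primes.
    Returns (offset, prime) or None if nothing in the image divides n."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """Given one prime factor of n, derive the other factor and the private
    exponent d; no factorization of n is needed once p is known."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return d, q


def recover_and_decrypt(dump, n, e, ciphertext):
    """End to end: find a prime in memory, rebuild d, decrypt one RSA block.
    Raises if the image holds no factor, which is what a rebooted machine
    (or a system that wiped the primes) looks like to the tool."""
    hit = find_prime_factor(dump, n)
    if hit is None:
        raise ValueError("no factor of the modulus found in the memory image")
    _, p = hit
    d, _ = rebuild_private_key(n, e, p)
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    message = 0xC0FFEE                 # toy plaintext block, smaller than N
    ciphertext = pow(message, E, N)    # what could be computed with N and E alone
    dump = build_fake_dump(P)
    print("recovered prime at offset", find_prime_factor(dump, N)[0])
    print("decrypted OK:", recover_and_decrypt(dump, N, E, ciphertext) == message)
```

The divisibility test is what makes the scan cheap: the image is never factored, every 8-byte window is simply checked against the modulus, and any non-trivial divisor found must be one of the two primes. An empty result is the situation the two conditions at the top of the article describe, a machine that was rebooted or a Windows version that clears the primes.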

7. If you see output more or less like this, everything went according to plan.


The author of the WanaKiwi program is Matt Suiche. A big thank you goes above all to Adrien Guinet for the tool that extracts the prime numbers from RAM.

There is nothing left to do but enjoy the recovered files. For more technical information about WannaCry and practical tips on protecting yourself against the WannaCry threat, see the article "We advise how to protect computers from WannaCry ransomware".




We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.