WannaCry ransomware code errors could give victims a chance to get files back

Cybersecurity researchers at Kaspersky Lab have analysed the ransomware and say it's of "very low" quality.
Written by Danny Palmer, Senior Writer

WannaCry was widespread - but had many errors in the code.

Image: File photo

The code behind WannaCry, the ransomware which recently infected hundreds of thousands of victims around the globe, was full of mistakes and of very low quality, to such an extent that some victims may able to regain access to their original files even after they've been encrypted.

Analysis of WannaCry by researchers at security company Kaspersky Lab has found that most of the mistakes meant files could be restored with publicly available software tools or even simple commands.

"If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer", the researchers at Kaspersky Lab said in a blog post. "The code quality is very low."

In one instance, a mistake in the read-only file processing mechanism of WannaCry means it isn't able to encrypt read-only files at all. Instead, the ransomware creates encrypted copies of the victims' files, while the original files remain untouched but are set to 'hidden'. That means its easy to get the files back by simply un-hiding them.

This isn't the only example of poor coding within WannaCry. If the ransomware infiltrates a system and the files aren't deemed important by the developers the files are moved to a temporary folder.

Within these files is the original data, which isn't overwritten, but merely deleted from the disk, meaning it's possible to get them back using data recovery software. Unfortunately, if the files are in an 'important' folder, like Documents or Desktop, WannaCry will overwrite the original file with random data and it remains impossible to restore it in this case.

Nonetheless, the many mistakes in the code offer hope to those who become infected as the amateurish nature of the ransomware leaves a lot of leeway for retrieving at least files.

"If you were infected with WannaCry ransomware there is a good chance that you will be able to restore a lot of the files on your affected computer. We advise private users and organizations to use the file recovery utilities on affected machines in their network" said Anton Ivanov, security researcher at Kaspersky Lab.

It isn't the first time WannaCry has been described as something of an amateur form of ransomware - and the fact that only a tiny percentage of infected victims have paid a combined total of $120,000 in Bitcoin ransoms in the three weeks since the attack suggests that while it caused widespread disruption, it has failed to make money, which is the ultimate goal of ransomware.

And while WannaCry did infect many Windows XP systems, many failed attacks resulted in computers crashing and displaying the 'blue-screen of death', again suggesting that might not all be well with the code.

While the identity of those behind the WannaCry campaign remains unknown, police and cybersecurity firms continue to look for answers surrounding the origins of this ransomware.


Editorial standards