Tool can decrypt some files in WannaCry ransomware attack

Tool can decrypt some files in WannaCry ransomware attack
© Getty Images

A new tool can save some files encrypted by the international "WannaCry" ransomware attack, depending on users' operating systems.

The WannaCry attack, built off a tool believed to have been stolen from the National Security Agency, began encrypting files across the world last week.

Users warned that they would have to pay before receiving access to their files — an example of ransomware. The attack shut down hospitals in the United Kingdom and a telecommunications service in Spain. 

The WannaKiwi decryption tool works in Windows XP 2003 and 7 computers that have not been rebooted. 


WannaKiwi works by searching computer memory for remnants of the decryption key. Those remnants can be overwritten if a computer needs to use that memory for something else and are erased if a computer is turned off. But if they have not been overwritten or deleted, WannaKiwi can work. 

The program was written by Benjamin "GentilKiwi" Delpy. But it took advantage of the memory-scraping idea originally developed by Adrien Guinet in a decryption program Guinet released yesterday that only worked on Windows XP. 

Users looking to decrypt files from WannaCry should run WannaKiwi as soon as possible and not reboot or turn off their system until then.