Telefónica WannaCry File Restorer: How can we recover information deleted by WannaCry?

Thursday, May 18, 2017



When a cyberattack hits a large organization, it is crucial to know where copies of the data are stored, because that information is also exposed to malware and, in this case, to ransomware. Best practice is first to track where the information is located and only then to start the clean-up, both for WannaCry and for future incidents:
  • Files that are not encrypted were simply not reached by the malware before it was stopped. Files that were affected by WannaCry can sometimes be partially recovered, as shown later in this article.
  • Always keep backups, with at least one copy available offline.
  • Information on shared drives and cloud drives.
  • Information in Office 365 email and on data drives.
  • Information on removable devices such as USB pen drives.
  • Temporary Office files (Word, Excel, PowerPoint). If a document was open when the infection hit, a temporary file will have been generated for it. WannaCry does not target these temporary files, so they are not encrypted. Once the system has been cleaned up, they can be used to recover the Office documents to the state they were in when WannaCry started.
Another recommendation for all systems is to enable system restore, so that the system can be returned to a pre-infection state. The user then gets their system back as it was before the infection and can patch the vulnerability without losing or damaging data. Along the same lines, the Recuva tool is another way to recover deleted data.


In order to fully understand the effects and weaknesses of the WannaCry ransomware, we have been running tests continuously for the past few days. Through these tests we have learned some key steps that help in the fight against this threat to our users and organisations. These steps should only be carried out by a member of the organization's IT department.

The ransomware encrypts files in one of two ways. In both, WannaCry works through a temporary file for each file it selects, and it is thanks to this temporary file that some of the affected files can be recovered.

In the first case, the malware finds that the system has a single partition holding the data and moves the files into the %userprofile%\appdata\local\temp folder in order to encrypt them there. The first file moved is renamed 0.WNCRYT, the second 1.WNCRYT, and so on. WannaCry then encrypts each file that carries the WNCRYT name in turn and immediately deletes the unencrypted copy. Until that happens, the copy saved under %userprofile%\appdata\local\temp is a plain temporary file that is not encrypted: only its location and name have changed, so its content can be recovered.


Not every file is moved by the ransomware: the creation of temporary and encrypted files is a random process, so not all files can be recovered.

In the second case, the malware finds two data partitions on the system. It then creates a folder named $RECYCLE at the root of the second partition; this should not be confused with $RECYCLE.BIN. The $RECYCLE folder follows the same pattern as before: files are moved into it in order to be encrypted. While a file still carries the WNCRYT extension, its content has not been lost because it has not yet been encrypted. Only once WannaCry has encrypted the WNCRYT file and converted it to the WNCRY format is it really encrypted.

Unfortunately, such files cannot always be found. When WannaCry finishes encrypting a file, the corresponding temporary file is deleted and its information is lost. However, if the user switched off or hibernated the system before the encryption process completed, the process is interrupted: the temporary WNCRYT files that were still pending are never encrypted, and the files that had already been deleted from their original location can be retrieved from them. Depending on which of the two cases above applies, these temporary files sit under %userprofile%\appdata\local\temp or under $RECYCLE; they simply carry a different file extension.

If the ransomware finishes encrypting the files, no temporary files remain and this recovery method no longer works. If, on the other hand, the ransomware does not complete the encryption, or the computer is switched off or put to sleep, partial retrieval of the information is possible.

For example, the image above shows a large number of temporary files that WannaCry was unable to encrypt. Judging by their file header, these are PDF files.


Simply renaming the file extension recovers the file and its content. Since the original file name is no longer available, the file type has to be recognised from the file header (its leading magic bytes).


The following image shows how the renamed file is accessed. Its name was changed from 11339.WNCRYT to 11339.WNCRYT.pdf, and Windows now opens it with the default application associated with that extension. The image below shows that the file is intact.
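As an added example (not code from the original post and not the Telefónica script), here is a Python restorer for the rename-by-header step just described: it scans a folder for *.WNCRYT temporary files, infers each file's type from its leading magic bytes, and copies it out with the matching extension, leaving the originals in place. The signature table and the sample temp folder are constructed assumptions; the WANACRY! check skips files whose header shows WannaCry has already finished encrypting them.

```python
import shutil
import tempfile
from pathlib import Path

# Header signatures used to guess a recovered file's type (constructed for this example; extend as needed).
SIGNATURES = [
    (b"%PDF-", ".pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # OLE2 container: legacy doc/xls/ppt
    (b"PK\x03\x04", ".zip"),                         # OOXML docx/xlsx/pptx are zip archives
]
WNCRY_MAGIC = b"WANACRY!"  # header WannaCry writes on a file it has already encrypted

def detect_extension(header):
    """Extension matching the header's magic bytes, or None if the type is unknown."""
    return next((ext for magic, ext in SIGNATURES if header.startswith(magic)), None)

def restore_wncryt_files(search_root, dest_dir):
    """Copy each *.WNCRYT temp file under search_root into dest_dir, renamed with the
    extension its header implies (11339.WNCRYT -> 11339.WNCRYT.pdf); originals stay in place."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    report = {"restored": [], "unknown": [], "encrypted": []}
    for src in sorted(Path(search_root).rglob("*.WNCRYT")):
        with open(src, "rb") as fh:
            header = fh.read(16)
        if header.startswith(WNCRY_MAGIC):  # encryption already finished: content is gone
            report["encrypted"].append(src.name)
            continue
        ext = detect_extension(header)
        if ext is None:  # keep it anyway, flagged for manual inspection
            shutil.copy2(src, dest / (src.name + ".unknown"))
            report["unknown"].append(src.name)
            continue
        shutil.copy2(src, dest / (src.name + ext))
        report["restored"].append(src.name + ext)
    return report

def build_sample_temp_dir():
    # Constructed stand-in for %userprofile%\appdata\local\temp after an interrupted run.
    root = Path(tempfile.mkdtemp(prefix="wncryt_demo_"))
    (root / "0.WNCRYT").write_bytes(b"%PDF-1.4\n% constructed sample document\n")
    (root / "1.WNCRYT").write_bytes(b"PK\x03\x04" + b"\x00" * 12)
    (root / "2.WNCRYT").write_bytes(b"no recognisable header")
    (root / "3.WNCRYT").write_bytes(WNCRY_MAGIC + b"\x00" * 8)
    return root

if __name__ == "__main__":
    sample = build_sample_temp_dir()
    print(restore_wncryt_files(sample, sample / "restored"))
```

Run it against a copy of the temp folder or the $RECYCLE folder taken from the affected machine; files reported as unknown still need a manual look at their header.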


With this background, here is the Telefónica WannaCry File Restorer script, developed in Telefónica's labs with the aim of retrieving and restoring files affected in this way.


Telefonica Wannacry File Restorer v0.1 Alpha


The alpha version of the script is also available on our GitHub, where we will keep updating it.


Another important tip for preventing this or any future ransomware from infecting your PC or encrypting your files is the Latch Antiransomware software developed by ElevenPaths. The following video highlights its key features:


Latch Antiransomware installation and configuration




Latch ARW: an AntiRansomware TOOL




WannaCry WITH Latch AntiRansomware



