In May, the WannaCry ransomware infected more than 300,000 computers worldwide by exploiting vulnerabilities in the Windows 7 and Windows XP operating systems. Analysis has since shown that WannaCry was not a high-quality piece of malware, which leaves some of its victims a few opportunities to decrypt or recover their locked files for free, without paying the Bitcoin ransom.
Security researchers at Kaspersky Lab have recently found that some WannaCry victims can restore their encrypted files with publicly available free recovery tools, or even with simple PC commands.
Kaspersky Lab malware analysts described three main errors made by WannaCry's creators that could allow users to recover their locked or lost files.
1. Recovering Read-Only Files
WannaCry ransomware cannot delete read-only files from the system. In general, WannaCry first renames files to change their extension to ".WNCRYT", encrypts them and then deletes the original files. The original copies of read-only files, however, remain untouched but are given a 'hidden' attribute. All you need to do is make Windows show hidden files and folders, and then restore the normal attributes of those hidden files.
2. Recovering Files from the System Drive (Disk C:)
Unfortunately, files stored in important system folders, such as the Documents folder or the Desktop, cannot be recovered without the decryption key, because WannaCry overwrites the original files with random data before removing them.
However, other files stored outside those important system folders on Disk C: can be recovered from the temporary folder using data recovery software.
The original files are moved to the %TEMP%\%d.WNCRYT folder (where %d denotes a numeric value). These files contain the original data and are not overwritten, so they can be restored easily.
3. Recovering Files from the Non-System Drives
For non-system drives, WannaCry creates a hidden '$RECYCLE' folder and moves the original files into it. You can restore those files just by showing the hidden '$RECYCLE' folder on any partition of your hard drive.
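The three recovery paths above can be triaged from one PowerShell script. The following is an added example written for this article; it is not code from the article, from Kaspersky Lab or from any recovery tool. It only lists what it finds, and clears the Hidden attribute on read-only originals only when run with -Restore. The scan root ($Root, defaulting to the user profile) and the choice to skip files that also carry the System attribute (to avoid OS housekeeping files such as desktop.ini) are my assumptions; the ".WNCRYT" extension, the %TEMP%\<number>.WNCRYT folder and the hidden $RECYCLE folder are taken from the text. Nothing here decrypts, deletes or overwrites a file.

```powershell
<#
  Added example (not the article's or Kaspersky Lab's code).
  Triage of the three leftovers described in the article, plus an opt-in
  -Restore switch that clears only the Hidden attribute on read-only originals.
  Assumptions: $Root and the System-attribute filter are mine; nothing here
  decrypts, deletes or overwrites anything.
#>
param(
    [string]$Root = $env:USERPROFILE,
    [switch]$Restore
)

$hidden   = [IO.FileAttributes]::Hidden
$readOnly = [IO.FileAttributes]::ReadOnly
$system   = [IO.FileAttributes]::System

# --- 1. Read-only originals: still on disk, only marked Hidden ---------------
$readOnlyOriginals = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $hidden) -and
        ($_.Attributes -band $readOnly) -and
        -not ($_.Attributes -band $system) -and   # skip OS housekeeping files (assumption)
        $_.Extension -ne '.WNCRYT'                # the renamed copies are not originals
    }

foreach ($f in $readOnlyOriginals) {
    if ($Restore) {
        # Clear the Hidden bit only; ReadOnly and all other bits stay as found.
        $f.Attributes = $f.Attributes -band (-bnot $hidden)
        Write-Output "restored   $($f.FullName)"
    } else {
        Write-Output "candidate  $($f.FullName)"
    }
}

# --- 2. System drive: %TEMP%\<number>.WNCRYT holds moved, unencrypted originals
Get-ChildItem -LiteralPath $env:TEMP -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+\.WNCRYT$' } |
    ForEach-Object {
        $n = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object).Count
        Write-Output "temp-dir   $($_.FullName)  ($n files)"
    }

# --- 3. Non-system drives: hidden $RECYCLE folder at the root of the volume ---
$sysRoot = Join-Path $env:SystemDrive '\'
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -and $_.Root -ne $sysRoot } |
    ForEach-Object {
        # Single quotes keep '$RECYCLE' literal; this is not Windows' own $Recycle.Bin.
        $dir = Join-Path $_.Root '$RECYCLE'
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $n = (Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
                  Measure-Object).Count
            Write-Output "recycle    $dir  ($n files)"
        }
    }
```

Run it first without -Restore and review the "candidate" lines before changing any attributes. For the second case the files in %TEMP% are intact and can simply be copied out, while anything that WannaCry actually deleted from Disk C: depends on data recovery software, so avoid writing to that volume (installing tools, saving output) until the recovery pass has run, since every write can overwrite the deleted data.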