Microsoft was quick to respond to the attack, releasing an emergency patch that closed the exploited vulnerability on all operating systems, including the long-out-of-support Windows XP. At the same time, it blamed the US National Security Agency for having discovered the vulnerability without informing Microsoft so that it could be fixed, only for the vulnerability to be made public when the NSA itself was attacked and a cache of its exploit software and related documents was stolen.
Sure, a handful of companies that didn't patch their Windows systems got hit hard, but organizations that were broadly impacted were, in many cases, using outdated, unsupported computers that were not patched.
The new fix, developed by French security researchers, only works if your computer hasn't been rebooted since becoming infected with WannaCry. "Please also note that you need some luck for this to work (see below), and so it might not work in every case!"
The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.
WannaCry, which also goes by the name WCry or Wanna Decryptor, covertly encrypts computer files after infecting a computer and then demands owners pay a $300 to $600 ransom to obtain the decryption key required to restore a computer to normal working condition.
WannaCry uses the Microsoft Cryptographic Application Program Interface to handle numerous functions, including generating a key for encrypting and decrypting the files.
Suiche, based in the United Arab Emirates and one of the world's top security researchers, provided advice and testing to ensure the fix worked across the various versions of Windows.
A previously overlooked limitation in XP, however, can prevent the erasure from occurring in that Windows version. The fix is called Wanakiwi, and it attempts to replicate WannaCry's encryption key by sniffing out prime numbers (the building blocks of the widely used RSA encryption method) that are stored in the ransomware's code.
"If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," Guinet wrote. This is why many users even after paying the ransom have not been able to get their data back. Still, Guinet's finding offers hope.