[ahomescu1]

I don't know the exact details of how WannaCry encrypts the files, but ransomware generally works like this: when hitting a new machine, it generates a random key K1 and then encrypts all the user's files with AES (or some other symmetric key encryption) using K1 as the key. It then encrypts K1 itself using some public key Kpub embedded in the ransomware, then stores the encrypted K1 on disk. When the user pays the ransom, they receive the corresponding private key Kpriv that allows them to decrypt K1, which then lets them decrypt all their files.

I think what this tool does is read the unencrypted K1 directly from memory, which means Kpriv is no longer needed.

EDIT: One correction: the user doesn't receive Kpriv, instead they send the encrypted K1 to the ransomware owner who decrypts it and sends back K1.

[CiPHPerCoder]

There are 4+N keys involved.

  - The attacker's RSA private key (UNKNOWN)
  - The attacker's RSA public key (KNOWN)
  - The local device's RSA private key (KNOWN, but then poorly wiped)
    - This is encrypted with the attacker's RSA public key
  - The local device's RSA public key (KNOWN)
  - A separate AES key for each file
    - These are encrypted with the local device's RSA public key

How decryption should work: Get the local device's RSA private key from the attacker (EDIT: this is not the attacker's RSA private key, it's the local one), then you can decrypt the AES key for each file.

[uep]

If someone were to pay up and receive the attacker's private key, what's to stop them from distributing it to others?

[equivrel]

That's exactly the trick: the attacker doesn't send you their private key, they decrypt (using their private key) the other private key that the ransomware generated on your machine, which is what was used to encrypt the per-file AES keys.

[chinhodado]

To clarify, the files are encrypted with a symmetric key, which even though is "private", is not part of a public-private key pair in asymmetric crypto.

[knome]

The attacker probably just decrypts your locally generated key. I doubt they send along the master key.

[equivrel]

This doesn't appear to be how WannaCry works: as ridiculous as it sounds, it looks like WannaCry actually generates a private key on the infected machine. If you look in search_primes.cpp (from line 251) in the linked repo, you'll see that the tool is literally searching the memory for prime numbers that divide the public modulus.

EDIT: CiPHPerCoder appears to have figured how the key management works.

[ahomescu1]

Right, I see that now. Adding an additional layer of RSA and per-file keys is an interesting twist. Generating a public/private key pair instead of a symmetric key seems to let them encrypt as many files as they want without keeping the private key in memory (which they relied on Windows to erase).