WannaCry – Paid Time Off?

May 14, 2017

Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware!

Now, let us explain why:

As of this writing , the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back.

The decryption process itself is problematic, to say the least.

Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then… Wait. You can press the ‘Check Payment’ button, but so far this is the only outcome:



Most A-list ransomware pride themselves on customer support, and are usually very easy to contact. Again, not the case with WannaCry. The only way of contacting the malware creators is through the “Contact Us” option on the ransom note screen. Despite our best efforts, we have yet to receive a reply.

Lastly, our research so far puts into question the ability of WannaCry’s creators to decrypt your files at all. The malware contains two separate decryption/encryption routines- one for the bulk of the victims’ files, encrypted with a unique key per file. To decrypt the files, a private RSA key is needed from the creators, who are supposed to deliver it in a “.dky” file.

The second encrypt/decrypt routine is for the 10 files you can decrypt as a “free demo”- as if to assure the victims decryption of their files is possible, and persuading them to pay the ransom. Those 10 specific files are chosen at random during the time of encryption, and are also encrypted with a unique key per file. However, the private RSA key for these 10 is stored locally on the victim’s computer. As you can see below:


(fig. a. The main decryption function)


(fig. b. The demo decryption function)


As can be seen in Figure A, the main decryption function tried to call a “.dky” file- supposedly containing the private RSA key, and with it decrypt all the files on the victims computer. In Figure B, we can see a similar function, this time calling the “f.wnry” file dropped by the encryptor module, which contains a list of the demo files. The private RSA key is already hard coded into the module. Both functions call the module import_RSA_key (fig. C)- the main decryptor with the path to the “.dky” file as an argument, and the demo with null instead.


(fig. C. import_RSA_key function for the two routines)


Taking all this into consideration- the lack of reports of anyone getting their files back, the problematic payment and decryption system and the false demo of the decryption operation, puts into question the capability of the WannaCry’s developers to deliver on their promises to decrypt your files.

But maybe we should wait and see what happens during “business hours”- 9:00-11:00am GMT?

The Check Point Threat Intelligence and Malware Research Teams are continuing to research WannaCry. The Check Point Incident Response Team is also monitoring the situation closely and is available to assist customers.

The previous blog provides detail that Check Point customers can use to understand how the company’s solutions can be leveraged to analyze, report and prevent the elements of the attack. And to learn more about ransomware in general, click here.



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks