Worm busters: Monitoring cyberattacks
Is your information worth $300 to you? “Hell, no” is the answer from the victims of the WannaCry ransomware attack.
The magnitude of the cyberattack — reaching 150 countries and infecting 230 000 computers since it was launched two weeks ago — is headline-grabbing. The financial gain is not. As of Wednesday evening, 269 people, less than 1% of the victims, had opted to pay the $300 ransom in bitcoin, a virtual currency whose transactions are public but whose holders are hard to identify.
According to the Twitter account of @actual_ransom, a bot monitoring the three wallets hardwired into WannaCry, the total ransom received by Wednesday evening was equivalent to $79 000. If all affected users paid the ransom, the criminals would be in for a haul of more than $63-million.
Cybersecurity organisation Performanta’s chief executive Guy Golan praised the nonpayment, saying: “Ransomware will die if people do not pay.”
In years gone by, even United States police departments have paid ransoms to cybercriminals to recover valuable data, but the overwhelming advice from cybersecurity specialists is to cut your losses and not pay.
“By paying you are funding the next attack, you are funding cybercrime — anything should be done not to pay,” said Tyrone Erasmus, a director at MWR InfoSecurity.
In the case of WannaCry, an analysis from Performanta suggests the ransom seekers have no way of telling who has paid the ransom.
“In a typical ransomware operation, a unique bitcoin wallet ID is created for each victim. This ensures that the ransomware operators know who has paid,” said Golan. “The WannaCry 2.0 malware author decided to use only three bitcoin wallets, with no unique wallet generated per victim. This makes it extremely difficult for the WannaCry operators to know who has paid the ransom. A victim would have to tell them the bitcoin wallet ID they paid from. However, due to the bitcoin ledger being publicly viewable it would be possible for anybody to claim ownership of a wallet ID which has sent a payment.”
Golan said he was unaware of any cases where somebody has made contact with the WannaCry operators, and certainly none where victims had their files decrypted.
Converting bitcoin into cash is the hardest link in the chain, said Erasmus, and cashing in on these paltry gains could prove harder still because the three wallets are being closely watched. But cybercriminals know how to launder bitcoin online and may never need to convert it, because the virtual currency can be spent directly on goods and services on the web and the dark web.
Ransomware is not new. The first case dates back to 1989, but the emergence of CryptoLocker in 2013 was a game-changer: it spread through malicious downloads, web links and email attachments, and it paired strong public-key encryption of the victim's files with ransom payment in bitcoin. Ransomware has since become one of the most lucrative categories of malware.
WannaCry differs in that its spread requires no human intervention. Instead of waiting for a victim to open an attachment, it exploits a vulnerability in the Microsoft Windows SMB file-sharing service, which lets it infect any reachable, unpatched computer autonomously. Microsoft had patched the flaw in March, two months before the attack.
“This is the first notable ransomware worm — meaning it infects one computer and then looks around and sees what else it can exploit,” said Erasmus.
The vulnerability became public through a leak of exploit tools attributed to the US government’s National Security Agency; the exploit for this particular flaw was published in April, a month before the attack.
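A practitioner reading this will want to know whether their own Windows hosts are reachable by a worm of this kind. The following PowerShell audit is an added example, not code from the article or from Performanta or MWR InfoSecurity. It assumes an elevated PowerShell session on the host being checked; the KB numbers in `$Ms17010Kbs` are an assumed subset for Windows 7 SP1 / Server 2008 R2 and must be verified against Microsoft’s MS17-010 bulletin for the build in question, since the patch carries a different KB number on each Windows version.

```powershell
# Added example (not from the article): audit one Windows host for exposure to the
# SMBv1 worm and, optionally, close the hole. Run in an elevated PowerShell session.
param([switch]$Remediate)

# Assumption: MS17-010 KB numbers differ per Windows build. The two below are the
# March 2017 security-only update and monthly rollup for Windows 7 SP1 / Server 2008 R2
# and must be checked against the MS17-010 bulletin for the build being audited.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module;
    # older builds only have the registry value the Server service reads at start-up.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # The value does not exist by default, and a missing value means SMBv1 is on.
    return ($null -eq $val -or $val -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Get-Smb1Enabled
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

# A host can be hit by this worm only if it still speaks SMBv1 AND lacks the patch,
# but SMBv1 has no business being on at all, so both conditions are reported.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1
    MS17010Patched = $patched
    ExposedToWorm  = ($smb1 -and -not $patched)
} | Format-List

if ($Remediate -and $smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Takes effect immediately; no reboot needed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: the Server service reads this value at next start.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 disabled in the registry; restart the Server service or reboot.'
    }
}
```

Run it without `-Remediate` first and collect the output across the fleet; switch SMBv1 off only after confirming that nothing on the network (old printers and NAS appliances are the usual offenders) still depends on it. Disabling the protocol removes this worm’s entry point, but installing the patch is the actual fix and should be done regardless.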
The attack launched on May 12 is WannaCry 2.0. Previous versions of WannaCry date back to February. A number of variations have followed since the May 12 attack but Performanta’s security experts believe these are probably spin-offs created by other parties.
Malware attacks are usually run like a business by large criminal enterprises. But something about WannaCry is not quite right.
Apart from the ransom seekers’ inability to trace payments, the malware is also poorly written. The code was found to include a kill switch: before spreading, it checks whether a particular unregistered web domain resolves and stops if it does. Security experts registered that domain and have since used it to halt the spread from one machine to another, although this does nothing for files already encrypted and is ineffective on machines whose only web access is through a proxy, which cannot reach the domain and so keep spreading the worm.
“They definitely did it on purpose so they could stop the spread at will. But, obviously, it [WannaCry] is not designed very well,” said Erasmus.
The unsophisticated code has security experts debating who the creators might be. Some of the code in the first iteration of WannaCry matches code previously seen in malware attributed to the Lazarus group, which has been linked to North Korea since its 2014 attack on Sony Pictures Entertainment ahead of the release of The Interview, a satirical film about an assassination attempt on North Korean leader Kim Jong-un.
“The link is, however, tentative as this could simply be a case of two malware authors reusing the same third-party source code,” said Golan.
Performanta’s analysis found a reasonable chance the original attack on May 12 was an accident. “The existence of a kill switch may have been to protect the author or authors in their own analysis environment, and the absence of any newly compiled versions of WannaCry 2.0 shows a lack of commitment to cause more damage or increase their profits.”
Golan said this “flimsy attack” may also have been an attempt to test the malware before the “big attack”.
Although the ransom seekers may not have gained an impressive sum from their victims, the attack has still come at a significant cost, said Golan. Of his company’s 170 staff, 30 have dedicated all their time to the matter since the attack began.
Globally, it must have cost companies hundreds of millions of dollars in time spent on defending against this attack, Golan said.