Hacker Tracker: WannaCry

Last weekend, a major ransomware attack affected more than 200,000 computers in 150 countries across the globe.

Targeting computers running the Microsoft Windows operating system, the malware encrypted users’ files and demanded payment in bitcoin equivalent to about $300 within 72 hours to regain access.

If users didn’t pay within that time frame, the ransom would double. After a week, files were locked for good.

The incident, which notably affected major organizations like the British National Healthcare Service, Vodafone and Telefonica, was a bit odd as far as ransomware goes, said Andrew Douthwaite, VP Managed Services at cybersecurity company VirtualArmor.

“It is unusual for ransomware to have network worm capabilities,” Douthwaite said. “However, it looks like this particular piece of ransomware was packaged in such a way as to take maximum advantage of this recent MS vulnerability allegedly discovered by the NSA.”

As of now, it’s unclear whether this vulnerability was discovered in parallel by cybercriminals or if the NSA leak dropped the information directly into their hands.

Puzzlingly, IBM Security, for one, has found no evidence of an initial infecting email, company Vice President Caleb Barlow told Reuters. The company searched its database of more than 1 billion emails dating back to the beginning of March.

“It’s statistically very unusual that we’d scan and find no indicators,” Barlow said. “How the hell did this get on there, and could this be repeatedly used again?”

Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin of RSA Security, a part of Dell.

Other companies, such as enterprise cybersecurity provider FireEye, told the newswire that some of their customers had found phishing emails, though they echoed the view that WannaCry relied less on phishing as an entry point and more on the Microsoft vulnerability to spread within a network once inside.

What’s especially strange in all this is that the vulnerabilities WannaCry exploits have already been patched. Microsoft rolled out the patches in a software update in mid-April.

So how was the malware able to do so much damage?

In a nutshell, said VirtualArmor’s Douthwaite, it comes down to people not following basic cybersecurity practices.

“Many users simply just don’t think of the implications of opening a junk email and any attachments held within,” Douthwaite said. “This lack of awareness is a significant weakness in the current security environment.”

On top of this, many organizations take their time testing new patches before rolling them out across their enterprise networks, Douthwaite said, as some updates have the potential to cause issues and delays in day-to-day activities.

“Patching is not a guaranteed art,” Douthwaite added. “For every problem you solve, you may be creating another one which can lay undetected for some time.”

He noted, however, that organizations that don’t patch and fall behind on software and tech advances become highly susceptible to well-known exploits. This is especially true when organizations have legacy applications or production services dependent upon legacy servers.

While WannaCry may have made individuals and organizations want to cry, it turns out that, after crying, not very many of them have actually paid up.

Data from Elliptic Enterprises, a London-based company that tracks illegal bitcoin use, shows that, as of midday Thursday, ransom payments to the three bitcoin wallet addresses known to be associated with WannaCry totaled just under $86,000 (about 46.4 BTC).

That’s not very much considering the broad scale of the attack and the average ransom demanded.

If everyone paid up right away, rough calculations suggest there would be at least $60 million in it for the fraudsters (200,000 infected computers at roughly $300 each). Against that estimate, the current payout for WannaCry is just over 0.14 percent of what it could have been.