The WannaCry malware that spread globally over the past weekend has cybersecurity researchers puzzled on a number of levels. How it all began, how the malware spread so rapidly and why it hasn’t been particularly profitable for the cybercriminals involved are all open questions.
There are many theories, according to a report from Reuters, but few definitive answers.
The main question on researchers’ minds is how exactly WannaCry spread. Many malware attacks spread via phishing emails containing malicious links or attachments. Once someone within a network clicks on the link or opens the attachment, the malware propagates.
So far, no evidence of an initial infecting email has been found, said IBM Security’s Caleb Barlow, even after looking through the company’s database of over 1 billion emails dating back to the beginning of March.
“It’s statistically very unusual that we’d scan and find no indicators,” Barlow told the newswire. “How the hell did this get on there, and could this be repeatedly used again?”
Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin of RSA Security, a part of Dell.
Other companies, such as enterprise cybersecurity provider FireEye, told the newswire that some of their customers found phishing emails, noting, however, that WannaCry relied less on this inciting factor and more on a Microsoft vulnerability to spread within any given network.
Then, of course, there’s the issue of payment itself. Relative to its effect, WannaCry hasn’t been very profitable for the attackers.
According to live data from Elliptic Enterprises, a London-based company that tracks illegal bitcoin use, as of Tuesday (May 16) the total amount of ransom paid out to the three bitcoin wallet addresses known to be associated with the WannaCry fraudsters had totaled just over $71,600 (about 40.4 bitcoin).
That’s a fraction of what smaller malware campaigns have managed to raise and significantly less than what it could have brought in.