From Kill Switch To Bitcoin, 'WannaCry' Showing Signs Of Amateur Flaws (2024)


A screenshot of the warning screen from a purported ransomware attack on a laptop in Beijing. Mark Schiefelbein/AP

Cops have a decent shot at catching run-of-the-mill online scammers — say, the guy selling a car that's just too good to be true on Craigslist. But catching ransomware attackers is generally much more difficult — unless they slip up.

The criminals behind the "WannaCry" ransomware attack may have done just that. Experts are now seeing some amateur flaws emerging, including an easy-to-find kill switch and the unsophisticated way the attackers are demanding bitcoin from their victims.

Ransomware "tends to be a crime that is born on the Internet, born through kits sold on the dark web that already pre-build in anonymity of the perpetrators," said police detective Nick Selby, who specializes in cybercrime.

Those "kits" Selby describes are what experts think they're seeing with WannaCry. Somebody's using software tools created by somebody else.

"The ransomware itself, we have seen that before in the wild and it's not that sophisticated," said Paul Burbage, malware researcher for Flashpoint-Intel.

He says the most obvious tip-off is the fact that the malware contained an easy-to-find "kill switch" — basically, a URL address included in the code, which was used to stop the malware's spread.


"The kill switch allowed people to prevent the infection chain fairly quickly," Burbage explained. "It was kind of a noob mistake, if you ask me."

And WannaCry has other deficiencies. Sophisticated ransomware usually has an automated way to accept payments from victims who want to unlock their computers. But Burbage says WannaCry's system seems to be manual — the scammers have to send each victim a code. Not very practical for an infection involving thousands and thousands of computers.

"It leads me to think they did not think it would spread as far as it is," he said. "You know I really think these guys are running scared and they're probably laying low at this point."

And then there's this: So far, the scammers have collected payments from fewer than 200 victims. We know this, because they're demanding bitcoin — and bitcoin transactions are public. We don't know the scammers' names, but we know the bitcoin addresses they're using to receive payment — just three addresses. Again, more sophisticated ransomware would have the ability to generate a unique bitcoin address for each victim.

So far, the attackers have collected about $60,000 worth of bitcoins, which are just sitting there untouched, according to Jonathan Levin, co-founder of Chainalysis, a company that analyzes bitcoin usage to identify money laundering. He's been watching the bitcoins accumulating at WannaCry's three addresses.

"It might be that they don't have a good idea yet about how to launder the bitcoin," he said. "Perhaps they're not really set up to take advantage of the success of their campaign so far."

Levin says one way to turn dirty bitcoin into real-world money is to do the conversion in a jurisdiction where financial authorities will turn a blind eye. So scammers sometimes have safe zones, usually their home country, where their malware doesn't do any damage. He gives the example of a very successful ransomware called "Locky," which favors Russia.

"So if it detects Russian language on the machine, it actually does not execute and deletes itself," he said.


WannaCry, in contrast, doesn't seem to be playing geographic favorites that way. Two cybersecurity firms now say they've found some technical similarities between the WannaCry ransomware and earlier attacks from hackers in North Korea, though they're not calling the clues proof that North Korea is behind the worldwide attacks. Burbage says his company, Flashpoint-Intel, does not see a link between WannaCry and North Korea at this point.

Levin says if the perpetrators actually live in one of the countries hit hard by this attack — say, Russia — that would be, as he puts it, "an incredibly bad life choice."


FAQs


What is the WannaCry kill switch? ›

From what I have read, the kill switch was either a way to check that it was running within a virtual environment, or to prevent the ransomware from spreading too much.

What is the vulnerability code of the vulnerability used by WannaCry? ›

The associated ransomware attack, dubbed "WannaCry", is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed "EternalBlue") was made available on the internet through the Shadow Brokers dump on April 14th, 2017, and was patched by Microsoft on March 14.

Which vulnerability does WannaCry spread by using? ›

WannaCry exploited a known vulnerability in older Windows systems called EternalBlue, which was found by the United States National Security Agency (NSA). EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack.

How does WannaCry ensure persistence on a machine that it has infected? ›

The malware establishes the following two registry Run keys to maintain persistence:
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>, Value: <Full_path>\tasksche.exe
  • Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>, Value: <Full_path>\tasksche.exe
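A defender-side check for the persistence entries described above, added here as an example (it is not code from the article or from the FAQ's source): it parses a constructed `reg export` of the two Run keys and flags any value that launches tasksche.exe. The random value names and the paths in the sample are made up for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of a "reg export" of both Run keys WannaCry uses for
# persistence (HKCU and HKLM ...\CurrentVersion\Run). Value names and paths
# are invented; a real export would carry whatever <Random> name was set.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"qhgybmrxszk"="C:\\ProgramData\\qhgybmrxszk\\tasksche.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"vqgmbdfrxz"="C:\\ProgramData\\vqgmbdfrxz\\tasksche.exe"
"""

# Matches the section header of a per-user or machine-wide Run key.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
# Matches one "name"="data" line of a .reg file.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# The binary WannaCry registers for autostart, regardless of its directory.
TASKSCHE_RE = re.compile(r"\\tasksche\.exe\b", re.I)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value_name, data) for every value under a Run key."""
    entries = []
    hive = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            hive = m.group(1) if m else None  # None while outside a Run key
            continue
        if hive is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports escape each backslash as "\\"; undo that for the path.
            entries.append((hive, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_tasksche_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Flag Run entries whose command launches tasksche.exe."""
    return [e for e in parse_run_entries(reg_text) if TASKSCHE_RE.search(e[2])]
```

Run it against a real export (`reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and treat any hit as a lead to confirm with the file hash, not as proof on its own, since the autostart name is trivial to change.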


What is the root cause of WannaCry? ›

It was propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack.

Is WannaCry still active? ›

Is WannaCry a threat today? The version of WannaCry that was released into the world in 2017 no longer functions, thanks to Hutchins' kill switch domain. Additionally, a patch has been available for the EternalBlue vulnerability that WannaCry exploited since March 2017. However, WannaCry attacks continue to occur.

How do you prevent WannaCry virus? ›

What can I do to protect myself?
  • Update Windows. WannaCry only affects computers running Microsoft Windows operating systems that don't have the latest security patches installed. ...
  • Run antivirus. Make sure your antivirus product is turned on and up to date. ...
  • Keep a safe backup of your important files.

How do I get rid of WannaCry ransomware? ›

Home remediation. Malwarebytes can detect and remove Ransom.WannaCrypt without further user interaction. Please download Malwarebytes to your desktop.

Who can share the blame for the spread of WannaCry? ›

The US and UK governments have said North Korea was responsible for the WannaCry malware attack affecting hospitals, businesses and banks across the world earlier this year.

Can Windows Defender remove WannaCry? ›

Microsoft released a patch, and if you have an old Windows machine that's infected, the best way to remove WannaCry is to update and use Windows Defender or an antivirus tool.

What is the purpose of the kill switch? ›

The purpose of a kill switch is usually to prevent theft of a machine or data or shut down machinery in an emergency. The degree to which a kill switch limits, alters or stops an action or activity depends on the production, process or program it is intended to protect.

What is a kill switch in malware? ›

At its core, a kill switch is a safety mechanism that allows for the immediate shutdown or isolation of a system, application, or device. Think of it as an emergency stop button for potential cyber threats. If malicious activity is detected, the kill switch can be activated to prevent further damage or breach.

