Dark Reading is part of the Informa Tech Division of Informa PLC



11:30 AM
Gary Warner

WannaCry: Ransomware Catastrophe or Failure?

Using Bitcoin payments as a measure, the WannaCry attack is not nearly as profitable as the headlines suggest. But you should still patch your Windows systems and educate users.

Wannacry (or WannaCrypt) is being called the "worst cyberattack in history" or at least the "biggest ransomware offensive in history," but those headlines just don’t line up with reality.

Despite public reports that as many as 300,000 computers in 150 countries have been infected with the malware, the normally observable pattern of delivery, destruction, and payment associated with a ransomware attack is largely missing. Phishing emails have been the primary delivery method for almost all other ransomware attacks to date. With this attack, the initial delivery method is still under debate, but the main spreading mechanism is Server Message Block (SMB), the protocol Windows computers use to share files with one another. By invoking a flaw in SMB, a single infected computer can infect every other vulnerable machine on the same network. But is the attack size being touted in the media accurate? And is this really about ransomware? After some very frightening initial headlines, the story just doesn't hold up to deeper inspection.

This is partly because the malware was disabled by a 22-year-old British malware researcher. Malware authors try to detect researchers by checking to see if the malware is running in a simulated network environment. One test is for the malware to ask the computer it is running on: "Can you reach this non-existent website?" If it can, then the malware can be certain it is running in a simulated network, where researchers are routing every Internet request to monitoring stations they control. (For those who do malware analysis – think ApateDNS redirecting everything to iNetSim.)

Figure 1 - WannaCry code calling non-existent domain
Source: PhishMe

Once the researcher registered the "non-existent" Internet address that the malware was using for its test, every Internet user could resolve the address. That made the malware conclude that everyone was in a simulated network and therefore likely a researcher who should not be infected.

The researcher, who guards his anonymity fiercely because he routinely ruins the lives of criminals, shares his intelligence here and blogged about his discovery here.

The high count of "infected" computers is actually the number of computers that were asked to try to reach the formerly non-existent domain. However, analysis of the code shows that if that domain is reached, the malware simply terminates itself and poses no further risk to the computer that tried to infect itself. Perhaps these would be better counted as malware attempts rather than malware infections.
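The attempt-versus-infection distinction above can be checked from a resolver's own logs: a host whose lookup of the kill-switch domain resolved saw the domain as reachable, so the malware terminated, while a host whose lookup failed never received the kill switch and needs a closer look. The following is an added illustration, not code from the article or from PhishMe; the domain name, log format, and log lines are all constructed placeholders (the article does not name the real domain).

```python
import re

# Placeholder for the sinkholed kill-switch domain (assumption; the
# article does not name the real one).
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample resolver log, one query per line:
#   <timestamp> <client-ip> query <qname> -> <rcode>
SAMPLE_DNS_LOG = """\
2017-05-12T10:02:11Z 10.1.4.22 query killswitch.example -> NOERROR
2017-05-12T10:02:12Z 10.1.4.23 query killswitch.example -> NOERROR
2017-05-12T10:02:12Z 10.1.4.23 query killswitch.example. -> NOERROR
2017-05-12T10:03:40Z 10.1.9.8 query killswitch.example -> NXDOMAIN
2017-05-12T10:03:41Z 10.1.9.8 query update.example -> NOERROR
2017-05-12T10:05:02Z 10.2.0.5 query killswitch.example -> SERVFAIL
2017-05-12T10:06:00Z 10.1.9.8 query killswitch.example -> NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def triage_killswitch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Split hosts that looked up the kill-switch domain into two groups.

    thwarted:     every lookup from the host resolved, so the malware
                  saw a "simulated network" and exited (an attempt).
    needs_triage: at least one lookup failed; that run of the malware
                  did not get the kill switch and may have proceeded.
    """
    resolved, failed = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        host, qname, rcode = m.group(2), m.group(3), m.group(4)
        if qname.rstrip(".").lower() != domain:
            continue  # only the kill-switch domain is of interest
        (resolved if rcode == "NOERROR" else failed).add(host)
    return {
        "thwarted": sorted(resolved - failed),
        "needs_triage": sorted(failed),
        "total_hosts": len(resolved | failed),
    }


if __name__ == "__main__":
    print(triage_killswitch(SAMPLE_DNS_LOG))
```

Hosts in `needs_triage` are the ones worth checking for encrypted files; `total_hosts` is the kind of number the "infected" headlines were really counting.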

Payments Don't Add Up
The over-reporting of the malware is further confirmed by looking at the payment method. As far as researchers know, there are only three primary bitcoin addresses:

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

After reviewing hundreds of screen shots and talking to dozens of other researchers, no one has seen another bitcoin address used by this malware since this round of the attack began on May 12th.

By pasting the addresses above into https://blockchain.info/ you can see how many payments have been made to each address and how many bitcoins they total. For example:

  • As of May 17, 2017, 12:50 PM Eastern: 109 transactions totaling 16.75 bitcoins
  • As of May 17, 2017, 12:50 PM ET: 95 transactions totaling 16 bitcoins
  • As of May 17, 2017, 12:50 PM ET: 84 transactions totaling 11.17 bitcoins

That’s only 288 payments totaling 43.92 bitcoins.

Bitcoin is currently trading at a near all-time high of $1,830 US dollars per bitcoin, which puts those 43.92 bitcoins at about $80,000. But if there were 300,000 victims, that wouldn’t make any sense. Certainly more than 1/10th of 1% of the victims would have paid the ransom! IBM claimed last year that 70% of companies admitted to paying ransom to get their files back.

So, $80,000 seems a bit shy of a ransomware catastrophe. Heck, Hollywood Presbyterian yielded 40 bitcoins just in a single ransomware instance in 2016. Want to discuss a ransomware catastrophe? Let's talk about Locky! Let's talk about Cerber! Let's talk about CryptoLocker! Remember that in Q1 2016 the FBI told CNN that ransomware had collected $209 million in ransom fees just that quarter.

WannaCry isn't even close. Sure, a handful of companies that didn't patch their Windows systems got hit hard, but organizations that were broadly impacted were, in many cases, using outdated, unsupported computers that were not patched.

Where are the ‘Mixers?’
The other interesting thing is that the criminals who steal money via Bitcoin normally immediately begin the process of laundering their Bitcoin by using online services called “mixers,” or by gambling with the money in Bitcoin casinos that also act as mixers. Bitcoin tracking services, such as Elliptic, a company that helps law enforcement de-anonymize Bitcoin, confirm that they can find no evidence of the Bitcoin received from ransomware victims being spent or cashed out.  It is likely that the criminals are too frightened to touch their ill-gotten gains knowing that there has never been closer scrutiny on a Bitcoin Wallet than there is right now.

Or is it possible that there is no financial criminal planning to make money from this attack? Could this be merely an attempt to discredit the U.S. intelligence agency, the NSA? Part of the drama about the attack is that, according to Russian security firm Kaspersky Lab, and confirmed by others, the ransomware spreads via an SMB exploit originally created by the NSA under the code name "EternalBlue" and leaked to the world by "Shadow Brokers" back on April 14th, a month after Microsoft patched the underlying vulnerability, known as MS17-010. Because Windows XP has gone through "end of life," security patches were no longer being created for XP, which is part of why XP systems have been said to be infected at a far greater rate than other Windows operating system versions. Microsoft has now issued an Emergency Patch for XP.

A Warning Shot
Whenever the entire world freaks out about security, we have an opportunity as security practitioners. When every CEO, CSO, CISO, CIO and CRO on the planet is thinking about a cyberattack, there will certainly be questions asked such as, “Would this have impacted us?” or “Do you need anything to be safer?” This is not the time to go buy a new shiny toy to put on your shelf, but it is time to review your security practices.

In this situation, a March 14th 2017 patch would have saved your organization from a May 12th cyberattack. What is your timeline for implementing an urgent cybersecurity patch globally within your organization?  If it is less than two months, use this as an opportunity to improve that timeline.

In this situation, Windows XP within your network could have a devastating impact. Use this as a time to fight. Whatever reason someone has given you for "why we still must have XP," fight them on it. Use this as an opportunity to insist that obsolete software be migrated away. If it’s a budgetary constraint, demand the budget. If it’s considered an irreplaceable piece of legacy special-purpose hardware, demand a replacement anyway, or a thorough penetration test to prove that your Windows XP is truly network-isolated from everything.

Remember that most of the ransomware that is actually being paid out is still being delivered by phishing email. Make sure that your employees know what to do when they see a suspicious email. If you don’t have a way to convert your employees from "the weak spot in the chain" into empowered "security sensors" feeding internal attack intelligence to your response teams, then review your internal practices.

Gary Warner is one of PhishMe's elite cybercrime researchers, where his current research areas are malware analysis, social networks of cyber criminals, hate groups, and terrorists. Involved in cybersecurity since 1989, he began his career helping large organizations connect ... View Full Bio
