Hunt for WannaCry Ransomware Attackers

Published on May 18, 2017

As organisations around the world recover and begin to count the cost of the biggest ransomware attack in history, cyber security and law enforcement agencies have turned their attention to tracking down the perpetrators.

Cruel Irony

The irony of the WannaCry attack is that it exploits a Windows vulnerability that was discovered and weaponised by the US National Security Agency. The flaw lies in Windows' SMBv1 file-sharing protocol; the NSA's exploit for it, known as 'EternalBlue', was originally developed to gain access to the computers of suspected terrorists. Microsoft had already released a patch for the flaw (security bulletin MS17-010) in March 2017, two months before the outbreak, so fully patched systems were not affected by the worm.

Tracking Gangs

Security companies and agencies are reported to have analysed the malware and to be tracking more than 100 different ransomware gangs as possible suspects, so far without success.

The ransomware first appeared on 10th February this year and was used two months later in a short-lived ransomware campaign.

Almost no one fell for version 1.0, which relied on spam email and booby-trapped websites. Version 2.0, however, added a single extra module: a worm component that uses the EternalBlue exploit to spread from one unpatched Windows machine to another over SMB with no user interaction at all. That is what allowed it to wreak so much havoc over the weekend.

Clean Launch Means No Clues

One factor frustrating the search for the WannaCry perpetrators is the absence of any real clues in the way the ransomware was written and launched. For example, the executables contain no telltale character strings, and there is no sign that the samples were uploaded to VirusTotal to check detection rates before distribution, a mistake criminals often make that can reveal when, and from where, a campaign was being prepared.

The relatively 'clean' launch therefore leaves no real pointers as to which group created and launched the ransomware.

Probably Not the Russians

The ransomware shows no hesitation in infecting machines with Russian-language (Cyrillic) settings or systems located in Russia, which has led security commentators to believe that the Russian state is unlikely to be responsible: malware linked to Russian groups commonly checks the system language and spares such hosts.

In addition, compile timestamps in the code suggest it may have been built on a machine set to the UTC+9 time zone, which covers Japan, the Korean peninsula, eastern Indonesia and parts of far-eastern Russia. Such timestamps are weak evidence, however, because a build timestamp can be trivially set or edited by the author.

Another clue hinting that the creators are a new group is, ironically, the malware's success. WannaCry has hit far more victims than the number usually targeted by ransomware aimed at large organisations.

Such a huge number of victims makes managing ransom payments, and delivering decryption keys to those who pay, very difficult.

WannaCry’s Achilles Heel

Another clue is the failure to register the 'kill-switch' domain hard-coded in its core: when the malware starts, it tries to connect to that domain and exits if the connection succeeds. Because the creators never registered it, security researcher Marcus Hutchins was able to register and take over the domain, which unwittingly crippled the malware and limited its spread.

Other channels used to administer infected machines, such as the Tor network, are being monitored for activity.

Other artefacts in the code may yet yield clues. Passive DNS records, for instance, could show whether the kill-switch domain was queried before WannaCry was distributed, which would point to test runs by the authors. It is also worth noting that criminals sometimes plant deliberate false flags in their code to confuse and frustrate attribution.
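The kind of hunt described above, run over DNS resolver logs, as an added example that is not part of the original article. The log format, the field order and the domain name are assumptions: the placeholder domain stands in for the real hard-coded kill-switch domain, and the sample log lines are constructed for this demonstration.

```python
"""
Hunt for kill-switch lookups in DNS resolver logs.

Added example, not from the original article. A host that queries the
kill-switch domain is either running the malware (which checks the domain
on start-up) or a researcher probing it; a query logged before the worm
began spreading is what an investigator would want to explain.
"""
from datetime import datetime, timezone

# Placeholder standing in for the real hard-coded domain (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Date the worm component began spreading (12 May 2017).
OUTBREAK_START = datetime(2017, 5, 12, tzinfo=timezone.utc)

# Constructed sample log: "<ISO timestamp> <client IP> <query name> <query type>".
# Query names may carry a trailing dot or mixed case, as real resolver logs do.
SAMPLE_LOG = """\
2017-05-09T03:14:07Z 10.1.4.22 killswitch-placeholder.example A
2017-05-12T07:55:01Z 10.1.4.22 updates.example.net A
2017-05-12T08:02:13Z 10.1.9.8 KillSwitch-Placeholder.example. A
2017-05-12T08:02:14Z 10.1.9.8 killswitch-placeholder.example AAAA
2017-05-12T08:31:40Z 10.2.0.77 killswitch-placeholder.example A
2017-05-12T08:31:41Z 10.2.0.77 www.example.org A
"""


def parse_line(line):
    """Split one log line into (time, client, normalised qname, qtype)."""
    ts, client, qname, qtype = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Normalise: strip the trailing root dot and lower-case, so variants match.
    return when, client, qname.rstrip(".").lower(), qtype


def hunt(log_text, domain=KILL_SWITCH_DOMAIN, outbreak=OUTBREAK_START):
    """Return (hosts, pre_outbreak).

    hosts maps each client that queried the kill-switch domain to its
    earliest query time; pre_outbreak lists (time, client) pairs for
    queries made before the worm started spreading.
    """
    hosts = {}
    pre_outbreak = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, qname, _qtype = parse_line(line)
        if qname != domain:
            continue
        if client not in hosts or when < hosts[client]:
            hosts[client] = when
        if when < outbreak:
            pre_outbreak.append((when, client))
    return hosts, pre_outbreak


if __name__ == "__main__":
    found, early = hunt(SAMPLE_LOG)
    for client, first_seen in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{client} first queried the kill-switch domain at {first_seen.isoformat()}")
    for when, client in early:
        print(f"PRE-OUTBREAK lookup from {client} at {when.isoformat()} - investigate")
```

Inside an organisation, every host in `hosts` that queried after the domain was sinkholed is a likely infection that the kill switch stopped and still needs patching; a pre-outbreak query is the sort of artefact that, on a global passive DNS feed, could point back to the authors' own tests.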

Following the Money

To make it easy to track who has paid, and to restore only the files of paying victims, large-scale ransomware campaigns usually generate a unique bitcoin address for every infection.

In contrast, WannaCry uses just three hard-coded bitcoin addresses for all ransom payments. A payment to a shared address cannot be matched to a particular victim, which makes it difficult to keep track of who has paid and calls into question the creators' intention, or ability, to actually restore locked files even when the Bitcoin payment is made.

However, Bitcoin is not as anonymous as most criminals appear to believe; it is pseudonymous. Every transaction is publicly recorded in the blockchain, creating a permanent spending log, and analysis of those transactions can help investigators follow the flow of money from the ransom addresses, through any intermediate wallets, to the point where it is cashed out and hopefully to the criminals themselves.
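The two analyses the paragraphs above describe, totalling payments into the shared addresses and following the money forward, as an added example that is not part of the original article. The addresses, amounts and transactions below are constructed for this demonstration; real analysis works on the public blockchain, where every transaction's inputs and outputs are visible to anyone.

```python
"""
Follow ransom payments through a simplified transaction graph.

Added example, not from the original article. Amounts are integers in
satoshis (1 BTC = 100,000,000 satoshis) to avoid floating-point error.
"""
from collections import deque

BTC = 100_000_000

# Three constructed addresses standing in for WannaCry's hard-coded ones.
RANSOM_ADDRESSES = {"ransom_A", "ransom_B", "ransom_C"}

# Constructed ledger. Each transaction spends from its input addresses and
# creates (address, amount) outputs. t1 has no inputs (it funds the victims).
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("victim_1", BTC // 2), ("victim_2", BTC // 2), ("victim_3", BTC // 2)]},
    {"txid": "t2", "inputs": ["victim_1"], "outputs": [("ransom_A", 17 * BTC // 100), ("victim_1", 33 * BTC // 100)]},
    {"txid": "t3", "inputs": ["victim_2"], "outputs": [("ransom_A", 17 * BTC // 100), ("victim_2", 33 * BTC // 100)]},
    {"txid": "t4", "inputs": ["victim_3"], "outputs": [("ransom_C", 17 * BTC // 100), ("victim_3", 33 * BTC // 100)]},
    # The operator sweeps two ransom addresses together into one transaction.
    {"txid": "t5", "inputs": ["ransom_A", "ransom_C"], "outputs": [("sweep_1", 51 * BTC // 100)]},
    {"txid": "t6", "inputs": ["sweep_1"], "outputs": [("hop_1", 30 * BTC // 100), ("hop_2", 21 * BTC // 100)]},
]


def received(ledger, addresses):
    """Total satoshis paid into each watched address."""
    totals = {a: 0 for a in addresses}
    for tx in ledger:
        for addr, amount in tx["outputs"]:
            if addr in totals:
                totals[addr] += amount
    return totals


def payers(ledger, addresses):
    """Addresses that paid into the watched set. With a shared ransom address
    the operator sees that *someone* paid but cannot tell which victim."""
    result = set()
    for tx in ledger:
        if any(addr in addresses for addr, _ in tx["outputs"]):
            result.update(tx["inputs"])
    return result


def trace_forward(ledger, start_addresses, max_hops=5):
    """Breadth-first walk following every spend out of the start addresses.
    Returns {address: hop count}, 0 for the start addresses themselves."""
    by_input = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            by_input.setdefault(addr, []).append(tx)
    hops = {a: 0 for a in start_addresses}
    queue = deque(start_addresses)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in by_input.get(addr, []):
            for out_addr, _ in tx["outputs"]:
                if out_addr not in hops:
                    hops[out_addr] = hops[addr] + 1
                    queue.append(out_addr)
    return hops


def co_spent_clusters(ledger):
    """Common-input-ownership heuristic: addresses spent together as inputs
    of one transaction are assumed to be held by the same key holder.
    Returns the clusters of size > 1 (union-find over inputs)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger:
        ins = tx["inputs"]
        for a in ins[1:]:
            ra, rb = find(ins[0]), find(a)
            if ra != rb:
                parent[rb] = ra
    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return [c for c in clusters.values() if len(c) > 1]


if __name__ == "__main__":
    for addr, sats in received(LEDGER, RANSOM_ADDRESSES).items():
        print(f"{addr}: {sats / BTC:.8f} BTC received")
    print("paid by:", sorted(payers(LEDGER, RANSOM_ADDRESSES)))
    print("downstream:", trace_forward(LEDGER, RANSOM_ADDRESSES))
    print("same-owner clusters:", co_spent_clusters(LEDGER))
```

The sweep in `t5` is the moment investigators wait for: spending two ransom addresses in one transaction ties them to a single wallet, and every hop after that is public, so the trail only goes cold where the coins reach an exchange or mixer that is unwilling or unable to identify its customer.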

Collecting The Money

All eyes are now on where and when the criminals collect the money, and on any leads as to who actually collects it, since moving coins out of the three ransom addresses is the point at which investigators hope to pick up a trail. The total ransom paid so far is estimated at £39,000, which many commentators have noted is a relatively small sum for a crime of this scale.

What Does This Mean For Your Business?

The massive ransomware attack that infected an estimated 300,000 computers in 150 countries, many belonging to large, well-known businesses and organisations (including 16 health service organisations in the UK), has been a massive Internet and data security wake-up call.

Internet and data security, particularly with GDPR due to come into force next year, must now be given high priority by businesses and championed at board level.

The danger, and false economy, of running old, unsupported operating systems for as long as possible has been painfully exposed by this attack.

One piece of sheer luck with WannaCry is that the domain written into its core code had not been registered, so a security researcher was able to stop its spread by registering the domain himself. It is highly likely that more large-scale ransomware attacks will follow in the near future, and for businesses, relying on luck and minimal preparation is not an option.

Businesses need to take a range of measures to ensure that they are well defended against known cyber threats and prepared for the aftermath should those defences be breached. Preparation should include applying security updates and patches promptly (the fix for the flaw WannaCry exploits had been available for two months before the outbreak), isolating or retiring legacy systems that cannot be patched, keeping anti-virus software up to date, backing up all important data regularly and storing the backups where ransomware on the network cannot reach them, training all staff to spot and correctly handle potential threats, and having workable, tested Disaster Recovery and Business Continuity Plans in place.