As of now, the three addresses have received a total of about 20 BTC, or about $36,000 at current exchange rates. The most typical transaction sends about $300 to the addresses. No funds have left the addresses yet.
This is pretty common: whenever there is a Bitcoin theft, people send small amounts of Bitcoin to the suspected theft address. I believe they do it as a means of tracking what happens to the stolen funds. It keeps them from having to keep track of every address; instead they just send a small amount of BTC to it, and then they just need to remember their wallet address in the future to track all the addresses they "marked".
Another theory is that it's law enforcement. In order to get a conviction, their case is improved if they can show a trail of money, just in case they can't get a witness that paid the ransom to testify with proper documentation.
Not enough to make up for having every spy agency on your back. Is there a realistic way to get the funds free and clear even if NSA /FBI /CIA / et al are on your trail?
I don't know, but I can think of a few possibilities:
1. The amount demanded varies from incident to incident. Bitcoin is fractional to 8 decimal places, so it's possible to narrow down the list of victims by the last N digits of the payment.
2. The original demand for payment includes instructions to list the address you sent from. This would be a lame solution for many reasons, including (1) these victims are probably all new to Bitcoin and would have no idea what an address is, and (2) according to an article I read, some security consultants keep a Bitcoin wallet handy to pay on behalf of their clients, leading to duplicate payer addresses.
3. Same as #2 but demanding that the victim include the transaction ID, which is a long hex string. Similar usability issues.
4. It's possible to embed metadata into Bitcoin transactions. As with the prior approaches, victims would likely get this wrong.
Most likely there's a human criminal on the other end of the exchange, and that human matches up victims and payments.
Because the paying victims are surely unsophisticated about Bitcoin and terrified about what is happening to them, it seems likely that the risk of one victim claiming another victim's payment is small, so the manual match-up method is probably the most practical solution from the criminals' standpoint.
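The amount-tagging idea in item 1 above, written out as an added example (this is not code from the thread, and the victim names, the 0.17 BTC headline amount and the 4-digit tag width are all made up for illustration). The low-order satoshi digits of each demanded amount carry a victim identifier, so an incoming payment identifies its payer by itself; the demo also shows the two ways the scheme fails: a victim who rounds to the headline amount, and a wallet that deducts the fee from the amount instead of adding it on top.

```python
"""Added example, not code from the thread: the amount-tagging scheme from
item 1 above (encode a victim identifier in the low-order satoshi digits
of the demanded amount, so payments match themselves to victims).
All names and amounts are made up for illustration."""
import secrets
from typing import Dict, Optional, Tuple

SATOSHI_PER_BTC = 100_000_000


class RansomLedger:
    """Hands out per-victim amounts and matches payments back to victims."""

    def __init__(self, base_satoshi: int, tag_digits: int = 4) -> None:
        # The headline amount with the tag digits zeroed, e.g. 0.17000000 BTC.
        self.tag_mod = 10 ** tag_digits
        self.base = base_satoshi - (base_satoshi % self.tag_mod)
        self.by_tag: Dict[int, str] = {}

    def assign(self, victim_id: str) -> int:
        """Return the exact amount (in satoshi) this victim is told to pay."""
        if len(self.by_tag) >= self.tag_mod - 1:
            raise RuntimeError("tag space exhausted; use more tag digits")
        # Tag 0 is reserved so a round-number payment never matches anyone.
        while True:
            tag = secrets.randbelow(self.tag_mod - 1) + 1
            if tag not in self.by_tag:
                break
        self.by_tag[tag] = victim_id
        return self.base + tag

    def match(self, paid_satoshi: int) -> Optional[str]:
        """Identify the payer from the low-order digits of the amount.
        Returns None when the amount carries no known tag (e.g. the victim
        rounded, or a fee was deducted from the amount rather than added)."""
        return self.by_tag.get(paid_satoshi % self.tag_mod)


def btc(satoshi: int) -> str:
    """Format a satoshi amount as BTC with 8 decimal places."""
    return f"{satoshi / SATOSHI_PER_BTC:.8f}"


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Two victims, three payments: exact, rounded, and fee-deducted."""
    ledger = RansomLedger(base_satoshi=17_000_000, tag_digits=4)  # ~0.17 BTC
    amt_a = ledger.assign("victim-A")
    # Wallet took the fee out of the amount: tag digits destroyed, no match.
    fee_deducted = ledger.match(amt_a - 12_000)   # None
    amt_b = ledger.assign("victim-B")
    exact = ledger.match(amt_b)                   # "victim-B"
    rounded = ledger.match(17_000_000)            # None: round headline amount
    return exact, rounded, fee_deducted


if __name__ == "__main__":
    print(demo())
```

The same tail-digit idea works from the analyst's side too: grouping payments into an address by their low-order digits is how one would test whether a campaign is using this scheme at all. The failure cases are exactly the odd amounts reported elsewhere in this thread (US$178, US$332 and so on), which is why a human doing the matching, as the comment concludes, ends up being the practical approach.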
> Because the paying victims are surely unsophisticated about Bitcoin and terrified about what is happening to them, it seems likely that the risk of one victim claiming another victim's payment is small, so the manual match-up method is probably the most practical solution from the criminals' standpoint.
Is it really that small? What's stopping a victim from claiming someone else's payment by watching transactions and notifying the criminal that "their" payment has been sent?
If you barely understand how computers work, but you know your business's accounts receivable file is gone, and somebody is saying they will retrieve it if you send them some weird internet money, you're probably going to do exactly what they say rather than view this as a great opportunity to scam a scammer.
Plus, the criminals they might be trying to scam are almost certainly the victims' only hope of obtaining the symmetric encryption key (there are exceptions; some of these programs have been shown to be written by people not entirely clear on how crypto works -- single global key, obfuscated key on client machine, etc.). By definition, the only people interested in paying are the people who have no backups of data they need, so they have no options, and taking the risk of pissing off the criminal doesn't really make sense.
Moreover, for all we know, some victims haven't figured out that they're paying the same people who did the encryption in the first place. From their point of view, this is just like buying antivirus software or taking their computer to Geek Squad.
Sometimes they accidentally weaken the algorithm (like by chopping its key bits in half through a weak RNG). Crypto is hard, even when the scammer probably has a good grasp. Which is useful in this case.
A cursory analysis of the bitcoin addresses for this malware suggests that sending US$300 in BTC can be difficult. I see sends of US$178, US$189, US$332, US$280, US$362, US$220, etc.
Except that supposedly the CNC servers that allow users to contact support and get the key for their files have been down for some time now. The creator may well have done a runner once they realised just how much of a bad idea this was.
It's hard to evaluate whether that's a good or bad thing. It'd be good if the victims got their files back. So you want to keep the server up. But this kind of scam must be stopped. So you want to kill the server quickly so scammers understand the scheme is unlikely to be profitable.
Unfortunately the economics probably work out the same way spam does, meaning it won't go away. All it takes is a couple people to pay up to make it profitable, because the criminal doesn't bear the cost of distribution.
So, it would seem reasonable to assume that around ~120 people/entities have caved in to the ransom demand and paid the USD 300? I wonder if they all actually got their files decrypted?
What surprises me about this case is how little information there is about that. Has anyone paid? Did they get their content back? If so, that would encourage others to pay up, making this attack more profitable, and more likely in the future. So I suppose that's why everybody keeps quiet about this. But for important systems, $300 is very cheap compared to restoring the system from backup including all the missed operation time, so I can imagine a lot of people would be tempted to pay.
If really only 120 people paid, I'd find that quite surprising.
I don't quite understand how WannaCry became such a big deal. Ransomware is already an old thing, SMB worms even older. WannaCry didn't even use a 0day ffs; the patch for this was already published a few months ago (and not particularly quietly, I might add). There is very little novel about WannaCry as far as I can tell. Additionally W10 apparently was not vulnerable in the first place.
All this, and still WannaCry hit the main evening news, which at least around here is a somewhat high bar. Not sure what to think about that.
>>the patch for this was already published few months ago
2 months ago, March 17th, and many organizations do not patch as often as they should. Many have even started delaying longer since MS patches of late have been causing more problems for people: breaking Office, breaking WiFi and breaking other critical systems, with MS's normal response of "oops, our bad, we'll fix it in another month, until then get fucked".
> Additionally W10
Win10 has about a 12% market share, about the same as Windows XP still does.
Win10 has not been widely adopted outside the consumer market.
>All this, and still WannaCry hit the main evening news,
Made the news because of the number of systems, and the number of high-profile systems like hospitals that were infected, not because it was a technical marvel of malware engineering.
It also made the news because the NSA is indirectly responsible for not disclosing these vulnerabilities when they were discovered until they weaponized them for their own gain. While I do not blame the NSA for this infection, I believe they should be forced, today, to disclose to all software vendors any other vulnerabilities they want to play hacker with....
>Many have even started delaying longer since MS patches of late have been causing more problems for people breaking Office
It's not just Office that's an issue, it's Windows Update itself. In late 2016 both a Vista and a Windows 7 machine stopped updating. The Windows Update service on both just hung at 100% CPU time, not updating anything. I didn't actually realise for a few months. Apparently it's a common problem, and the only solution is to manually download and install all the updates. Even after doing that, the problem kept occurring.
I've now upgraded everything to Windows 10, and so far no problems.
You can postpone general updates while still having critical/security updates go through at the normal pace.
And, shouldn't a workplace be set up for re-imaging if updates go wrong? I know it's easy to just store files in C:\user\name\documents, but then it makes it just as easy to be forced to pay $300 for each computer in the network.
Many of these infected systems are server systems, not end-user desktops.
That said, yes, in a perfect world everyone would have perfect backups and perfect imaging systems that make ransomware a non-event; we do not live in a perfect world and it is easy to Monday-morning QB the IT staff.
Most IT depts are understaffed and corners are cut because you have to keep your head above water; businesses do not want to pay for proper staff or proper infrastructure.
IT is a "cost center" that should be cut every year in perpetuity; after all, everything is working, so why do I need to pay you to sit there all day?
For one thing it hit UK hospitals in a major way. That's not something that happens every day. If this was just hurting some random people we probably would hear a lot less about it. It's not the technology but more the impact (though those two are related).
> the patch for this was already published few months ago
On an OS where even the biggest geek advocates insist on running outdated versions (7) + "Common Sense 2017" virus protection and institutions don't want to foot the bill for an XP system upgrade.
It's because Microsoft tries to milk some old cows who remained on an old Windows for some additional protection money. (Which is by definition: CostOfRewrite + Deploy + Retraining Employees + Fencing off adware-infected-by-default OS - 1 $)
I think the long-term solution is delayed execution. Meaning everything entering such an old, but functional, system, no matter what port, will have to get through a VM that simulates a near-similar working computer and checks for data availability. Once the safety of the arriving chunk is confirmed, the data is mirrored up.
One day someone is going to write a filesystem filter driver that does this and build in a much longer delay, which will allow the malware to spread for a lot longer before dumping the keys and demanding ransom.
The filter driver would ensure access to the files continues transparently even though the underlying data is encrypted.
I don't understand how a machine becomes infected; it is perhaps not very clear yet? This article explains receiving an email containing a link OR a PDF with a link to a .hta file? What a strange sentence. Can one get infected without user interaction, or even with a passive client?
Yes, a vulnerable system can get infected without user interaction.
This malware somehow got seeded, either by (1) direct scanning the internet for vulnerable systems, or (2) traditional "open-this-link / install-this-file" emails/downloads. Maybe that's why we see at least 3 bitcoin addresses: 3 different "seeding" groups.
Corp networks shouldn't be accepting outside SMB connections, and home routers will block them too, so that's where user-initiated emails/downloads come in (or someone connecting an outside laptop).
From what I gather, it tends to be one person in an organisation opening a dodgy attachment, then it spreads through the internal network via an unpatched SMB flaw.
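A quick way to verify the first half of that comment for your own perimeter, as an added example (not code from the thread): given a list of hosts, report which ones complete a TCP handshake on port 445 from wherever the check is run. The demo target is a listener on 127.0.0.1 constructed inline so the block runs offline; the host list, port and timeouts are illustrative, and this is a reachability check only, not a test for the SMB flaw itself.

```python
"""Added example, not code from the thread: a reachability check for the
point above (SMB should not be accepting connections from outside). Given
a list of hosts, it reports which ones complete a TCP handshake on port
445. The demo target is a local listener constructed inline so the block
runs offline; hosts, ports and timeouts here are illustrative."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


def smb_port_open(host: str, port: int = 445, timeout: float = 2.0) -> bool:
    """True if host:port accepts a TCP connection (a reachable SMB service
    when port is 445); False on refusal, timeout or lookup failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_smb(hosts: Iterable[str], port: int = 445, timeout: float = 2.0,
             workers: int = 32) -> Dict[str, bool]:
    """Check many hosts concurrently; returns {host: reachable}."""
    targets = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: smb_port_open(h, port, timeout), targets)
    return dict(zip(targets, results))


def demo() -> Dict[str, bool]:
    """Scan a constructed local listener, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # any free port, chosen by the OS
    listener.listen(5)
    port = listener.getsockname()[1]
    while_listening = scan_smb(["127.0.0.1"], port=port, timeout=1.0)["127.0.0.1"]
    listener.close()
    after_close = scan_smb(["127.0.0.1"], port=port, timeout=1.0)["127.0.0.1"]
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    # Real use: scan_smb(your_public_addresses) from outside the network.
    print(demo())
```

Run it from outside the perimeter against the organisation's own public ranges; any host that comes back True is accepting SMB from the internet, which is the exposure the comment says should not exist. Inside the network the same scan over the desktop and server ranges shows how far a single infected machine could reach over 445.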
That, or they bring a work computer home, get infected, then bring it back to work. Could happen if the network they got infected on resolved all domains (so it didn't execute then), but their corporate network didn't.
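The lookup decision that comment is relying on, written out as an added example (not code from the thread, and not the worm's own code): the check is modelled only from the thread's description, where the worm runs if the domain does not resolve and stands down if it does. The domain name is a placeholder and the three resolvers are constructed stand-ins for a home network that answers for any name, a corporate resolver before the domain was registered, and the same resolver after registration (the "killswitch URL was registered" mentioned further down).

```python
"""Added example, not code from the thread: the check the comment above is
describing, with the resolver injected so the three environments can be
compared offline. The domain name is a placeholder (the real one is not
given here) and the resolvers are constructed stand-ins for the networks."""
import socket
from typing import Callable, Dict, Optional

# Placeholder only; the real kill-switch domain is not reproduced here.
KILLSWITCH_DOMAIN = "killswitch.example.invalid"

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Real DNS lookup: an address on success, None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def should_run_payload(resolver: Resolver = system_resolver) -> bool:
    """The logic as described in the thread: proceed only if the domain
    does NOT resolve; a successful lookup makes the worm stand down."""
    return resolver(KILLSWITCH_DOMAIN) is None


# Constructed network environments (not measurements of real networks).
def resolve_everything(name: str) -> Optional[str]:
    """Home/hotel/captive-portal style DNS that answers for any name."""
    return "10.0.0.1"


def nxdomain_resolver(name: str) -> Optional[str]:
    """Corporate resolver returning NXDOMAIN for an unregistered name."""
    return None


def sinkholed_resolver(name: str) -> Optional[str]:
    """After the domain was registered and sinkholed: a real answer."""
    return "192.0.2.10"


def laptop_journey() -> Dict[str, bool]:
    """Would the payload run at each stop of the scenario above?"""
    return {
        "home (resolves all domains)": should_run_payload(resolve_everything),
        "office, before registration": should_run_payload(nxdomain_resolver),
        "office, after registration": should_run_payload(sinkholed_resolver),
    }


if __name__ == "__main__":
    for place, runs in laptop_journey().items():
        print(f"{place}: {'runs' if runs else 'stands down'}")
```

The example only models the lookup decision; whether the dropper gets executed again once the laptop is back on the office network is the comment's own assumption. The last row is the flip side worth remembering: once the domain resolves everywhere, the same check stops the worm on networks that were previously exposed, until a variant without the check shows up.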
To mitigate, install security patches in a timely manner.
Also note that only works on Windows 7 and later; dism is not a tool for XP or Windows 2003, which seem to be the largest numbers hit by this since there were no patches for them.
In this case it is passive. SMB in unpatched Windows has a remote code execution vulnerability that allows attackers to execute arbitrary code on your system without your knowledge or interaction.
Does anyone have an estimate of how much money WannaCry has made in total?
Incentives matter, and if the ransomware developers are actually getting paid a lot, they will continue exploiting these vulnerabilities. On the other hand, if it turns out people don't actually bother paying despite being locked out of their computers, would the hackers even bother continuing this line of attack?
I saw an article claiming they had infected a third of a million computers by 1-2 days ago. Google claims that private ransomware programs claim a 3% conversion rate, and because this one was spread by worm it is likely to have a greater rate of PCs in business settings (as they are networked) compared to normal. So at least 5 million dollars (avg payment of $450?) and probably pushing up to 8 million by now.
Perhaps a ransomware/malware criminal reading this can make a throwaway and provide a better estimate.
$18,000 (or $36,000 as another comment suggests) seems incredibly low for "The largest ransom-ware infection in history"... how can this be worth it for the hackers?
Depends on where they live. For most people on Earth this is a very large sum of money that will go a long way (just not 'here' in the countries where the virus spread).
Since this happened over the weekend I am sure there are many businesses in for a nasty surprise on Monday, as well as users getting in contact with their "Technical Help" on Monday.
So I bet their plan was to infect as many as possible over the weekend, and see money roll in come Monday once the Business Decision makers are in play and IT has had time to say "Yea our backups are fucked so we either pay or lose all data"
It started at 0700 on Friday, UK time. The infections of businesses in the Americas and EU have been done. Asia might be unscathed since the "killswitch" URL was registered. Until it mutates.
Lots of money might pour in on Monday as those infected decide that paying the ransom maximizes business continuity.
Theoretically there's nothing legally stopping a NSA/GCHQ tag team from mercilessly hunting down and destroying ransomware operations.
NSA only has red tape when it comes to U.S. citizens, but GCHQ doesn't. GCHQ's mandate also includes serious organized crime. Moreover, considering the damage ransomware can do to critical government infrastructure (for example NHS), it's not a stretch to imagine that targeting ransomware operations would fall under legitimate national security grounds.
Personally I'm surprised they don't just completely fuck these people up to set an example. On the other hand, there's always the possibility WannaCry could be a mud slinging attempt from a state actor, given the much-publicized fact it uses leaked NSA vulns.
There are three reasons for hunting down and persecuting perpetrators of crime: vengeance, setting an example, and undoing the damage.
Only the last reason makes any practical sense here.
This attack works, so there will be others in the future, but it will happen regardless of the threat of punishment. Sure, if you set an example some people might be deterred, but surely not the bright hacker in a basement in Yekaterinburg, or the determined gang in Nigeria, or the mobsters in Chengdu City; i.e., anyone, anywhere without much to lose?
It also puts pressure on governments that in the past don't cooperate with extraditions.
Putting 50% of your diplomats on a plane with 48 hours' notice sends a message; you can also start having the IRS / HMRC investigate rich expats friendly to the regime.
>Only the last reason makes any practical sense here.
Admittedly there's only so much damage SIGINT agencies can do, but if you get other intelligence agencies involved that have a more human side about them, that changes.
It's at least within the realm of possibility (as far as I'm naively aware) that whoever did this didn't fuck up too badly and they're simply unable to track them.
I think that is a bit disingenuous. The worm spreads through a hole that was known to the NSA and publicly disclosed and patched a few months ago. That is hardly something I'd call an "NSA tool"; they didn't make the hole (to the best of our knowledge).
Sure, it would have been nicer if the discoverer would have been more forthcoming about the vulnerability, but that would have not really changed the fact that this exploitation happened well after the public disclosure and patch availability.
1. It was more than just a known known flaw; there were actual tools released. It was not simply "hey, we know this flaw in SMB is there".
2. Timely disclosure is very important, and could have in fact prevented this. If the NSA knew about this years ago then chances are far far far far more systems, including the older XP/2003 systems, could have been patched, and some systems may never have had the flaw at all. So it is completely false to say that even if the NSA had disclosed it when they found it everything would have still happened the way it did. The patches were only released for Win7/10/2008/2012 2 months ago; many companies hold back MS patches for anywhere from 1 to 3 months because MS has shitty quality control. On top of that MS stopped allowing individual patches, instead going to an "update rollup", meaning you take all of MS's shitty patches or none of them.
Further, XP and 2003 patches were not released until Sat.
1. I'm not convinced that the tool release was instrumental for the success of this worm, considering the timeline. Besides, having PoC code for public vulnerabilities is not exactly rare.
2. If a worm is based on the disclosure and hits two months after public disclosure of a hole, then it doesn't really matter if that disclosure happens in 2014, 2017, or 2020. Heck, in this case specifically it could be argued that the delay has been beneficial because we are now better equipped in general to manage such attacks.
If you can't get critical security patches deployed in two months, then it is your problem, not the NSA's or MS's. If you can't deal with MS patch quality then don't frikkin use their software.
Running XP/2003 in a non-isolated environment is irresponsible as hell and utterly inexcusable. This sort of infection was a completely predictable outcome for XP/2003. Considering that MS was under no obligation to patch XP/2003, I can't imagine what the admins were planning to do in this inevitable situation other than bury their heads in the sand.
> If a worm is based on the disclosure and hits two months after public disclosure of a hole, then it doesn't really matter if that disclosure happens in 2014, 2017, or 2020. Heck, in this case specifically it could be argued that the delay has been beneficial because we are now better equipped in general to manage such attacks.
First off I never said disclose publicly, I said disclose to software vendors.
Further, you cannot know that if it had been disclosed soon after discovery (which I personally believe was long before 2014; it has probably been in the NSA inventory for a decade or more) it would have had a worse impact, or that a ransomware worm would have been developed 2 months later.
Ransomware is relatively new in this kind of attack; most likely if this had been released in, say, 2007 it would have been a spam botnet or a DDoS botnet if anything, not ransomware.
>>>If you can't deal with MS patch quality then don't frikkin use their software.
Ohh that is the dream. I use bullshit like this to advocate dropping MS like a bad habit, every year I get more traction in my crusade to rid my company of MS
Everyone talks about how people get infected, but is there a guide around somewhere about how I protect my computer from such attacks? I install all updates and I have an antivirus program, but I don't know what else I can do.
Don't open dodgy files (like in emails), or if you must, do it in a VM.
Run adblock and no-script on your web browser, only visit trusted sites. If you must, use a VM.
Don't download and install software you don't trust. Either it should be a big company in the news regularly, have good reviews from people you trust, or it should be open source. If you must, use a VM.
Backup your files regularly (and have offline backups, the data is the most important thing), reinstall your OS regularly (this gets rid of old and outdated software you don't remember; because I doubt you install all updates, have you updated Java recently? How about adobe flash or reader? How about the chipset drivers that likely came with your machine?).
I'm more interested in the passive infections where I get infected without my prior actions (some comments say it is possible). Java is not a good example because I program (sometimes in java) and it is always up to date. I uninstalled Flash and I have the automatic updates enabled in all software I use day-to-day. Doing regular re-installs is a good idea though. Thanks for the tip.
It uses a vulnerability that allows another computer on the same network to execute arbitrary code on your computer. So you work for a UK hospital, your co-worker downloads an attachment and executes it, and that can be enough to get on your machine if it doesn't have up-to-date security patches.
Yes, the 'WannaCry Ransomware Attack' is the largest ransom in history. However, it's time to increase Windows security and updates, so that no one can do this in future. https://wuinstall.com/
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX... https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is... https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...