The WannaCry ransom attack that quickly circled the globe last week is not yet fully contained. So far, it has impacted more than 300,000 computers in 150 countries. However, one of the remarkable things about it is that only a trifling US$100,000 in ransom, give or take, apparently has been paid.
Hackers behind the WannaCry attack originally demanded victims pay between $300 and $600 in bitcoin for every encrypted computer. Only about $70,000 in payments were known to have been made as of Monday, Trump administration officials said.
That represents a surprisingly low response from an attack generally considered the biggest ever.
The WannaCry attack resulted from the theft of a hacking tool from the National Security Agency, Microsoft has charged.
A hacking group known as the “Shadow Brokers” has been blamed for stealing surveillance tools from both the NSA and the CIA and then leaking them online.
Great Scale, Small Sophistication
There are several possible explanations for the relatively low haul the WannaCry attackers have taken, suggested Kevin O’Brien, CEO of GreatHorn.
The attack was widely publicized, its kill switch was identified early, the malware was poorly coded from a profit perspective, and the attack was amateurish overall, he told the E-Commerce Times.
Even so, “while the total take is expected to cap out under $200,000, it will continue to grow over the coming days as the ransom almost doubles,” O’Brien said.
The use of four preassigned bitcoin addresses makes it nearly impossible for the attackers to figure out exactly when a victim pays, he said. Since the decryption key has to be sent manually to the victim after payments are verified, the victims are unlikely to get their data back, which further reduces the incentive to pay a ransom.
“We strongly recommend not paying the ransom in any case of ransomware infection,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro.
Ransomware is almost always a financially motivated crime, he told the E-Commerce Times, and paying ransom incentivizes cyberthieves to invest in new tools and attack more victims.
University of Calgary Attack
Sometimes paying a ransom appears to be the wiser course of action, though.
The University of Calgary was hit with one of the largest acknowledged ransomware attacks in Canada’s history in May of last year. University officials first realized something was wrong when critical system errors showed up on a monitoring log at 500 endpoints. Investigation of the anomaly turned up a ransom note.
The attackers said they had encrypted the school’s data and were holding it for ransom, according to Linda Dalgetty, vice president of finance and services at the university.
They offered two options, she told the E-Commerce Times. The university could pay individual ransoms to unlock each computer, or it could pay a single ransom of CA$20,000 within seven days.
Officials reviewed the university’s cyberinsurance policy and brought in a data breach coach — a lawyer who specialized in cyberattacks. They also enlisted Deloitte Global as a third-party consultant to the university. Eventually, they contacted the Calgary Police Service to investigate.
The university was in a dilemma, as 10,000 faculty and staff emails were locked down, and the extent of the attackers’ access to data was unclear. Also, being victimized by ransomware was a crisis that many organizations did not acknowledge publicly a year ago.
“Our biggest issue was we only knew what we knew,” Dalgetty recalled, noting that many faculty were off site or had left campus for the summer, and much of the data was backed up on local drives that were compromised by the attacks.
After working with the breach coach and Deloitte, the university was able to obtain a “proof of life” key to get reassurance that the attackers had the data they said they did.
Working with an unrelated third-party entity to avoid exposing its IT systems, the university paid the ransom in bitcoins, and decryption keys were released. All faculty and staff were able to access their data less than two weeks after the attack.
The University of Calgary’s experience is unique in a couple of ways. Most obvious is that a high-profile ransomware victim rarely is as open and transparent about its handling of such a cyberattack.
Organizations ranging from Sony Pictures to NASA in recent years have fallen prey to similar cyberattacks, with the latter hit by CryptoLocker malware in 2013.
Actual Tally Unknown
In the case of the WannaCry attack, it’s still too soon to determine how much ransom actually has been paid to the attackers, contended Vikram Thakur, technical director at Symantec.
The publicly known ransom figures are based on three bitcoin wallets that the attackers provided as a fallback, he noted.
The attackers provided unique bitcoin wallets to individual victims, and any ransom payments made through those wallets were not counted in the official estimates, Thakur told the E-Commerce Times.
Still, there are no guarantees that a victim actually will receive a decryption key after paying a ransom to cyberthieves, he acknowledged, making the decision to pay a ransom a difficult call.
“It’s a critical decision someone needs to make about whether to fund criminals and whether to spend corporate dollars with unknown probability of getting your data back,” Thakur said.
Symantec’s security software has prevented 22 million attempts by the WannaCry attackers to penetrate machines across 300,000 endpoints, the firm claimed.
North Korea Connection?
The WannaCry attack could be linked to the North Korea-backed Lazarus Group, based on some similarities in the code found in the attack tooling, according to multiple reports.
Symantec has found two possible links between WannaCry and the Lazarus Group, Thakur said, including shared code between the WannaCry ransomware and known tools used by Lazarus, and exclusive tools used by Lazarus that were found on machines infected with earlier versions of WannaCry.
While not conclusive, he said, there is enough evidence of similarities to warrant further investigation.