The WannaCry ransomware attack on computer systems all over the world last weekend is one of the most far-reaching digital disasters of the Internet era. But what at first looked like the work of gifted hackers looks more and more like sloppy amateur work in the eyes of security experts, because the criminals behind WannaCry made avoidable mistakes at practically every turn.
While the ransomware attack nicknamed WannaCry (also known as WCrypt) is still in progress, the international community of Internet security experts is above all astonished by the numerous flaws of the malware's developers.
The hackers were able to infect more than 200,000 computer systems in 150 countries by exploiting a security vulnerability in Windows XP. This is a weakness in the Microsoft operating system that the US intelligence agency NSA had known about for a long time but kept to itself, in order to use it as a secret backdoor.
The malicious software, designed to extort ransom money, paralysed British hospitals, infected ATMs and knocked out timetable displays at the German railway. But analysts now say that a number of developer failures severely limited the extent of the attack and the potential haul.
The weak points include: a built-in kill switch that a malware expert was able to find quickly, preventing worse; clumsy handling of the ransom payment in Bitcoin, which makes it easy for professionals to trace where the proceeds go; and finally the implementation of the extortion function in the software itself. The ransomware is so sloppily programmed, experts say, that its developers cannot tell which victims paid for the release of their data and which did not.
The fact that an attack that was apparently planned so amateurishly could nonetheless have such far-reaching consequences shows that if professional criminals take WannaCry as a model and perfect the principle, the damage could be significantly larger.
So far, the WannaCry hackers have taken in the equivalent of around 60,000 euros, a fraction of the millions in profit that professionally made ransomware attacks can otherwise bring. The damage is high, public attention is even higher, the police and judicial authorities are on alert, and at the same time the profit margin is as low as has ever been seen in a moderate or even a small ransomware attack.
The meagre profit is at least partly due to fundamental weaknesses in the ransom function, says Matthew Hickey of Hacker House in London, a provider of security services. When Hickey examined the extortion software over the weekend, he found that the code lacked a crucial function: WannaCry does not automatically check whether a victim has paid the $300 ransom by giving each payment, which is made in Bitcoin, its own uniquely identifiable Bitcoin address. Instead, the hackers rely on four Bitcoin addresses hard-coded into the software.
As a result, instead of being able to verify payments automatically, the attackers have to check each case by hand. That might work with a manageable number of extortion victims, but with hundreds of thousands it becomes impossible. This method, the expert warns, inevitably means that the criminals do not attend to the victims, even when the victims pay the ransom.
The four static Bitcoin addresses not only make work harder for the hackers; they also make it easier for security experts and judicial authorities to track down the criminals as soon as anyone tries to cash out the Bitcoin, because all transactions in the cryptocurrency are publicly visible thanks to the so-called blockchain.
“One might think that geniuses were at work here. After all, the programmers have turned a security gap created by the NSA into a computer virus,” said Rob Graham, an analyst at the service provider Errata Security. “That, however, is the only real achievement of these people; in every other respect, they are zeros. The fact that they use static Bitcoin addresses instead of dynamically allocating one to each victim shows how limited these people are in their thinking.”
Cisco analysts say they found a pay-button function in the ransomware's code, even though the program does not verify at all whether someone actually paid for the data. Instead, Williams explains, pressing the button causes the software to display one of three randomly selected error messages or a fake decryption message.
If the hackers actually help their victims recover their data, it happens manually or through direct communication after someone clicks the “Contact” button, or the perpetrators send decryption codes to a random handful of victims. This element of chance gives victims little incentive to engage with the extortion.
It is true, of course, that WannaCry has spread faster and further than any other extortion software before it. The hackers' use of a Windows security vulnerability called EternalBlue, which originated with the NSA, led to a malware epidemic of unprecedented proportions.
But even looking only at how WannaCry was programmed to infect computer systems, the developers made enormous mistakes. It is inexplicable, for example, that they decided to build in a kill switch that allowed the software to be deactivated via a particular Internet address, which is exactly what promptly happened.
Security experts speculate that this feature was meant to keep the malware from being exposed when run in a virtual analysis environment. But on Friday, shortly after the attack began, an independent security researcher known as MalwareTech discovered the weakness and registered the Internet domain, which triggered the kill switch and stopped WannaCry from spreading further.
A new version of the malware, which used a different Internet address for the kill switch, appeared over the weekend. But this one was also found quickly: Dubai-based security expert Matt Suiche registered the domain as soon as the new version emerged, and thus stopped the modified WannaCry version from spreading further.
It is a mystery to Suiche why the hackers did not come up with the idea of querying the kill-switch domain dynamically instead of hard-coding it into the malware. Making the same mistake twice makes no sense, especially when the mistake is one that neutralises WannaCry.
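As an added illustration, not code from the article, here is how a defender could triage DNS logs around the kill-switch mechanism described above: the worm looks up a hard-coded domain and halts only if the lookup succeeds, so a failed lookup means the worm carried on, while a successful (sinkholed) lookup means it ran but stopped. The domain name, log format and log lines are constructed placeholders, since the article does not name the real domains.

```python
"""Triage DNS logs for lookups of a WannaCry-style kill-switch domain.
Added example; the domain and log lines below are constructed placeholders."""
import re
from collections import defaultdict

# Constructed placeholder standing in for the sinkholed kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Simplified constructed log format (one record per line):
#   <timestamp> client=<ip> query=<name> rcode=<NOERROR|NXDOMAIN|...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, otherwise None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_kill_switch_lookups(lines):
    """Classify each client that looked up a kill-switch domain.

    The worm stops only when the lookup succeeds, so:
      non-NOERROR -> domain not yet registered, the worm carried on
                     ("proceeded": prioritise for containment)
      NOERROR     -> the sinkhole answered and the worm halted, but the
                     host still ran the malware ("halted": needs cleanup)
    Returns {client: {"proceeded": n, "halted": n}}.
    """
    result = defaultdict(lambda: {"proceeded": 0, "halted": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if rec["qname"].lower().rstrip(".") not in KILL_SWITCH_DOMAINS:
            continue
        key = "halted" if rec["rcode"].upper() == "NOERROR" else "proceeded"
        result[rec["client"]][key] += 1
    return dict(result)

# Constructed sample lines: one host before sinkholing, one after.
SAMPLE_LOG = [
    "2017-05-12T11:02:07Z client=10.0.3.17 query=killswitch-placeholder.example rcode=NXDOMAIN",
    "2017-05-12T11:02:09Z client=10.0.3.17 query=update.example.org rcode=NOERROR",
    "2017-05-12T16:40:31Z client=10.0.7.42 query=killswitch-placeholder.example. rcode=NOERROR",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for host, counts in triage_kill_switch_lookups(SAMPLE_LOG).items():
        print(host, counts)
```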
All these weaknesses have greatly reduced the extortionists' income. Cisco expert Williams points out that a far less noticed ransomware operation called Angler brought its criminal developers an estimated $60 million a year before the software was shut down in 2015.
With WannaCry, on the other hand, the mismatch between damage and revenue is so great that some security experts suspect motives other than money. Instead of making millions, they speculate, the developers may have wanted to embarrass the NSA, and possibly the same hacker group, called Shadow Brokers, that originally succeeded in exposing the NSA's tools is behind the attack.
Beyond all speculation, the most important lesson from this attack is likely that the damage could have been far greater with professional execution, and that the lure of extortion software for criminals in a networked world will only grow in the future.
Without question, we are seeing the next stage in the evolution of malware. And its developers can learn a great deal from the errors of the WannaCry developers in order to succeed.