18 May 2017

The Death of Ransomware?

Author:

WannaCry (WCry) infected over 300,000 computers in 150 countries, making it likely the worst ransomware outbreak to date. WCry encrypts the files on each infected machine and displays a demand for $300 in Bitcoin; victims are promised a decryption key that unlocks their files once they pay.

But incredibly, as pervasive as the WannaCry attack has been, its creators have only collected about $80,000 in Bitcoin ransom. At $300 a head that is roughly 270 payments, less than 0.1% of the victims. What went wrong for the hackers?

Some victims who paid the ransom never received their decryption keys. Word spread and victims stopped paying, having realized that paying would not resolve their problems. The WCry developers designed the program to generate a unique key pair for each victim, so no single key unlocks everyone's files. But they directed every payment to one of only three Bitcoin addresses hard-coded into the ransomware, so there is no way to tell automatically which victim a payment came from; the attackers have to match payments to victims by hand. They may simply be overwhelmed with requests and still plan to provide keys to everyone who pays, or they may never have intended to provide keys to many of their victims. Either way, you cannot count on these criminals to honor their commitments.

It is also genuinely complicated to pay in Bitcoin when you have no idea what that means. With one Bitcoin valued at about $1,800, a victim has to buy roughly 17% of a Bitcoin (about 0.17 BTC) for the ransom. This is possible, but confusing for a first-time user. WCry only affects computers running Windows. Some victims are still running Windows XP, a 16-year-old operating system that Microsoft stopped supporting in 2014 (although most reported WCry infections were on unpatched Windows 7 machines rather than XP). Someone who has not replaced their computer in 16 years is unlikely to hold Bitcoin, may never have heard of it, and is not going to pay.
 
Could this be the death of ransomware?

With this kind of failure on their hands, hackers may decide to abandon ransomware attacks altogether. Or perhaps other criminals will take their anger out on the WCry authors for spoiling this kind of Internet crime, perhaps for good.

“From a ransom perspective, it’s a catastrophic failure,” says Craig Williams, a cybersecurity researcher with Cisco’s Talos team. “High damage, very high publicity, very high law-enforcement visibility, and it has probably the lowest profit margin we’ve seen from any moderate or even small ransomware campaign.” Source

The WCry hackers may have lacked experience with ransomware attacks. They included a “kill switch”: before spreading, the malware tries to contact a hard-coded web domain that nobody had registered, and it shuts itself down if the domain answers. The check was probably meant to detect analysis sandboxes, which answer every request, but it also handed defenders a way to stop the worm: once a security researcher registered the domain, new infections stopped spreading. Variants with the kill switch removed appeared within days. WCry is also not user friendly: it is not easy to pay the ransom and not easy to get a decryption key back. Finally, the hackers are likely to have a hard time cashing out, because the three Bitcoin addresses hard-coded into the ransomware are public and every transaction touching them is being watched by authorities and researchers.
 
If there are future ransomware attacks on the same scale as WCry, they are likely to be better executed: spreading even faster, with a payment system that lets the attackers confirm payments automatically and hand back decryption keys right away, which encourages others to pay. The criminals might even manage to spend their ill-gotten gains.

In the meantime, please update your Windows operating system with the latest Microsoft patches. The SMBv1 flaw that WCry uses to spread was fixed in Microsoft's March 2017 security bulletin MS17-010, and Microsoft has since issued an out-of-band patch for Windows XP, Windows 8 and Server 2003 as well; if you cannot patch, disable SMBv1 and block TCP port 445 from the Internet. Back up your data files and keep the backup somewhere the computer cannot reach, such as a disconnected external drive or a cloud service with version history, because ransomware will encrypt any attached drive or mapped network share it can find.
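The following PowerShell is an added example, not code from the original post or from Microsoft: it reports whether a Windows host still looks exposed to the SMBv1 flaw WCry spreads through and can turn SMBv1 off. It assumes an elevated PowerShell session on Windows 7, 8.1 or 10 (or the matching Server release); the function name `Test-WCryExposure` is hypothetical, and the KB list is a subset copied from the MS17-010 bulletin that you should check against the bulletin for your exact build, because later cumulative updates (especially on Windows 10) supersede those IDs without listing them.

```powershell
# Added example (not from the original post or any vendor). Assumptions: elevated
# PowerShell on Windows 7 / 8.1 / 10 or matching Server release; KB list is a
# subset of MS17-010 and is NOT a complete test, since later cumulative updates
# supersede these IDs without showing them in Get-HotFix.
function Test-WCryExposure {
    [CmdletBinding()]
    param(
        # Disable the SMBv1 server if it is still enabled.
        [switch]$Remediate
    )

    $ms17010Kbs = @(
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    )
    $lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $result = [ordered]@{
        MS17010PatchSeen = $false
        SMB1Enabled      = $null
        Port445Listening = $false
    }

    # 1. Look for one of the March 2017 fixes in the installed-hotfix list.
    $hotfixes = Get-HotFix -ErrorAction SilentlyContinue
    $result.MS17010PatchSeen = [bool]($hotfixes | Where-Object { $ms17010Kbs -contains $_.HotFixID })

    # 2. Is the SMBv1 server still enabled? Get-SmbServerConfiguration exists on
    #    Windows 8 / Server 2012 and later; on Windows 7 fall back to the registry
    #    value Microsoft documents for disabling SMB1 (absent value means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $val = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.SMB1Enabled = ($null -eq $val) -or ($val -ne 0)
    }

    # 3. Is anything listening on TCP 445, the port the worm scans for? Listening is
    #    normal on Windows; the question is whether a firewall keeps it off the Internet.
    $result.Port445Listening = [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')

    if ($Remediate -and $result.SMB1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
        }
        # Takes full effect once the LanmanServer service (or the machine) restarts.
        $result.SMB1Enabled = $false
    }

    [pscustomobject]$result
}

Test-WCryExposure | Format-List
```

Run it without `-Remediate` first to see the three findings; a machine that shows `SMB1Enabled : True` and `MS17010PatchSeen : False` is a candidate for immediate patching, and `-Remediate` only disables the SMBv1 server rather than removing the feature, so on Windows 8.1 and 10 you may still want `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` afterwards.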

And consider encrypting your email messages with RMail.