From Kill Switch To Bitcoin, 'WannaCry' Showing Signs Of Amateur Flaws

May 16, 2017
Originally published on May 16, 2017 10:08 am

Cops have a decent shot at catching run-of-the-mill online scammers — say, the guy selling a car that's just too good to be true on Craigslist. But catching ransomware attackers is generally much more difficult — unless they slip up.

The criminals behind the "WannaCry" ransomware attack may have done just that. Experts are now seeing some amateur flaws emerging including an easy-to-find kill switch and the unsophisticated way the attackers are demanding bitcoin from their victims.

Ransomware "tends to be a crime that is born on the Internet, born through kits sold on the dark web that already pre-build in anonymity of the perpetrators," said police detective Nick Selby, who specializes in cybercrime.

Those "kits" Selby describes are what experts think they're seeing with WannaCry. Somebody's using software tools created by somebody else.

"The ransomware itself, we have seen that before in the wild and it's not that sophisticated," said Paul Burbage, malware researcher for Flashpoint-Intel.

He says the most obvious tip-off is the fact that the malware contained an easy-to-find "kill switch" — basically, a URL address included in the code, which was used to stop the malware's spread.

"The kill switch allowed people to prevent the infection chain fairly quickly," Burbage explained. "It was kind of a noob mistake, if you ask me."

And WannaCry has other deficiencies. Sophisticated ransomware usually has an automated way to accept payments from victims who want to unlock their computers. But Burbage says WannaCry's system seems to be manual — the scammers have to send each victim a code. Not very practical for an infection involving thousands and thousands of computers.

"It leads me to think they did not think it would spread as far as it is," he said. "You know I really think these guys are running scared and they're probably laying low at this point."

And then there's this: So far, the scammers have collected payments from fewer than 200 victims. We know this, because they're demanding bitcoin — and bitcoin transactions are public. We don't know the scammers' names, but we know the bitcoin addresses they're using to receive payment — just three addresses. Again, more sophisticated ransomware would have the ability to generate a unique bitcoin address for each victim.

So far, the attackers have collected about $60,000 worth of bitcoins which are just sitting there untouched, according to Jonathan Levin, co-founder of Chainalysis, a company that analyzes bitcoin usage to identify money-laundering. He's been watching the bitcoins accumulating at WannaCry's three addresses.

"It might be that they don't have a good idea yet about how to launder the bitcoin," he said. "Perhaps they're not really set up to take advantage of the success of their campaign so far."

Levin says one way to turn dirty bitcoin into real-world money is to do the conversion in a jurisdiction where financial authorities will turn a blind eye. So scammers sometimes have safe-zones — usually their home country — where their malware doesn't do any damage. He gives the example of a very successful ransomware called "locky," which favors Russia.

"So if it detects Russian language on the machine, it actually does not execute and deletes itself," he said.

WannaCry, in contrast, doesn't seem to be playing geographic favorites that way. Two cybersecurity firms now say they've found some technical similarities between the WannaCry ransomware and earlier attacks from hackers in North Korea, though they're not calling the clues proof that North Korea is behind the worldwide attacks. Burbage says his company, Flashpoint-Intel, does not see a link between WannaCry and North Korea at this point.

Levin says if the perpetrators actually live in one of the countries hit hard by this attack — say, Russia — that would be, as he puts it, "an incredibly bad life choice."

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

Two cybersecurity firms say they have found some technical similarities between the WannaCry ransomware and earlier attacks from hackers in North Korea, though they are not calling these clues proof that North Korea is behind the worldwide attacks that began last week. Other experts are saying that they are puzzled by WannaCry. As NPR's Martin Kaste reports, they say the ransomware actually contains some pretty amateurish flaws.

MARTIN KASTE, BYLINE: Nick Selby's a police detective in Texas who specializes in cybercrime. He says the cops have a decent shot at catching certain kinds of online scammers - say, that guy selling the too-good-to-be-true car on Craigslist. But when it comes to ransomware, that's tougher.

NICK SELBY: It tends to be a crime that is born on the Internet, is born through tips that are sold on a dark web that already prebuild in anonymity of the perpetrators.

KASTE: And that's what the experts think they're seeing here with WannaCry. Somebody is using software tools that were created by somebody else. Paul Burbage is a malware researcher for Flashpoint-Intel.

PAUL BURBAGE: The ransomware itself - we have seen that in the wild before, and it's not that sophisticated.

KASTE: He says the most obvious tip-off is the fact that the malware contained an easy-to-find kill switch, basically a URL address included in the code, which was used to stop the malware's spread.

BURBAGE: The kill switch allowed people to prevent the infection chain fairly quickly. It was kind of a new mistake, if you ask me.

KASTE: And WannaCry has some other deficiencies, too. Sophisticated ransomware usually has an automated way to accept payments from its victims who want to unlock their computers. But Burbage says WannaCry's system seems to be manual. The scammers have to send each victim a decryption code, which isn't very practical for an infection that involves thousands and thousands of computers.

BURBAGE: It leads me to believe that they did not think that it was going to spread as far as it is. You know, I really think that these guys are running scared, and they're probably laying low at this point.

KASTE: And then there's this - so far, at least, the scammers have collected payments from fewer than 200 victims. We know this because they're demanding Bitcoin, and Bitcoin transactions are public. We don't know the scammers' names, but we know the Bitcoin addresses they're using to receive payment - just three addresses. Again, a more sophisticated ransomware would have had the ability to generate a unique Bitcoin address for each victim.

Jonathan Levin is a co-founder of Chainalysis. It's a company that analyzes Bitcoin usage to identify money laundering. He's been watching the Bitcoins accumulating at WannaCry's three addresses. So far, they've collected about $60,000 worth. But those Bitcoins are just sitting there, he says, untouched.

JONATHAN LEVIN: It might be that they don't have another good idea yet about how they want to launder the Bitcoin. Perhaps they're not really set up to take advantage of the success of their campaign so far.

KASTE: Levin says one way to turn dirty Bitcoin into real-world money is to do that conversion in a jurisdiction where the financial authorities turn a blind eye, so the scammers will sometimes have safe zones. Usually it's their home country, where the malware is not allowed to do any damage. He gives the example of a very successful ransomware called locky, which favors Russia.

LEVIN: So if it detects that there is a Russian language on the machine, it actually does not execute and deletes itself.

KASTE: WannaCry, in contrast, does not seem to be playing geographic favorites this way. And Levin says if the perpetrators live in one of the countries that have been hit hard by this - say, in Russia - that would be, as he puts it, an incredibly bad life choice. Martin Kaste, NPR News.

(SOUNDBITE OF FLVKE'S "ZERO STATION") Transcript provided by NPR, Copyright NPR.