Oddities in WannaCry ransomware puzzle cyber security researchers

The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it. Some researchers have found evidence they say could link North Korea with the attack, reports Reuters, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.

IBM Security’s Caleb Barlow said that researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files – that download the ransomware. That’s how most ransomware finds its way onto victims’ computers. The problem in the WannaCry case is that despite digging through the company’s database of more than 1 billion e-mails dating back to 1 March, Barlow’s team could find none linked to the attack. “Once one victim inside a network is infected it propagates,” he said, describing a vulnerability in Microsoft Windows that allows the worm to move from one computer to another.

The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online. But the puzzle is how the first person in each network was infected with the worm. “It’s statistically very unusual that we’d scan and find no indicators,” Barlow said. Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin, of RSA Security, a part of Dell. Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. “How the hell did this get on there, and could this be repeatedly used again?” said Barlow.

Other highlights from the Reuters report:

  • Relatively small sums were collected by the hackers, mostly in the bitcoin cryptocurrency, and the attack has so far earned only around $50,000. The bitcoin that has been paid into the attackers’ wallets remains there, in contrast with another campaign, known as Locky, which made $15m while regularly emptying the bitcoin wallets;
  • Cybersecurity researchers say they have found evidence that could link North Korea to the attack. Simon Choi, a senior researcher at South Korea’s Hauri Labs, said the state had been developing and testing ransomware programmes in the past year. Some code in an earlier version of the WannaCry software had also appeared in programmes used by the Lazarus Group, allegedly a North Korea-run hacking operation which was accused by the US of being behind a cyber attack on Sony Pictures in 2014.