|
WannaCry’s Decryptor interface – Image shows WannaCry providing two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface (Source: McAfee)
An extensive analysis of WannaCry seems to indicate attackers would be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis. In other words, those behind the campaign would not (or could not) decrypt victims’ data once they received payment. The research team from McAfee that conducted the analysis finds the flaw to be somewhat puzzling given the WannaCry campaign’s incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments.
— Odd negligence: “The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as ‘shoddy,’ the use of good technical governance suggests that there are elements of this campaign that are well implemented.”
— Shoddy campaign: “This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory.”
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign
They are criminals seeking payment. Why would they care about the victims data after they were paid?
“Good guys” would care, but they ask would not author malware.
Let me add one more thing. So let us ASSuME for a moment that the authors are "honest thieves" (by definition, no such thing exists), how then were they to decrypt the victim's hard drive and then, since they are "honest thieves" insure the malware does not again encrypt the same victim's drive after they pay? To do so would, by necessity, creates a "feature" which could be used to defeat the malware in the first place. That is one give the malware the marker indicating the victim "is not to be victimized again", honest thieves indeed ...