
Major Flaw Found in WannaCry Raises Questions on Whether it was Really a Ransomware

WannaCry’s Decryptor interface – Image shows WannaCry providing two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface (Source: McAfee)

An extensive analysis of WannaCry indicates that the attackers would be unable to determine which users had paid the ransom and could not decrypt files on a per-user basis. In other words, those behind the campaign would not (or could not) decrypt victims’ data once they received payment. The McAfee research team that conducted the analysis finds the flaw puzzling given the WannaCry campaign’s highly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments.

Odd negligence: “The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as ‘shoddy,’ the use of good technical governance suggests that there are elements of this campaign that are well implemented.”

Shoddy campaign: “This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory.”

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.


Comments

Charles Christopher  –  Jun 9, 2017 2:44 PM

They are criminals seeking payment. Why would they care about the victims’ data after they were paid?

“Good guys” would care, but they ask would not author malware.

Charles Christopher  –  Jun 9, 2017 2:53 PM

Let me add one more thing. So let us ASSuME for a moment that the authors are "honest thieves" (by definition, no such thing exists). How then were they to decrypt the victim's hard drive and then, since they are "honest thieves", ensure the malware does not again encrypt the same victim's drive after they pay? To do so would, by necessity, create a "feature" which could be used to defeat the malware in the first place. That is, one gives the malware the marker indicating the victim "is not to be victimized again". Honest thieves indeed ...
