WannaCry hackers had no intention of giving users their files back even if they pay
- Written by David Glance, Director of UWA Centre for Software Practice, University of Western Australia
As the effects of the WannaCry global ransomware attack continue to be felt, there is evidence emerging that the hackers are not decrypting the files of victims who decided to pay the US $300 ransom.
A commenter on cybersecurity expert Troy Hunt’s blog recounted that one of his customers had paid the ransom and still not received any updates from the hackers after 24 hours.
An analysis of the ransomware has shown that it is highly unlikely that the hackers ever intended to decrypt files for several reasons.
Firstly, there has been no reports of anyone getting their files back, despite nearly 170 payments (about US $50,000 at the time of writing) having been made to the bitcoin wallets associated with the ransomware.
The second reason, is that the software is not like normal ransomware in that it hasn’t used a unique payment address that would identify which user has paid for their files to be decrypted. Consequently, there is no way for the hackers to actually know who has paid and who hasn’t.
Thirdly, ransomware developers provide “customer support”, ways of contacting them to get help in making payments or decrypting files. In the case of WannaCry, there has been absolute silence from the hackers behind it.
Finally, the way the ransomware is encrypting the files on a computer suggest that it would be almost impossible for the ransomware developers to be able to decrypt the files even if they wanted to.
Ironically, the WannaCry hackers are likely to have a negative impact on the entire ransomware industry by taking this action. Not decrypting files even after users have paid serves as a very salient lesson to anyone effected by ransomware that there is little benefit in paying the ransom. If everyone stopped paying, the motivation for ransomware largely disappears.
Since the attack, Microsoft has responded to the seriousness of the situation by issuing security updates to older versions of Windows that are normally unsupported.
Microsoft’s Chief Legal Officer, Brad Smith has voiced direct criticism of the US National Security Agency for not revealing the details of the vulnerability that was at the root of the WannaCry ransomware. In a blog post, Smith said:
“this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Brad Smith has argued that digital weapons need to be treated in the same way as physical ones, governed by a “Digital Geneva Convention” that would limit the stockpiling of computer vulnerabilities that can cause this widespread damage if they end up in the hands of the wrong people. Whilst commendable, it is extremely unlikely that governments would sign up to a limitation of how their secret services and law enforcement agencies operate in the area of cyber warfare or cyber espionage.
For a start, it is unlikely that the adversaries that these efforts are aimed at thwarting would sign up to any such agreement. Secondly, despite the chaos inadvertently unleashed by the NSA, most of it was felt by countries like Russia, Ukraine and China and not the US. There would certainly be no internal pressure on the NSA from anyone in the current government to change their current behaviour.
WannaCry will eventually stop spreading as people upgrade and patch their systems. Variants of the malware have surfaced that avoid being switched off by techniques discovered earlier by researchers. There will be no quick fix to the spread of the malware and it will ultimately only end when all systems have been updated.
Authors: David Glance, Director of UWA Centre for Software Practice, University of Western Australia