
WCry: Reviewing the Info (So Far)

May 18, 2017 12:28:43 PM


An attacker would probably consider installing their ransomware on almost 200,000 machines in over 150 countries within 2 days to be a huge success.

But here are a number of reasons why the WCry attack was actually a big failure.

[Figure: WCry infection tracker (wcry2.png). Source: https://intel.malwaretech.com/botnet/wcrypt]

Ransomware, by its very nature, holds what you find precious - your data - for ransom, so that you pay to get it back.

If every user with a compromised machine had paid the $300 USD ransom, the attackers could have netted $58,412,100 USD. Currently the WCry ransomware is estimated to have netted the attackers only between $60,000 and $75,000 USD, depending on the report. At $300 per payment, the top-end total of $75,000 corresponds to only 250 users who have paid the ransom to date, i.e. only 1 in 800 victims has paid.

Not quite the payoff the attackers hoped for, I'm sure. But possibly not the infection rate they intended, either. Several things stand out about this attack, including:

  • The number of infected devices was very high relative to other exploit kits, possibly higher than the attackers intended it to be.
  • For comparison, the Sality botnet is at 44,000 devices, ZeroAccess at 21,000 devices, and the Mirai botnet at 54,000 devices, so WCry is significantly larger than any major botnet around the world at this time.
  • By using a leaked Server Message Block (SMB) vulnerability, did the attackers unintentionally or deliberately avoid a large number of consumers? Consumers are generally more likely to pay because they have weaker backup processes, if any at all. By using SMB they instead hit organisations that have a legitimate business need for SMB but also have backup plans and mostly won't need to pay.
  • By using a leaked SMB vulnerability, did the attackers underestimate how far the attack would propagate around the world?
    • Research indicates that they intended a broad international deployment, with language packs built in for 75 languages, which contradicts that idea.
  • Possible North Korea attribution.
    • This makes sense, as a payout does not appear to be a motive in the attack, just high-level impact across the world.
    • North Korea is well documented to need cash, so ransomware attacks to raise funds are plausible.
    • However, the link, based on a few lines of shared code, is tenuous and could be a false flag to mislead threat-intelligence attribution.
  • Affected organisations, such as the UK's National Health Service (NHS) trusts, work closely with law enforcement agencies (LEAs), who are working hard to establish the attackers' TTPs and identities.

Given the scale of the impact felt across the world from this attack, its authors may well be in handcuffs before too long.

Written by Jason Steer
