Now, I nearly wrote about this in my previous post (The WannaCrypt Outbreak) but I felt it was getting a bit lengthy… Anyway, WannaCrypt and all other ransomware ultimately have the same goal: to infect your computer, encrypt your files and demand that a ransom be paid in order to decrypt them. The ransomware provides a Bitcoin address to make the payment to, and this is where it gets interesting.
The anonymity of Bitcoin
I won’t go too in depth on this here, but Bitcoin is what is known as a cryptocurrency. Cryptocurrencies are a currency like any other except that they are entirely digital (well, there’s a small exception). If you want a Bitcoin “account” you create a digital wallet and Bitcoin addresses. The WannaCrypt ransomware has three of these addresses hard-coded into it. All transactions are public, and thus there is a public record of every transaction for any Bitcoin address.
Here’s an online record for each of WannaCrypt’s three addresses:
On each of those links there’s a total for each address and the full transaction history. This is where it gets interesting. In the ransomware it says to send $300 to one of these three addresses. The question is, how do they know who’s sent it to them? Everyone is using their own anonymous address to send payment and some people could be using the same address multiple times. How on earth do you link this back to a computer?
Paying the Ransom
As with all ransomware strains, anyone who pays up is funding the criminal organisations who created it in the first place. It doesn’t need saying that this is a bad thing. However, what’s the alternative? Lose all your corporate documents or a lifetime of pictures? Wait on the off chance that someone finds a way to decrypt your files?
I, as everyone should, strongly advise against paying the ransom. Partly because of the reason I just listed, but also because there’s NO guarantee you’ll be given a decryption key, especially in this case. Look at it this way: normally the creator of ransomware this “successful” would pride themselves on customer support. However, as you’ll see below, WannaCrypt is a bit different.
Okay, so what’s going on?
Well, frankly, I’m not entirely sure. I’ve been keeping a close eye on this as it unfolds and haven’t heard of anyone who has paid and successfully had their files decrypted. However, I know of several people who have paid up but not yet received anything. Oddly, they’re greeted with a “Check payment” button that displays the following:
The ransomware encrypts all files with a unique encryption key; the private key file (the part needed for decryption) is then encrypted with the malware creator’s public key. (This also means that it doesn’t require a network connection to operate, unlike some other ransomware strains.) It seems there’s no way for the malware creator(s) to link a payment to a computer, and if they can’t do that, how do they know which decryption key to use? This makes me wonder if there is only one “master” private key. Whatever the case, it’s looking unlikely that anyone will be able to decrypt their files. Though, I’m sure we’ll find out soon enough.
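To make the key hierarchy in that paragraph concrete, here is an added model of it written for this post; it is not WannaCrypt’s code and is not taken from any analysis of it. It uses textbook RSA over fixed Mersenne primes (an assumption made purely so the wrapping chain fits in a few lines; real keys are random and much larger) and a SHA-256 counter keystream as a stand-in for the file cipher. The point it shows is the one above: encryption on the victim’s side needs only the creator’s public key (so no network contact), the victim’s own private key leaves the machine only in wrapped form, and the recovery path takes exactly two inputs, the single master private key and the victim’s bundle, with nothing in it that a Bitcoin payment could supply.

```python
"""Toy model of a per-victim key wrapped under a single 'master' public key.
Added illustration, not WannaCrypt's code; primes and ciphers are deliberately toy."""
import hashlib
import os
from math import gcd

# Mersenne primes chosen only so that each wrapped value fits under the next
# modulus in the chain (assumption for the model, not real key sizes).
P31, P61, P89 = 2**31 - 1, 2**61 - 1, 2**89 - 1
P107, P127, P521 = 2**107 - 1, 2**127 - 1, 2**521 - 1
E = 65537


def rsa_keygen(p, q):
    """Textbook RSA keypair from two primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def rsa_wrap(pub, m):
    """Encrypt an integer m < n under a public key (unpadded: toy only)."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_unwrap(priv, c):
    n, d = priv
    return pow(c, d, n)


def stream_xor(key, data):
    """Toy stream cipher standing in for the file cipher: SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_victim(master_pub, victim_primes, files):
    """What happens on the infected host in this model: only the master PUBLIC
    key is present, so nothing here needs a network connection."""
    victim_pub, victim_priv = rsa_keygen(*victim_primes)
    encrypted = {}
    for name, plaintext in files.items():
        file_key = os.urandom(16)  # a unique key per file
        encrypted[name] = (rsa_wrap(victim_pub, int.from_bytes(file_key, "big")),
                           stream_xor(file_key, plaintext))
    # The victim's private key is stored only wrapped under the master public key.
    wrapped_priv = rsa_wrap(master_pub, victim_priv[1])
    return {"victim_pub": victim_pub, "wrapped_priv": wrapped_priv, "files": encrypted}


def recover_with_master(master_priv, bundle):
    """The only recovery path: master private key -> victim private key -> file keys.
    Its inputs are the master key and the victim's bundle; no payment data is involved."""
    n, _ = bundle["victim_pub"]
    victim_priv = (n, rsa_unwrap(master_priv, bundle["wrapped_priv"]))
    out = {}
    for name, (wrapped_key, ciphertext) in bundle["files"].items():
        file_key = rsa_unwrap(victim_priv, wrapped_key).to_bytes(16, "big")
        out[name] = stream_xor(file_key, ciphertext)
    return out


def demo():
    """Constructed sample: one master keypair, two victims with distinct keys."""
    master_pub, master_priv = rsa_keygen(P107, P521)
    victim_a = encrypt_victim(master_pub, (P61, P89), {"a.txt": b"quarterly report"})
    victim_b = encrypt_victim(master_pub, (P31, P127), {"b.jpg": b"holiday photo bytes"})
    # One master private key unwraps every victim's bundle.
    return {"a": recover_with_master(master_priv, victim_a),
            "b": recover_with_master(master_priv, victim_b)}


if __name__ == "__main__":
    print(demo())
```

The two victims in `demo()` are deliberately indistinguishable from the payment side: each bundle is different, but nothing in it is ever transmitted as part of paying, so a payment arriving at one of the hard-coded addresses cannot by itself select which `wrapped_priv` to unwrap. The same run also shows why the “master key” question matters: `master_priv` alone recovers both victims.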