If you’ve been infected with WannaCry, you’re probably not getting your files back if you pay.
About three days ago, a ransomware campaign named “Wannacry” began. If you looked only at what mainstream media is telling you, this was malware written by genius programmers who know what they are doing and is one of the most sophisticated and profitable ransomware schemes ever.
If you look at the code, however, you find this could not be further from the truth. The code is bad malware, not just bad code. (Most malware is “bad code” already.)
It’s not even bad because of any real technical hurdles the developers could overcome in a timely manner – they just didn’t care or were incompetent. This is true to the point where it’s not likely that the people behind this will decrypt your files if you pay. The main reason is because they can’t know if you do pay.
When we look at the code of WannaCry, we see that the page a user sees consists of a text box with instructions to submit payment to the bitcoin address. (It picks one of three hard-coded addresses at random.) Once payment is made, the victim must wait until 9am-11am GMT, at which point the people running WannaCry somehow by magic figure out who paid and then decrypt their files. This is problematic because there is no way for the people who encrypted your files to know that you paid at all.
Secondly, there does not seem to be any real, working decryption method in the code. Now, you may be saying, “But what about the free decrypt option?” This is the only seemingly real decryption function. It picks 10 files at random at the time of encryption and stores the decryption key for these files. There does not at all appear to be a way for any other decryption keys to be used, so there is no real reason to suspect anyone is getting their files back.
Why is this? This is likely because the developers of WannaCry were trying to be the first people to use the recently leaked NSA exploits and thus did not spend much time making their malware work past the point where the developers get paid. Additionally, making it actually work would involve the following.
A new bot is infected, it downloads Tor, and uses Tor to connect to one of the four hidden command and control (C&C) servers. The C&C server gives a unique ID to each bot and then generates a bitcoin address for said ID. They then would have to provide this bitcoin address to the victim. The command and control server would then check the Bitcoin blockchain and check the balance of each victim’s custom bitcoin address; if the balance is greater than or equal to $300, the server sends the private key to the client and lets them decrypt their files. The operators would then have to figure out how to send all these coins to one wallet (not hard but something of a pain). This likely would have taken half a day to develop, so it is curious why this is not being done.
It is also worth noting that this will draw the ire of both law enforcement and ransomware campaign operators alike. Because this ransomware can’t give anyone their files back and because it is so high-profile, many people’s thoughts on ransomware and if they should pay will be based off what is happening now. I would bet that because of this, we will be seeing a decrease in the number of people paying ransom on conventional ransomware.
There is one possible hope. It is possible that the people behind WannaCry will release a universal decryption key once everyone who is going to pay has paid. I would put the chances of this at about 25 percent.
P.S. Even if you haven’t been infected yet you still could be. (More on that later.)
How can we stop WannaCry from infecting us?
For those out of the loop, WannaCry is a worm, which means it infects a machine and then uses that machine to scan said machine’s local network, as well as nearby parts of the internet for machines that can be infected.
If it finds a vulnerable machine, it infects it and the whole thing continues. Luckily, it is no longer a fully functional worm as a researcher recently activated the worm function’s kill switch. (A big thank you to security researcher MalwareTech for activating the kill switch in WannaCry.)
But even though the worm function has been largely disabled, you are still not safe. WannaCrypt also spreads by phishing and fake .doc files. So, even if you do not have machines on the outside world that are vulnerable, make sure your internal network is safe, as well.
First, make sure your machines are all patched. Especially if they have SMB accessible via the open internet. If you want to check your network and find the patched/unpatched status of every machine in your AD domain, you can use a handy PowerShell script from Kieran Walsh. Make sure to patch any boxes that are not already patched and consider enabling automatic updates on these boxes if you can.
But what if you can’t take these off the internet or patch them? (For some odd reason.) This is a big problem, but there is a quick fix for this that will not keep you safe from a targeted attack but will stop WannaCry from infecting your boxes. If possible, (And this can get a little tricky on Windows.) try to change the port that SMB is running on from port 445 or 139 to any other port. WannaCry scans the internet for machines with ports 445 and 139 open, so if you have SMB on another port, you will still be vulnerable but won’t be automatically infected by the ransomware.
It is worth noting that even if you have not been infected, you are likely vulnerable on your local network even if nothing on your network that faces the internet has been compromised. Either way, take five minutes and check your network for unpatched boxes.
Given the coding errors evident in WannaCry, users should back up their information on a regular basis and follow these ransomware prevention strategies. That way, they’ll never need to even entertain the thought of paying WannaCry’s authors or other bad actors. They’ll always have a copy of their files, access which they can use to oppose the ransomware business model more generally.
If you want to learn more about how Tripwire’s product suite can help your organization be prepared for similar attacks in the future, please watch this video:
Alternatively, you can find out more about the malware’s operation and how you can prevent a similar attack here.
About the Author: Nick McKenna is a student researcher who has had an interest in cyber security for the past five years. Nick likes seeing how things work and trying to break them. If you have any questions, you can contact Nick here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.