So Far, That Enormous Ransomware Attack Has Only Netted About $55,000 for the Hackers

Homeland Security Advisor Tom Bossert speaks about recent cyber attacks during a briefing at the White House.

Photo by Mark Wilson/Getty Images

On this side of the Atlantic, reaction to the WannaCry ransomware attack that affected at least 150 countries and crippled Britain’s National Health Service has been fairly muted. Homeland Security officials reportedly met over the attack on Friday and Saturday, and U.S. officials said Monday that only a handful of American companies, like FedEx, have been affected so far. That may well be a consequence of pure luck—a security researcher who goes by the handle MalwareTech accidentally triggered a kill switch in the attack’s program, which has bought those with uninfected computers some extra time.

The attack, which works on Windows PCs, has been spread mostly by email. It locks, encrypts, and threatens to erase an infected computer unless the owner pays a gradually increasing ransom starting at about $300 worth of Bitcoin. Despite the global reach of the malware, trackers set up to monitor the amounts being paid to the hackers in ransom suggest that relatively few have lost money. The Twitter account @actual_ransom says that as of 2 p.m. Monday, the hackers behind WannaCry had made just over $55,000.

Mikko Hypponen of the Finnish cybersecurity firm F-Secure says that many who have paid the ransom have regained control of their computers and their files. But paying is ill-advised, especially since the hackers behind the attack reportedly have to approve each decryption. There’s no guarantee whatsoever that paying will actually work. (Furthermore, Josephine Wolff has written in Slate that you should only pay a ransom for your files if it’s a matter of life.)

It could have been much worse. While looking into the attack’s malware, MalwareTech discovered that the code was written to query an unregistered URL. When MalwareTech registered the domain and diverted traffic to a sinkhole—a server that takes in traffic from infected computers and prevents hackers from controlling them—the code shut down. The malware had evidently been designed to deactivate itself if the domain was active. “Competing theories exist as to why WannaCry’s perpetrators built it this way,” Wired’s Lily Hay Newman writes. “One possibility: The functionality was put in place as an intentional kill switch, in case the creators ever wanted to rein in the monster they’d created.” MalwareTech believes it’s also possible that the kill switch could have been intended to circumvent analysis of the malware itself:

That sort of examination often takes place in a controlled environment called a “sandbox.” Researchers construct some of these environments to trick malware into thinking it’s querying outside servers, even though it’s really talking to a bunch of dummy sandbox IP addresses. As a result, any address the malware tries to reach gets a response—even if the actual domain is unregistered. Since the domain MalwareTech acquired was supposed to be dormant but went live, WannaCry may have assumed it was in the middle of forensic analysis, and shut down.
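Whoever operates a sinkhole like the one described above ends up holding a log of every machine that tried to reach the kill-switch domain, which is useful for notifying victims. The following added example (not code from the article, MalwareTech, or any vendor) triages constructed web-server log lines in Apache common log format from such a sinkhole, counting hits per source address and flagging addresses in private ranges; the domain, addresses and timestamps are placeholders.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample access-log lines as a sinkhole web server might record
# them. Every address and timestamp here is made up for the example.
SINKHOLE_LOG = """\
10.20.30.40 - - [15/May/2017:13:02:11 +0000] "GET / HTTP/1.1" 200 0
192.0.2.17 - - [15/May/2017:13:02:15 +0000] "GET / HTTP/1.1" 200 0
10.20.30.40 - - [15/May/2017:13:05:40 +0000] "GET / HTTP/1.1" 200 0
172.16.5.9 - - [15/May/2017:13:06:02 +0000] "GET / HTTP/1.1" 200 0
this line is not in log format and must be skipped
"""

# Common log format: client ip, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def is_internal(ip, nets):
    """True if ip parses and falls inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)

def triage_sinkhole_log(text, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Aggregate hits per client address; returns (hosts dict, skipped line count)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hosts, skipped = {}, 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        ip, ts, _ = parsed
        rec = hosts.setdefault(ip, {"hits": 0, "first_seen": ts, "last_seen": ts,
                                    "internal": is_internal(ip, nets)})
        rec["hits"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return hosts, skipped

def internal_hosts(hosts):
    """Sorted list of private-range addresses that contacted the sinkhole."""
    return sorted(ip for ip, rec in hosts.items() if rec["internal"])
```

Each address in the result is a machine that ran the domain check, so the internal ones are the candidates to isolate and patch first.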

Either way, the activation of the kill switch gives those with uninfected computers an opportunity to protect them. Microsoft has taken the rare step of offering a security patch for older Windows systems, including Windows XP, which has proven particularly vulnerable to the attack. If you are running a Windows machine and you haven’t updated it yet, you should do so immediately.

Microsoft has also published a statement partially blaming the National Security Administration for the attacks. WannaCry used a vulnerability in Windows systems that the NSA had cataloged for its own use and that was leaked by the hacking group Shadow Brokers in April. “[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” the statement reads. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”