Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26k So Far (krebsonsecurity.com)
27 points by phodo on May 15, 2017 | hide | past | favorite | 53 comments



$26K and the spot on every most wanted cyber criminal list on the planet. Congratulations guys, well done!


The flaw in their plan is that the intersection of people capable of figuring out how to pay a ransom payment in Bitcoin, and people still using Windows XP, is pretty small.


They have very detailed instructions in 20 languages. It's much more user-friendly than most software these days.


But their price point was set too high for their market.

Turns out that for a lot of victims wiping their old computer was deemed less expensive than the cost, nuisance, and risk of paying criminals through some shady internet fake money thing to possibly avoid having to wipe their computer.

For anyone with a recent backup of their data, I can't think of why they'd pay.


I think you are way underestimating the percentage of people who have good backups of their data.

HN'ers might, but HN would not be a representative sample.


A lot of the high-profile systems getting hit are embedded mission-critical systems. They'd be getting some amount of IT attention. And systems that aren't that important might not be important enough to ransom - just wipe and start over.


Agreed - I was thinking more of the individuals.


Almost makes you think the hysteria was the goal. The next illuminating question is "why," and the fallout the next couple of weeks will answer that.

Problem -> Reaction -> Solution.


Looks to be ~56K and pulling in 20k / day right now: https://twitter.com/actual_ransom/


Have you seen the banner ad at the top of the page: "Kevin Mitnick Security Awareness Training 2016". So who knows, maybe there's more in it for them longer term.


Sure, Silicon Valley probably won't jump on this bandwagon. But it's ok for a lifestyle business to have modest goals.



Would they make more money if they demanded $10 instead of $300? While $300 isn't crazy money, it's more than enough to be painful, and definitely feels like ransom.

I wonder how many people facing a locked computer would sigh, say a few choice swearwords, and dig out their cards had it been a relatively low amount.


Asking to get paid in Bitcoin is already a stiff barrier to entry for most users, so probably not. $300 feels close to the upper threshold where people who already care enough to not balk at the Bitcoin requirement also won't balk at the sticker price.


Ahh, yeah you're totally right, I keep forgetting that the victims need to pay with bitcoin.

Well. I guess it's good that there's not a more convenient way to give in to the criminals' demands!


They passed up a good opportunity for price discovery: have the ransomware pick a random number between, say, 10 and 1000 and learn from that for future attacks.


Other ransomware authors did this. I remember reading that the optimal amount is somewhere between $300 and $500, but I can't find a source anymore.


They could also make a machine learning model to take into account the part of the world, the hardware model, and other wealth indicators.


They probably would have made more by being quiet about the infection and renting it out as a botnet, or selling whatever interesting data they found.


Is this a point to the downside of bitcoin? I'm not against it at all still, but this does prove it to be a viable method of payment for shady business that can't reasonably be tracked... without bitcoin (or other cryptocurrency), what methods would be in place to collect this money that wouldn't be easily tracked?


Western Union? Scammers have had means of collecting payouts since the beginning of scams.

One interesting counter point here is that the money hasn't disappeared. Literally every cent that has been paid to one of these Bitcoin addresses can be traced through all future purchases by anyone on the internet. The money will, of course, be combined with other amounts as transactions occur but that doesn't kill the trail. If any of it does end up in a wallet which a government can tie to a real person, an investigator can start working backwards. This is no different from marked bills in a more traditional ransom payment. Not perfect, but proven effective.


Western Union at least requires ID to receive money, and you have to go into a location to do so (you can't claim it online) ... so you will be on camera...

Checks and money orders have to be cashed...

I'm not ranting against anything, just a curiosity...


"The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard.

[...]

By August 2012, a new variant of Reveton began to spread in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.

[...]

Rather surprisingly, Fusob suggests using iTunes gift cards for payment." https://en.wikipedia.org/wiki/Ransomware

Apparently at least Ukash, Paysafecard, MoneyPak card, and iTunes gift cards have all been used.


Isn't tax evasion the whole point of bitcoin?


Decentralization is the point of Bitcoin. It can still be taxed in any number of ways.


The only reason to care about centralized currency is the possibility that whoever owns the central bank will simply print more. This is equivalent to taxation.

edit:

> any number of ways

what about zero?


If this were me, I'd be running away from it as fast as possible.

It's entered meatspace, with players like the FBI, FSB, China (not sure about their acronyms), and anyone else who feels they have a stake.

If you aren't state-sponsored and protected (by a competent state, however corrupt), you aren't going to win against them. Not when you have a physical body, family, and friends to protect.

(And even if you aren't state-sponsored, do you want to be on high-vigilance for 10+ years? No trips abroad? And how do you stay useful enough to maintain that protection? And how, regardless of internal political turmoil?)

P.S. Not to mention, the competent (as opposed to the other) and very resource rich aspects of their intelligence services. Which can add up to a lot of haystack sifting.


What a shame. They've surely done many orders of magnitude more than $26k worth of damage. They've done a really really bad job at monetising their impact.


True, the damages they have done far surpass the ransom income, but the inflation of the currency itself based on global attacks probably helps them over the long haul. Sort of crazy that bitcoin markets react to ransom hauls in a positive way and to me - that is the biggest danger to bitcoin and a large source of potential revenue.


What would be really interesting to me is the reverse-engineering of the outbound bitcoin to trace this back to real/named individuals.

Consider that every transaction is public information - so any bitcoin spent from that wallet has to go somewhere.

A friend threw out a stat for me while we were discussing this the other day that something like 80% of existing wallets are owned within places like coinbase where they are associated with named individuals. (I don't know if that is true, but for the purposes of this strategy it's the assumption I'll stick with)

Anyways - assuming 80% of wallets can be traced by law enforcement to named individuals. Imagine that you set an alert to watch all outbound transactions from any of those three wallets.

After each transaction, do a lookup on the owner of the receiving wallet. If it is a named individual, interview them to find out how they got this money. Who just sent them a bitcoin?

If the wallet is not owned by a named individual, add it to the watch-list. Repeat for all outbound transactions from that wallet until you can trace it back.

I'm interested to know how many steps it would take to arrive at the actual criminal.


Once the BTC goes through an exchange and is withdrawn as another cryptocurrency, it would be almost impossible to trace without the cooperation of the exchange. I'm sure there are plenty of exchanges out there that wouldn't cooperate with law enforcement.


If bitcoin were truly that ineffective for use by extortionists, why is it so commonly used? Note: I'm truly asking a question, I know very little about the subject.


Honestly, I've been repeating this question for years. I still haven't come up with a good answer.

The best that I got is that those criminals rely on living in countries with weak rule of law, and Bitcoin makes for just enough obfuscation that those countries won't investigate them, while countries willing to investigate don't want to disclose that they have the ability.

Besides, anonymity is not the only feature of Bitcoin useful for criminals. There's also the fact that transactions can not be stopped or undone. Those may be even more important.


My guess is that BTC, while not effectively anonymous, does make it easy to use temporary accounts for receipt of extortion money.


Things like this exist: https://coinmixer.se/en/


Interesting! So there are laundering services. Still, even if that were a 'terminal' point, you'd know at least where they were going. I'd love to read the story of 'follow the money'


Mmm, I think they just convert the bitcoins to another cryptocurrency. Sounds like a cool movie though


Considering nobody has had their files decrypted yet, I'm almost surprised how high this figure is. You'd think some people would do at least a bit of research before throwing $300 down the drain.


That's not true. The process to send out the decryption key is apparently manual and slow, and some people haven't received keys https://twitter.com/MalwareTechBlog/status/86418145375993856... but some have. https://twitter.com/mikko/status/864107673146490880


Thanks, unfortunately it's too late to edit my comment now.


Did they actually decrypt the files after getting money from victims?

It would be interesting if some white-hat security researcher paid the $300, got the solution (reverse engineering), and made it available for free to everyone :)


As much as parts of the worm do look kind of amateur-ish, it's probably still a stretch to assume that they used the same encryption key for every infection.


Crypto doesn't work like that.


It depends on the implementation. Even so, it's always easier for the authors to patch the malware than it is for researchers to reverse it.


Really good technical analysis of WannaCry for hackers (in a good sense): https://www.youtube.com/watch?v=d_j8UUQbJsc


Article is a couple of days old now. If you do the math right now, as I'm writing this, it'd be 33.8 bitcoins. At $1721 per coin the total is over $58,000. All points Krebs mentions are still valid however.


We really should make it illegal to pay ransom. The only ultimate solution to this problem is to eliminate the incentive.


Ah yes, the old: "This action harms no one but yourself, but we wish to protect you from yourself, so the solution is to turn you into a criminal when you perform said action. For your own good of course."


> This action harms no one but yourself

Paying a ransom is the opposite of this. The action only helps yourself, but harms everyone else, by providing funds to the ransomer.


> Paying a ransom is the opposite of this. The action only helps yourself, but harms everyone else, by providing funds to the ransomer.

Reminds me of my relationship with the people who call themselves the taxing authorities.


It's not to protect you from yourself, it's to protect you from others. It's like how some shops have "cashier cannot access safe" signs -- it's not necessarily that they don't trust the cashier, it's that it prevents the cashier from becoming a target.


It's because they asked for $300 when they could've asked for $30,000, considering they infected a lot of large organizations.


$300 per machine, not per network.



