
Why did WannaCry authors implement a killswitch? - giomasce
In many WannaCry variants there is a killswitch that pings a domain and only spreads if the domain does not reply. So, once you discover this right domain, you can heavily slow down that variant of WannaCry by registering that domain and putting a webserver on it.

Why did the authors implement this? This effectively bounds the amount of money they receive from the attack. Clearly civic duty is not their priority, unless they are maybe trying to reach a balance between their reward and the amount of damage. But this is hard to support: ransomware infections always cause much more damage than the authors earn (according to available public estimates, WannaCry's authors made less than 100 k$, which seems really small to me).

Also, why did they implement such a poor killswitch scheme? Everybody can register a domain, and the domain itself appears to be relatively simple to find in the code. They could have implemented an asymmetric encryption scheme, which only they would have been able to use.

Of course there is no way to know the actual reasons, but I still wonder: does anybody have some insight on why as a ransomware author you would do things this way?
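The "register the domain and put a webserver on it" response described above, as an added example that is not code from this thread: a minimal sinkhole that answers every request so the killswitch check sees a live domain, plus a helper that turns the sinkhole's own log lines into a per-host hit count so responders know which machines ran the check. The domain name, log lines and IP addresses are constructed placeholders.

```python
"""Sinkhole for a killswitch domain: answer everything, record who asked.

Added example, not from the thread. SINKHOLE_DOMAIN and SAMPLE_LOG are
constructed placeholders, not the real WannaCry domain or real logs.
"""
import re
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_DOMAIN = "killswitch.example"   # placeholder, not the real domain


class SinkholeHandler(BaseHTTPRequestHandler):
    """Reply 200 to any GET so the malware's reachability check succeeds."""

    def do_GET(self):
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        # One record per hit: client ip, Host header, requested path.
        # BaseHTTPRequestHandler prefixes it with "<ip> - - [<timestamp>] ".
        self.log_message("hit %s %s %s", self.client_address[0],
                         self.headers.get("Host", "-"), self.path)


LOG_RE = re.compile(
    r"^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] hit \S+ (?P<host>\S+) (?P<path>\S+)$")


def infected_hosts(log_lines, domain=SINKHOLE_DOMAIN):
    """Count hits per client IP whose Host header named the sinkholed domain.

    A client that asked for the killswitch domain executed the check, i.e.
    the malware ran there; the result is a cleanup list for responders.
    Lines that do not match the sinkhole format are ignored.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("host").split(":")[0].lower() == domain:
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample of what the handler above writes to its log.
SAMPLE_LOG = [
    "10.0.0.5 - - [12/May/2017 14:03:11] hit 10.0.0.5 killswitch.example /",
    "10.0.0.5 - - [12/May/2017 14:03:12] hit 10.0.0.5 killswitch.example /",
    "10.0.0.9 - - [12/May/2017 14:05:40] hit 10.0.0.9 killswitch.example:80 /",
    "10.0.0.7 - - [12/May/2017 14:06:02] hit 10.0.0.7 other.example /",
    "garbage line that does not match the sinkhole format",
]

if __name__ == "__main__":
    print(infected_hosts(SAMPLE_LOG))   # {'10.0.0.5': 2, '10.0.0.9': 1}
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

Run stand-alone it prints the host summary and then serves on port 8080; point the registered domain's DNS at that machine and feed its stderr log back through infected_hosts.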
======
dvdhnt
From what I've read, it's not uncommon for these types of malware to implement
similar schemes. They send the HTTP requests to one of N domains over some
period of time in order to detect whether or not the malware is being run
inside of a sandbox. If the IP of every response matches, they cease to
operate. Their intention, it seems, is to avoid in-depth analysis by
researchers, hoping to prolong the malware's lifespan. However, in this
particular case, such a check had the opposite effect.

~~~
seanwilson
Is there a safe way a sandbox could mock these HTTP requests to trip up the
sandbox detection?

~~~
giomasce
It is very implausible. A sandbox detection algorithm has a lot of different
options on what to observe to decide whether it is running in a "genuine"
environment or in an "artificial" one. You probably have to see what every
single sandbox detector is doing and cook up something specific for that.

------
elorm
As to why they implemented the killswitch, a simple guess would be a slip up or
poor personal security leading to your lair being raided by some unforgiving
three-letter agency that doesn't mind meting out a few harsh knocks until you
cease the spread.

However, I agree with you on the poor implementation of the killswitch. The
first thing that came to mind was, why not use an .onion instead? It might
mean bundling the malware with TOR but I've seen enough of these use cases to
know it's not a challenging thing to implement. Better to have the entire
computing might of the world struggle to crack your private key instead of
some lucky researcher registering your domain and halting your spread.

------
giomasce
CommitStrip took its position:
[http://www.commitstrip.com/en/2017/05/17/wannacrypt-bad-code...](http://www.commitstrip.com/en/2017/05/17/wannacrypt-bad-code-doesnt-pay-much/)

