The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it.

Some researchers have found evidence they say could link North Korea with the attack, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.

For one thing, said IBM Security's Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails - e-mails containing malicious attachments or links to files - that download the ransomware. That is how most ransomware finds its way onto victims' computers.

The problem in the WannaCry case is that despite digging through the company's database of more than 1 billion e-mails dating back to March 1, Barlow's team could find none linked to the attack.

"Once one victim inside a network is infected it propagates," Boston-based Barlow said in a phone interview, describing a vulnerability in Microsoft Windows' file-sharing service that allows the worm to move from one computer to another without any user action.

The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online.

But the puzzle is how the first person in each network was infected with the worm. "It's statistically very unusual that we'd scan and find no indicators," Barlow said.

Other researchers agree. "Right now there is no clear indication of the first compromise for WannaCry," said Budiman Tsjin of RSA Security, a part of Dell.

Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. "How the hell did this get on there, and could this be repeatedly used again?" said Barlow.

Some cybersecurity companies, however, say they've found a few samples of the phishing e-mails. FireEye said it was aware customers had used its reports to successfully identify some associated with the attack. But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without their help.

PALTRY RANSOM

There are other surprises that suggest this is not an ordinary ransomware attack. Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency. There were only three bitcoin wallets and the campaign has so far earned only $50,000 or so, despite the widespread infections. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.

Jonathan Levin of Chainalysis, which monitors bitcoin payments, said there were other differences compared to most ransomware campaigns: for instance the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages.

And so far, Levin said, the bitcoin that had been paid into the attackers' wallets remained there - compared to another campaign, known as Locky, which made $15 million while regularly emptying the bitcoin wallets. "They really aren't set up well to handle their bitcoin payments," Levin said.

The lack of sophistication may bolster those cybersecurity researchers who say they have found evidence that could link North Korea to the attack.

A senior researcher from South Korea's Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.

Choi, who has done extensive research into North Korea's hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

The United States accused it of being behind a cyber attack on Sony Pictures in 2014. The Lazarus hackers have, however, been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cybersecurity firms.

Whoever is found to be behind the attack, said Marin Ivezic, a cybersecurity partner at PwC in Hong Kong, the way the hackers used freely available tools so effectively may be what makes this campaign more worrying. By bundling a tool farmed from the leaked NSA files with their own ransomware, "they achieved better distribution than anything they could have achieved in a traditional way," he said.

"EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals," Ivezic said.