As the effects of the WannaCry global ransomware attack continue to be felt, there is evidence emerging that the hackers are not decrypting the files of victims who decide to pay the US $300 ransom.
A commenter on cybersecurity expert Troy Hunt’s blog recounted that one of his customers had paid the ransom and still not received any updates from the hackers after 24 hours.
Indeed, there have been no reports of anyone getting their files back, despite nearly 170 payments (about US $50,000 at the time of writing) having been made to the bitcoin wallets associated with the ransomware.
An analysis of the ransomware on the blog of software company Check Point suggests it is highly unlikely the hackers ever intended to decrypt the files for several reasons.
Firstly, the software is not like normal ransomware in that it hasn’t used a unique payment address that would identify which user has paid for their files to be decrypted. Consequently, there is no way for the hackers to actually know who has paid and who hasn’t.
Secondly, ransomware developers typically provide “customer support” – ways of contacting them to get help in making payments or decrypting files. In the case of WannaCry, there has been absolute silence from the hackers behind it.
And thirdly, the way the ransomware is encrypting the files on a computer suggests it would be almost impossible for the ransomware developers to decrypt them, even if they wanted to.
Ironically, the WannaCry hackers are likely to have a negative impact on the entire ransomware industry by taking this approach. Their failure to decrypt files even after users have paid serves as a very salient lesson to anyone effected by ransomware: there is little benefit in paying the ransom. If everyone stops paying, the motivation for ransomware largely disappears.
Since the attack, Microsoft has responded to the seriousness of the situation by issuing security updates to older versions of Windows that are normally unsupported.
Microsoft’s chief legal officer Brad Smith has voiced direct criticism of the US National Security Agency for not revealing the details of the vulnerability that was at the root of the WannaCry ransomware. In a blog post, Smith said:
“This vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Smith has argued in the past that digital weapons need to be treated in the same way as physical ones, governed by a “Digital Geneva Convention” that would limit the stockpiling of computer vulnerabilities that can cause widespread damage if they end up in the wrong hands. While commendable, it is extremely unlikely that governments would sign up to a limitation of how their secret services and law enforcement agencies operate in the area of cyber warfare or cyber espionage.
For a start, it is unlikely that the adversaries these efforts are aimed at would sign up to any such agreement. Not to mention, despite the chaos inadvertently unleashed by the NSA, most of it was felt by countries like Russia, Ukraine and China and not the US. There would certainly be no internal pressure on the NSA from anyone in the current government to change their current behaviour.
WannaCry will eventually stop spreading as people upgrade and patch their systems. Variants of the malware have surfaced that avoid being switched off using techniques discovered earlier by researchers. There will be no quick fix to the spread of the malware, and it will ultimately end only when all systems have been updated.