If you’ve been infected with WannaCry, you’re probably not getting your files back if you pay.

About three days ago, a ransomware campaign named “WannaCry” began. If you looked only at what the mainstream media is telling you, this was malware written by genius programmers who know what they are doing, and one of the most sophisticated and profitable ransomware schemes ever.

If you look at the code, however, you find this could not be further from the truth. It is not just bad code (most malware is bad code already); it is bad malware. And it is not bad because of any real technical hurdle the developers could not have cleared in a timely manner. They just didn’t care, or were incompetent. This goes so far that it is unlikely the people behind WannaCry will decrypt your files if you pay. The main reason is that they cannot know whether you paid.

When we look at the code of WannaCry, we see that the page a victim sees consists of a text box with instructions to submit payment to a bitcoin address. The malware picks one of three hard-coded addresses at random, so every victim is paying into one of the same three addresses as everyone else. Once payment is made, the victim is told to wait until 9am-11am GMT, at which point the people running WannaCry somehow, by magic, figure out who paid and decrypt their files. This is the problem: a bitcoin transaction records only the destination address and the amount, not who sent it, and the destination is shared with every other victim assigned to it. There is no way for the people who encrypted your files to know that you paid at all.

Secondly, there does not seem to be any real, working decryption method in the code. You may be saying, “But what about the free decrypt option?” That is the only decryption function that appears to be real. At encryption time the malware picks 10 files at random and stores the decryption key for those files only. There does not appear to be any way for any other decryption key to be used. So there is no real reason to expect that anyone is getting their files back.

Why is this?
This is likely because the developers of WannaCry were trying to be the first to use the recently leaked NSA exploits, and so did not spend much time making their malware work past the point where the developers get paid. Making it actually work would have involved the following:

1. A newly infected bot downloads Tor and uses it to connect to one of the four hidden command and control (C&C) servers.
2. The C&C server assigns a unique ID to the bot and generates a bitcoin address for that ID.
3. The bot shows that per-victim address to the victim, instead of one shared, hard-coded address.
4. The C&C server watches the Bitcoin blockchain and checks the balance of each victim’s address. Once the balance is worth at least $300, the server sends the private key to the client and lets the victim decrypt their files.
5. The operators then have to sweep all of these coins into one wallet (not hard, but something of a pain).

This likely would have taken half a day to develop, so it is curious that it was not done.

It is also worth noting that this will draw the ire of law enforcement and ransomware campaign operators alike. Because this ransomware cannot give anyone their files back, and because it is so high-profile, many people’s views on ransomware, and on whether they should pay, will be based on what is happening now. I would bet that because of this, we will see a decrease in the number of people paying the ransom on conventional ransomware.

But there is one possible hope. It is possible that the people behind WannaCry will release a universal decryption key once everyone who is going to pay has paid. I would put the chances of this at about 25%.
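The accounting problem described above, as an added example that is not code from the article or from WannaCry. It simulates the two payment models on a constructed ledger: the three shared, hard-coded addresses WannaCry actually uses, and the per-bot address scheme the steps above describe. The addresses, victim IDs, transactions, master secret and BTC/USD rate are all made up for the example, and HMAC-SHA256 stands in for real wallet key derivation. The point it shows is that money arriving at a shared address can be counted but never attributed to a victim, whereas a per-victim address identifies the payer by construction, including the case of a partial payment.

```python
"""Payment attribution on a constructed ledger: shared vs per-victim addresses.

Added example, not code from the article or from WannaCry. Every identifier,
transaction and rate below is constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Ransom threshold. The BTC/USD rate is an assumed constant for the example;
# a real checker would need a live price feed, one more thing to get right.
RANSOM_USD = 300.0
BTC_USD = 1800.0
RANSOM_BTC = RANSOM_USD / BTC_USD  # about 0.1667 BTC at the assumed rate

# Constructed operator secret and the per-bot IDs a C&C server would hand out.
MASTER_SECRET = b"example-master-secret-not-real"
VICTIMS = ["victim-001", "victim-002", "victim-003"]

# WannaCry's model: a few hard-coded addresses shared by every victim.
# Placeholders, not the real addresses.
SHARED_ADDRESSES = ["shared-addr-A", "shared-addr-B", "shared-addr-C"]


@dataclass(frozen=True)
class Tx:
    """One incoming payment as a blockchain observer sees it: destination and
    amount, and nothing that identifies the sender."""
    txid: str
    to_address: str
    amount_btc: float


def derive_address(master_secret: bytes, victim_id: str) -> str:
    """Stand-in for per-victim address derivation (assumption: HMAC-SHA256
    plays the role a hierarchical wallet derivation would play). The server
    keeps one secret, recomputes any victim's address on demand, and can
    sweep all of them from the master key. Output is a demo label, not a
    valid Bitcoin address."""
    digest = hmac.new(master_secret, victim_id.encode(), hashlib.sha256).hexdigest()
    return "demo1" + digest[:24]


def balances(ledger: list[Tx]) -> dict[str, float]:
    """Total BTC received per destination address."""
    totals: dict[str, float] = defaultdict(float)
    for tx in ledger:
        totals[tx.to_address] += tx.amount_btc
    return dict(totals)


def attribute_shared(ledger: list[Tx], shared_addresses: list[str]) -> tuple[int, set[str]]:
    """Shared-address model. Returns (whole ransoms received, victims proven to
    have paid). The ledger says how much arrived, never who sent it, so the
    set of identifiable payers is empty even when money has come in."""
    received = sum(balances(ledger).get(addr, 0.0) for addr in shared_addresses)
    ransoms_received = int(received // RANSOM_BTC)
    return ransoms_received, set()


def attribute_per_victim(ledger: list[Tx], master_secret: bytes, victims: list[str]) -> set[str]:
    """Per-victim model. A victim has paid when the address derived for that
    victim alone holds at least one ransom: the address is the identity."""
    bal = balances(ledger)
    return {
        vid for vid in victims
        if bal.get(derive_address(master_secret, vid), 0.0) >= RANSOM_BTC
    }


def outstanding(ledger: list[Tx], master_secret: bytes, victims: list[str]) -> dict[str, float]:
    """BTC still owed per victim; partial payments stay visible instead of
    vanishing into a shared pool."""
    bal = balances(ledger)
    return {
        vid: max(0.0, RANSOM_BTC - bal.get(derive_address(master_secret, vid), 0.0))
        for vid in victims
    }


# Constructed ledger: two full ransoms to a shared address from unknown payers,
# one full ransom and one partial payment to per-victim addresses.
LEDGER = [
    Tx("tx-0001", "shared-addr-A", 0.17),
    Tx("tx-0002", "shared-addr-A", 0.17),
    Tx("tx-0003", derive_address(MASTER_SECRET, "victim-002"), 0.17),
    Tx("tx-0004", derive_address(MASTER_SECRET, "victim-003"), 0.05),
]

if __name__ == "__main__":
    ransoms, proven = attribute_shared(LEDGER, SHARED_ADDRESSES)
    print(f"shared model: {ransoms} ransoms received, identifiable payers: {sorted(proven)}")
    print(f"per-victim model: paid = {sorted(attribute_per_victim(LEDGER, MASTER_SECRET, VICTIMS))}")
    print(f"per-victim model: outstanding = {outstanding(LEDGER, MASTER_SECRET, VICTIMS)}")
```

Run stand-alone, the shared model reports two ransoms received and no payer it can name, while the per-victim model names victim-002 as paid and shows victim-003 short by roughly 0.117 BTC. The difference is entirely in step 2 of the list above: without a unique destination per victim, the blockchain gives the operators a total and nothing else.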
About the Author: Nick McKenna is a student researcher who has had an interest in cyber security for the past five years. Nick likes seeing how things work and trying to break them. If you have any questions, you can contact Nick here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.