WanaDecrypt0r Ransomware Earns Just $26,000 In Ransom Payments (krebsonsecurity.com)
An anonymous reader quotes Krebs On Security:
As thousands of organizations work to contain and clean up the mess from this week's devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what's being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam...
It's worth noting that the ransom note Wana popped up on victim screens (see screenshot above) included a "Contact Us" feature that may have been used by some victims to communicate directly with the fraudsters... I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward.
Hopefully if it becomes the norm that people don't make any money from these things, it won't be worth the effort to do....
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Is it more than Trump paid in federal income tax for 2016?
No more AMT! Free the shackles from the rich!
Without knowing how much time and money they put into creating, disseminating, and maintaining it we won't know the ROI. If it was an evening's work, and nothing more than a side job, then $26K could be worthwhile.
Did they get their files decrypted? If so, how?
"However, I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward. "
This is the most idiotic statement I've ever seen him make. It is a good thing if there was little reward, and his implication that he is disappointed that they didn't get more is just mind boggling.
This is why we should never pay ransomware.
1) There is a big chance they are not going to unlock your data, anyway.
2) You don't know if they have also stolen all the data and can then do other things to harm you in other ways. Or left residuals in your computer.
3) By paying, you are a "mark" so they might go after you again.
4) Paying absolutely encourages them to continue this behavior and incentivizes others to join them.
We need to educate everyone: Backup your data redundantly and check it regularly, and don't pay ransomware.
Until you factor in trying to hide from the FBI/Interpol for the rest of your life. Are you sure those transactions are completely untraceable? Yeah, sure, keep telling yourself that. Sleep well...
Given that probably more than one country's three-letter agencies are looking for these morons, my bet is they will be found, and then either spend the rest of their lives behind bars, or even just disappear... all that risk for 26k....
The ransom was around $300 and more than 75,000 computers were infected... That's a total fiasco lol
That means less than 0.1% paid for decryption.
The real question is why isn't the NSA getting its feet nailed to the floor for this? They discovered (or engineered) a critical weakness in a major operating system, and rather than report it to make sure we are actually safe from this threat, they used it to make malicious software which then got released into the wild and is being used against the world.
This is the largest breach of trust of any US government agency that I know of, and yet people are just ignoring that aspect of it.
They might be long-term investors.
It's because they kidnapped Liam Nesson's files.
People in hospitals did not get care due to this. There was at least one critical stroke response unit that had shut down complete. Medical equipment also relies on computers, some of which were vulnerable. You want to blame the "victims" for un-patched systems? Sure, all systems should be up to date, but that's a bit like blaming the victim of a stray bullet from a gun fight for not wearing combat armor when he went out for a sandwich that day.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Those criminal hackers won't be the winners. Try make them be the losers.
May other hackers DDoS Bitcoin's and Tor's servers as a deterrent act.
I'm quiet if they are shut down.
This finding shows conclusively that all the hysterical talk of highly-organized, focussed attacks by "criminal gangs" was rubbish. Instead, the facts point to what one would expect to see if the malware had simply been launched and drifted where it would.
Had there really been an organized criminal gang behind the attacks, we could have expected many more computers to be pwned, and instead of a demand for $300 in Bitcoin or whatever on each monitor, there would have been a single demand for several million pounds - delivered to the Prime Minister.
When I used to give talks about software security 20 years ago, I always stressed that, so far, attacks had been episodic and uncoordinated, which is what you would expect from "hobbyists". "Just kids messing about," in the apt words of Crocodile Dundee. When serious actors moved in, people would know about it.
The really astonishing thing is that, now 20 years have passed, so very little has changed. We still get these amateurish, uncoordinated attacks. One day - but I won't predict when, having been so wrong in the past - things will get a great deal worse very suddenly.
I am sure that there are many other solipsists out there.
" I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward."
I find it depressing that people are more concerned with how much the thieves made rather than getting on the case of TLAs that are supposed to be SECURING the Internet instead of subverting it.
I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward
Yeah, as clever as they were they deserved more money?!
Just think, because it made so little money, this may be the last time we see such a wide scale attack, how sad... /sarcasm
Ken
"I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward."
It is not depressing to criminals. That it depresses you is of no consequence.
Hell... couldn't even begin to wonder how to get sign-off for bitcoin without 4 layers of admin and a competitive process.
Especially over the weekend.
They picked the wrong payment method - or too short a timescale.
I don't know what the Slashdot community is smoking. That'll cover a LOT of expenses for an overseas criminal enterprise, regardless of whether it's in Paris or Ulaan Baatar.
-Legal.Troll (logged out to avoid silly negative karma)
how many millions of dollars and man-hours were spent across the globe in response to the thing?
Would you find it less depressing then if they reaped a massive financial reward?
"Contact Us" feature that may have been used by some victims to communicate directly with the fraudsters...
So the agencies that supposedly can backdoor any electronics and trace all movements of data can't penetrate those fragile Bitcoin exchanges or trace phone calls to the perps?
Can you spot me a little bit of cash? Won't be much I promise
I wonder where that figure comes from. My company literally paid a third of that amount.
Oh, and it is all like Las Vegas, and why today are you not protecting your OS install by live boot disc?
If you are not doing it live -- fuck it! Damn thing is asking for a new peripheral to detect all the time -- fuck! Do it LIVE!
Have a wonderful day, keep your OS data and mountpoints separate from your home directory dot-config files and obscure your personal data away from the goddam home directory, preferably in a RAID-configured, remote network-mounted, Truecrypt-encrypted fileshare just to keep them guessing.
The good thing here is that people have apparently gotten the message to not ever pay these people. Given that they will be completely destroyed if ever caught and that there is a lot of incentive to catch them, I hope this problem will just vanish over time.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Those bitches with NAWBO (https://www.nawbo.org/) missed again; neener-neener.
there's lots and lots of engineers in China, India & Eastern Europe without much to lose. Their economies have little to no safety net, meaning if you trip up you crash hard. This is one of those consequences of abandoning a good chunk of your population to the forces of nature and the whims of capitalism. There's talk about the US slashing aid to poor middle eastern countries and of Isis et al looking forward to it so they can move on and radicalize the desperate. On a more local scale stuff like this is why we have WIC, so we don't have millions of babies with mental and physical disorders from their developing years.
I know, I know, I'm politicizing. But the thing is like it or not politics affects everything we do. It's scary how far it's embedded in our lives and nobody likes to acknowledge it...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I think history is gonna show us that we were responsible for the Wana attack. It didn't cross my mind until I heard on NPR that Russia was the country that suffered from the attack the most, even getting into government computers. The Shadow Brokers released this trove of hacking tools a little while ago. This meant the door on using this exploit was going to start closing slowly. We also knew that hackers would take advantage of this exploit. So why wouldn't the US Govt, under the guise of a random hacker, use this exploit to garner as much info as possible on Russia while it was still possible? Remember that Obama told Russia that we would get them back, at the time and date of our choosing. And this would explain why the built-in shutdown was hidden in the code. I wouldn't be surprised if that 20-something-year-old security researcher wasn't tipped off to register that domain name once we'd gotten access to some of Russia's infrastructure, to mitigate collateral damage to the innocent bystanders. That would explain why they "only" got $26k; if their M.O. was to make money there would have been zero reason to include a kill switch in the code.
It shows the bean counters the cost of not keeping systems up to date.
In the form of a Hellfire missile...
"guys" is the most gender neutral term you can use!
What rock have you been sleeping under?
It's like those criminals who do $100K damage to some expensive electrical equipment just so they can scrounge a few hundred dollars worth of copper. They simply don't care how much damage they do to other people as long as they get a few bucks in their pocket.
But we were warned of these vulnerabilities months before. The whole industry had months in advance warnings to alleviate this problem. Did anyone do anything? Nope.
This problem is a combination of not having your updates and patches done, not having good IDS software running, not having good firewalls running, using Windows in the server room when you know Linux is almost always the right choice, not having good backups, not following good data security practices, and overall just failing to do your job properly.
"I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward."
So, it would have been better if the reward were much bigger?
Have you considered that the message "there are no winners here not even the criminals" would be written in exactly the same way?
I think your shoot the messenger attitude is from not considering the context.
Take it for granted that *most* people infected did not have access to $600 worth of bitcoins.
Then understand that for fraud reasons, most bitcoin exchanges make you wait 24 hours before clearing your credit card transaction and granting you the bitcoins, especially for new users.
QED, those payments were probably just made by people who were infected and already had access to bitcoins.
Also, most organizations would first check their backups, which can take some time, before deciding whether to pay up for the missing, non-backed up data.
A bit odd calling NTFS "modern" when the filesystem on VMS had that feature.
ZFS is a much better and more user friendly example in the way it handles snapshots.
I hate to extinguish your fantasy but script-kiddie shit is invariably shit so it's quite likely that the first person with a clue to take a really good look at the malware could find a hole.
If your fantasy was correct somebody "connected" would be the one tipped off to claim the glory.
Bitcoin ... the currency of criminals.
The problem in nearly every system that was affected by an attack comes down to greed (and not just on the malware maker's part). Hospitals are either businesses, expected to make ever greater profits, or government entities expected to save tax dollars (or some combination). They balance the good they do against the money it costs and unfortunately, sick people tend to be on the losing end.
Medical equipment manufacturers are almost universally corporations. If the money is there, they'll keep upgrading equipment forever, but it's usually more profitable to sell something new.
The people responsible for the equipment knew that it was old and out of date. They decided that the money they had should go elsewhere. You're not blaming the victim when someone deliberately stops maintaining his car and gets killed when his brakes fail, even if he didn't have the money to fix them. In fact, I'd say that he's responsible for any injuries to the people in the other car.
There comes a point where hacking has to be considered a force of nature, and the wind does not respect a fool.
Coal miners care about how much their product wrecks the environment? Nope. No different really.
> This ransomware here will encrypt attached devices - such as
> external usb drives - and any network share you may have access to.
>
> So even if you have backups, you can still get burned.
That's *NOT* how to backup. Three principles of successful backups...
1) Do *NOT* let the PC have write access to the backup system. Do not trust it to not f*** up external backups. Instead have the desktop PC share out directories (read-only access) so they can be copied by an external machine running Linux/BSD/whatever.
2) Do *NOT* overwrite your backups. Use a proper versioning system. If a file is unchanged, don't make another copy. If it is changed, *CREATE A SEPARATE COPY*. If you're running low on space, give read-only access to the user and ask them to confirm that the latest file version is not screwed up. Then and only then have the backup machine delete older versions.
3) Set up random "tripwire files" that look like ordinary Word and Excel files... and tell the user *NOT* to touch them. Have the backup machine (with read-only access) check the "tripwire files" every hour or so. If any of the files change, have the backup machine send an urgent email to IT to look into it *NOW*!
I'm not repeating myself
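The three backup principles in the comment above (pull from a read-only share, never overwrite an earlier version, alarm on tripwire files) as a worked example. This is added illustration code, not something from the thread or from any backup product; the file names, directory layout and the `demo()` sample tree are constructed here, and the "share" is just a local directory standing in for a read-only network mount on the backup host.

```python
"""Pull-style versioned backup with tripwire (canary) checks.

Added example: the backup host reads a share it cannot write to, keeps every
distinct version of each file under a content hash (so nothing is ever
overwritten), and raises an alert when a canary file the user was told never
to touch has changed or vanished. All paths and sample files are constructed.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_canaries(share: Path, canaries: list[str], manifest: Path) -> None:
    """Store the known-good hash of each canary file (run once at setup)."""
    baseline = {name: sha256_of(share / name) for name in canaries}
    manifest.write_text(json.dumps(baseline))


def check_canaries(share: Path, manifest: Path) -> list[str]:
    """Return canary files whose contents changed or which are missing.

    A canary nobody is supposed to edit only changes when something rewrote
    it (ransomware included); any non-empty result is an urgent alert.
    """
    baseline = json.loads(manifest.read_text())
    tripped = []
    for name, known in baseline.items():
        path = share / name
        if not path.exists() or sha256_of(path) != known:
            tripped.append(name)
    return sorted(tripped)


def versioned_backup(share: Path, store: Path) -> list[str]:
    """Copy files from the read-only share into an append-only store.

    Each version lives at <store>/<relative name>/<sha256>. Unchanged content
    creates no new copy; changed content gets its own copy beside the older
    ones, which are never overwritten. Returns the files newly versioned.
    """
    written = []
    for path in sorted(p for p in share.rglob("*") if p.is_file()):
        rel = path.relative_to(share)
        dest = store / rel / sha256_of(path)
        if dest.exists():
            continue  # identical content already kept: nothing to do
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        written.append(str(rel))
    return written


def versions_kept(store: Path, rel: str) -> int:
    """Number of distinct versions of one file held in the store."""
    d = store / rel
    return len([p for p in d.iterdir() if p.is_file()]) if d.is_dir() else 0


def demo() -> dict:
    """Constructed scenario: two canaries plus one working file, then an
    edit, then a simulated mass rewrite. Returns what each step observed."""
    tmp = Path(tempfile.mkdtemp())
    share, store, manifest = tmp / "share", tmp / "store", tmp / "canaries.json"
    share.mkdir()
    (share / "Budget2017.xlsx").write_bytes(b"canary-a")   # constructed
    (share / "Notes.docx").write_bytes(b"canary-b")        # constructed
    (share / "report.txt").write_bytes(b"version one")     # constructed
    record_canaries(share, ["Budget2017.xlsx", "Notes.docx"], manifest)
    out = {"clean": check_canaries(share, manifest)}
    out["first_run"] = versioned_backup(share, store)
    out["second_run"] = versioned_backup(share, store)     # nothing changed
    (share / "report.txt").write_bytes(b"version two")     # legitimate edit
    out["after_edit"] = versioned_backup(share, store)
    out["report_versions"] = versions_kept(store, "report.txt")
    # Simulated ransomware pass: one canary rewritten, one removed.
    (share / "Notes.docx").write_bytes(b"ENCRYPTED")
    (share / "Budget2017.xlsx").unlink()
    out["tripped"] = check_canaries(share, manifest)
    return out


if __name__ == "__main__":
    print(demo())
```

On a real backup host `check_canaries` would run from cron against the mounted read-only share and page IT whenever it returns anything; `versioned_backup` runs on its own schedule and, because versions are keyed by content hash, a ransomware pass that rewrites every file adds new versions without touching the good ones already stored.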
I'm an X window user; I'm an ex-Windows user
If it's too good to be true it normally is. This is all very convenient. NSA leaks vulnerabilities, script kiddies are conveniently placed to use the code to execute malware attacks. The fact that they used only a few bitcoin wallets and have received little cash suggests this is all a front, a cover for who is really behind it. The NSA works covertly on behalf of those people in the UK that don't want the UK to have the NHS. Why attack a cash-strapped health service? There's much more bounty in banks etc. Oh, I forgot, bankers are probably sponsoring all this.
There were THREE addresses hardcoded into it, not one. On Friday the blockchain reported the three addresses together had just under 20 BTC on them. Where did they get their info from? Is there something I'm missing?
1) Is it possible to trace the bitcoin recipients? To their real IP address? To their home address?
2) Other attacks are often followed by "those who know" telling us that the attack occurred in Russia, or China, or...wherever. Since it is easily possible to spoof the sending IP address of an attack, how are these attackers identified? Won't all the routing information also be compromised? In fact, the only IP address that is accurate is the recipient. Any help?
--
As usual, I am confused.
This is going to seem like the worst comparison but I recall a day where if you had a junk bicycle it would never get stolen, and then you had to have a token lock on said bicycle, then it got to where you needed to park next to a more expensive bike with a decent lock, then it got to where your lock needed to be more expensive than your bike. It's crazy now how crap parts from crap bikes will be stolen. The thieves have to get maybe a dollar or so for them.
I've just checked those Bitcoin addresses and they have made a little bit over 20 bitcoins (about $34k), so they're still making money and will continue as time goes by.