Slashdot Mirror


Who's Profiting From The WannaCry Ransoms? (cnn.com)

CNN reports: For months, the ransom money from the massive WannaCry cyberattack sat untouched in online accounts. Now, someone has moved it. More than $140,000 worth of digital currency bitcoin has been drained from three accounts linked to the ransomware virus that hit hundreds of thousands of computers around the world in May.
Meanwhile, a Ukrainian law firm wants NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software, said to be the point of origin of the NotPetya ransomware outbreak. An anonymous reader quotes BleepingComputer: The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions... The Juscutum Attorneys Association says that on Tuesday, Ukrainian Cyber Police confirmed in an official document that M.E.Doc servers were backdoored on three different occasions. The company is now using this document as the primary driving force behind its legal action.
The law firm says victims must pay all of the court fees -- and give them 30% of any awarded damages.

31 comments

  1. Hillary by Anonymous Coward · · Score: -1

    Follow the money.

  2. Who is profiting? by Anonymous Coward · · Score: 1

    Sounds like the attorneys. And the court system, more generally. Parties to the suit? They all end up in the hole.

    1. Re:Who is profiting? by BarbaraHudson · · Score: 1

      Sounds like the attorneys. And the court system, more generally. Parties to the suit? They all end up in the hole.

      Of course the game is rigged, especially in this case. You're paying the legal fees up front, and there's no guarantee that what you'll recover will be enough to even get your money back.

      If software were to be developed that way, the deal would be "You pay me to develop the software and bill you at $300 an hour and up, plus all expenses, and also give me 30% of all revenue, if any."

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Who is profiting? by ShanghaiBill · · Score: 1

      Sounds like the attorneys.

      That is not necessarily bad. If criminals are forced to pay lawyers, that is still a deterrent to crime. You should think of these lawsuits as the outsourcing of law enforcement to the private sector.

    3. Re:Who is profiting? by ShanghaiBill · · Score: 1

      You're paying the legal fees up front

      I know nothing about the Ukrainian legal system, but in America most class action lawsuits are 100% contingency. There are no up-front fees.

    4. Re:Who is profiting? by Swave+An+deBwoner · · Score: 2

      And the victims get a 10% discount on future purchases (or services) from the company that bilked them in the first place.

      Class action suits were a great idea when they were used for social benefit like going after polluters who were untouchable by individual victims, but these days they seem to be mostly moneymakers for the legal firm that handles the lawsuit premised on some minor impropriety (or none sometimes) of the defendant entity.

      It looks like this Ukrainian legal group just found a more profitable way to skin their clients.

  3. My bet is by Anonymous Coward · · Score: 0

    Marcus Hutchins

  4. Not the point of origin, not the attack vector by Anonymous Coward · · Score: 0

    The point of origin is in the Russian military hacking service. They were the Ukrainian accounting software firm whose software was hijacked.

    And it was believed to be an employee's credentials that were used to hack it:

    https://www.bleepingcomputer.com/news/security/ukrainian-firm-facing-legal-action-for-damages-caused-by-notpetya-ransomware/

    "In a report released last night, Cisco experts say that the NotPetya group — suspected to be a cyber-espionage group named TeleBots — had infiltrated the company's infrastructure by gaining access to an employee's credentials. Cisco says the NotPetya gang used these credentials to embed a backdoor in the M.E.Doc software package, but also place a PHP webshell on the company's web server."

  5. Unbelievable by Anonymous Coward · · Score: 0

    APK hosts file generator makes me immune from such attacks. No one's gonna profit from me!

    1. Re:Unbelievable by Trax3001BBS · · Score: 1

      APK hosts file generator makes me immune from such attacks. No one's gonna profit from me!

      This came my way http://i64.tinypic.com/152p9nb... (cloudfront.net of course). It was searching the number I came across many who paid a lady who knew little English.

      Me? I was running Linux Mint; it crashed Flash with a segfault (buffer overflow), and let me download a small html file that said little.

  6. Charging all fees plus 30% ? by qwerty+shrdlu · · Score: 2

    Trust me, this is the kind of law firm that will take a lot more than 30%.

    1. Re:Charging all fees plus 30% ? by Anonymous Coward · · Score: 0

      At that rate, it might actually make sense for the victims to represent themselves in court. I know, I know... once upon a time there was a saying that "a person that is their own attorney is a fool", but when it is obvious that Ukrainian n-word lawyers are more interested in bleeding you dry, it almost makes sense to take the most sensible route. Although in this case, it seems that all parties except the people who ran away with all the money are fools.

    2. Re:Charging all fees plus 30% ? by Anonymous Coward · · Score: 0

      Infect them with WannaCry and tell them you'll fix their system if they prosecute for free.

    3. Re:Charging all fees plus 30% ? by ShanghaiBill · · Score: 1

      Trust me, this is the kind of law firm that will take a lot more than 30%.

      As they should. A lawsuit like this takes a lot of time and money, and has a high probability of netting $0. So the contingency has to be high to make it worthwhile.

      In a class action, if another qualified law firm is willing to do it for less, the judge can allow them to represent the class instead.

      For the injured parties, 70% of something is better than 100% of nothing.

  7. Yes that is unbelievable. APK is worthless. by Anonymous Coward · · Score: 0

    Except for the scammer himself, of course.

    1. Re:Yes that is unbelievable. APK is worthless. by Anonymous Coward · · Score: 0

      Actually APK's methods of WannaCry protection he put out work and are valuable https://yro.slashdot.org/comments.pl?sid=10956749&cid=54951471/

    2. Re: Yes that is unbelievable. APK is worthless. by Anonymous Coward · · Score: 0

      Of course, want to avoid competition!

  8. "sat untouched in online accounts" by Anonymous Coward · · Score: 0

    "sat untouched in online accounts. Now, someone has moved it."

    And why exactly wasn't the money seized? And why is "someone" anonymous when you cannot be anonymous whenever money is involved? Always these unanswered questions. None of the articles posted here ever make any sense.

    1. Re: "sat untouched in online accounts" by Anonymous Coward · · Score: 0

      Do some research on Cryptocurrency....you are a little out of touch with the year and technology. Why are you even here?

    2. Re: "sat untouched in online accounts" by Anonymous Coward · · Score: 0

      What the fuck are you talking about, you dumb piece of shit?

    3. Re: "sat untouched in online accounts" by DontBeAMoran · · Score: 1

      By saying things like "why exactly wasn't the money seized" you are showing your ignorance and then complaining about things you do not understand.

      --
      #DeleteFacebook
    4. Re:"sat untouched in online accounts" by ShanghaiBill · · Score: 1

      And why exactly wasn't the money seized?

      To seize the money you would need one of two things:
      1. The cryptographic keys
      2. Cooperation of the majority of the miners that control the blockchain.

      The miners have precisely zero incentive to cooperate. If they agreed to compromise the integrity of the blockchain, it would have a huge negative effect on the value of the currency.

    5. Re: "sat untouched in online accounts" by Anonymous Coward · · Score: 0

      ONLINE ACCOUNTS. Not a fucking local Bitcoin wallet. Read.

    6. Re: "sat untouched in online accounts" by DontBeAMoran · · Score: 1

      Just because it's "on the line" doesn't mean they have the cryptographic keys to do anything about it, grandpa.

      --
      #DeleteFacebook
  9. Easy ways to prevent Wannacry infection by Anonymous Coward · · Score: -1

    Protect yourself vs. WannaCry easily

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via regedit.exe:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    (THIS HAS BEEN PATCHED but you can protect this way too & it works...)

    Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates through + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk
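    The registry keys and sc.exe commands in the comment above can be audited and applied from one script. The following PowerShell is an added example, not code from the comment author or from Microsoft's article; it assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later, and the service and driver names (LanmanServer, LanmanWorkstation, mrxsmb10, mrxsmb20) are the ones the comment cites. With no switch it only reports; with -Remediate it writes the same registry values and runs the same sc.exe commands the comment gives.

```powershell
# Added example (not from the Slashdot post or Microsoft's KB article).
# Audits SMBv1 exposure on the local machine and optionally applies the
# registry/sc.exe changes the comment above lists. Run elevated.
param(
    [switch]$Remediate
)

$ServerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Get-SmbServerRegistryState {
    # SMB1/SMB2 values are absent by default; Microsoft documents the default as 1 (enabled),
    # so a missing value is reported as enabled rather than as unknown.
    $props = Get-ItemProperty -Path $ServerKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SMB1 = if ($null -ne $props.SMB1) { [int]$props.SMB1 } else { 1 }
        SMB2 = if ($null -ne $props.SMB2) { [int]$props.SMB2 } else { 1 }
    }
}

function Get-SmbClientState {
    # mrxsmb10 is the SMBv1 client (redirector) driver. It is loaded only if the
    # workstation service lists it as a dependency and its start type is not Disabled.
    $drv  = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue
    $deps = (Get-ItemProperty -Path $WorkstationKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    [pscustomobject]@{
        Smb1DriverStartMode      = if ($drv) { $drv.StartMode } else { 'NotPresent' }
        WorkstationDependsOnSmb1 = [bool]($deps -contains 'mrxsmb10')
    }
}

function Get-SmbListeningPorts {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later; on older
    # systems this simply returns an empty list.
    $ports = @()
    foreach ($p in 139, 445) {
        $c = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
        if ($c) { $ports += $p }
    }
    return $ports
}

function Get-SmbFindings {
    $server = Get-SmbServerRegistryState
    $client = Get-SmbClientState
    $findings = @()
    if ($server.SMB1 -ne 0) {
        $findings += 'SMBv1 server is enabled (LanmanServer\Parameters\SMB1 is not 0)'
    }
    if ($server.SMB2 -ne 1) {
        $findings += 'SMBv2 server is disabled (LanmanServer\Parameters\SMB2 is not 1)'
    }
    if ($client.Smb1DriverStartMode -notin 'Disabled', 'NotPresent') {
        $findings += "SMBv1 client driver mrxsmb10 start type is $($client.Smb1DriverStartMode), not Disabled"
    }
    if ($client.WorkstationDependsOnSmb1) {
        $findings += 'LanmanWorkstation still depends on mrxsmb10 (SMBv1 client will load)'
    }
    $listening = Get-SmbListeningPorts
    if ($listening.Count -gt 0) {
        $findings += "SMB/NetBIOS ports listening: $($listening -join ', ')"
    }
    return $findings
}

function Set-SmbV1Disabled {
    # Same changes the comment lists: server-side registry values, then the
    # client-side dependency list and driver start type via sc.exe.
    New-ItemProperty -Path $ServerKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ServerKey -Name SMB2 -PropertyType DWord -Value 1 -Force | Out-Null
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
}

$findings = Get-SmbFindings
if ($findings.Count -eq 0) {
    Write-Host 'No SMBv1 exposure found.'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host "  - $_" }
}

if ($Remediate -and $findings.Count -gt 0) {
    Set-SmbV1Disabled
    Write-Host 'Changes applied. Reboot for the server-side registry values to take effect, then re-run without -Remediate to confirm.'
}
```

    The audit deliberately treats a missing SMB1 value as "enabled", matching the default the comment quotes, so a machine nobody has touched shows up as a finding. On Windows 8.1 / Server 2012 R2 and later the supported way to turn SMBv1 off is Set-SmbServerConfiguration -EnableSMB1Protocol $false (or removing the SMB1Protocol optional feature); the registry route above still works there but is the legacy method the comment's linked article describes for older systems.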

  10. It doesn't matter... by Anonymous Coward · · Score: 0

    We should not care who profits from the ransoms. The only thing we should concern ourselves with is ensuring that people pay the ransom.

    Always, always, ALWAYS pay your ransoms.

  11. 140k is peanuts by gweihir · · Score: 1

    Seriously.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:140k is peanuts by Anonymous Coward · · Score: 0

      Yes. In fact that almost makes it worse. The persons responsible for this should be killed when they're found to make an example. This ransomware has caused millions of dollars in damages. For that amount, their lives ought to be forfeit. The US Government needs to put the fear of God into these sorts of people, otherwise we will see more and more of the same.

    2. Re:140k is peanuts by schleimkeim · · Score: 1

      I'm not sure if you're trolling, or if you're actually a complete moron.

    3. Re:140k is peanuts by Anonymous Coward · · Score: 0

      depends entirely on where you live. $140k in the US? yeah, peanuts. In Ukraine where average yearly income is around $3.5k before taxes? That's 40 YEARS of average income...

  12. Who is winning on America's obsession with spying? by Anonymous Coward · · Score: 0

    Who is winning on America's, China's, Russia's etc obsession with spying? NOBODY! THAT'S WHO! We all lose... and all future generations as well!